jwjones2000
asked on
Cisco 5510 ASA Version 8.0(2) ASDM 6.0(2) Basic configuration.
This is my first time configuring a cisco 5510 ASA firewall. How can I go to the internet using the Cisco 5510 Device?
(outside) Public block IP - 67.115.20.128 255.255.255.128
(outside) Gateway 67.115.20.129
(inside) LAN Block IP - 10.9.0.0 25.255.255.0
Here is what I got so far:
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 67.115.20.130 255.255.255.192
ospf cost 10
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 10.9.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 151.164.1.6
name-server 68.94.157.1
name-server 204.60.203.190
domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 67.115.
20.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco rd DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:72bf6f02ffc baceeb869c b80c882412 0
ciscoasa#
(outside) Public block IP - 67.115.20.128 255.255.255.128
(outside) Gateway 67.115.20.129
(inside) LAN Block IP - 10.9.0.0 25.255.255.0
Here is what I got so far:
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 67.115.20.130 255.255.255.192
ospf cost 10
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 10.9.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 151.164.1.6
name-server 68.94.157.1
name-server 204.60.203.190
domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 67.115.
20.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:72bf6f02ffc
ciscoasa#
ASKER
I won't do another change but this is the last thing I have on the Cisco 5510 ASA
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 67.115.20.130 255.255.255.128
ospf cost 10
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 10.9.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 151.164.1.6
name-server 68.94.157.1
name-server 204.60.203.190
domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 host 67
.115.20.130
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco rd DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aeb4262d8a5 e1196cb83a 9c9da17138 a
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 67.115.20.130 255.255.255.128
ospf cost 10
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 10.9.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 151.164.1.6
name-server 68.94.157.1
name-server 204.60.203.190
domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 host 67
.115.20.130
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aeb4262d8a5
Remove the acl from the interface. It is not necessary unless you want to severely restrict outbound traffic:
no access-group Inside_access_in_2 in interface Inside
Add icmp inspect. Use Command line tool, Multi-line. Copy/paste the following:
policy-map global_policy
class inspection_default
inspect icmp
>global (Outside) 101 interface
>static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
You can't do both using the interface IP. You can't do both static and dynamic using "interface".
no static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
clear xlate
no access-group Inside_access_in_2 in interface Inside
Add icmp inspect. Use Command line tool, Multi-line. Copy/paste the following:
policy-map global_policy
class inspection_default
inspect icmp
>global (Outside) 101 interface
>static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
You can't do both using the interface IP. You can't do both static and dynamic using "interface".
no static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
clear xlate
ASKER
I did the following commands:
no access-group Inside_access_in_2 in interface Inside
I got the following Error:
ERROR: access-list Inside_access_in_2 is not associated with interface Inside
The multi-line command was successful
The last command no static:
ERROR: static element not found
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 67.115.20.130 255.255.255.128
ospf cost 10
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 10.9.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 151.164.1.6
name-server 68.94.157.1
name-server 204.60.203.190
domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 host 67
.115.20.130
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco rd DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:681c0d129d0 6328ddb166 db40a9be33 8
no access-group Inside_access_in_2 in interface Inside
I got the following Error:
ERROR: access-list Inside_access_in_2 is not associated with interface Inside
The multi-line command was successful
The last command no static:
ERROR: static element not found
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 67.115.20.130 255.255.255.128
ospf cost 10
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 10.9.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 151.164.1.6
name-server 68.94.157.1
name-server 204.60.203.190
domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 host 67
.115.20.130
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:681c0d129d0
OK, but it looks like it removed the acl anyway. Any change in results?
Can you ping your gateway from the ASA? 67.115.20.129
Can you ping that gateway from a PC?
Can you ping anything else past that, like 198.6.1.2 ?
Can you ping your gateway from the ASA? 67.115.20.129
Can you ping that gateway from a PC?
Can you ping anything else past that, like 198.6.1.2 ?
ASKER
OK, but it looks like it removed the acl anyway. Any change in results?
Can you ping your gateway from the ASA? 67.115.20.129
PIng 67.115.20.129 using Interface (outside)
Results :
Type escape sequence to abort.
sending 5, 100-byte ICMP Echos to 67.115.20.129, timeout is 2 seconds:
!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10ms
Can you ping that gateway from a PC?
1st PC settings
IP address: 10.9.0.2
subnet: 255.255.255.0
gateway: 10.9.0.1
DNS: 10.9.0.1
Ping to 10.9.0.1 (GOOD)
browse to www.msn.com (NOT GOOD)
2nd PC settings (managment card)
IP address: 192.168.1.2
subnet: 255.255.255.0
gateway: 192.168.1.1
DNS: 192.168.1.1
ping to 192.168.1.1 (GOOD)
browse to www.msn.com (NOT GOOD)
Can you ping anything else past that, like 198.6.1.2 ?
PC1 NO
PC2 NO
Can you ping your gateway from the ASA? 67.115.20.129
PIng 67.115.20.129 using Interface (outside)
Results :
Type escape sequence to abort.
sending 5, 100-byte ICMP Echos to 67.115.20.129, timeout is 2 seconds:
!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10ms
Can you ping that gateway from a PC?
1st PC settings
IP address: 10.9.0.2
subnet: 255.255.255.0
gateway: 10.9.0.1
DNS: 10.9.0.1
Ping to 10.9.0.1 (GOOD)
browse to www.msn.com (NOT GOOD)
2nd PC settings (managment card)
IP address: 192.168.1.2
subnet: 255.255.255.0
gateway: 192.168.1.1
DNS: 192.168.1.1
ping to 192.168.1.1 (GOOD)
browse to www.msn.com (NOT GOOD)
Can you ping anything else past that, like 198.6.1.2 ?
PC1 NO
PC2 NO
ASKER
Let me tell you the device layout
AT&T gave us a Cisco router ( cisco 2600) I don't have access to that router but it's just a point to point.
AT&T cisco router goes to 8 port Switch (DMZ zone)
from switch (DMZ) port 1 goes to Sonic wall (PUBLIC IP 66.120.127.3)
from switch (DMZ) port 2 goes to CISCO 5510 ASA (PUBLIC IP 67.155.20.130)
We have two blocks of IP from AT&T
66.120.127.0/26
67.115.20.128/25
Why I have 2 firewall after DMZ switch? as soon Cisco 5510 starts working I will remove sonic wall and the cisco 5510 will replace sonicwall.
Does 67.115.20.130 works? Yes it does work because I plug in a stand alone computer on the DMZ zone before the sonic wall and cisco firewall and I configure the network card from my pc and it works I can go out using that public IP.
AT&T gave us a Cisco router ( cisco 2600) I don't have access to that router but it's just a point to point.
AT&T cisco router goes to 8 port Switch (DMZ zone)
from switch (DMZ) port 1 goes to Sonic wall (PUBLIC IP 66.120.127.3)
from switch (DMZ) port 2 goes to CISCO 5510 ASA (PUBLIC IP 67.155.20.130)
We have two blocks of IP from AT&T
66.120.127.0/26
67.115.20.128/25
Why I have 2 firewall after DMZ switch? as soon Cisco 5510 starts working I will remove sonic wall and the cisco 5510 will replace sonicwall.
Does 67.115.20.130 works? Yes it does work because I plug in a stand alone computer on the DMZ zone before the sonic wall and cisco firewall and I configure the network card from my pc and it works I can go out using that public IP.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN Interface
nameif Outside
security-level 0
ip address 67.115.20.130 255.255.255.128
ospf cost 10
!
interface Ethernet0/1
description LAN Interface
nameif Inside
security-level 100
ip address 10.9.0.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 68.94.156.1
name-server 151.164.1.6
name-server 68.94.157.1
name-server 204.60.203.190
domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 67.115.
20.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
static (Inside,Inside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 10.9.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47e78117519