Solved

Cisco ASA 5505 cannot go internet

Posted on 2007-12-01
Last Modified: 2010-08-05
I tried to set up the Cisco ASA 5505 (Version 7.2(3)) at my own office. I have 2 VLANs, one for outside, one for inside. After I have set it up, I still cannot get on the internet; could anyone help?

ASA Version 7.2(3)
!
hostname asa
domain-name domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.201.202.203 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.com
object-group service dyanmictcp tcp-udp
 port-object eq www
object-group service dynamictcp tcp
 port-object range 1 65535
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq www
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq https
access-list outside_access_in extended permit tcp any eq pptp host 192.168.1.5 eq pptp
access-list outside_access_in extended permit gre any host 192.168.1.5
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.9 eq smtp
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq https
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 200.201.202.203 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.201.202.203 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.201.202.203 smtp 192.168.1.9 smtp netmask 255.255.255.255  dns
static (inside,outside) 200.201.202.203 192.168.1.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4938d5954799633e9acde831a91f4138
: end
Question by:vvii

17 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20390612
Have you made sure that you gave the command "no shutdown" for all VLAN interfaces?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20390970
Start by disabling the acl on the inside interface..

  no access-group inside_access_in in interface inside

Then check output of "show interface" to make sure both inside and outside are up/up and traffic counters in/out are increasing.

Then add this to allow icmp for testing

policy-map global_policy
 class inspection_default
  inspect icmp

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20391082
:)
you have no default route for outside

route outside 0.0.0.0 0.0.0.0 200.201.202.x

Regards
0
 

Author Comment

by:vvii
ID: 20391471
I am using the ASDM; how can you set a default route?

I am not sure if the following code is correct, I don't think dynamictcp is necessary:

object-group service dynamictcp tcp
 port-object range 1 65535
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq www
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq https
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20391732
Nope, delete them, they have no use since you specified
access-list inside_access_in extended permit tcp any any eq www

All you have to do is add a default route. But first, you should learn the gateway for the outside 200.201.202.x network. Then in ASDM, click Configuration, and in the left pane click Routing. Under Static Routes, click Add. Type 0.0.0.0 as IP and 0.0.0.0 as netmask. Set options to none, set metric 1 and add the gateway IP of the 200.201.202.x network as the gateway IP.

Regards
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20392010
Nice catch, MrH!
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20392363
Thanks Les :)
0
 

Author Comment

by:vvii
ID: 20392901
I am getting the following syslog message:

Deny tcp src outside 24.243.234.54/32337 dst inside 200.201.202.204 /25 by access_group "outside_access_in" [0x0, 0x0]

200.201.202.204 is my exchange server (192.168.1.5), which is supposed to accept smtp.

One question: in NAT, I have already done the following:

Real address - inside 192.168.1.5/255.255.255.255
Static translation - outside 200.201.202.204
Enable PAT - tcp https (original port) to https (translated port)

Is there still a need for an Access Rule? I currently added:

Interface: inside
Direction: incoming
Action: Permit
Source: any
Dest: any
Protocol: tcp
(source port) Service = http
(dest port) Service = http

I am not sure if this is correct; should I change the Dest to inside and, for the source port service, change to service = any?

Please advise
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20394188
Yes you still need ACL.

access-list outside_access_in permit tcp any interface outside eq smtp

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20394923
>Enable PAT - tcp https (orginal port) to https (translated port)
You also need tcp smtp (original) to smtp (translated)

>(source port) Service = http  <== source is "any" from outside
>(dest port) Service = http  <== destination matches the acl - https, smtp

0
 

Author Comment

by:vvii
ID: 20395617
hey MrHusy, when you said "access-list outside_access_in permit tcp any interface outside eq smtp", what is the dest and (source port) Service?

Interface: outside
Direction: incoming
Action: Permit
Source: any
Dest: ????
Protocol: tcp
(source port) Service = ????
(dest port) Service = smtp

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20395841
source port=any
  for destination IP, on type section click the drop-down menu and choose interface, then choose outside interface
0
 

Author Comment

by:vvii
ID: 20403771
Please advise if the access-lists that I have changed are correct:

access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any eq pptp host 192.168.1.5 eq pptp (this should go to 192.168.1.5 only)
access-list outside_access_in extended permit gre any host 192.168.1.5
access-list outside_access_in extended permit tcp any host 192.168.1.9 eq smtp (this should go to 192.168.1.9 only)

access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit tcp any any eq smtp
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20403929
Hi vvii
   The issue is getting out of the boundaries of your original question. Please open a new question for a different issue. For your Exchange issue, I see that 204 is not your interface IP; all you need is the following commands.

static (inside, outside) 192.168.1.5 201.202.203.204 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 201.202.203.204 eq smtp

    Please double-check and decide which IP is the Exchange server. You say that 1.5 is your Exchange, but your statics and ACLs show 192.168.1.9. You say that 201.202.203.204 points to Exchange, but your static shows 200.201.202.203

static (inside,outside) tcp 200.201.202.203 smtp 192.168.1.9 smtp netmask 255.255.255.255  
access-list outside_access_in extended permit tcp any host 192.168.1.9 eq smtp (this should go to 192.168.1.9 only)

   Remember, you cannot specify inside addresses in an ACL which is grouped to the outside interface unless NAT exemption exists. So your outside_access_in ACLs which contain 192.168.1.x are all incorrect and useless.

Regards
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 1500 total points
ID: 20403945
Correction:
static (inside, outside)  201.202.203.204 192.168.1.5 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 201.202.203.204 eq smtp

If your Exchange server is 1.5 and the outside IP for Exchange is 203.204, the above is what you need. If you say that 1.9 is your Exchange, then just change 5 to 9 and apply the same ACLs.

0
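As an added example (not from this thread, from Cisco or from Experts Exchange), here are the checks the experts apply by eye above, written as a small Python lint over a pasted ASA 7.x configuration: a missing "route outside 0.0.0.0 0.0.0.0" default route, outside_access_in entries that name pre-NAT inside addresses, source-port object-groups in ACEs (the dynamictcp lines), and a static whose translated address has no permitting ACE on the outside interface. The two sample configurations are constructed from the addresses in the question (the 200.201.202.201 gateway is a placeholder, not a value from the page); the parser only understands the any, host, interface, object-group and network/mask address forms used in this thread, and lint, parse_config and the finding codes are names of my own.

```python
import ipaddress
import re

# Constructed samples modelled on the question's configuration, trimmed to the lines that matter here.
# 200.201.202.201 in FIXED_CONFIG is a constructed placeholder for the ISP gateway (not on the page).
OUTSIDE = "interface Vlan2\n nameif outside\n ip address 200.201.202.203 255.255.255.248\n"
BROKEN_CONFIG = OUTSIDE + """\
object-group service dynamictcp tcp
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq www
access-list outside_access_in extended permit tcp any host 200.201.202.203 eq https
access-list outside_access_in extended permit gre any host 192.168.1.5
static (inside,outside) tcp 200.201.202.203 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.201.202.203 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.201.202.204 192.168.1.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""
FIXED_CONFIG = OUTSIDE + """\
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit udp any host 200.201.202.204 eq domain
static (inside, outside) tcp 200.201.202.203 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.201.202.203 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.201.202.204 192.168.1.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.201.202.201 1
"""

def _addr(tok, i):  # consume one address spec: any | host X | interface X | object-group X | NET MASK
    if tok[i] == "any":
        return ("any", None), i + 1
    kind = tok[i] if tok[i] in ("host", "interface", "object-group") else "net"
    return (kind, tok[i + 1] if kind != "net" else tok[i] + "/" + tok[i + 1]), i + 2

def _port(tok, i, groups):  # consume an optional port spec: eq P | range A B | object-group SERVICEGROUP
    w = tok[i] if i < len(tok) else None
    if w == "eq":
        return ("eq", tok[i + 1]), i + 2
    if w == "range":
        return ("range", tok[i + 1], tok[i + 2]), i + 3
    if w == "object-group" and tok[i + 1] in groups:
        return ("group", tok[i + 1]), i + 2
    return None, i

def parse_config(text):  # collect outside IP, default route, statics, permit ACEs and ACL bindings
    cfg = {"outside_ip": None, "default_route": False, "statics": [], "aces": [], "acl_iface": {}}
    groups, nameif = set(), None
    for raw in filter(str.strip, text.splitlines()):
        line = re.sub(r"\(\s*(\w+)\s*,\s*(\w+)\s*\)", r"(\1,\2)", raw.strip())  # "(inside, outside)" -> "(inside,outside)"
        tok = line.split()
        if tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif == "outside":
            cfg["outside_ip"] = tok[2]
        elif tok[:2] == ["object-group", "service"]:
            groups.add(tok[2])  # ASA writes object-groups before the ACLs that reference them
        elif tok[:4] == ["route", "outside", "0.0.0.0", "0.0.0.0"]:
            cfg["default_route"] = True
        elif tok[0] == "static" and tok[2] in ("tcp", "udp"):  # port static: tcp GLOBAL GPORT LOCAL LPORT
            cfg["statics"].append({"proto": tok[2], "global": tok[3], "gport": tok[4], "line": line})
        elif tok[0] == "static":  # one-to-one static: GLOBAL LOCAL netmask MASK
            cfg["statics"].append({"proto": "ip", "global": tok[2], "gport": None, "line": line})
        elif tok[0] == "access-list" and "permit" in tok:
            proto = tok[tok.index("permit") + 1]
            _src, i = _addr(tok, tok.index("permit") + 2)
            sport, i = _port(tok, i, groups)
            dst, i = _addr(tok, i)
            dport, _ = _port(tok, i, groups)
            cfg["aces"].append({"acl": tok[1], "proto": proto, "sport": sport, "dst": dst, "dport": dport, "line": line})
        elif tok[0] == "access-group":  # access-group NAME in interface IFACE
            cfg["acl_iface"][tok[1]] = tok[-1]
    return cfg

def _ace_covers(ace, st, outside_ip):
    """True if the outside ACE permits traffic to the static's translated (global) address and port."""
    kind, val = ace["dst"]
    if not (kind == "any" or (kind == "host" and val == st["global"])
            or (kind == "interface" and val == "outside" and st["global"] == outside_ip)):
        return False
    if st["proto"] != "ip" and ace["proto"] not in ("ip", st["proto"]):
        return False
    return st["gport"] is None or ace["dport"] is None or ace["dport"] == ("eq", st["gport"])

def lint(text):
    """Return (code, detail) findings; an empty list means none of the checked mistakes is present."""
    cfg, out = parse_config(text), []
    if not cfg["default_route"]:
        out.append(("NO_DEFAULT_ROUTE", "add: route outside 0.0.0.0 0.0.0.0 <ISP gateway>"))
    aces = [a for a in cfg["aces"] if cfg["acl_iface"].get(a["acl"]) == "outside"]
    for ace in aces:
        kind, val = ace["dst"]
        if kind == "host" and ipaddress.ip_address(val).is_private:  # pre-NAT address in the outside ACL
            out.append(("INSIDE_ADDR_ON_OUTSIDE_ACL", f"use the global address, not {val}: {ace['line']}"))
        if ace["sport"] is not None:  # client source ports are arbitrary; restricting them has no use
            out.append(("SOURCE_PORT_RESTRICTION", f"drop {ace['sport']}: {ace['line']}"))
    for st in cfg["statics"]:
        if not any(_ace_covers(a, st, cfg["outside_ip"]) for a in aces):
            out.append(("STATIC_WITHOUT_ACE", f"nothing permits inbound traffic to {st['global']}: {st['line']}"))
    return out

if __name__ == "__main__":
    print(*lint(BROKEN_CONFIG), *lint(FIXED_CONFIG), sep="\n")
```

Run it as a script to see the six findings for the broken sample and none for the fixed one; to check a real device, paste the output of "show running-config" into lint(). The static-to-ACE check deliberately treats a static with no permitting ACE as a finding even when the static itself is fine, because that is exactly the "Deny tcp ... by access_group outside_access_in" syslog the author saw.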
 

Author Comment

by:vvii
ID: 20406176
This is what we have in our network:

201.202.203.204 as the public IP for our cisco asa
201.202.203.205 as the public IP for our DNS
201.202.203.206 as the public IP for our exchange and VPN

192.168.1.1 as the private IP for our cisco asa
192.168.1.3 as the public IP for our DNS
192.168.1.5 as the public IP for our exchange and VPN
192.168.1.9 is a static IP for our mail filter server

Email should go to 192.168.1.9 then pass on to 192.168.1.5 to forward the email to our internal users.
0
 

Author Comment

by:vvii
ID: 20437535
Let me rephrase my current problem:
My overall network:

DSL modem (200.0.0.169/29), which connects to the ASA outside VLAN2 (200.0.0.170/29), which then connects to the ASA inside VLAN1 (192.168.1.1/24)

200.0.0.169/29 is the public IP for my DSL modem
200.0.0.170/29 is the public IP for my cisco ASA (LAN IP: 192.168.1.1/24)
200.0.0.171/29 is the public IP for my exchange and VPN - vpn.mydomain.com (LAN IP: 192.168.1.5/24)
200.0.0.172/29 is the public IP for my DNS, DHCP (LAN IP: 192.168.1.3/24)
192.168.1.9/24 is a static IP for our MAIL FILTER server

Email should go to 192.168.1.9 then pass on to 192.168.1.5 to forward the email to our internal users.

Problem:
1) Can send email out, but cannot receive email
2) Cannot access Outlook Web Access from the internet
3) For VPN access, users can VPN into our network if they use the 200.0.0.172 instead of 200.0.0.171, and I have to change the following 2 access-list:

access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
TO
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.172 eq pptp

access-list outside_access_in extended permit gre any host 200.0.0.171
TO
access-list outside_access_in extended permit gre any host 200.0.0.172

But we would like to allow users to VPN into the network with 200.0.0.171

ASA Version 7.2(1)
!
hostname asa5505
domain-name mydoamin.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.0.0.170 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan25
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.com
dns server-group DefaultDNSsunrpc
object-group service dynamictcp tcp
 port-object range 1024 65535
object-group service timetcp udp
 port-object eq ntp
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq www
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq smtp
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq https
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 24
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 3389
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 8080
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 3550
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 4550
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 5550
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 6550
access-list inside_access_in extended permit tcp any object-group dynamictcp any range pcanywhere-data 5632
access-list inside_access_in extended permit tcp any any range 2189 2196
access-list inside_access_in extended permit tcp any any eq 2086
access-list inside_access_in extended permit udp host 192.168.1.6 any
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 2082
access-list inside_access_in extended permit udp any any object-group timetcp
access-list inside_access_in extended permit udp any any eq 5061
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 5066
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 1433
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 4899
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.112.47.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
!
 
!
class-map inspection_
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8953b2244e76ef27047d3b5ee4e1c2db
: end
