Solved

Cisco ASA 5505 cannot go internet

Posted on 2007-12-01
17 Comments, 618 Views
Last Modified: 2010-08-05
I tried to set up the Cisco ASA 5505 (Version 7.2(3)) at my own office. I have 2 VLANs, one for outside, one for inside. After I have set it up, I still cannot get on the internet. Could anyone help?

ASA Version 7.2(3)
!
hostname asa
domain-name domain.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.201.202.203 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.com
object-group service dyanmictcp tcp-udp
 port-object eq www
object-group service dynamictcp tcp
 port-object range 1 65535
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq www
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq https
access-list outside_access_in extended permit tcp any eq pptp host 192.168.1.5 eq pptp
access-list outside_access_in extended permit gre any host 192.168.1.5
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.9 eq smtp
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq https
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 200.201.202.203 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.201.202.203 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.201.202.203 smtp 192.168.1.9 smtp netmask 255.255.255.255  dns
static (inside,outside) 200.201.202.203 192.168.1.3 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4938d5954799633e9acde831a91f4138
: end
0
Question by:vvii
17 Comments
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 20390612
Have you made sure that you gave the command "no shutdown" for all VLAN interfaces?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20390970
Start by disabling the ACL on the inside interface.

  no access-group inside_access_in in interface inside

Then check output of "show interface" to make sure both inside and outside are up/up and traffic counters in/out are increasing.

Then add this to allow icmp for testing

policy-map global_policy
 class inspection_default
  inspect icmp

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20391082
:)
You have no default route for outside.

route outside 0.0.0.0 0.0.0.0 200.201.202.x

Regards
0
 

Author Comment

by:vvii
ID: 20391471
I am using the ASDM; how can you set a default route?

I am not sure if the following code is correct. I don't think dynamictcp is necessary:

object-group service dynamictcp tcp
 port-object range 1 65535
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq www
access-list outside_access_in extended permit tcp any object-group dynamictcp host 192.168.1.5 eq https
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20391732
Nope, delete them, they have no use since you specified
access-list inside_access_in extended permit tcp any any eq www

All you have to do is add a default route. But first, you should learn the gateway for the outside 200.201.202.x network. Then in ASDM, click Configuration, and in the left pane click Routing. Under Static Routes, click Add. Type 0.0.0.0 as IP and 0.0.0.0 as netmask. Set options to none, set metric 1, and add the gateway IP of the 200.201.202.x network as the gateway IP.

Regards
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20392010
Nice catch, MrH!
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20392363
Thanks Les :)
0
 

Author Comment

by:vvii
ID: 20392901
I am getting the following syslog message:

Deny tcp src outside 24.243.234.54/32337 dst inside 200.201.202.204 /25 by access_group "outside_access_in" [0x0, 0x0]

200.201.202.204 is my Exchange server (192.168.1.5), which is supposed to accept SMTP.

One question: in NAT, I have already done the following:

Real address - inside 192.168.1.5/255.255.255.255
Static translation - outside 200.201.202.204
Enable PAT - tcp https (original port) to https (translated port)

Is there still a need for an Access Rule? I currently added:

Interface: inside
Direction: incoming
Action: Permit
Source: any
Dest: any
Protocol: tcp
(source port) Service = http
(dest port) Service = http

I am not sure if this is correct. Should I change the Dest to inside and, for the source port service, change to service = any?

Please advise
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20394188
Yes you still need ACL.

access-list outside_access_in permit tcp any interface outside eq smtp

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20394923
>Enable PAT - tcp https (original port) to https (translated port)
You also need tcp smtp (original) to smtp (translated)

>(source port) Service = http  <== source is "any" from outside
>(dest port) Service = http  <== destination matches the acl - https, smtp

0
 

Author Comment

by:vvii
ID: 20395617
hey MrHusy, when you said "access-list outside_access_in permit tcp any interface outside eq smtp", what is the dest and (source port) Service?

Interface: outside
Direction: incoming
Action: Permit
Source: any
Dest: ????
Protocol: tcp
(source port) Service = ????
(dest port) Service = smtp

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20395841
source port=any
  for destination IP, on type section click the drop-down menu and choose interface, then choose outside interface
0
 

Author Comment

by:vvii
ID: 20403771
Please advise if the access-lists that I have changed are correct:

access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any eq pptp host 192.168.1.5 eq pptp (this should go to 192.168.1.5 only)
access-list outside_access_in extended permit gre any host 192.168.1.5
access-list outside_access_in extended permit tcp any host 192.168.1.9 eq smtp (this should go to 192.168.1.9 only)

access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit tcp any any eq smtp
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
ID: 20403929
Hi vvii
   The issue is going beyond the boundaries of your original question. Please open a new question for a different issue. For your Exchange issue, I see that 204 is not your interface IP; all you need is the following commands.

static (inside, outside) 192.168.1.5 201.202.203.204 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 201.202.203.204 eq smtp

    Please double-check and decide which IP is the Exchange server. You say that 1.5 is your Exchange, but your statics and ACLs show 192.168.1.9. You say that 201.202.203.204 points to Exchange, but your static shows 200.201.202.203

static (inside,outside) tcp 200.201.202.203 smtp 192.168.1.9 smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.168.1.9 eq smtp (this should go to 192.168.1.9 only)

   Remember, you cannot specify inside addresses in an ACL which is grouped to the outside interface unless NAT exemption exists. So your outside_access_in ACLs which contain 192.168.1.x are all incorrect and useless.

Regards
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 20403945
Correction:
static (inside, outside)  201.202.203.204 192.168.1.5 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 201.202.203.204 eq smtp

If your Exchange server is 1.5 and the outside IP for Exchange is 203.204, the above is what you need. If 1.9 is your Exchange, then just change 5 to 9 and apply the same ACLs.

0
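The rule MrHusy states in the two comments above (on a pre-8.3 ASA, an ACL applied to the outside interface is matched against the translated address, so entries naming 192.168.1.x never hit) can be checked mechanically. The script below is an added example, not code from any poster; it takes the static and outside_access_in lines from this thread as a constructed sample and reports outside ACL entries that name an untranslated inside address, plus port-forward statics that have no matching permit.

```python
import re

# Constructed sample: statics and outside ACL lines taken from this thread
# (pre-8.3 syntax: "static (inside,outside) [proto] GLOBAL [GPORT] REAL [RPORT] netmask ...").
SAMPLE_CONFIG = """
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host 192.168.1.9 eq smtp
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
"""


def parse_statics(lines):
    """Return (real_to_global, port_forwards) from 'static (inside,outside) ...' lines."""
    real_to_global, forwards = {}, []
    for line in lines:
        # Tolerate the "(inside, outside)" spelling that appears in the thread.
        t = re.sub(r"\(\s*inside\s*,\s*outside\s*\)", "(inside,outside)", line).split()
        if len(t) < 4 or t[0] != "static" or t[1] != "(inside,outside)":
            continue
        if t[2] in ("tcp", "udp"):          # port forward: proto GLOBAL GPORT REAL RPORT
            proto, gip, gport, rip = t[2], t[3], t[4], t[5]
            forwards.append((proto, gip, gport, rip))
        else:                               # one-to-one static: GLOBAL REAL
            gip, rip = t[2], t[3]
        real_to_global.setdefault(rip, gip)
    return real_to_global, forwards


def parse_acl(lines, name):
    """Return (proto, dest_host, dest_port) for permit entries of ACL <name> with a host destination."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name or "permit" not in t:
            continue
        proto = t[t.index("permit") + 1]
        if "host" in t:
            host = t[t.index("host") + 1]
            rest = t[t.index("host") + 2:]          # only the destination-port part
            port = rest[rest.index("eq") + 1] if "eq" in rest else None
            entries.append((proto, host, port))
    return entries


def audit(config, acl_name="outside_access_in"):
    """Findings: ACL entries that name a real (inside) address, and forwards with no permit."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    real_to_global, forwards = parse_statics(lines)
    acl = parse_acl(lines, acl_name)
    findings = []
    for proto, host, port in acl:
        if host in real_to_global:      # real address on the outside ACL never matches
            findings.append(f"{acl_name}: host {host} is a real (inside) address; "
                            f"use its translated address {real_to_global[host]}")
    permitted = {(p, h, pt) for p, h, pt in acl}
    for proto, gip, gport, rip in forwards:
        if (proto, gip, gport) not in permitted:
            findings.append(f"{acl_name}: no entry permits {proto}/{gport} to {gip} "
                            f"(forwarded to {rip})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample this reports the 192.168.1.9 entry as unusable and the SMTP forward to 200.0.0.171 as unpermitted, which is exactly the pair of problems the thread converges on.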
 

Author Comment

by:vvii
ID: 20406176
This is what we have in our network:

201.202.203.204 as the public IP for our cisco asa
201.202.203.205 as the public IP for our DNS
201.202.203.206 as the public IP for our exchange and VPN

192.168.1.1 as the private IP for our cisco asa
192.168.1.3 as the public IP for our DNS
192.168.1.5 as the public IP for our exchange and VPN
192.168.1.9 is a static IP for our mail filter server

Email should go to 192.168.1.9 then pass on to 192.168.1.5 to forward the email to our internal users.
0
 

Author Comment

by:vvii
ID: 20437535
Let me rephrase my current problem:
My overall network:

DSL modem (200.0.0.169/29), which is connected to the ASA outside VLAN2 (200.0.0.170/29), which then connects to the ASA inside VLAN1 (192.168.1.1/24)

200.0.0.169/29 is the public IP for my DSL modem
200.0.0.170/29 is the public IP for my cisco ASA (LAN IP: 192.168.1.1/24)
200.0.0.171/29 is the public IP for my exchange and VPN - vpn.mydomain.com (LAN IP: 192.168.1.5/24)
200.0.0.172/29 is the public IP for my DNS, DHCP (LAN IP: 192.168.1.3/24)
192.168.1.9/24 is a static IP for our MAIL FILTER server

Email should go to 192.168.1.9 then pass on to 192.168.1.5 to forward the email to our internal users.

Problem:
1) Can send email out, but cannot receive email
2) Cannot access Outlook Web Access from the internet
3) For VPN access, users can VPN into our network if they use the 200.0.0.172 instead of 200.0.0.171, and I have to change the following 2 access-list:

access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
TO
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.172 eq pptp

access-list outside_access_in extended permit gre any host 200.0.0.171
TO
access-list outside_access_in extended permit gre any host 200.0.0.172

But we would like to allow users to VPN into the network with 200.0.0.171


ASA Version 7.2(1)
!
hostname asa5505
domain-name mydoamin.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.0.0.170 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan25
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name mydomain.com
dns server-group DefaultDNSsunrpc
object-group service dynamictcp tcp
 port-object range 1024 65535
object-group service timetcp udp
 port-object eq ntp
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq www
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq smtp
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq https
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 24
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 3389
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 8080
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 3550
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 4550
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 5550
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 6550
access-list inside_access_in extended permit tcp any object-group dynamictcp any range pcanywhere-data 5632
access-list inside_access_in extended permit tcp any any range 2189 2196
access-list inside_access_in extended permit tcp any any eq 2086
access-list inside_access_in extended permit udp host 192.168.1.6 any
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 2082
access-list inside_access_in extended permit udp any any object-group timetcp
access-list inside_access_in extended permit udp any any eq 5061
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 5066
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 1433
access-list inside_access_in extended permit tcp any object-group dynamictcp any eq 4899
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq smtp
access-list outside_access_in extended permit tcp any object-group dynamictcp host 200.0.0.171 eq pptp
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 209.112.47.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
!
!
class-map inspection_
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8953b2244e76ef27047d3b5ee4e1c2db
: end


0
