Cisco ASA 5510 config problem- traffic getting out but not in!!

Hi, this is a new question because the previous one wasn't very thorough!

I have set up an ASA 5510 firewall to replace a basic Netgear FVS router, and have tried to mimic the rules it has.

I have set up two outside interfaces, one primary (10mg LES) and one backup ADSL interface; config as follows:

: Saved
:
ASA Version 7.2(3)
!
hostname Ciscoasa
domain-name xxx.COM
enable password tq6dfNC3ZlBOcGgY encrypted
names
name 192.168.2.50 Mailstorm description Exchange Server
name 192.168.2.40 Filestorm description File Server
name 192.168.2.35 Seastorm description FTP Server
name 192.168.2.52 Xarios description Xarios Server
name 192.168.2.9 Sonicwall description Sonicwall_VPN
name 192.168.2.64 Graham description Used for Sales Force
name 192.168.2.69 Chrissy description Chrissy's PC
dns-guard
!
interface Ethernet0/0
 speed 10
 duplex full
 nameif OUTSIDE_PRIMARY
 security-level 0
 ip address 193.x.x.x.250 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1
 nameif OUTSIDE_BACKUP
 security-level 0
 ip address 217.x.x.73 255.255.255.248
 ospf cost 10
!
interface Ethernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup OUTSIDE_PRIMARY
dns domain-lookup OUTSIDE_BACKUP
dns domain-lookup INSIDE
dns server-group DefaultDNS
 domain-name xx.COM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service xmpp_tls tcp
 description Spark
 port-object range 5222 5222
object-group service VPN_8008 tcp
 port-object range 8008 8008
object-group service atrweb tcp
 description ATRWEB
 port-object range 8000 8000
object-group service SMTP_allowed tcp
 description For exchange mail Delivery
 port-object eq smtp
object-group service XARIOS_HTTP tcp
 description XARIOS HTTP
 port-object range 9090 9090
object-group service XARIOS_HTTP_2 tcp
 description XARIOS_HTTP_2
 port-object range 9091 9091
object-group network Exchange_Server
 description Exchange Server
 network-object host Mailstorm
object-group network File_Server
 description File_Server
 network-object host Filestorm
object-group network TH_DCs
 description TH DC's
 network-object host Filestorm
 network-object host Mailstorm
object-group network Irvine_Local
 network-object 192.168.12.0 255.255.255.0
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group xmpp_tls host Filestorm object-group xmpp_tls
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq ftp host Seastorm eq ftp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq pptp host Filestorm eq pptp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group atrweb host Xarios eq www
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group VPN_8008 host Sonicwall eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq www host Seastorm eq www
access-list OUTSIDE_PRIMARY_access_in extended permit tcp host 194.159.181.194 eq https host Sonicwall eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group XARIOS_HTTP host Xarios object-group XARIOS_HTTP
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group XARIOS_HTTP_2 host Graham object-group XARIOS_HTTP_2
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq imap4 host Mailstorm eq imap4
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group xmpp_tls host Filestorm object-group xmpp_tls
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq https host Mailstorm eq https
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq ftp host Seastorm eq ftp
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq pptp host Filestorm eq pptp
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group atrweb host Xarios eq www
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group VPN_8008 host Sonicwall eq https
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq www host Seastorm eq www
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group XARIOS_HTTP host Xarios object-group XARIOS_HTTP
access-list OUTSIDE_BACKUP_access_in extended permit tcp any object-group XARIOS_HTTP_2 host Graham object-group XARIOS_HTTP_2
access-list OUTSIDE_BACKUP_access_in extended permit tcp any eq imap4 host Mailstorm eq imap4
access-list INSIDE_access_in extended permit ip any any
access-list OUTSIDE_PRIMARY_1_cryptomap extended permit ip any any
pager lines 24
logging enable
logging asdm informational
logging host INSIDE Chrissy 6/1470
mtu OUTSIDE_PRIMARY 1500
mtu OUTSIDE_BACKUP 1500
mtu INSIDE 1500
mtu management 1500
no failover
monitor-interface OUTSIDE_PRIMARY
monitor-interface OUTSIDE_BACKUP
monitor-interface INSIDE
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (OUTSIDE_PRIMARY) 1 interface
global (OUTSIDE_BACKUP) 1 interface
global (INSIDE) 1 interface
nat (INSIDE) 1 192.168.2.0 255.255.255.0
static (INSIDE,OUTSIDE_PRIMARY) 193.x.x.250 192.168.2.1 netmask 255.255.255.255
access-group OUTSIDE_PRIMARY_access_in in interface OUTSIDE_PRIMARY
access-group OUTSIDE_BACKUP_access_in in interface OUTSIDE_BACKUP
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE_PRIMARY 0.0.0.0 0.0.0.0 193.x.x.249 1 track 1
route OUTSIDE_BACKUP 0.0.0.0 0.0.0.0 217.x.x.78 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 195.112.2.19 255.255.255.255 OUTSIDE_PRIMARY
http 195.112.2.19 255.255.255.255 OUTSIDE_BACKUP
http 192.168.2.5 255.255.255.255 INSIDE
http 192.168.1.0 255.255.255.0 management
http Chrissy 255.255.255.255 INSIDE
http 192.168.2.68 255.255.255.255 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 193.195.216.249 interface OUTSIDE_PRIMARY
 num-packets 4
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto isakmp enable OUTSIDE_PRIMARY
crypto isakmp enable OUTSIDE_BACKUP
crypto isakmp enable INSIDE
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 195.112.2.19 255.255.255.255 OUTSIDE_PRIMARY
ssh 195.112.2.19 255.255.255.255 OUTSIDE_BACKUP
ssh 192.168.2.68 255.255.255.255 INSIDE
ssh Chrissy 255.255.255.255 INSIDE
ssh 192.168.2.5 255.255.255.255 INSIDE
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth enable
 group-lock none
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username admin password Zn1g.2LlcLd5BGRL encrypted privilege 15
tunnel-group 12.35.202.180 type ipsec-l2l
tunnel-group 12.35.202.180 ipsec-attributes
 pre-shared-key *
smtp-server 192.168.2.50
prompt hostname context
Cryptochecksum:d8f254e85fdf9371c70f304389173337
: end

In short, after much deliberation I can get out on the internet fine on the OUTSIDE_PRIMARY. I can ping the internet and the GW out, but not the interface IP; this is fine though, as ICMP is not allowed by default. On a public connection I can ping it, but I can't get in from outside whatsoever. From my limited knowledge, I have set up the outside_in rules as needed and the inside_in rules to permit any any.

A friend said I shouldn't have to configure the outside_outgoing rules, as high to low security on interfaces is automatically allowed.

So, as nothing gets in, I think I am missing something that should be quite obvious: a NAT or route? I know it denies by default, but I need some traffic allowed in.

Any ideas?

Thanks in advance!
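Two things in the posted config stop inbound traffic on a pre-8.3 ASA like 7.2(3): the single `static` maps the whole public address onto the firewall's own inside address (192.168.2.1) instead of onto the servers, and the inbound ACEs constrain the client's source port (`any eq https`, `any object-group SMTP_allowed`), which a real client never uses, while naming the inside (real) address rather than the mapped one that pre-8.3 inbound ACLs are matched against. The fragment below is an added example of how static PAT (port redirection) on one interface address looks in 7.2 syntax for some of the hosts in the ACL; it is not the accepted solution (which is not shown on this page) and not the asker's config. It keeps the page's anonymised address 193.x.x.250, uses a constructed client address 198.51.100.10 in the verification step, and shows only OUTSIDE_PRIMARY (OUTSIDE_BACKUP takes the equivalent lines with its own interface address).

```cisco
! Drop the one-to-one static that hands the public address to 192.168.2.1.
no static (INSIDE,OUTSIDE_PRIMARY) 193.x.x.250 192.168.2.1 netmask 255.255.255.255
!
! Static PAT: share the OUTSIDE_PRIMARY interface address between the
! inside servers, one line per published TCP port (names are enabled,
! so Mailstorm/Seastorm/Filestorm resolve to the host addresses above).
static (INSIDE,OUTSIDE_PRIMARY) tcp interface smtp Mailstorm smtp netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface https Mailstorm https netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface imap4 Mailstorm imap4 netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface ftp Seastorm ftp netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface www Seastorm www netmask 255.255.255.255
static (INSIDE,OUTSIDE_PRIMARY) tcp interface 5222 Filestorm 5222 netmask 255.255.255.255
!
! Pre-8.3 inbound ACL: match the mapped (public) address as the destination
! and leave the source port unconstrained. Remove the old ACEs that carry a
! source-port match (two shown; the others follow the same pattern).
no access-list OUTSIDE_PRIMARY_access_in extended permit tcp any eq https host Mailstorm eq https
no access-list OUTSIDE_PRIMARY_access_in extended permit tcp any object-group SMTP_allowed host Mailstorm object-group SMTP_allowed
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any host 193.x.x.250 eq smtp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any host 193.x.x.250 eq https
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any host 193.x.x.250 eq imap4
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any host 193.x.x.250 eq ftp
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any host 193.x.x.250 eq www
access-list OUTSIDE_PRIMARY_access_in extended permit tcp any host 193.x.x.250 eq 5222
!
! Verify: the port maps should appear in the xlate table, and a simulated
! inbound SMTP session from a constructed client address should end in ALLOW.
show xlate
packet-tracer input OUTSIDE_PRIMARY tcp 198.51.100.10 40000 193.x.x.250 25
```

Each published port needs both a `static` line and a matching ACE; an ACE without a translation, or a translation without an ACE, leaves that service unreachable from outside.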
ASKER CERTIFIED SOLUTION
batry_boy

ASKER

Thank you so much!!! This is exactly correct and what I was looking for. I was staring at it too long and couldn't see what I had done wrong, as on a previous ASA I had set up I had a DMZ and all hosts were NATed to unique public addresses, so it wasn't difficult; this is one IP (int) used for many, and I got confused with how to break down port redirection.

Thanks for everything- your solution was worth every point.

ASKER

Exactly the answer! Thanks for everything- your solution was worth every point. :)
Glad to assist...