  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 710

Cisco ASA 5510 config issue 8.0(2) - No internet traffic

Hello,

I'm trying to configure a Cisco ASA 5510 so the inside clients can access the web.

The setup is an ADSL2+ connection --> Cisco 877 in full bridge mode --> Cisco ASA 5510

I can ping the internal PCs, I can ping the gateway IP, but I can't ping the outside world or access the web.

Here is my config:

--------------------------------------------------------------------------------------
!
ASA Version 8.0(2)
!
hostname FIREWALL
domain-name TEST.COM
enable password AAAAAAAAAAAAAAAAA encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address aaa.aaa.aaa.aaa 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd AAAAAAAAAAAAAAA encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name TEST.COM
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:57f86d842dcccb502adfbf5961315320
: end
--------------------------------------------------------------------------------------

Thanks for the help.
Asked by joe90kane

1 Solution
InteraX commented:
Hello joe90kane,

You don't have any ACL on the outside interface. As ICMP is a connectionless protocol, you need to allow the ICMP echo-reply traffic back through the firewall.

Try the following.
access-list OutsideIn extended permit icmp any any echo-reply
access-group OutsideIn in interface outside

Regards,

InteraX

InteraX commented:
Hold on. You can ping the inside and gateway from the firewall, yes? Can you ping the firewall from the inside? Can you ping the firewall from the gateway?
I don't know if Cisco have changed the default settings, but have you tried creating an ACL from the inside allowing your DNS servers to send DNS requests out, then allowing any inside host to access HTTP and HTTPS?

joe90kane (Author) commented:
Thanks Guys, got it working - turned out to be the wrong Route and a loose connection on the 877 :-)

I now have a related issue.

I have 2 ASA's

ASA1 + 4mb leased line (7 VPNs all connect back to head office)

subnets of sites are 192.168.1.*** / 2.*** / 3.*** / 4.*** / 5.***/ 6.*** / 7.***

------------

ASA2 + 4mb ADSL2+ (simply the config above)

------------

I use a squid proxy server on Debian. If I change the gateway on the proxy to ASA2, all my sites can't access the web?

How can I enable traffic from ASA1 to ASA2 for all sites?

Thanks,



InteraX commented:
joe90kane,

You need to setup routing on the gateway to route traffic to the sites via ASA1 and a default route via ASA2. Sounds like a new question though. ;-)

InteraX
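The routing InteraX describes (site subnets via ASA1, default via ASA2) as it would be set up on the Debian squid box, written as an added example that is not part of the original thread. It assumes ASA1 is 192.168.1.253 and ASA2 is 192.168.1.252 (the posted config gives the ADSL ASA an inside address of 192.168.1.252, and the author lists .253 and .252 as the two ASAs), that the site subnets are 192.168.2.0/24 through 192.168.7.0/24 as listed in the thread, and that the proxy sits on 192.168.1.0/24. The script prints the iproute2 commands by default and only changes the routing table when run with `--apply`; `next_hop_for` is a small offline check of which ASA a given destination would leave through.

```shell
#!/bin/sh
# Added example (not from the original thread): static routes on the Debian
# squid proxy so the seven VPN site subnets go via ASA1 (leased line / VPN hub)
# and everything else goes via ASA2 (ADSL2+).
# Assumptions: ASA1 = 192.168.1.253, ASA2 = 192.168.1.252 (the posted config
# shows inside 192.168.1.252 on the ADSL ASA), site subnets 192.168.2.0/24 ..
# 192.168.7.0/24 as listed in the thread, proxy on the local 192.168.1.0/24.

ASA1=192.168.1.253   # VPN hub, leased line: reaches the remote sites
ASA2=192.168.1.252   # ADSL2+: default route to the internet
LOCAL_NET=192.168.1.0/24
SITE_NETS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24"

# Emit the iproute2 commands, one per line. 'replace' makes the script
# idempotent: re-running it does not fail if the route already exists.
gen_routes() {
    for net in $SITE_NETS; do
        echo "ip route replace $net via $ASA1"
    done
    echo "ip route replace default via $ASA2"
}

# Pure-shell lookup of the next hop for a dotted-quad destination, so the
# intended policy can be checked without touching the kernel routing table.
# Prints the ASA address, or "direct" for a host on the local /24.
next_hop_for() {
    dst=$1
    prefix=${dst%.*}                 # e.g. 192.168.3.17 -> 192.168.3
    if [ "$prefix" = "${LOCAL_NET%.0/24}" ]; then
        echo "direct"
        return 0
    fi
    for net in $SITE_NETS; do
        if [ "${net%.0/24}" = "$prefix" ]; then
            echo "$ASA1"
            return 0
        fi
    done
    echo "$ASA2"
}

if [ "$1" = "--apply" ]; then
    # Apply each generated command; requires root.
    gen_routes | while read -r cmd; do
        sh -c "$cmd" || exit 1
    done
else
    gen_routes
fi
```

Run it once without arguments to review the commands, then with `--apply` as root. To make the routes survive a reboot on Debian, the same `ip route replace ...` lines can be added as `up` directives under the interface stanza in `/etc/network/interfaces`. After applying, `ip route get 192.168.3.1` should show 192.168.1.253 as the next hop and `ip route get 8.8.8.8` should show 192.168.1.252.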
 
joe90kane (Author) commented:
The 2 ASA's are 192.168.1.253 & 252