Solved

ASA 5510 initial Setup

Posted on 2008-06-21
Last Modified: 2013-11-16
I'm having some trouble with the initial setup of a Cisco ASA 5510. I'm unable to get the inside interface access to anything outside. My first goal was to simply be able to browse the internet from the inside, but I've had no luck. Any help would be greatly appreciated.


here's the config:




: Saved
: Written by enable_15 at 07:02:59.603 UTC Sat Jun 21 2008
!
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.pieceofjunk.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.2.10.1 255.255.255.0
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 192.168.168.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.pieceofjunk.com
same-security-traffic permit inter-interface
access-list icmp_ping extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (inside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group icmp_ping in interface inside
access-group icmp_ping in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.168.168 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 10.2.10.100-10.2.10.150 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1d7a24930bced5a4ee33f59c539bc92e
ciscoasa(config)#

Question by:jared_barnes
 
LVL 7

Accepted Solution

by:
naughton earned 100 total points
ID: 21839088
try:

global (outside) 1 192.168.168.100-192.168.168.200
nat (inside) 1 10.2.10.0 255.255.255.0

The global can be a single address or a range, depending on your needs.
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 400 total points
ID: 21844964
There should not be anything wrong with

global (inside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0


However, is the router IP address in your route statement correct?

route outside 0.0.0.0 0.0.0.0 192.168.168.168 1


Also, here's a big problem:

access-group icmp_ping in interface inside


This means allow only an echo reply outbound - this is why nothing is working, my friend.

Issue the following commands:

no access-group icmp_ping in interface inside
no access-group icmp_ping in interface inside
write mem
clear xlate

then retry :)

Pete


 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 400 total points
ID: 21844972
oops

I meant


no access-group icmp_ping in interface inside
access-list icmp_ping extended permit icmp any any echo-reply
write mem
clear xlate

then retry

LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 400 total points
ID: 21844981
Jesus, I can't type! :( Prefix the second command with a "no" to remove it:

no access-list icmp_ping extended permit icmp any any echo-reply
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 400 total points
ID: 21845002
Basically you only allowed ping replies outbound - once you apply an ACL to an interface (in this case, the inside interface) you DENY all other traffic.
With no ACLs applied to the interface, traffic will flow outbound, because the inside interface is more trusted than the outside one (look at your security rating for the interfaces: inside=100, outside=0).

To make pings work you can remove the other ACLs and access-group commands and simply enter the following commands:

policy-map global_policy
class inspection_default
inspect icmp

Then it will statefully inspect ICMP traffic, and you don't need to allow ICMP back in again; the firewall will sort that out for you securely :)
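To make the implicit-deny behaviour described above mechanical, here is an added Python check (not from the original thread or from Cisco) that parses the relevant ASA 7.x lines and flags any higher-security interface whose inbound ACL permits nothing but ICMP echo-reply, so every other outbound flow hits the implicit deny. The sample config is constructed from the lines of the question; the regexes assume the "access-list NAME extended ..." and "access-group NAME in interface IFACE" syntax shown there.

```python
import re

# Constructed sample mirroring the relevant lines of the question's config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 security-level 100
interface Ethernet0/1
 nameif outside
 security-level 0
access-list icmp_ping extended permit icmp any any echo-reply
access-group icmp_ping in interface inside
access-group icmp_ping in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse(config):
    """Collect ACL entries, access-group bindings and interface security levels."""
    acls, bindings, seclevel, cur = {}, {}, {}, None
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if m:
            # (action, protocol, remainder) per access-list entry
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
            continue
        m = GROUP_RE.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
        elif line.startswith(" nameif "):
            cur = line.split()[1]
        elif line.startswith(" security-level ") and cur:
            seclevel[cur] = int(line.split()[1])
    return acls, bindings, seclevel


def find_blocked_interfaces(config):
    """Interfaces that lose their default outbound permit to an ACL
    permitting only ICMP echo-reply (everything else hits the implicit deny)."""
    acls, bindings, seclevel = parse(config)
    blocked = []
    for iface, name in bindings.items():
        permits = [e for e in acls.get(name, []) if e[0] == "permit"]
        only_echo_reply = all(e[1] == "icmp" and e[2].endswith("echo-reply") for e in permits)
        # Only a higher-security interface had an implicit outbound permit to lose.
        if only_echo_reply and seclevel.get(iface, 0) > 0:
            blocked.append(iface)
    return sorted(blocked)
```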
 

Author Closing Comment

by:jared_barnes
ID: 31469420
Thanks for your help!
 
LVL 57

Expert Comment

by:Pete Long
ID: 21865097
ThanQ