cyberxela asked:
Cisco ASA 5510 NAT

So, I tried to configure this firewall and got to the point where I needed to configure static and dynamic NATing. This is my first time trying to configure a firewall, and unfortunately I can't get the local LAN to go out to the internet. Can someone guide me please?

: Saved
:
ASA Version 7.0(6)
!
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.66 255.255.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxxxxx
ftp mode passive
dns domain-lookup outside
dns name-server xxx.xx.29.12
dns name-server xxx.xx.30.12
access-list inside_access_out extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_access_out extended permit ip host 158.96.1.194 any
access-list inside_access_out extended permit ip host 158.96.3.195 any
access-list inside_access_out extended permit ip host 158.96.133.131 any
access-list inside_access_out extended permit ip host 158.96.133.143 any
access-list inside_access_out extended permit ip host 158.96.172.71 any
access-list inside_access_out extended permit ip host 169.3.92.175 any
access-list inside_access_out extended permit ip host 169.3.32.205 any
access-list inside_access_out extended permit ip host 169.3.32.206 any
access-list inside_access_out extended permit ip 192.3.69.0 255.255.255.0 any
access-list inside_access_out extended permit ip 172.17.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip 172.18.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.101.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.104.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.105.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.106.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.107.0 255.255.255.0 any
access-list inside_access_out extended permit ip 169.3.69.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400

global (outside) 1 xxx.xxx.xxx.xx-xxx.xxx.xxx.xx "can i use the outside interface here?"
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) xxx.xxxx.xxx.xx 10.1.1.224 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xx 10.1.1.16 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xx 10.1.1.37 netmask 255.255.255.255

access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1
route inside 192.3.69.0 255.255.255.0 10.1.1.224 1
route inside 169.3.69.224 255.255.255.255 10.1.1.224 1
route inside 158.96.3.195 255.255.255.255 10.1.1.224 1
route inside 158.96.133.131 255.255.255.255 10.1.1.224 1
route inside 158.96.133.143 255.255.255.255 10.1.1.224 1
route inside 158.96.172.71 255.255.255.255 10.1.1.224 1
route inside 169.3.92.175 255.255.255.255 10.1.1.224 1
route inside 158.96.1.194 255.255.255.255 10.1.1.224 1
route inside 169.3.32.205 255.255.255.255 10.1.1.224 1
route inside 169.3.32.206 255.255.255.255 10.1.1.224 1
route inside 192.168.105.0 255.255.255.0 10.1.1.25 1
route inside 192.168.106.0 255.255.255.0 10.1.1.25 1
route inside 192.168.107.0 255.255.255.0 10.1.1.25 1
route inside 172.17.1.0 255.255.255.0 10.1.1.5 1
route inside 172.18.1.0 255.255.255.0 10.1.1.5 1
route inside 192.168.104.0 255.255.255.0 10.1.1.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 30
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:4190fb3d66561d464127ee38ba77226f
: end
MikeKane:
Couple of items in the config:
global (outside) 1 xxx.xxx.xxx.xx-xxx.xxx.xxx.xx "can i use the outside interface here?"
    --- Yes, you can use the interface here.

Since you have them X'd out, be sure that you have not assigned the interface address to any of the static maps. Each static map must be a unique address.

Start with ping tests. From the ASA, can you ping the outside gateway and an inside host?

From the ASA, when an attempt is made to go outbound, do a SHOW XLATE to see how the address was translated.

You can also SHOW LOG to get the last error messages, which will show any issues with ACLs or xlates going outbound.

cyberxela (asker):

I can only access the firewall from 7:00 am to 7:45 am, so as soon as the clock says 7 I will run the SHOW XLATE. By the way, I changed the global (outside) 1 xxx.xxx.xxx.xx-xxx.xxx.xxx.xx to global (outside) 1 interface. I will post back with the show results as soon as I get them. I appreciate your help.

As far as the points value, I am not too familiar with the value, so I hope 125 is about right.
Yes, I can ping inside hosts on the 10.0.0.0 network as well as the gateway xxx.xxx.xxx.65.
cyberxela (asker):
How could I access the ASDM log? It says that there are 20 messages every time I give it a show log... wow, it just went 800 more in less than 24 hrs.

 Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 823 messages logged
MikeKane:

ASDM logging is the scrolling display in the ASDM GUI. 800 in 24 hours is really nothing to worry about. When you peruse the messages, you'll see most of them are simply notices of dropped packets from the outside. We are interested in any packets originating from the inside and trying to get outside. If the ASA is blocking, then the log will tell you.

cyberxela (asker):

So I was able to access the internet on the 10.0.0.0 network, but I am unable to access the internet with the 192.3.69.xxx network. Any hints?

MikeKane:

Well, you already have that subnet on the ACL:
        access-list inside_access_out extended permit ip 192.3.69.0 255.255.255.0 any

I would suggest you verify that:
    1) The subnet mask is correct
    2) Check the ASDM log, from the CLI "show log", or the syslog for any error messages showing a DENY due to an ACL match
    3) Is this the only subnet that is not communicating?
    4) Does a SHOW XLATE have a translation for a PC on that subnet?
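An added offline checker for items 1 and 4 of the list above (example code written for this page, not from the thread, Cisco or Experts Exchange): it parses the inside ACL, the "nat (inside)" statement and the inside static routes from the posted config and reports, for one inside source host, which ACE permits it, whether the NAT statement covers it, and which route the ASA would use to send replies back to that subnet. The config excerpt is constructed from the question; the inside subnet of Ethernet0/1 (10.1.1.1 255.0.0.0) is hard-coded as the connected network.

```python
import ipaddress
import re

# Constructed excerpt of the posted config (inside-facing lines only; outside addresses are redacted)
ASA_CONFIG = """
access-list inside_access_out extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_access_out extended permit ip host 158.96.1.194 any
access-list inside_access_out extended permit ip 192.3.69.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.105.0 255.255.255.0 any
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.3.69.0 255.255.255.0 10.1.1.224 1
route inside 192.168.105.0 255.255.255.0 10.1.1.25 1
"""
INSIDE_CONNECTED = ipaddress.ip_network("10.0.0.0/8")  # Ethernet0/1: 10.1.1.1 255.0.0.0

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (host (\S+)|(\S+) (\S+)) any$")
NAT_RE = re.compile(r"^nat \(inside\) \d+ (\S+) (\S+)$")
ROUTE_RE = re.compile(r"^route inside (\S+) (\S+) (\S+) \d+$")

def _net(addr, mask):
    # ASA writes dotted netmasks; ip_network accepts "addr/netmask" directly
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    acl, nat, routes = [], [], []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            net = _net(m[4], "255.255.255.255") if m[4] else _net(m[5], m[6])
            acl.append((m[2], net))
        elif m := NAT_RE.match(line):
            nat.append(_net(m[1], m[2]))
        elif m := ROUTE_RE.match(line):
            routes.append((_net(m[1], m[2]), m[3]))
    return acl, nat, routes

def check_source(ip, config=ASA_CONFIG):
    src = ipaddress.ip_address(ip)
    acl, nat, routes = parse(config)
    hit = next((e for e in acl if src in e[1]), None)   # first matching ACE wins, as on the ASA
    static = sorted(routes, key=lambda r: -r[0].prefixlen)  # longest prefix first
    return {
        "acl": None if hit is None else f"{hit[0]} {hit[1]}",
        "nat": any(src in n for n in nat),
        # return route back to the source: a static inside route, else the connected subnet
        "route": next((gw for net, gw in static if src in net),
                      "connected" if src in INSIDE_CONNECTED else None),
    }

if __name__ == "__main__":
    for host in ("10.1.1.50", "192.3.69.10", "192.168.108.5"):
        print(host, check_source(host))
```

The checker covers only the inside-to-outside direction the four items ask about; a DENY that the log attributes to the outside interface is a separate check.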
cyberxela (asker):

As you mentioned in one of your previous posts, and repeated again, to check the logs: I was able to enable the syslog with 4000 of memory space, and I gave it sh log to check the results on the log and kept getting a DENY ACL every time I pinged outside to the internet from the 192.3.69.0 subnet. So what I did was add a new ACL to permit in packets from the outside interface, since the security level is 0 on the outside, and to transfer packets to the inside interface with a higher security level I guess an ACL takes care of the security issue.

So, I thank you, MikeKane, for your help and knowledge, and I close this question accepting your comments as the solution.

I will continue configuring this ASA device, and if I get lost again I will post a new question, I guess.