Cisco ASA 5510 NAT

So, I tried to configure this firewall and got to the point that I needed to configure static and dynamic NATing, this is my first time trying to configure a firewall and unfortunally I can't get the local lan to go out to the internet, can some one guide please

: Saved
:
ASA Version 7.0(6)
!
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.66 255.255.xxx.xxx
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxxxxx
ftp mode passive
dns domain-lookup outside
dns name-server xxx.xx.29.12
dns name-server xxx.xx.30.12
access-list inside_access_out extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_access_out extended permit ip host 158.96.1.194 any
access-list inside_access_out extended permit ip host 158.96.3.195 any
access-list inside_access_out extended permit ip host 158.96.133.131 any
access-list inside_access_out extended permit ip host 158.96.133.143 any
access-list inside_access_out extended permit ip host 158.96.172.71 any
access-list inside_access_out extended permit ip host 169.3.92.175 any
access-list inside_access_out extended permit ip host 169.3.32.205 any
access-list inside_access_out extended permit ip host 169.3.32.206 any
access-list inside_access_out extended permit ip 192.3.69.0 255.255.255.0 any
access-list inside_access_out extended permit ip 172.17.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip 172.18.1.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.101.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.104.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.105.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.106.0 255.255.255.0 any
access-list inside_access_out extended permit ip 192.168.107.0 255.255.255.0 any
access-list inside_access_out extended permit ip 169.3.69.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400

global (outside) 1 xxx.xxx.xxx.xx-xxx.xxx.xxx.xx "can i use the outside interface here?"
nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) xxx.xxxx.xxx.xx 10.1.1.224 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xx 10.1.1.16 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.xx 10.1.1.37 netmask 255.255.255.255

access-group inside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1  "
route inside 192.3.69.0 255.255.255.0 10.1.1.224 1
route inside 169.3.69.224 255.255.255.255 10.1.1.224 1
route inside 158.96.3.195 255.255.255.255 10.1.1.224 1
route inside 158.96.133.131 255.255.255.255 10.1.1.224 1
route inside 158.96.133.143 255.255.255.255 10.1.1.224 1
route inside 158.96.172.71 255.255.255.255 10.1.1.224 1
route inside 169.3.92.175 255.255.255.255 10.1.1.224 1
route inside 158.96.1.194 255.255.255.255 10.1.1.224 1
route inside 169.3.32.205 255.255.255.255 10.1.1.224 1
route inside 169.3.32.206 255.255.255.255 10.1.1.224 1
route inside 192.168.105.0 255.255.255.0 10.1.1.25 1
route inside 192.168.106.0 255.255.255.0 10.1.1.25 1
route inside 192.168.107.0 255.255.255.0 10.1.1.25 1
route inside 172.17.1.0 255.255.255.0 10.1.1.5 1
route inside 172.18.1.0 255.255.255.0 10.1.1.5 1
route inside 192.168.104.0 255.255.255.0 10.1.1.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 30
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:4190fb3d66561d464127ee38ba77226f
: end
cyberxelaAsked:
Who is Participating?
 
MikeKaneCommented:
Don't worry about the points.    

So the ASA has full connectivity as proven by the ping tests.   Next step is to ensure that the XLATE is working properly.   Also, try to access an outside web page, use the console log or the asdm log to look for any DENY messages that may be created.  Those will contain info on why the item was dropped.
0
 
MikeKaneCommented:
Couple of items in the config:
global (outside) 1 xxx.xxx.xxx.xx-xxx.xxx.xxx.xx "can i use the outside interface here?"
    ---  Yes you can use the interface here.  

Since you have them X'd out, be sure that you have not assigned the interface address to any of the static maps.    Each static map must be a unique address.  

Start with ping tests,  From the ASA, can you ping the outside gateway, an inside host?  

From the ASA, when an attempt is made to go outbound, do a SHOW XLATE to see how the address was translated.  

You can also SHOW LOG to get the last error messages which will show any issues with ACLs or xlates going outbound.  

0
 
cyberxelaAuthor Commented:
I can only access the firewall from 7:00 am to 7:45 am, so as soon as the clock says 7 I will run the SHOW XLATE and by the way I changed the global (outside) 1 xxx.xxx.xxx.xx-xxx.xxx.xxx.xx to global (outside) 1 interface I will post back with the show results as soon as I get'em, I appresiate your help.

as far as the points value, I am not to familier with the value, so I hope 125 that's about right
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
cyberxelaAuthor Commented:
yes, I can ping inside hosts on the 10.0.0.0 and as well as the gateway  xxx.xxx.xxx.65
0
 
cyberxelaAuthor Commented:
How could I acess the asmd log because it says that there is 20 messages, everytime I give it a show log... wow just went 800 more in less than 24hrs

 Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 823 messages logged
0
 
MikeKaneCommented:
ASDM logging is the scrolling display in the ASDM GUI.   800 in 24 hours is really nothing to worry about.   When you peruse the messages, you'll see most of them are simply notices of dropped packets from the outside.   We are interested in any packets originating from the inside and trying to get outside.    IF the ASA is blocking, then the log will tell you.

0
 
cyberxelaAuthor Commented:
so I was able to access the internet on the 10.0.0.0 network but i am unable to access the internet with 192.3.69.xxx network any hints
0
 
MikeKaneCommented:
Well you already have that subnet on the ACL
        access-list inside_access_out extended permit ip 192.3.69.0 255.255.255.0 any

I would suggest you verify that
    1) The subnet mask is correct
    2) Check the ASDM log, from the CLI "show log",  or the syslog for any error messages showing DENY to to ACL match
    3) Is this the only subnet that is not communicating?
    4) Does a SHOW XLATE have a translation for a PC on that subnet?
0
 
cyberxelaAuthor Commented:
as you mention in one of your preview posts and you repited again to check the logs, I was able to enable the sys log with 4000 of memory space, and i gave it sh log tu check the results on the log and  kept getting a DENY acl everytime I ping outide to the internet from the 192.3.69.0 subnet, so what I did was add a new ACL to permit in  packets from the outside interface since the security level is 0 on the outside and to transfer packets to the inside interface with a higher security level I guess an ACL takes care of the secury issue.

so, i thank MikeKane you for your help and knowlendge and I close this question accepting your comments as a solution

I will continue configuring this ASA device and if I get lost aging I will post with a new question I guess.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.