Solved

CISCO ASA 5510 ISSUE

Posted on 2009-05-13
Last Modified: 2012-05-06
I've been trying to configure this firewall, but I've had a lot of trouble getting it to work. Most of the 10.0.0.0 subnet is able to get out to the internet, but the rest of the subnets haven't been able to go out to the internet or access the servers in the 10.0.0.0 network. Any help will be really appreciated.

: Saved
:
ASA Version 7.0(6)
!
hostname WHCFIREWALL
enable password HAUpjtctjSNWh/S1 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.66 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns name-server 206.13.30.12
dns name-server 206.13.29.12
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.92
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.86
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.85
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.84
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.83
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.82
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.80
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.79
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.78
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.77
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.76
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.72
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.71
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.70
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.69
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.81
pager lines 24
logging buffer-size 64000
logging buffered notifications
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 209.xxx.xxx.81 10.1.1.82 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.69 10.1.1.224 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.70 10.1.1.16 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.71 10.1.1.37 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.76 10.1.1.211 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.77 10.1.1.119 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.78 10.1.1.212 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.79 10.1.1.135 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.80 10.1.1.254 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.82 10.1.1.170 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.83 10.1.1.113 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.84 10.1.1.193 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.85 10.1.1.194 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.86 10.1.1.201 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.92 10.1.1.92 netmask 255.255.255.255
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.65 1
route inside 192.168.107.0 255.255.255.0 10.1.1.25 1
route inside 192.168.106.0 255.255.255.0 10.1.1.25 1
route inside 192.168.105.0 255.255.255.0 10.1.1.25 1
route inside 192.168.104.0 255.255.255.0 10.1.1.25 1
route inside 192.168.101.0 255.255.255.0 10.1.1.25 1
route inside 192.3.69.0 255.255.255.0 10.1.1.224 1
route inside 172.18.1.0 255.255.255.0 10.1.1.5 1
route inside 172.17.1.0 255.255.255.0 10.1.1.5 1
route inside 169.3.92.175 255.255.255.255 10.1.1.224 1
route inside 169.3.32.206 255.255.255.255 10.1.1.224 1
route inside 169.3.32.205 255.255.255.255 10.1.1.224 1
route inside 158.96.172.71 255.255.255.255 10.1.1.224 1
route inside 158.96.133.143 255.255.255.255 10.1.1.224 1
route inside 158.96.133.131 255.255.255.255 10.1.1.224 1
route inside 158.96.3.195 255.255.255.255 10.1.1.224 1
route inside 158.96.1.194 255.255.255.255 10.1.1.224 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:cb7e45312d0da7582e31c7fed1a06e53
: end
Question by:cyberxela
26 Comments
 
LVL 4

Expert Comment

by:SimWhite
ID: 24372746
Change nat (inside) 0 0.0.0.0 0.0.0.0 to nat (inside) 1 0.0.0.0 0.0.0.0
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24372785
First of all, why do you need the static route "route inside 10.0.0.0 255.0.0.0 10.1.1.1 1", since the inside interface is directly connected to your 10.0.0.0? Make sure all hosts in 10.0.0.0 have default gateway 10.1.1.1 and can ping it.

Second, I see that only hosts configured with static NAT are able to reach the internet, and the rest probably are not correctly translated. If your internet router 209.xxx.xxx.65 isn't a NAT device for 10.0.0.0, this is the case. You need to fix your NAT config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

0
 

Author Comment

by:cyberxela
ID: 24373291
Well, most of the 10.0.0.0 is able to go out to the internet, but not the rest of the networks; for example, the 192.3.69.0 is not able to, and they get connected through the 10.1.1.224.
0
 

Author Comment

by:cyberxela
ID: 24373303
Yes, the 209.xxx.xxx.65 is the internet router.
0
 
LVL 4

Expert Comment

by:SimWhite
ID: 24373332
Show trace from any computer at 192.3.69.0
0
 

Author Comment

by:cyberxela
ID: 24373345
You mean trace the internet router from any computer at the 192.3.69.0?
0
 
LVL 4

Expert Comment

by:SimWhite
ID: 24373510
I mean any internet address from 192.3.69.0 net
0
 

Author Comment

by:cyberxela
ID: 24373609
Sorry, I will try that later on today; I can only test the firewall from 7:00 am to 7:30 am.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24373879
Did you try to fix your NAT configuration? Of course hosts with internal IPs can't reach the internet; you need NAT/PAT for that purpose. SimWhite was actually faster than me, suggesting the correct solution in his first post. Your internal hosts with static NAT translations are all able to get to the internet:

static (inside,outside) 209.xxx.xxx.81 10.1.1.82 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.69 10.1.1.224 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.70 10.1.1.16 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.71 10.1.1.37 netmask 255.255.255.255

Presumably these are all servers. The normal PCs are going to need PAT:

access-list pat-range permit ip 10.0.0.0 255.0.0.0 any
access-list pat-range permit ip 192.3.69.0 255.255.255.0 any

global (outside) 1 interface
nat (inside) 1 access-list pat-range
0
 

Author Comment

by:cyberxela
ID: 24373939
So I would have to change the nat (inside) 1 0 0 to nat (inside) 1 access-list pat-range and add
access-list pat-range permit ip 10.0.0.0 255.0.0.0 any
access-list pat-range permit ip 192.3.69.0 255.255.255.0 any

Would I apply this to any of the interfaces?
0
 

Author Comment

by:cyberxela
ID: 24373971
Now, since 192.3.69.0 is just one of the subnets, would I have to also create access-lists for the rest of the subnets, just like access-list pat-range permit ip 192.3.69.0 255.255.255.0 any?
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24374021
Yep, but you can always aggregate them like that:

access-list pat-range permit ip 192.0.0.0 255.0.0.0 any

Basically, add all subnets which are supposed to be translated to the internet.
0
 

Author Comment

by:cyberxela
ID: 24374460
Perfect, so I'll fix all the PAT and NAT rules here, and now I am just waiting for it to be 7:00 am.
0
 
LVL 5

Expert Comment

by:yashinchalad
ID: 24374504
Are you able to ping the other subnets which are not reachable from a telnet session on 10.1.1.1?
ex: ping inside <any IP which is not reaching internet>
If the answer is no, then I guess the route information is not added.
route inside <N/w> <subnet> 10.1.1.1  1
ex: route inside 192.168.10.0 255.255.255.0 10.1.1.1  1
After that, again ping an IP in the series which you added and check the rest.
Let me know.
 
0
 

Author Comment

by:cyberxela
ID: 24374564
But I don't have a 192.168.10.0 subnet.
0
 
LVL 5

Expert Comment

by:yashinchalad
ID: 24374610
That was an example; replace it with the subnet which you face the issue with.
0
 

Author Comment

by:cyberxela
ID: 24382590
Well, I tried the firewall this morning but everything is still the same: only the 10.0.0.0 subnet is able to go out to the internet, but that's pretty much all that can be done, because if I try to ping the 192.3.69.0 subnet from a host in the 10.0.0.0 subnet the pings time out, and these are some of the messages I got in the log:

%ASA-6-305012: Teardown dynamic UDP translation from inside:10.1.1.132/55518 to outside(pat-range):209.xxx.xxx.66/2697 duration 0:00:30
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.193/64606 due to DNS Response
%ASA-6-302016: Teardown UDP connection 10306 for outside:195.200.84.102/53 to inside:10.1.1.132/52055 duration 0:00:00 bytes 199
%ASA-7-609002: Teardown local-host outside:195.200.84.102 duration 0:00:00
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.50/1239 to 192.3.69.240/9100 flags SYN  on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 172.18.1.8/161 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 192.3.69.244/161 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 192.3.69.245/161 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 192.3.69.248/161 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.106.81/57780 due to DNS Response
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.193/64606 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.9.2/138 to inside:10.255.255.255/138
%ASA-4-106023: Deny tcp src outside:207.115.36.69/57045 dst inside:209.xx.xxx.79/25 by access-group "pat-range"
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-4-106023: Deny tcp src outside:207.115.36.69/57080 dst inside:209.xxx.xxx.77/25 by access-group "pat-range"
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.10.10.3/2875 to outside(pat-range):209.xxx.xxx.66/3965 duration 0:02:30
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.17.1.146/53207 due to DNS Response
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.10.10.3/2876 to outside(pat-range):209.xxx.xxx.66/3966 duration 0:02:30
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.106.81/57780 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.168.106.81/57780 due to DNS Response
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.24/139 to 192.168.104.188/2489 flags RST ACK  on interface inside
%ASA-7-710005: UDP request discarded from 10.10.2.240/138 to inside:10.255.255.255/138
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.193/64606 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.193/64606 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 172.17.1.146/53207 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.24/445 to 192.168.104.188/2488 flags SYN ACK  on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.17.1.146/53207 due to DNS Response
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67
%ASA-4-106023: Deny tcp src outside:125.230.32.195/28814 dst inside:209.xxx.xxx.78/25 by access-group "pat-range"
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.150/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.10.10.76/137 to inside:10.255.255.255/137
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.132/445 to 192.3.69.136/2406 flags SYN ACK  on interface inside
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-7-710005: UDP request discarded from 10.10.10.76/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.150/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1028 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.150/137 on interface inside


So, I don't understand why this is happening. I am trying to replace a 3com firewall and everything works fine when I swap back to the 3com. Any ideas?
0
 
LVL 7

Assisted Solution

by:egyptco
egyptco earned 125 total points
ID: 24383796
1. Well, now you have a problem reaching your internal networks. All networks added in pat-range have no problems reaching the internet, right? First remove this line:

no route inside 10.0.0.0 255.0.0.0 10.1.1.1

All your 10.0.0.0 hosts reside behind the inside interface, don't they? They need default gateway 10.1.1.1 in order to get to the ASA. Then the ASA should route to the router responsible for 192.3.69.0, which from your configuration is 10.1.1.224. In order to do so you need to bypass NAT. The problem here is that we've configured everything with source in 10.0.0.0 to be NAT'd outside; that's why your internal networks are not reachable. So now we are going to need the NAT exemption:

access-list nonat permit ip 10.0.0.0 255.0.0.0 192.3.69.0 255.255.255.0
nat (inside) 0 access-list nonat

2. This shouldn't occur:
%ASA-4-106023: Deny tcp src outside:125.230.32.195/28814 dst inside:209.xxx.xxx.78/25 by access-group "pat-range"

Have you applied pat-range on the outside interface? You shouldn't have done this. Remove:
no access-group pat-range in interface outside
Instead you need:
access-group OUTSIDE_ACCESS_IN in interface outside

3. If it's still not working, please do
sh route
and tracert from 10.0.0.0 and 192.3.69.0

and paste the outputs.

0
 

Author Comment

by:cyberxela
ID: 24383885
This is what the conf file looks like right now:

: Saved
:
ASA Version 7.0(6)
!
hostname WHCFIREWALL
enable password HAUpjtctjSNWh/S1 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.66 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside

dns name-server 206.13.30.12
dns name-server 206.13.29.12

access-list OUTSIDE_ACCESS_IN extended permit icmp any any
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...92
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...86
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...85
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...84
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...83
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...82
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...80
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...79
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...78
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...77
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...76
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...72
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...71
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...70
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...69
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...81


access-list pat-range extended permit ip 10.0.0.0 255.0.0.0 any
access-list pat-range extended permit ip 192.0.0.0 255.0.0.0 any
access-list pat-range extended permit ip 172.0.0.0 255.0.0.0 any
access-list pat-range extended permit ip host 158.96.1.94 any
access-list pat-range extended permit ip host 158.96.3.195 any
access-list pat-range extended permit ip host 158.96.1.194 any
access-list pat-range extended permit ip host 158.96.133.131 any
access-list pat-range extended permit ip host 158.96.133.143 any
access-list pat-range extended permit ip host 158.96.172.71 any
access-list pat-range extended permit ip host 169.3.32.205 any
access-list pat-range extended permit ip host 169.3.32.206 any
access-list pat-range extended permit ip host 169.3.92.175 any


pager lines 24
logging enable
logging buffer-size 64000
logging buffered debugging
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400


global (outside) 1 interface
nat (inside) 1 access-list pat-range
nat (inside) 1 0.0.0.0 0.0.0.0


static (inside,outside) 209...81 10.1.1.82 netmask 255.255.255.255
static (inside,outside) 209...69 10.1.1.224 netmask 255.255.255.255
static (inside,outside) 209...70 10.1.1.16 netmask 255.255.255.255
static (inside,outside) 209...71 10.1.1.37 netmask 255.255.255.255
static (inside,outside) 209...72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) 209...76 10.1.1.211 netmask 255.255.255.255
static (inside,outside) 209...77 10.1.1.119 netmask 255.255.255.255
static (inside,outside) 209...78 10.1.1.212 netmask 255.255.255.255
static (inside,outside) 209...79 10.1.1.135 netmask 255.255.255.255
static (inside,outside) 209...80 10.1.1.254 netmask 255.255.255.255
static (inside,outside) 209...82 10.1.1.170 netmask 255.255.255.255
static (inside,outside) 209...83 10.1.1.113 netmask 255.255.255.255
static (inside,outside) 209...84 10.1.1.193 netmask 255.255.255.255
static (inside,outside) 209...85 10.1.1.194 netmask 255.255.255.255
static (inside,outside) 209...86 10.1.1.201 netmask 255.255.255.255
static (inside,outside) 209...92 10.1.1.92 netmask 255.255.255.255

access-group OUTSIDE_ACCESS_IN in interface outside

route outside 0.0.0.0 0.0.0.0 209...65 1
route inside 158.96.1.194 255.255.255.255 10.1.1.224 1
route inside 158.96.3.195 255.255.255.255 10.1.1.224 1
route inside 158.96.133.131 255.255.255.255 10.1.1.224 1
route inside 158.96.133.143 255.255.255.255 10.1.1.224 1
route inside 158.96.172.71 255.255.255.255 10.1.1.224 1
route inside 169.3.32.205 255.255.255.255 10.1.1.224 1
route inside 169.3.32.206 255.255.255.255 10.1.1.224 1
route inside 169.3.92.175 255.255.255.255 10.1.1.224 1
route inside 172.17.1.0 255.255.255.0 10.1.1.5 1
route inside 172.18.1.0 255.255.255.0 10.1.1.5 1
route inside 192.3.69.0 255.255.255.0 10.1.1.224 1
route inside 192.168.101.0 255.255.255.0 10.1.1.25 1
route inside 192.168.104.0 255.255.255.0 10.1.1.25 1
route inside 192.168.105.0 255.255.255.0 10.1.1.25 1
route inside 192.168.106.0 255.255.255.0 10.1.1.25 1
route inside 192.168.107.0 255.255.255.0 10.1.1.25 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:755add5cb68fdf7151ab9fb1df0253f9
: end
0
 

Author Comment

by:cyberxela
ID: 24383967
By looking at your example, creating the access list permitting the IP 10.0.0.0 to the 192.3.69.0 will forward packets back and forth. Would that have to be the case for the rest of the subnets as well, because it's an ASA thing that unless you specify what to permit it gets through, and then it would have to be NATted to the access-list? Here is where I get confused.
0
 
LVL 7

Expert Comment

by:egyptco
ID: 24384157
Yep, sure, you should add all your subnets which need to be excluded. It was only an example; go and add all the subnets you need.
0
 

Author Comment

by:cyberxela
ID: 24385274
OK, so after doing a test I am still not able to access anything. This is what the log recorded:

%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.193/1050 flags SYN ACK  on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.5.39/137 to inside:10.255.255.255/137
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.5.39/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.193/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.107.63/54976 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.168.107.63/54976 due to DNS Response
%ASA-3-710003: TCP access denied by ACL from 10.1.1.13/3618 to inside:10.1.1.1/80
%ASA-7-710005: TCP request discarded from 10.1.1.13/3618 to inside:10.1.1.1/80
%ASA-7-710005: UDP request discarded from 10.1.5.39/137 to inside:10.255.255.255/137
%ASA-7-710005: UDP request discarded from 10.1.1.121/137 to inside:10.255.255.255/137
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.193/1050 flags SYN ACK  on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.121/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.193/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.121/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.50/1045 to 192.3.69.240/161 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1026 due to DNS Response
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.158 (type 0, code 0)
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.107.63/54976 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.168.107.63/54976 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.158 (type 0, code 0)
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.193 (type 0, code 0)
%ASA-7-710005: UDP request discarded from 10.1.2.222/138 to inside:10.255.255.255/138
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.104.65/52131 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.158/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.1.132/137 to inside:10.255.255.255/137
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.158/3536 flags SYN ACK  on interface inside
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.193 (type 0, code 0)
%ASA-6-110001: No route to 202.12.27.33 from 10.1.1.132
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.193/1050 flags SYN ACK  on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.104.65/50523 due to DNS Response
0
 
LVL 7

Accepted Solution

by:
egyptco earned 125 total points
ID: 24389384
Yeah, I forgot to tell you that the ASA doesn't like inter-routing on the same interface. You need this command:

same-security-traffic permit inter-interface
0
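As an added example (not code from the thread or from Cisco), here is a Python triage script for the kind of ASA 7.0 syslog lines cyberxela posted: it pulls the flow endpoints out of each message, flags denials whose source and destination both live behind the inside interface (the hairpin case egyptco's nat 0 exemption and the accepted same-security-traffic command are aimed at), flags a NAT ACL showing up as a packet filter (egyptco's point 2), and generates a nonat line for every inside subnet pair actually seen. It assumes the inside-network table taken from the posted route inside lines; the 203.0.113.x addresses in the constructed sample are placeholders for the masked 209.xxx.xxx block.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Networks behind the ASA "inside" interface: the connected /8 plus the subnets
# in the posted "route inside ..." lines (the /32 host routes are left out).
INSIDE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "192.3.69.0/24", "172.17.1.0/24", "172.18.1.0/24",
    "192.168.101.0/24", "192.168.104.0/24", "192.168.105.0/24",
    "192.168.106.0/24", "192.168.107.0/24")]
# ACLs referenced by "nat (inside) N access-list ..."; they select traffic for
# translation, so one showing up in a "by access-group" denial was misapplied.
NAT_ACLS = {"pat-range", "nonat"}
DENY_IDS = {"106001", "106006", "106007", "106014", "106023"}
TO_THE_BOX_IDS = {"710003", "710005"}  # traffic addressed to the ASA itself

IP = r"\d{1,3}(?:\.\d{1,3}){3}"  # endpoints look like [iface[(pool)]:]ip[/port]
HEADER = re.compile(r"^%ASA-\d-(?P<id>\d{6}): ")
FLOW = re.compile(r"(?:from|src) (?:\w+(?:\([^)]*\))?:)?(?P<sip>" + IP + r")(?:/\d+)?"
                  r" (?:to|dst) (?:\w+(?:\([^)]*\))?:)?(?P<dip>" + IP + r")(?:/\d+)?")
NO_ROUTE = re.compile(r"No route to (?P<dip>" + IP + r") from (?P<sip>" + IP + r")")
ACL = re.compile(r'by access-group "(?P<acl>[^"]+)"')
# Constructed sample built from message shapes quoted in the thread; 203.0.113.x
# stands in for the masked 209.xxx.xxx public block.
SAMPLE_LOG = """\
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.193/64606 due to DNS Response
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.50/1239 to 192.3.69.240/9100 flags SYN  on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 172.18.1.8/161 on interface inside
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-4-106023: Deny tcp src outside:207.115.36.69/57045 dst inside:203.0.113.79/25 by access-group "pat-range"
%ASA-6-305012: Teardown dynamic UDP translation from inside:10.1.1.132/55518 to outside(pat-range):203.0.113.66/2697 duration 0:00:30
%ASA-6-110001: No route to 202.12.27.33 from 10.1.1.132
%ASA-7-710005: UDP request discarded from 10.1.9.2/138 to inside:10.255.255.255/138
"""

def parse_line(line):
    """Return message id, endpoints and the ACL named in the message, or None."""
    head = HEADER.match(line)
    m = (FLOW.search(line) or NO_ROUTE.search(line)) if head else None
    if not m:
        return None
    acl = ACL.search(line)
    return {"id": head["id"], "src": ip_address(m["sip"]),
            "dst": ip_address(m["dip"]), "acl": acl["acl"] if acl else None}

def containing_net(addr):
    """Most specific inside network holding addr, or None if addr is not inside."""
    nets = [n for n in INSIDE_NETS if addr in n]
    return max(nets, key=lambda n: n.prefixlen) if nets else None

def classify(rec):
    """Map a parsed message to the condition the thread is chasing."""
    mid = rec["id"]
    if mid == "106023" and rec["acl"] in NAT_ACLS:
        return "nat-acl-as-filter"
    if mid == "110001":
        return "no-route"
    if mid in TO_THE_BOX_IDS:
        return "to-the-box"
    if mid in DENY_IDS and containing_net(rec["src"]) and containing_net(rec["dst"]):
        # Both ends sit behind "inside", so the flow enters and leaves one interface:
        # ASA 7.x needs "same-security-traffic permit intra-interface" (inter-interface
        # is for two interfaces of equal level) plus a nat 0 exemption for the pair.
        return "hairpin-deny"
    return "other-deny" if mid in DENY_IDS else "info"

def triage(log_text):
    """Count conditions and collect the (src, dst) pairs of hairpin denials."""
    counts, hairpins = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "hairpin-deny":
            hairpins.add((str(rec["src"]), str(rec["dst"])))
    return counts, hairpins

def nonat_lines(hairpins):
    """Expand egyptco's single nonat line to every inside subnet pair seen (exemption is bidirectional)."""
    pairs = set()
    for src, dst in hairpins:
        s, d = containing_net(ip_address(src)), containing_net(ip_address(dst))
        if s and d and s != d:
            pairs.add((s, d))
    return sorted(f"access-list nonat extended permit ip {s.network_address} "
                  f"{s.netmask} {d.network_address} {d.netmask}" for s, d in pairs)

if __name__ == "__main__":
    counts, hairpins = triage(SAMPLE_LOG)
    print(dict(counts))
    print("\n".join(nonat_lines(hairpins)))
```

Feed it the buffered log from `show logging` and the hairpin pairs tell you which subnets still need an exemption entry; a non-empty nat-acl-as-filter count means the outside access-group is not OUTSIDE_ACCESS_IN.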
 

Author Comment

by:cyberxela
ID: 24394419
Alright, I will give it a try this morning again and I'll post back the results. I really appreciate all your help.
0
 

Author Comment

by:cyberxela
ID: 24394453
You know, they use this command in this example, but this is if you want to forward packets from DMZ1 to DMZ2. Now my question is, would this also apply if the packets that go in have to come back out through the same interface they went in? I guess I will know later on today when I run another test. Thanks though.
 http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
0
 

Author Comment

by:cyberxela
ID: 24976254
Thanks guys, and I am sorry for answering so late.
0
