CISCO ASA 5510 ISSUE

I've been trying to configure this firewall but I have so much trouble getting it to work. Most of the 10.0.0.0 subnet is able to get out to the internet, but the rest of the subnets haven't been able to go out to the internet or access the servers in the 10.0.0.0 network. Any help will be really appreciated.

: Saved
:
ASA Version 7.0(6)
!
hostname WHCFIREWALL
enable password HAUpjtctjSNWh/S1 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.66 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns name-server 206.13.30.12
dns name-server 206.13.29.12
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.92
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.86
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.85
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.84
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.83
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.82
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.80
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.79
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.78
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.77
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.76
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.72
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.71
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.70
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.69
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209.xxx.xxx.81
pager lines 24
logging buffer-size 64000
logging buffered notifications
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,outside) 209.xxx.xxx.81 10.1.1.82 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.69 10.1.1.224 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.70 10.1.1.16 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.71 10.1.1.37 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.76 10.1.1.211 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.77 10.1.1.119 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.78 10.1.1.212 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.79 10.1.1.135 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.80 10.1.1.254 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.82 10.1.1.170 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.83 10.1.1.113 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.84 10.1.1.193 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.85 10.1.1.194 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.86 10.1.1.201 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.92 10.1.1.92 netmask 255.255.255.255
access-group OUTSIDE_ACCESS_IN in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.65 1
route inside 192.168.107.0 255.255.255.0 10.1.1.25 1
route inside 192.168.106.0 255.255.255.0 10.1.1.25 1
route inside 192.168.105.0 255.255.255.0 10.1.1.25 1
route inside 192.168.104.0 255.255.255.0 10.1.1.25 1
route inside 192.168.101.0 255.255.255.0 10.1.1.25 1
route inside 192.3.69.0 255.255.255.0 10.1.1.224 1
route inside 172.18.1.0 255.255.255.0 10.1.1.5 1
route inside 172.17.1.0 255.255.255.0 10.1.1.5 1
route inside 169.3.92.175 255.255.255.255 10.1.1.224 1
route inside 169.3.32.206 255.255.255.255 10.1.1.224 1
route inside 169.3.32.205 255.255.255.255 10.1.1.224 1
route inside 158.96.172.71 255.255.255.255 10.1.1.224 1
route inside 158.96.133.143 255.255.255.255 10.1.1.224 1
route inside 158.96.133.131 255.255.255.255 10.1.1.224 1
route inside 158.96.3.195 255.255.255.255 10.1.1.224 1
route inside 158.96.1.194 255.255.255.255 10.1.1.224 1
route inside 10.0.0.0 255.0.0.0 10.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:cb7e45312d0da7582e31c7fed1a06e53
: end
cyberxela Asked:

egyptco Commented:
Yeah, I forgot to tell you that the ASA doesn't like inter-routing on the same interface. You need this command:

same-security-traffic permit inter-interface
0
 
SimWhite Commented:
Change nat (inside) 0 0.0.0.0 0.0.0.0 to nat (inside) 1 0.0.0.0 0.0.0.0
0
 
egyptco Commented:
First of all, why do you need the static route "route inside 10.0.0.0 255.0.0.0 10.1.1.1 1" since the inside interface is directly connected to your 10.0.0.0? Make sure all hosts in 10.0.0.0 have default gateway 10.1.1.1 and can ping it.

Second, I see that only hosts configured with static NAT are able to reach the internet, and the rest probably are not correctly translated. If your Internet router 209.xxx.xxx.65 isn't a NAT device for 10.0.0.0, this is the case. You need to fix your NAT config:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

0
 
cyberxela Author Commented:
Well, most of the 10.0.0.0 is able to go out to the internet, but not the rest of the networks; for example, the 192.3.69.0 is not able to, and they get connected through the 10.1.1.224.
0
 
cyberxela Author Commented:
Yes, the 209.xxx.xxx.65 is the internet router.
0
 
SimWhite Commented:
Show a trace from any computer at 192.3.69.0.
0
 
cyberxela Author Commented:
You mean trace to the internet router from any computer at the 192.3.69.0?
0
 
SimWhite Commented:
I mean any internet address from the 192.3.69.0 net.
0
 
cyberxela Author Commented:
Sorry, I will try that later on today; I can only test the firewall from 7:00 am to 7:30 am.
0
 
egyptco Commented:
Did you try to fix your NAT configuration? Of course hosts with internal IPs can't reach the internet; you need NAT/PAT for that purpose. SimWhite was actually faster than me suggesting the correct solution in his first post. Your internal hosts with static NAT translations are all able to get to the internet:

static (inside,outside) 209.xxx.xxx.81 10.1.1.82 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.69 10.1.1.224 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.70 10.1.1.16 netmask 255.255.255.255
static (inside,outside) 209.xxx.xxx.71 10.1.1.37 netmask 255.255.255.255

Presumably these are all servers. The normal PCs are going to need PAT:

access-list pat-range permit ip 10.0.0.0 255.0.0.0 any
access-list pat-range permit ip 192.3.69.0 255.255.255.0 any

global (outside) 1 interface
nat (inside) 1 access-list pat-range
0
 
cyberxela Author Commented:
So I would have to change the nat (inside) 1 0 0 to nat (inside) 1 access-list pat-range and add
access-list pat-range permit ip 10.0.0.0 255.0.0.0 any
access-list pat-range permit ip 192.3.69.0 255.255.255.0 any

Would I apply this to any of the interfaces?
0
 
cyberxela Author Commented:
Now, since 192.3.69.0 is just one of the subnets, would I have to also create access-lists for the rest of the subnets, just like access-list pat-range permit ip 192.3.69.0 255.255.255.0 any?
0
 
egyptco Commented:
Yep, but you can always aggregate them like that:

access-list pat-range permit ip 192.0.0.0 255.0.0.0 any

Basically, add all subnets which are supposed to be translated to the internet.
0
 
cyberxela Author Commented:
Perfect, so I fixed all the PAT and NAT rules here and now I am just waiting for it to be 7:00 am.
0
 
yashinchalad Commented:
Are you able to ping the other subnets which are not reachable through a telnet session to 10.1.1.1?
ex: ping inside <any IP which is not reaching internet>
If the answer is no, then I guess the route information is not added.
route inside <N/w> <subnet> 10.1.1.1  1
ex: route inside 192.168.10.0 255.255.255.0 10.1.1.1  1
After that, again ping an IP in the series which you added and check the rest.
Let me know.
 
0
 
cyberxela Author Commented:
But I don't have a 192.168.10.0 subnet.
0
 
yashinchalad Commented:
That was an example; replace it with the subnet which you face the issue with.
0
 
cyberxela Author Commented:
Well, I tried the firewall this morning but everything is still the same: only the 10.0.0.0 subnet is able to go out to the internet, but that's pretty much all that can be done, because if I try to ping the 192.3.69.0 subnet from a host in the 10.0.0.0 subnet the pings time out. These are some of the messages I got in the log:

%ASA-6-305012: Teardown dynamic UDP translation from inside:10.1.1.132/55518 to outside(pat-range):209.xxx.xxx.66/2697 duration 0:00:30
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.193/64606 due to DNS Response
%ASA-6-302016: Teardown UDP connection 10306 for outside:195.200.84.102/53 to inside:10.1.1.132/52055 duration 0:00:00 bytes 199
%ASA-7-609002: Teardown local-host outside:195.200.84.102 duration 0:00:00
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.50/1239 to 192.3.69.240/9100 flags SYN  on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 172.18.1.8/161 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 192.3.69.244/161 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 192.3.69.245/161 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 192.3.69.248/161 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.106.81/57780 due to DNS Response
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.193/64606 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.9.2/138 to inside:10.255.255.255/138
%ASA-4-106023: Deny tcp src outside:207.115.36.69/57045 dst inside:209.xx.xxx.79/25 by access-group "pat-range"
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-4-106023: Deny tcp src outside:207.115.36.69/57080 dst inside:209.xxx.xxx.77/25 by access-group "pat-range"
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.10.10.3/2875 to outside(pat-range):209.xxx.xxx.66/3965 duration 0:02:30
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.17.1.146/53207 due to DNS Response
%ASA-6-305012: Teardown dynamic TCP translation from inside:10.10.10.3/2876 to outside(pat-range):209.xxx.xxx.66/3966 duration 0:02:30
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.106.81/57780 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.168.106.81/57780 due to DNS Response
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.24/139 to 192.168.104.188/2489 flags RST ACK  on interface inside
%ASA-7-710005: UDP request discarded from 10.10.2.240/138 to inside:10.255.255.255/138
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.193/64606 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.193/64606 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 172.17.1.146/53207 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.24/445 to 192.168.104.188/2488 flags SYN ACK  on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.17.1.146/53207 due to DNS Response
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67
%ASA-4-106023: Deny tcp src outside:125.230.32.195/28814 dst inside:209.xxx.xxx.78/25 by access-group "pat-range"
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.150/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.107.63/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.10.10.76/137 to inside:10.255.255.255/137
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.132/445 to 192.3.69.136/2406 flags SYN ACK  on interface inside
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-7-710005: UDP request discarded from 10.10.10.76/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.150/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1025 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1031 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1028 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1028 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.150/137 on interface inside


So, I don't understand why this is happening. I am trying to replace a 3Com firewall, and everything works fine when I swap back to the 3Com. Any ideas?
0
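Triage helper for a log like the one above (an added example, not code from the thread): it parses the %ASA message formats that appear in the post, places each source and destination against the address plan from the posted config (10.0.0.0/8 directly connected on inside; 192.3.69.0/24, 172.17.1.0/24, 172.18.1.0/24 and the 192.168.10x.0/24 subnets routed back out the inside interface), and separates the inside-to-inside denies from the 106023 ACL deny seen on outside and from the 710005 broadcasts addressed to the ASA itself. The subnet list and the sample lines come from this thread; the class names and the parsing regexes are the example's own.

```python
import ipaddress
import re
from collections import Counter

# Address plan from the config posted in this thread: 10.0.0.0/8 is directly connected on
# 'inside'; these subnets are reached via 'route inside ...', i.e. back out the same interface.
INSIDE_CONNECTED = ipaddress.ip_network("10.0.0.0/8")
ROUTED_VIA_INSIDE = [ipaddress.ip_network(n) for n in (
    "192.3.69.0/24", "172.17.1.0/24", "172.18.1.0/24",
    "192.168.101.0/24", "192.168.104.0/24", "192.168.105.0/24",
    "192.168.106.0/24", "192.168.107.0/24",
)]

DENY_IDS = {"106001", "106006", "106007", "106014", "106023"}   # through-the-box denies
TO_THE_BOX_IDS = {"710003", "710005"}                            # traffic addressed to the ASA itself

HEADER = re.compile(r"^%ASA-(\d)-(\d{6}):\s*(.*)$")
# address token as written in these messages: [iface[(pool)]:]ip[/port]; 'x' keeps masked IPs parseable
ADDR = r"(?:(?P<{p}if>\w+)(?:\([\w-]+\))?:)?(?P<{p}ip>[\d.x]+)(?:/(?P<{p}port>\d+))?"
FLOW = re.compile(r"(?:from|src)\s+" + ADDR.format(p="s") + r"\s+(?:to|dst)\s+" + ADDR.format(p="d"))
ACL = re.compile(r'by access-group "([^"]+)"')


def zone(ip_text):
    """Which side of the ASA an address sits on, according to the posted routing table."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                      # masked addresses such as 209.xxx.xxx.79
        return "unknown"
    if ip in INSIDE_CONNECTED:
        return "inside-connected"
    if any(ip in net for net in ROUTED_VIA_INSIDE):
        return "inside-routed"
    return "outside"


def classify(line):
    """Parse one %ASA syslog line into a dict; return None for anything that is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    sev, msg_id, body = m.groups()
    rec = {"id": msg_id, "severity": int(sev), "src": None, "dst": None, "src_if": None, "acl": None}
    flow = FLOW.search(body)
    if flow:
        rec["src"], rec["dst"], rec["src_if"] = flow.group("sip"), flow.group("dip"), flow.group("sif")
    acl = ACL.search(body)
    rec["acl"] = acl.group(1) if acl else None
    rec["class"] = _bucket(rec)
    return rec


def _bucket(rec):
    if rec["id"] in TO_THE_BOX_IDS:
        return "to-the-box discard"        # e.g. NetBIOS broadcasts to 10.255.255.255, not forwarded traffic
    if rec["id"] not in DENY_IDS:
        return "informational"             # xlate/connection teardowns and the like
    if rec["acl"]:                         # 106023 names the ACL and the interface the packet arrived on
        return f"acl deny ({rec['acl']} on {rec['src_if']})"
    if rec["src"] and rec["dst"] and zone(rec["src"]).startswith("inside") \
            and zone(rec["dst"]) == "inside-routed":
        return "hairpin deny (inside -> inside)"   # arrived on inside, would have to leave via inside
    return "other deny"


def summarize(log_text):
    """Count lines per class and collect the distinct src->dst pairs behind each class."""
    counts, pairs = Counter(), {}
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        counts[rec["class"]] += 1
        if rec["src"] and rec["dst"]:
            pairs.setdefault(rec["class"], set()).add((rec["src"], rec["dst"]))
    return counts, pairs


# Sample input: a handful of lines from the log posted above (addresses as posted).
SAMPLE_LOG = """\
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.193/64606 due to DNS Response
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.50/1239 to 192.3.69.240/9100 flags SYN  on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.13/1038 to 192.3.69.244/161 on interface inside
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.132 dst inside:192.3.69.136 (type 0, code 0)
%ASA-4-106023: Deny tcp src outside:207.115.36.69/57045 dst inside:209.xx.xxx.79/25 by access-group "pat-range"
%ASA-6-305012: Teardown dynamic UDP translation from inside:10.1.1.132/55518 to outside(pat-range):209.xxx.xxx.66/2697 duration 0:00:30
%ASA-7-710005: UDP request discarded from 10.1.9.2/138 to inside:10.255.255.255/138
"""

if __name__ == "__main__":
    for klass, n in summarize(SAMPLE_LOG)[0].most_common():
        print(f"{n:3d}  {klass}")
```

Run it over the full pasted log to see how much of the noise is the same-interface problem versus unrelated broadcast discards.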
 
egyptco Commented:
1. Well, now you have a problem reaching your internal networks. All networks added in pat-range have no problems reaching the internet, right? First remove this line:

no route inside 10.0.0.0 255.0.0.0 10.1.1.1

All your 10.0.0.0 hosts reside behind the inside interface, don't they? They need default gateway 10.1.1.1 in order to get to the ASA. Then the ASA should route to the router responsible for 192.3.69.0, which from your configuration is 10.1.1.224. In order to do so you need to bypass NAT. The problem here is that we've configured everything with source in 10.0.0.0 to be NAT'd outside; that's why your internal networks are not reachable. So now we are going to need NAT exemption:

access-list nonat permit ip 10.0.0.0 255.0.0.0 192.3.69.0 255.255.255.0
nat (inside) 0 access-list nonat

2. This shouldn't occur:
%ASA-4-106023: Deny tcp src outside:125.230.32.195/28814 dst inside:209.xxx.xxx.78/25 by access-group "pat-range"

Have you applied pat-range on the outside interface? You shouldn't have done this. Remove:
no access-group pat-range in interface outside
Instead you need:
access-group OUTSIDE_ACCESS_IN in interface outside

3. If it's still not working, please do
sh route
and a tracert from 10.0.0.0 and 192.3.69.0

and paste the outputs.

0
 
cyberxela Author Commented:
This is what the conf file looks like right now:

: Saved
:
ASA Version 7.0(6)
!
hostname WHCFIREWALL
enable password HAUpjtctjSNWh/S1 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.xxx.xxx.66 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside

dns name-server 206.13.30.12
dns name-server 206.13.29.12

access-list OUTSIDE_ACCESS_IN extended permit icmp any any
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...92
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...86
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...85
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...84
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...83
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...82
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...80
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...79
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...78
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...77
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...76
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...72
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...71
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...70
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...69
access-list OUTSIDE_ACCESS_IN extended permit ip any host 209...81


access-list pat-range extended permit ip 10.0.0.0 255.0.0.0 any
access-list pat-range extended permit ip 192.0.0.0 255.0.0.0 any
access-list pat-range extended permit ip 172.0.0.0 255.0.0.0 any
access-list pat-range extended permit ip host 158.96.1.94 any
access-list pat-range extended permit ip host 158.96.3.195 any
access-list pat-range extended permit ip host 158.96.1.194 any
access-list pat-range extended permit ip host 158.96.133.131 any
access-list pat-range extended permit ip host 158.96.133.143 any
access-list pat-range extended permit ip host 158.96.172.71 any
access-list pat-range extended permit ip host 169.3.32.205 any
access-list pat-range extended permit ip host 169.3.32.206 any
access-list pat-range extended permit ip host 169.3.92.175 any


pager lines 24
logging enable
logging buffer-size 64000
logging buffered debugging
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400


global (outside) 1 interface
nat (inside) 1 access-list pat-range
nat (inside) 1 0.0.0.0 0.0.0.0


static (inside,outside) 209...81 10.1.1.82 netmask 255.255.255.255
static (inside,outside) 209...69 10.1.1.224 netmask 255.255.255.255
static (inside,outside) 209...70 10.1.1.16 netmask 255.255.255.255
static (inside,outside) 209...71 10.1.1.37 netmask 255.255.255.255
static (inside,outside) 209...72 10.1.1.72 netmask 255.255.255.255
static (inside,outside) 209...76 10.1.1.211 netmask 255.255.255.255
static (inside,outside) 209...77 10.1.1.119 netmask 255.255.255.255
static (inside,outside) 209...78 10.1.1.212 netmask 255.255.255.255
static (inside,outside) 209...79 10.1.1.135 netmask 255.255.255.255
static (inside,outside) 209...80 10.1.1.254 netmask 255.255.255.255
static (inside,outside) 209...82 10.1.1.170 netmask 255.255.255.255
static (inside,outside) 209...83 10.1.1.113 netmask 255.255.255.255
static (inside,outside) 209...84 10.1.1.193 netmask 255.255.255.255
static (inside,outside) 209...85 10.1.1.194 netmask 255.255.255.255
static (inside,outside) 209...86 10.1.1.201 netmask 255.255.255.255
static (inside,outside) 209...92 10.1.1.92 netmask 255.255.255.255

access-group OUTSIDE_ACCESS_IN in interface outside

route outside 0.0.0.0 0.0.0.0 209...65 1
route inside 158.96.1.194 255.255.255.255 10.1.1.224 1
route inside 158.96.3.195 255.255.255.255 10.1.1.224 1
route inside 158.96.133.131 255.255.255.255 10.1.1.224 1
route inside 158.96.133.143 255.255.255.255 10.1.1.224 1
route inside 158.96.172.71 255.255.255.255 10.1.1.224 1
route inside 169.3.32.205 255.255.255.255 10.1.1.224 1
route inside 169.3.32.206 255.255.255.255 10.1.1.224 1
route inside 169.3.92.175 255.255.255.255 10.1.1.224 1
route inside 172.17.1.0 255.255.255.0 10.1.1.5 1
route inside 172.18.1.0 255.255.255.0 10.1.1.5 1
route inside 192.3.69.0 255.255.255.0 10.1.1.224 1
route inside 192.168.101.0 255.255.255.0 10.1.1.25 1
route inside 192.168.104.0 255.255.255.0 10.1.1.25 1
route inside 192.168.105.0 255.255.255.0 10.1.1.25 1
route inside 192.168.106.0 255.255.255.0 10.1.1.25 1
route inside 192.168.107.0 255.255.255.0 10.1.1.25 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:755add5cb68fdf7151ab9fb1df0253f9
: end
0
 
cyberxela Author Commented:
By looking at your example, creating the access list permitting the 10.0.0.0 to the 192.3.69.0 will forward packets back and forth. Would that have to be the case for the rest of the subnets as well? Because it is an ASA thing that unless you specify what to permit it gets through, and then it would have to be NAT'd to the access-list; here is where I get confused.
0
 
egyptco Commented:
Yep, sure, you should add all your subnets which need to be excluded. It was only an example; you go and add all subnets you need.
0
 
cyberxela Author Commented:
OK, so after doing a test I am still not able to access anything. This is what the log recorded:

%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.193/1050 flags SYN ACK  on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.5.39/137 to inside:10.255.255.255/137
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.5.39/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.193/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.107.63/54976 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.168.107.63/54976 due to DNS Response
%ASA-3-710003: TCP access denied by ACL from 10.1.1.13/3618 to inside:10.1.1.1/80
%ASA-7-710005: TCP request discarded from 10.1.1.13/3618 to inside:10.1.1.1/80
%ASA-7-710005: UDP request discarded from 10.1.5.39/137 to inside:10.255.255.255/137
%ASA-7-710005: UDP request discarded from 10.1.1.121/137 to inside:10.255.255.255/137
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.193/1050 flags SYN ACK  on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.121/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.193/137 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.121/137 to inside:10.255.255.255/137
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-2-106006: Deny inbound UDP from 10.1.1.50/1045 to 192.3.69.240/161 on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.148/1026 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.3.69.148/1026 due to DNS Response
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.158 (type 0, code 0)
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.107.63/54976 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 192.168.107.63/54976 due to DNS Response
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.158 (type 0, code 0)
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.3.69.116/57205 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.168.104.65/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.1.133/137 to inside:10.255.255.255/137
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.193 (type 0, code 0)
%ASA-7-710005: UDP request discarded from 10.1.2.222/138 to inside:10.255.255.255/138
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.104.65/52131 due to DNS Response
%ASA-2-106007: Deny inbound UDP from 10.1.1.132/53 to 172.18.1.190/1027 due to DNS Response
%ASA-2-106006: Deny inbound UDP from 10.1.1.132/137 to 192.3.69.158/137 on interface inside
%ASA-7-710005: UDP request discarded from 10.1.1.132/137 to inside:10.255.255.255/137
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.158/3536 flags SYN ACK  on interface inside
%ASA-3-106014: Deny inbound icmp src inside:10.1.1.133 dst inside:192.3.69.193 (type 0, code 0)
%ASA-6-110001: No route to 202.12.27.33 from 10.1.1.132
%ASA-2-106001: Inbound TCP connection denied from 10.1.1.133/445 to 192.3.69.193/1050 flags SYN ACK  on interface inside
%ASA-2-106007: Deny inbound UDP from 10.1.1.133/53 to 192.168.104.65/50523 due to DNS Response
0
 
cyberxela Author Commented:
Alright, I will give it a try this morning again and I'll post back the results. I really appreciate all your help.
0
 
cyberxela Author Commented:
You know, they use this command in this example, but this is if you want to forward packets from DMZ1 to DMZ2. Now my question is: would this also apply if the packets that go in have to come back out through the same interface they went in? I guess I will know later on today when I run another test. Thanks though.
 http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
0
 
cyberxela Author Commented:
Thanks guys, and I am sorry for answering so late.
0