Solved

ASA 5510 Access Rule Help

Posted on 2010-09-01
652 Views
Last Modified: 2012-05-10
Hey Guys,

Just trying to configure a new ASA 5510. However, I'm having problems with the access rules.

The device is able to ping the gateway fine. Hosts on 192.168.2.0/24 network are unable to access external hosts through the WAN Interface.

I have added the access-lists that I thought would work fine; however, that doesn't seem to be the case.

Attached is the code:

interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 88.xx.xx.xx 255.255.255.240
!
interface Ethernet0/1
 nameif LAN
 security-level 0
 ip address 192.168.2.199 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 20.0.0.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup LAN
dns server-group DefaultDNS
 name-server 192.168.2.7
 name-server 192.168.1.3
 name-server 192.168.6.3
 domain-name jmj.com
object network London_LAN
 subnet 192.168.2.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit tcp any interface WAN eq www
access-list LAN_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list WAN_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list WAN_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source dynamic London_LAN interface
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 88.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 LAN
http 192.168.1.0 255.255.255.0 LAN
http 192.168.6.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 LAN
telnet 192.168.2.0 255.255.255.0 LAN
telnet 192.168.6.0 255.255.255.0 LAN
telnet timeout 15
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source WAN
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context


Question by:supportemea
7 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 200 total points
ID: 33578554
Hi,
You missed the global:

global (WAN) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33578562
and this line is not needed:

no nat (LAN,WAN) source dynamic London_LAN interface

clear xlate
 
LVL 2

Author Comment

by:supportemea
ID: 33578925
Thanks Ikalmar,

Remember that this is an ASA 5510, it's not a PIX... from my limited knowledge these are not in IOS 8.3.

 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 100 total points
ID: 33579612
Can you try like below?


object network Local-Lan
 subnet 192.168.2.0 255.255.255.0
 nat (LAN,WAN) dynamic interface

policy-map global_policy
 class inspection_default
  inspect icmp
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33579614
Also delete the line below:

nat (LAN,WAN) source dynamic London_LAN interface
 
LVL 4

Assisted Solution

by:mpickreign
mpickreign earned 200 total points
ID: 33581641
Actually there are quite a few things here I would suggest changing for the sake of security, for instance an access-list for IP ANY ANY is typically a bad idea. This should be handled by setting the security levels on the interfaces. LAN should be set to 100, DMZ to 50, and WAN to 0. This will allow traffic from LAN to go to either WAN or DMZ without access-lists, DMZ will talk to WAN, but not LAN.

The reason your access lists are not working is that you have no static statements to handle the PAT/NAT of the traffic. For instance, say 192.168.2.100 is your web server. You would need the following static statement to tell the ASA where to send the traffic that you permitted with the access-list.

static (inside,outside) tcp interface 80 192.168.2.100 80 netmask 255.255.255.255
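The advice in this thread pulled together as one corrected 8.3 configuration. This is an added example, not the poster's config or any expert's, and it serves three parts of the thread: the original config (all three interfaces at security-level 0), anoopkmr's object NAT and ICMP inspection, and mpickreign's security levels and inbound static. It takes the interface names and addresses from the question; the web server 192.168.2.100 is mpickreign's hypothetical, the packet-tracer endpoints 192.168.2.10 and 203.0.113.10 are constructed test addresses, and 88.xx.xx.xx is left redacted as in the post. The caveat nobody in the thread spells out: with every interface at security-level 0, the ASA drops traffic between them no matter what the interface ACLs permit, because same-security inter-interface traffic is denied unless `same-security-traffic permit inter-interface` is configured. Raising the levels is what actually opens the LAN to WAN path, which is why the any/any ACLs never helped.

```cisco
! Added example (not from the original post). ASA 8.3 syntax, interface
! names and addresses from the question. Assumed: 192.168.2.100 is the
! internal web server; 192.168.2.10 and 203.0.113.10 are test hosts.

! 1. Security levels. Higher-to-lower traffic is permitted by default, so
!    LAN (100) reaches DMZ (50) and WAN (0), DMZ reaches WAN only, and
!    nothing from WAN gets in without an ACL plus a NAT rule. WAN stays at 0.
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.2.199 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 20.0.0.254 255.255.255.0
!
! 2. Drop the any/any ACLs; the security levels now carry that policy.
no access-group LAN_access_in in interface LAN
no access-group DMZ_access_in in interface DMZ
clear configure access-list LAN_access_in
clear configure access-list DMZ_access_in
clear configure access-list inside_access_in
clear configure access-list WAN_access_in
!
! 3. Outbound PAT. The manual-NAT line already in the config is valid 8.3
!    syntax; keep it (or anoopkmr's object form, but not both).
object network London_LAN
 subnet 192.168.2.0 255.255.255.0
nat (LAN,WAN) source dynamic London_LAN interface
!
! 4. Inbound web server: 8.3 object NAT replaces the pre-8.3
!    'static (inside,outside) tcp interface 80 ...' form.
object network WEB_SERVER_REAL
 host 192.168.2.100
 nat (LAN,WAN) static interface service tcp 80 80
!
! 5. Since 8.3 an interface ACL matches the REAL (untranslated) address,
!    so the rule names the server, not the WAN interface and not 'any'.
access-list WAN_access_in extended permit tcp any host 192.168.2.100 eq www
access-group WAN_access_in in interface WAN
!
! 6. Inspect ICMP so echo replies return statefully; the WAN ACL then
!    needs no standing 'permit icmp any any echo-reply' hole.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 7. Management plane: telnet is cleartext, so allow SSH only, from the
!    directly connected LAN subnet. SSH needs an RSA key and a local user.
no telnet 192.168.1.0 255.255.255.0 LAN
no telnet 192.168.2.0 255.255.255.0 LAN
no telnet 192.168.6.0 255.255.255.0 LAN
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
ssh 192.168.2.0 255.255.255.0 LAN
ssh version 2
!
! 8. NAT changes only apply to new translations.
clear xlate
!
! 9. Verify from the CLI before touching hosts. packet-tracer walks the
!    same path a real packet takes and names the phase that drops it.
packet-tracer input LAN tcp 192.168.2.10 40000 203.0.113.10 80
packet-tracer input WAN tcp 203.0.113.10 40000 88.xx.xx.xx 80
show nat detail
show xlate
```

If the levels genuinely have to stay equal (for instance two interfaces that must both be 100), the only alternative is `same-security-traffic permit inter-interface`, and then the interface ACLs become the whole policy, so they should be tight rather than any/any. The second packet-tracer targets the WAN interface address (88.xx.xx.xx as redacted in the post); a successful trace shows the NAT phase rewriting the destination to 192.168.2.100 before the ACL phase matches the real address.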
 
LVL 2

Author Comment

by:supportemea
ID: 33584407
Thanks very much guys... both these worked brilliantly
