Solved

ASA 5510 Access Rule Help

Posted on 2010-09-01
Last Modified: 2012-05-10
Hey Guys,

Just trying to configure a new ASA 5510. However, I'm having problems with the Access Rules.

The device is able to ping the gateway fine. Hosts on 192.168.2.0/24 network are unable to access external hosts through the WAN Interface.

I have added the access-lists that I thought would work fine; however, that doesn't seem to be the case.

Attached is the config:

interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 88.xx.xx.xx 255.255.255.240
!
interface Ethernet0/1
 nameif LAN
 security-level 0
 ip address 192.168.2.199 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 20.0.0.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup LAN
dns server-group DefaultDNS
 name-server 192.168.2.7
 name-server 192.168.1.3
 name-server 192.168.6.3
 domain-name jmj.com
object network London_LAN
 subnet 192.168.2.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit tcp any interface WAN eq www
access-list LAN_access_in extended permit tcp any any
access-list DMZ_access_in extended permit ip any any
access-list WAN_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list WAN_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any WAN
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (LAN,WAN) source dynamic London_LAN interface
access-group WAN_access_in in interface WAN
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
route WAN 0.0.0.0 0.0.0.0 88.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 LAN
http 192.168.1.0 255.255.255.0 LAN
http 192.168.6.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 LAN
telnet 192.168.2.0 255.255.255.0 LAN
telnet 192.168.6.0 255.255.255.0 LAN
telnet timeout 15
ssh timeout 15
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.43.244.18 source WAN
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

Question by:supportemea
7 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 800 total points
ID: 33578554
Hi,
you missed global:

global (WAN) 1 interface
nat (inside) 1 192.168.2.0 255.255.255.0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33578562
and this line is not needed:

no nat (LAN,WAN) source dynamic London_LAN interface

clear xlate
 
LVL 2

Author Comment

by:supportemea
ID: 33578925
Thanks Ikalmar,

Remember that this is an ASA 5510, it's not a PIX... from my limited knowledge these are not in IOS 8.3.
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 400 total points
ID: 33579612
Can you try like below:

object network Local-Lan
 subnet 192.168.2.0 255.255.255.0
 nat (LAN,WAN) dynamic interface

policy-map global_policy
 class inspection_default
  inspect icmp
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33579614
also delete the below line

nat (LAN,WAN) source dynamic London_LAN interface
 
LVL 4

Assisted Solution

by:mpickreign
mpickreign earned 800 total points
ID: 33581641
Actually, there are quite a few things here I would suggest changing for the sake of security; for instance, an access-list for IP ANY ANY is typically a bad idea. This should be handled by setting the security levels on the interfaces. LAN should be set to 100, DMZ to 50, and WAN to 0. This will allow traffic from LAN to go to either WAN or DMZ without access-lists; DMZ will talk to WAN, but not LAN.

The reason your access lists are not working is that you have no static statements to handle the PAT/NAT of the traffic. For instance, say 192.168.2.100 is your web server. You would need the following static statement to tell the ASA where to send the traffic that you permitted with the access-list.

static (inside,outside) tcp interface 80 192.168.2.100 80 netmask 255.255.255.255
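A consolidated fix for the posted config, added here as an example and not part of any of the answers above. With every interface at security-level 0, the ASA treats LAN-to-WAN as same-security traffic and drops it unless `same-security-traffic permit inter-interface` is configured; raising LAN to 100 and DMZ to 50, as suggested above, fixes that and removes the need for the `permit ip any any` lists bound to LAN and DMZ. The NAT is written in the 8.3 object form from the assisted solution, and the WAN list keeps only the ICMP reply types the original already allowed. Interface addresses and object names are the ones from the posted config; a published server would still need its own object NAT and a narrow WAN entry, which is left out because the question names none.

```text
! Security levels: higher-to-lower flows (LAN -> DMZ, LAN -> WAN, DMZ -> WAN)
! are permitted by the levels alone; lower-to-higher needs an explicit ACL.
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 88.xx.xx.xx 255.255.255.240
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.2.199 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 20.0.0.254 255.255.255.0
!
! 8.3 object NAT: PAT the LAN subnet behind the WAN interface address.
! This replaces the twice-NAT line "nat (LAN,WAN) source dynamic London_LAN interface".
no nat (LAN,WAN) source dynamic London_LAN interface
object network London_LAN
 subnet 192.168.2.0 255.255.255.0
 nat (LAN,WAN) dynamic interface
!
! Inbound from WAN: only the ICMP reply types already in the original config.
! Drop the "permit tcp any any eq www" line until a server is published with
! its own object NAT and a rule limited to that host and port.
clear configure access-list WAN_access_in
access-list WAN_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-group WAN_access_in in interface WAN
!
! Remove the "permit ip any any" lists from LAN and DMZ; the levels cover them.
no access-group LAN_access_in in interface LAN
no access-group DMZ_access_in in interface DMZ
clear configure access-list LAN_access_in
clear configure access-list DMZ_access_in
clear configure access-list inside_access_in
!
! Stateful ICMP inspection so echo replies return without a WAN ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
clear xlate
```

After applying this, `packet-tracer input LAN tcp 192.168.2.50 12345 8.8.8.8 80` on the ASA shows each phase (ACL, NAT, flow creation) and confirms the LAN-to-WAN path is allowed by the security levels and translated by the object NAT rather than by a blanket ACL.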
 
LVL 2

Author Comment

by:supportemea
ID: 33584407
Thanks very much guys... both these worked brilliantly