Solved

Cisco ASA 5505 Version 8.3(1)

Posted on 2011-02-14
Last Modified: 2012-05-11
Hi Experts!

I have an ASA that is working like a charm with all of its NAT rules in place; however, all clients that are behind the ASA are unable to browse the internet, with the exception of the server with its NAT rules.  

This new method of natting has me perplexed to say the least :)  

Help!  

thanks a bunch


: Saved
:
ASA Version 8.3(1) 
!
hostname HATCH-ASA
domain-name xxxxxxxxxxxx
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group DSL
 ip address pppoe setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.3
 name-server 4.2.2.2
 domain-name thehatchgroup.local
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network OWA 
 host 192.168.1.3
object network inside-network 
 subnet 192.0.0.0 255.255.255.0
object network Hatch-One-Email 
 host 192.168.1.3
object network Hatch-One-OWA 
 host 192.168.1.3
object network Hatch-One-RDP 
 host 192.168.1.3
object network Hatch-One-Web 
 host 192.168.1.3
object network OWA-6001 
 host 192.168.1.3
object network OWA-6002 
 host 192.168.1.3
object network OWA-6003 
 host 192.168.1.3
object network OWA-6004 
 host 192.168.1.3
object network OWA-HTTPS 
 host 192.168.1.3
object network Hatch-PPTP 
 host 192.168.1.3
object network Hatch-One-HTTPS 
 host 192.168.1.3
object-group service DM_INLINE_TCP_4 tcp
 port-object eq ftp
 port-object eq www
 port-object eq https
 port-object eq 3389
object-group service DM_INLINE_TCP_5 tcp
 port-object eq https
 port-object eq smtp
 port-object eq 3389
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 3389
 port-object eq ftp
object-group service DM_INLINE_TCP_7 tcp
 port-object eq 3101
 port-object eq 3389
object-group service DM_INLINE_UDP_2 udp
 port-object eq snmp
 port-object eq snmptrap
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service tcp_data tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group service tcp_udp_data tcp-udp
 port-object eq www
object-group service tcp_ica tcp
 port-object eq 2598
 port-object eq citrix-ica
access-list global_access extended permit ip any any 
access-list global_access extended permit icmp any any 
access-list global_access extended permit tcp any host xxx.xxx.xxx.xxx range 6001 6004 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any object-group DM_INLINE_UDP_2 
access-list acl_in_out extended permit tcp any any eq www 
access-list acl_in_out extended permit tcp any any eq https 
access-list acl_in_out extended permit tcp any any eq domain 
access-list acl_in_out extended permit tcp any any eq smtp 
access-list outside_access_in_1 extended permit ip any any 
access-list inbound extended permit icmp any any 
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq www 
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq smtp 
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq https 
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq pptp 
access-list inbound extended permit tcp any host xxx.xxx.xxx.xxx eq 3389 
access-list inbound extended permit ip any any 
pager lines 24
logging enable
logging monitor informational
logging asdm informational
logging mail informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Hatch-One-Email
 nat (inside,outside) static interface service tcp smtp smtp 
object network Hatch-One-RDP
 nat (inside,outside) static interface service tcp 3389 3389 
object network Hatch-One-Web
 nat (inside,outside) static interface service tcp www www 
object network OWA-6001
 nat (inside,outside) static interface service tcp 6001 6001 
object network OWA-6002
 nat (inside,outside) static interface service tcp 6002 6002 
object network OWA-6003
 nat (inside,outside) static interface service tcp 6003 6003 
object network OWA-6004
 nat (inside,outside) static interface service tcp 6004 6004 
object network Hatch-PPTP
 nat (inside,outside) static interface service tcp pptp pptp 
object network Hatch-One-HTTPS
 nat (inside,outside) static interface service tcp https https 
access-group inside_access_in in interface inside
access-group inbound in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
console timeout 0
vpdn group DSL request dialout pppoe
vpdn group DSL localname hatch621@sbcglobal.net
vpdn group DSL ppp authentication pap
vpdn username hatch621@sbcglobal.net password ***** store-local
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 4.2.2.2 4.2.2.3 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username xxxxxx password xxxxxxxxxxxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
hpm topN enable
Cryptochecksum:dea981717c80xx53ae2cce61xxf088d92112
: end
no asdm history enable

Question by:johnkesoglou
 
LVL 79

Expert Comment

by:lrmoore
Enable icmp inspect so you can try to ping the dns servers from an inside host

policy-map global_policy
 class inspection_default
  inspect icmp

 
 

Author Comment

by:johnkesoglou
Hi lrmoore

thanks for responding to my question

I added the global commands and see no change. From the server located at 192.168.1.3 I am able to browse the internet; however, all of the other clients that are behind this ASA are unable to get out. (Sorry if this sounds like I am repeating myself.)
 

Author Comment

by:johnkesoglou
I did a show version for your viewing pleasure :)

Is this correct? A 10 limit on hosts?
HATCH-ASA# show ver

Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

HATCH-ASA up 2 days 12 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
 0: Int: Internal-Data0/0    : address is e05f.b948.3609, irq 11
 1: Ext: Ethernet0/0         : address is e05f.b948.3601, irq 255
 2: Ext: Ethernet0/1         : address is e05f.b948.3602, irq 255
 3: Ext: Ethernet0/2         : address is e05f.b948.3603, irq 255
 4: Ext: Ethernet0/3         : address is e05f.b948.3604, irq 255
 5: Ext: Ethernet0/4         : address is e05f.b948.3605, irq 255
 6: Ext: Ethernet0/5         : address is e05f.b948.3606, irq 255
 7: Ext: Ethernet0/6         : address is e05f.b948.3607, irq 255
 8: Ext: Ethernet0/7         : address is e05f.b948.3608, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8              perpetual
VLANs                          : 3              DMZ Restricted
Dual ISPs                      : Disabled       perpetual
VLAN Trunk Ports               : 0              perpetual
Inside Hosts                   : 10             perpetual
Failover                       : Disabled       perpetual
VPN-DES                        : Enabled        perpetual
VPN-3DES-AES                   : Enabled        perpetual
SSL VPN Peers                  : 2              perpetual
Total VPN Peers                : 10             perpetual
Shared License                 : Disabled       perpetual
AnyConnect for Mobile          : Disabled       perpetual
AnyConnect for Cisco VPN Phone : Disabled       perpetual
AnyConnect Essentials          : Disabled       perpetual
Advanced Endpoint Assessment   : Disabled       perpetual
UC Phone Proxy Sessions        : 2              perpetual
Total UC Proxy Sessions        : 2              perpetual
Botnet Traffic Filter          : Disabled       perpetual
Intercompany Media Engine      : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1452Z018
Running Permanent Activation Key: 0x3103cc7a 0x205b8342 0x5443a580 0x9ae8c4b8 0x
c4172d83
Configuration register is 0x1
Configuration last modified by enable_15 at 09:05:44.275 PST Mon Feb 14 2011
HATCH-ASA#

 
LVL 79

Accepted Solution

by:
lrmoore earned 300 total points
This "should" allow it

object network obj_any
 nat (inside,outside) dynamic interface

I'm trying to get a copy of a working config... back shortly
 
LVL 12

Expert Comment

by:Pugglewuggle
One other thing that you must keep in mind is that the ASA tracks inside MAC addresses and once that number exceeds 10 you will begin to see dropped traffic and messages in the event log that say the maximum number of user licenses has been exceeded. This is because your license only allows for 10 inside hosts as is shown in the sh ver output.

If the license is being exceeded you will need to purchase a license upgrade. The unlimited inside hosts license isn't too bad, it's like $300 USD.

You should be aware of this as well as it can lead to dropped traffic and other initially inexplicable errors, especially if you have virtualized servers or workstations using VMware or an equivalent.

Cheers!
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 300 total points
object network NETWORK_OBJ_192.168.15.0
 subnet 192.168.15.0 255.255.255.0

nat (inside,outside) after-auto source dynamic NETWORK_OBJ_192.168.15.0 interface

This is from a working ASA 8.3.

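To make the ASA 8.3 "new method of natting" from this thread concrete, here is an added Python model (not code from the thread or from Cisco) of how the three NAT sections are ordered and walked for an outbound inside-to-outside flow. It loads the object NAT statements from the posted config plus an after-auto rule in the style lrmoore posted, assuming the asker's 192.168.1.0/24 inside subnet; the ordering rules are Cisco's documented Section 2 order, simplified to source address and real port only.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str      # object name (Section 2) or a label for a manual rule
    section: int   # 1 = manual before-auto, 2 = object (auto) NAT, 3 = after-auto
    real: str      # real (inside) source network in CIDR form
    kind: str      # "static" or "dynamic"
    proto: Optional[str] = None  # service clause of a static rule, e.g. "tcp"
    port: Optional[int] = None   # real port named in that service clause

def section2_order(rules):
    """Cisco's documented Section 2 order: static before dynamic, then fewest
    real addresses first, then lowest real address, then object name."""
    return sorted((r for r in rules if r.section == 2),
                  key=lambda r: (r.kind != "static",
                                 ip_network(r.real).num_addresses,
                                 ip_network(r.real).network_address, r.name))

def ordered(rules):
    """Full NAT table walk order: Section 1, then Section 2, then Section 3."""
    return ([r for r in rules if r.section == 1] + section2_order(rules)
            + [r for r in rules if r.section == 3])

def match(rules, src, proto, sport):
    """Return the name of the first rule an inside->outside flow hits, or None.
    A static rule with a service clause only matches that real port."""
    for r in ordered(rules):
        if ip_address(src) not in ip_network(r.real):
            continue
        if r.proto and (proto != r.proto or sport != r.port):
            continue
        return r.name
    return None

# Constructed from the NAT statements in the posted config (Section 2), plus an
# after-auto rule like lrmoore's, renamed for the asker's 192.168.1.0/24 subnet
# (assumption made for this example).
RULES = [Rule("obj_any", 2, "0.0.0.0/0", "dynamic")]
RULES += [Rule(f"Hatch-One-{n}", 2, "192.168.1.3/32", "static", "tcp", p)
          for n, p in (("Email", 25), ("RDP", 3389), ("Web", 80), ("HTTPS", 443))]
RULES.append(Rule("NETWORK_OBJ_192.168.1.0", 3, "192.168.1.0/24", "dynamic"))

if __name__ == "__main__":
    print([r.name for r in ordered(RULES)])
    for src, sport in (("192.168.1.100", 51000), ("192.168.1.3", 25), ("192.168.1.3", 51000)):
        print(src, sport, "->", match(RULES, src, "tcp", sport))
```

With obj_any already present in Section 2, a client at 192.168.1.100 hits that dynamic rule and never reaches the Section 3 after-auto rule, which only matters for flows nothing in Section 2 matched.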

 

Author Comment

by:johnkesoglou
Thanks guys, I'll give this a shot!

Also, I have never run into an ASA with restricted DHCP licensing on the inside.

Hasn't it always been based on the number of SSL, site-to-site VPNs, and client VPNs?

John
 
LVL 12

Expert Comment

by:Pugglewuggle
That is the case on all ASA platforms, except on the 5505 you also have an inside user license to watch out for. All ASAs other than the 5505 are unlimited inside, and of course you can buy the unlimited 5505 license.

Cheers!
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 300 total points
Yes, the 5505 is different. Your license only gives you 10 inside hosts.
This is from your show version posted earlier:

Inside Hosts                   : 10             perpetual

 

Author Comment

by:johnkesoglou
lrmoore, puggle,

Thank you for your responses - much appreciated.

If I get a 5510, will I still run into the same DHCP issue, or is the device unlimited?

thanks again
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 200 total points
It's not DHCP related; the firewall actually 'counts' the number of computers and blocks traffic once the limit is exceeded. It is correct that a 5510 will not have this problem.

Cheers!
 

Author Closing Comment

by:johnkesoglou
Thank you for the prompt responses.