• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 359
  • Last Modified:

Help me sort this configuration out, please.

Hi Experts,

I need help cleaning up this configuration (if any cleanup is needed), and then configuring it so that I can ping the gateway at and hopefully anything beyond the gateway.

@erniebeek and fmarshall - I cleaned this up a little, just to see if I can hit the gateway of that subnet first, and then do the site-to-site VPN configuration later.  If you have time, please take a look, and let me know if you have any questions.  Thanks.

ASA Version 8.2(1)18
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan12
 description EDF Network
 nameif EDF
 security-level 100
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 12
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-18-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host eq 5450
pager lines 24
logging enable
logging list All level informational
logging trap All
logging asdm informational
logging host outside
logging host outside
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu EDF 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (EDF,outside) netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
: end

1 Solution
Fred MarshallPrincipalCommented:
Well, I'm not going to do a good job of interpreting a config file.  You might boil it down and put it in English, diagrams, etc.

But, that said, If you want to ping 192.1658.135.1 then it looks like you have to be on VLAN2 in the first place.  That would work.
And, if I understand it then this is a firewall with LAN or trust side on subnet.
And, if that's right, then you want to be able to see through this box from VLAN2 to VLAN1.  Is that right?

Sheesh!! that's a heck of a complicated way to describe a simple NATting router ... if that's what this is.

If this is a router/firewall and you're comfortable setting it up then I'd do this:

Go back to factory defaults.
Confirm the LAN subnet is
Change the other side subnet from the default or blank to
Turn on NAT/Gateway mode if you must.
Turn on Router/No NAT mode if you must ... whichever one you need.
Then you may need connection policies between the two.

But at least a simple, functioning router/firewall should be easy to set up for just the basics.
I'm not too up on devices that use the term "VLAN" for the Internet/WAN/Untrust side of the box.  Maybe it's used but it seems weird to me and maybe dangerous.
In my mind a VLAN is a separated LAN (emphasis on L=LOCAL) and that's all.  Which is not to say that it's an internet connection or anything like that.  But maybe your device is different.
Robert Sutton JrSenior Network ManagerCommented:
Is there a device that is between this ASA and the Internet? Your outside interface is 131.254, yet your outside default route shows 135.1 with no static route to it? What gives?
Also as a side note, you have two or more interfaces with the same security level and yet no same-security traffic permit statement in place to allow even trusted traffic flow? Please, let us know.
Robert Sutton JrSenior Network ManagerCommented:
Correction, typo from above: 135.254

Ernie BeekExpertCommented:
First of all I'm missing: nat (EDF) 1

Second, let's permit icmp through:

access-list outside_access_in extended permit icmp any any

Third, let's add some inspection:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

This is the inspection map that should be there by default.
Let's see where that gets us.

And remember, as long as you don't commit the changes to memory (write mem) you can easily roll back by doing a reload.
swgitAuthor Commented:
@fmarshall - Thank you.  I wish I had the luxury to redo it from scratch.  I come from a sys admin background, and only know the very basics on the network side when it comes to routers/firewalls.  However, I'm tasked to get this to work, so I just have to do it.

@The_Warlock - Yes, this ASA is inside an MPLS, and I eventually want to have VPN traffic go through it to a WAN link on, then, and then go outside to the Internet.  As to what is on each interface, I will need help on how they can be secured, and such.  I'm still finding out and reading about those.

@erniebeek - Thanks much for your help.  That did the trick.  I do have a question though, related to your post.  What does the first line "nat (EDF) 1" do?  The second suggestion is to allow ping from any hosts to any destinations? And the third part, I'll read into it.  I appreciate your help, and thank you for letting me know what that first line is for.  Thanks.
Ernie BeekExpertCommented:
To do NAT, there are two commands in place:
Nat (interface) x range, this defines where you do the nat from: from what interface and from what range on that interface.
Global (interface) x range/ip, this defines where you nat to: to what interface and to which ip/range (or the ip on the interface).

The second is to allow icmp back in to the outside interface (this could be locked down a bit more), where it goes depends on what is allowed in the rest of the config.

For the third, happy reading :)
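The points raised in this thread (the missing nat statement for the global pool, two interfaces sharing security-level 100 with no same-security-traffic command, the breadth of permit icmp any any, and the absence of the default inspection policy) can be turned into a repeatable check. The following is an added example, not code from the thread or from Cisco: a small Python linter over ASA 8.2-style running-config text. The function names parse_asa and lint are my own, and SAMPLE_CONFIG is a constructed config modelled on the one posted above, with RFC 5737 documentation addresses standing in for the redacted ones. It also flags telnet (cleartext management) and http/ssh access open to 0.0.0.0 on a security-level 0 interface, which the posted config comes close to with its http outside line.

```python
# Added example (not the thread's or Cisco's code): a linter for ASA 8.2-style
# config text covering the points raised in this thread.  SAMPLE_CONFIG is
# constructed; its addresses are RFC 5737 documentation ranges, not the poster's.
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
interface Vlan12
 nameif EDF
 security-level 100
access-list outside_access_in extended permit tcp any host 198.51.100.10 eq 5450
access-list outside_access_in extended permit icmp any any
global (outside) 1 interface
http server enable
http 192.0.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
telnet 192.0.2.0 255.255.255.0 inside
"""


def parse_asa(text):
    """Pull out nameif -> security-level, global pools, nat sources, ACL entries,
    management-access lines and two presence flags from a running-config dump."""
    cfg = {"ifaces": {}, "global": {}, "nat": defaultdict(set), "acl": defaultdict(list),
           "mgmt": [], "service_policy": False, "same_sec": False}
    current = None  # interface block being read, if any
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = {"name": None, "sec": None}
            continue
        if not line.startswith(" "):
            current = None  # any other top-level command ends the interface block
        if current is not None:
            tok = line.split()
            if tok[0] == "nameif":
                current["name"] = tok[1]
            elif tok[0] == "security-level":
                current["sec"] = int(tok[1])
            if current["name"] and current["sec"] is not None:
                cfg["ifaces"][current["name"]] = current["sec"]
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global"][m.group(2)] = m.group(1)
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            cfg["nat"][m.group(2)].add(m.group(1))
        elif m := re.match(r"access-list (\S+) extended (\S+) (\S+) (.*)", line):
            cfg["acl"][m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"(telnet|ssh|http) (\S+) (\S+) (\S+)$", line):
            cfg["mgmt"].append(m.groups())
        elif line.startswith("service-policy "):
            cfg["service_policy"] = True
        elif line.startswith("same-security-traffic permit"):
            cfg["same_sec"] = True
    return cfg


def lint(cfg):
    """Return (severity, message) findings; an empty list means the config passes."""
    out = []
    # A global pool with no nat statement of the same id translates nothing.
    for pool_id, out_if in cfg["global"].items():
        if not cfg["nat"].get(pool_id):
            out.append(("error", f"global ({out_if}) {pool_id} has no matching nat statement"))
    # Interfaces at the same security level cannot pass traffic without this command.
    by_level = defaultdict(list)
    for name, sec in cfg["ifaces"].items():
        by_level[sec].append(name)
    for sec, names in by_level.items():
        if len(names) > 1 and not cfg["same_sec"]:
            out.append(("warn", f"{', '.join(sorted(names))} share security-level {sec} "
                                "without same-security-traffic permit inter-interface"))
    # Telnet is cleartext; anything open to 0.0.0.0 on a level-0 interface faces the untrusted side.
    for proto, addr, _mask, iface in cfg["mgmt"]:
        if proto == "telnet":
            out.append(("warn", f"telnet enabled on {iface}: cleartext management, use ssh"))
        if addr == "0.0.0.0" and cfg["ifaces"].get(iface) == 0:
            out.append(("error", f"{proto} management open to any source on {iface}"))
    # 'permit icmp any any' inbound is broader than echo-reply/unreachable need.
    for acl, entries in cfg["acl"].items():
        for action, proto, rest in entries:
            if action == "permit" and proto == "icmp" and rest.split() == ["any", "any"]:
                out.append(("warn", f"{acl}: permit icmp any any is unrestricted"))
    # Without a service-policy the default inspection set (dns, ftp, icmp, ...) is off.
    if not cfg["service_policy"]:
        out.append(("warn", "no service-policy applied: default inspection is missing"))
    return out


if __name__ == "__main__":
    for sev, msg in lint(parse_asa(SAMPLE_CONFIG)):
        print(f"[{sev}] {msg}")
```

Run it against a `show running-config` dump piped into SAMPLE_CONFIG's place and the findings read like the comments above: on the constructed sample it reports the missing nat statement and the http-from-anywhere-on-outside line as errors, and the shared security level, telnet, unrestricted ICMP and missing service-policy as warnings. Adding `nat (EDF) 1 0.0.0.0 0.0.0.0`, `same-security-traffic permit inter-interface`, the global_policy service-policy, narrowing the ICMP entry and replacing telnet with ssh brings the finding list to empty.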
swgitAuthor Commented:
Thanks. :)
Ernie BeekExpertCommented:
My pleasure :)
Thx for the points.

