Help me sort this configuration out, please.

Posted on 2011-09-08
Last Modified: 2012-05-12
Hi Experts,

I need help on cleaning up (if any) this configuration, and then configure it so that I can ping the gateway at and hopefully anything beyond the gateway.

@erniebeek and fmarshall - I cleaned this up a little, just to see if I can hit the gateway of that subnet first, and then do the site-to-site VPN configuration later.  If you have time, please take a look, and let me know if you have any questions.  Thanks.

ASA Version 8.2(1)18
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan12
 description EDF Network
 nameif EDF
 security-level 100
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 12
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-18-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host eq 5450
pager lines 24
logging enable
logging list All level informational
logging trap All
logging asdm informational
logging host outside
logging host outside
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu EDF 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (EDF,outside) netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
: end

Question by:swgit
LVL 25

Expert Comment

by:Fred Marshall
ID: 36507354
Well, I'm not going to do a good job of interpreting a config file.  You might boil it down and put it in English, diagrams, etc.

But, that said, if you want to ping 192.1658.135.1 then it looks like you have to be on VLAN2 in the first place.  That would work.
And, if I understand it, then this is a firewall with the LAN or trust side on subnet.
And, if that's right, then you want to be able to see through this box from VLAN2 to VLAN1.  Is that right?

Sheesh!! that's a heck of a complicated way to describe a simple NATting router ... if that's what this is.

If this is a router/firewall and you're comfortable setting it up then I'd do this:

Go back to factory defaults.
Confirm the LAN subnet is
Change the other side subnet from the default or blank to
Turn on NAT/Gateway mode if you must.
Turn on Router/No NAT mode if you must ... whichever one you need.
Then you may need connection policies between the two.

But at least a simple, functioning router/firewall should be easy to set up for just the basics.
I'm not too up on devices that use the term "VLAN" for the Internet/WAN/Untrust side of the box.  Maybe it's used but it seems weird to me and maybe dangerous.
In my mind a VLAN is a separated LAN (emphasis on L=LOCAL) and that's all.  Which is not to say that it's an internet connection or anything like that.  But maybe your device is different.
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36507396
Is there a device that is between this ASA and the Internet? Your outside interface is 131.254, yet your outside default route shows 135.1 with no static route to it? What gives?
Also as a side note, you have two or more interfaces with the same security level and yet no same-security traffic permit statement in place to allow even trusted traffic flow? Please, let us know.
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36507402
Correction typo from above * 135.254

LVL 35

Accepted Solution

Ernie Beek earned 500 total points
ID: 36508767
First of all I'm missing:
nat (EDF) 1

Second, let's permit icmp through:
access-list outside_access_in extended permit icmp any any

Third, let's add some inspection:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

This is the inspection map that should be there by default.
Let's see where that gets us.

And remember, as long as you don't commit the changes to memory (write mem) you can easily roll back by doing a reload.

Author Comment

ID: 36513097
@fmarshall - Thank you.  I wish I had the luxury to redo it from scratch.  I come from a sys admin background, and only know the very basics on the network side when it comes to routers/firewalls.  However, I'm tasked to get this working, so I just have to do it.

@The_Warlock - Yes, this ASA is inside an MPLS, and I eventually want to have VPN traffic go through it to a WAN link on, then, and then go outside to the Internet.  As to what is there on each interface, I will need help on how they can be secured, and such.  I'm still finding out and reading about those.

@erniebeek - Thanks much for your help.  That did the trick.  I do have a question though, related to your post.  What does the first line "nat (EDF) 1" do?  The second suggestion is to allow ping from any hosts to any destinations? And the third part, I'll read into it.  I appreciate your help, and letting me know what that first line is for.  Thanks.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36513694
To do NAT, there are two commands in place:
nat (interface) x range: this defines where you do the nat from, i.e. from what interface and from what range on that interface.
global (interface) x range/ip: this defines where you nat to, i.e. to what interface and to which ip/range (or the ip on the interface).

The second is to allow icmp back into the outside interface (this could be locked down a bit more); where it goes depends on what is allowed in the rest of the config.

For the third, happy reading :)
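
Added illustration of the two points above (the nat/global pairing from the accepted answer and the "could be locked down a bit more" remark about the ICMP line); this is not config from the thread. The addresses are placeholders, since the original post has them stripped: 10.10.12.0/24 for the EDF LAN and 203.0.113.10 for the public side of the existing static (EDF,outside).

```cisco
! --- 1. NAT: nat says which interface/range to translate FROM, global where to
!        translate TO.  Both carry the same id (1) so the ASA pairs them.
!        The global (outside) 1 interface line is already in the posted config;
!        the nat line is the one that was missing.  Placeholder subnet.
nat (EDF) 1 10.10.12.0 255.255.255.0
global (outside) 1 interface

! --- 2. ICMP: the line from the accepted answer, kept here only as a comment,
!        admits every ICMP type to anything published on the outside interface:
!   access-list outside_access_in extended permit icmp any any
!
!        Narrower form.  With "inspect icmp" in global_policy (added in the same
!        answer) the ASA tracks echo requests leaving EDF and lets the matching
!        echo-reply back statefully, so the inbound ACL only needs the ICMP error
!        types that path MTU discovery and traceroute rely on, and only towards
!        the one published address (placeholder) rather than "any".
access-list outside_access_in extended permit icmp any host 203.0.113.10 unreachable
access-list outside_access_in extended permit icmp any host 203.0.113.10 time-exceeded
!        Only if ICMP inspection is NOT running does echo-reply need an explicit entry:
!   access-list outside_access_in extended permit icmp any host 203.0.113.10 echo-reply
access-group outside_access_in in interface outside
```

As in the thread: test with ping before "write mem", so a reload rolls the box back if the narrower ACL turns out too tight.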

Author Closing Comment

ID: 36513809
Thanks. :)
LVL 35

Expert Comment

by:Ernie Beek
ID: 36513913
My pleasure :)
Thx for the points.

Question has a verified solution.