Help me sort this configuration out, please.

Posted on 2011-09-08
Medium Priority
Last Modified: 2012-05-12
Hi Experts,

I need help on cleaning up (if any) this configuration, and then configure it so that I can ping the gateway at and hopefully anything beyond the gateway.

@erniebeek and fmarshall - I cleaned this up a little, just to see if I can hit the gateway of that subnet first, and then do the site-to-site VPN configuration later.  If you have time, please take a look, and let me know if you have any questions.  Thanks.

ASA Version 8.2(1)18
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan12
 description EDF Network
 nameif EDF
 security-level 100
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 12
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa821-18-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host eq 5450
pager lines 24
logging enable
logging list All level informational
logging trap All
logging asdm informational
logging host outside
logging host outside
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu EDF 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (EDF,outside) netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
: end

Question by:swgit
LVL 27

Expert Comment

by:Fred Marshall
ID: 36507354
Well, I'm not going to do a good job of interpreting a config file.  You might boil it down and put it in English, diagrams, etc.

But, that said, if you want to ping 192.1658.135.1 then it looks like you have to be on VLAN2 in the first place.  That would work.
And, if I understand it then this is a firewall with LAN  or trust side on subnet.
And, if that's right, then you want to be able to see through this box from VLAN2 to VLAN1.  Is that right?

Sheesh!! that's a heck of a complicated way to describe a simple NATting router ... if that's what this is.

If this is a router/firewall and you're comfortable setting it up then I'd do this:

Go back to factory defaults.
Confirm the LAN subnet is
Change the other side subnet from the default or blank to
Turn on NAT/Gateway mode if you must.
Turn on Router/No NAT mode if you must. .... whichever one you need.
Then you may need connection policies between the two.

But at least a simple, functioning router/firewall should be easy to set up for just the basics.
I'm not too up on devices that use the term "VLAN" for the Internet/WAN/Untrust side of the box.  Maybe it's used but it seems weird to me and maybe dangerous.
In my mind a VLAN is a separated LAN (emphasis on L=LOCAL) and that's all.  Which is not to say that it's an internet connection or anything like that.  But maybe your device is different.
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36507396
Is there a device that is between this ASA and the Internet? Your outside interface is 131.254, yet your outside default route shows 135.1 with no static route to it? What gives?
Also as a side note, you have two or more interfaces with the same security level and yet no same-security traffic permit statement in place to allow even trusted traffic flow? Please, let us know.
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36507402
Correction to typo from above: *135.254

LVL 35

Accepted Solution

Ernie Beek earned 2000 total points
ID: 36508767
First of all I'm missing: nat (EDF) 1

Second, let's permit icmp through:

access-list outside_access_in extended permit icmp any any

Third, let's add some inspection:

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global

This is the inspection map that should be there by default.
Let's see where that gets us.

And remember, as long as you don't commit the changes to memory (write mem) you can easily roll back by doing a reload.

Author Comment

ID: 36513097
@fmarshall - Thank you.  I wish I had the luxury to redo it from scratch.  I come from a sys admin background, and only know the very basics on the network side when it comes to routers/firewalls.  However, I'm tasked to get this working, so I just have to do it.

@The_Warlock - Yes, this ASA is inside an MPLS, and I eventually want to have VPN traffic go through it to a WAN link on, then, and then go outside to the Internet.  As to what is there on each interface, I will need help on how they can be secured, and such.  I'm still finding out and reading about those.

@erniebeek - Thanks much for your help.  That did the trick.  I do have a question though, related to your post.  What does the first line "nat (EDF) 1" do?  The second suggestion is to allow ping from any hosts to any destinations? And the third part, I'll read into it.  I appreciate your help, and letting me know what that first line is for.  Thanks.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36513694
To do NAT, there are two commands in place:

nat (interface) x range - this defines where you do the NAT from: from what interface and from what range on that interface.
global (interface) x range/ip - this defines where you NAT to: to what interface and to which IP/range (or the IP on the interface).

The second is to allow icmp back in to the outside interface (this could be locked down a bit more), where it goes depends on what is allowed in the rest of the config.

For the third, happy reading :)
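The two gaps the experts raised (an interface with no `nat (iface) id` paired to the `global (outside) 1` pool, and interfaces sharing a security level with no `same-security-traffic permit inter-interface`) can be checked across a whole config before pasting it in. The audit script below is an added example, not from this thread or from Cisco; it assumes ASA 8.2-style nat/global pairing as shown above, ignores static translations, and runs against a constructed sample modelled on the question's config.

```python
import re

# Added audit example (not from the thread). Assumes 'nat (iface) id' must pair with a 'global (iface) id'; statics ignored.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")

# Constructed sample modelled on the question's config (addresses omitted; they are not needed here).
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan12
 nameif EDF
 security-level 100
global (outside) 1 interface
"""

def parse_asa(text):
    ifaces, cur, nat_ids, global_ifaces, global_ids, same_sec = {}, None, {}, set(), set(), False
    for line in text.splitlines():
        if line.startswith("interface "): cur = None        # new block; wait for its nameif
        elif line.startswith(" nameif "):
            cur = line.split()[1]
        elif line.startswith(" security-level ") and cur:
            ifaces[cur] = int(line.split()[1])
        elif m := NAT_RE.match(line):                        # nat (iface) id ...
            nat_ids[m.group(1)] = int(m.group(2))
        elif m := GLOBAL_RE.match(line):                     # global (iface) id ...
            global_ifaces.add(m.group(1)); global_ids.add(int(m.group(2)))
        elif line.startswith("same-security-traffic permit inter-interface"):
            same_sec = True
    return ifaces, nat_ids, global_ifaces, global_ids, same_sec

def audit(text):
    ifaces, nat_ids, global_ifaces, global_ids, same_sec = parse_asa(text)
    findings = []
    for name in sorted(ifaces):
        if name in global_ifaces: continue                  # egress side holds the global pool
        if name not in nat_ids: findings.append(f"missing 'nat ({name}) <id>' for global pool")
        elif nat_ids[name] not in global_ids: findings.append(f"nat ({name}) {nat_ids[name]} has no matching global")
    by_level = {}
    for name, level in ifaces.items(): by_level.setdefault(level, []).append(name)
    for level, names in sorted(by_level.items()):
        if len(names) > 1 and not same_sec:
            findings.append(f"{sorted(names)} share security-level {level} without same-security-traffic permit inter-interface")
    return findings
```

Running `audit(SAMPLE)` reports the missing nat statements for both inside and EDF (the thread only needed EDF) plus the shared security level; adding the nat lines and the same-security-traffic statement clears every finding.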

Author Closing Comment

ID: 36513809
Thanks. :)
LVL 35

Expert Comment

by:Ernie Beek
ID: 36513913
My pleasure :)
Thx for the points.
