Solved

Cisco ASA 5510 config help needed

Posted on 2011-10-10
Last Modified: 2012-05-12
Trying to connect my ASA 5510 to a new internet provider. The provider gave us a cisco router that we can connect the ASA into.

We get a /27 LAN. I tried to scrub the config file to things that are necessary.

When I use a laptop the config works fine. When I input it into the ASA there's no internet access. I can ping the gateway, but nothing beyond.

Any help would be appreciated. Thank you.
: Saved
:
ASA Version 7.2(4) 
!

dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.65.1.1 255.255.0.0 
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address *.*.*.130 255.255.255.252 
!             
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CST recurring
dns server-group DefaultDNS
 domain-name ****.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service tcp_jupiter tcp
 port-object range 5800 5999
 port-object eq www
 port-object eq imap4
 port-object eq ldap
 port-object eq https
 port-object eq sip
 port-object eq talk
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any host www_out eq www 
access-list outside_access_in extended permit tcp any host www_out eq ssh 
access-list no-nat-inside extended permit ip 10.65.0.0 255.255.0.0 172.16.65.0 255.255.255.0 
access-list no-nat-inside extended permit ip 10.65.0.0 255.255.0.0 192.168.65.0 255.255.255.0 
access-list no-nat-inside extended permit ip host mercury_in host 198.179.147.37 
access-list vpn extended permit ip 10.65.0.0 255.255.0.0 172.16.65.0 255.255.255.0 
access-list vpn extended permit ip 192.168.65.0 255.255.255.0 172.16.65.0 255.255.255.0 
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip 10.65.0.0 255.255.0.0 any 
access-list inside_access_in extended permit ip 172.16.10.0 255.255.255.0 any 
pager lines 20
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz1 1500
mtu management 1500
mtu phone 1500
ip local pool vpnpool 172.16.65.1-172.16.65.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name gsp_info info action alarm
ip audit name gsp_attack attack action alarm drop reset
ip audit interface outside gsp_info
ip audit interface outside gsp_attack
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 140.239.60.67
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 172.16.10.0 255.255.255.0 tcp 20000 14000  udp 20000
nat (inside) 1 10.65.0.0 255.255.0.0 tcp 20000 14000  udp 20000
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 172.16.10.0 255.255.255.0 10.65.2.1 1
route outside 0.0.0.0 0.0.0.0 *.*.*.129 1
timeout xlate 3:00:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  3600
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 phone
ssh timeout 60
console timeout 0
management-access inside
ntp server 65.107.66.254 source outside prefer
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 10.65.1.5
 dns-server value 10.65.1.15 10.65.1.5
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec 
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock value gspvpn
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value *-vpn
 default-domain value ****.com
 split-dns value *****.com 
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value vpnpool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy gspvpn internal
group-policy gspvpn attributes
 vpn-idle-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gsp-vpn
tunnel-group 198.179.147.37 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group gspvpn
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns default_dns
 parameters
  message-length maximum 2048
policy-map global-policy
 class global-class
  inspect ctiqbe 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect ipsec-pass-thru 
  inspect dns default_dns 
  inspect netbios 
  inspect pptp 
  inspect tftp 
 class inspection_default
  inspect ftp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:

Question by:michaeltegler
4 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 36944496
At first glance, this is rather interesting:
global (outside) 1 140.239.60.67
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 172.16.10.0 255.255.255.0 tcp 20000 14000  udp 20000
nat (inside) 1 10.65.0.0 255.255.0.0 tcp 20000 14000  udp 20000

Try changing that to:

global (outside) 1 interface
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 172.16.10.0 255.255.255.0
nat (inside) 1 10.65.0.0 255.255.0.0

Then give a 'clear xlate' and see what happens.
LVL 17

Expert Comment

by:Jimmy Larsson, CISSP, CEH
ID: 36944552
Also, if you got a /27, why are you using a netmask of 255.255.255.252 (/30)?

/Kvistofta
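The two expert comments above point at the same class of mistake: a `global (outside)` PAT address that does not belong to the outside interface's subnet (so the provider's router never routes replies back), and an interface mask that does not match the allocation the provider actually handed out. The following config check is an added example written for this thread, not code from the asker or the experts; it assumes the scrubbed outside address was something like 203.0.113.130/30 (a TEST-NET-3 placeholder) and parses only the ASA 7.x `interface` / `nameif` / `ip address` / `global` lines seen in the posted config.

```python
import ipaddress
import re

# Constructed sample mirroring the question's ASA 7.2(4) config; the scrubbed
# outside address is replaced with a TEST-NET-3 placeholder (203.0.113.130/30).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 10.65.1.1 255.255.0.0
!
interface Ethernet0/1
 nameif outside
 ip address 203.0.113.130 255.255.255.252
!
global (outside) 1 140.239.60.67
nat (inside) 1 10.65.0.0 255.255.0.0
"""

def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (ASA 7.x 'ip address A.B.C.D MASK')."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name, addr = None, None  # new interface block
        elif m := re.match(r"\s+nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        if name is not None and addr is not None:
            ifaces[name] = addr
    return ifaces

def check_globals(config):
    """Return (ifname, pool id, addr) for every 'global' PAT address that is not
    the 'interface' keyword and lies outside that interface's own subnet."""
    ifaces = parse_interfaces(config)
    bad = []
    for m in re.finditer(r"^global \((\S+)\) (\d+) (\S+)", config, re.M):
        ifname, pool_id, addr = m.groups()
        if addr == "interface":
            continue
        iface = ifaces.get(ifname)
        if iface is None or ipaddress.IPv4Address(addr) not in iface.network:
            bad.append((ifname, int(pool_id), addr))
    return bad

def prefix_mismatch(config, ifname, expected_prefixlen):
    """True when the configured mask differs from the provider's allocation."""
    iface = parse_interfaces(config).get(ifname)
    return iface is not None and iface.network.prefixlen != expected_prefixlen
```

Running `check_globals` on the sample flags the stale 140.239.60.67 pool that the accepted answer replaced with `interface`, and `prefix_mismatch(SAMPLE_CONFIG, "outside", 27)` reports the /30-versus-/27 discrepancy raised in the second comment.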
Author Closing Comment

by:michaeltegler
ID: 36944622
Thank you very much. That did it.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36944629
Glad to be of service ;)
Thx for the points.