Link to home
Start Free TrialLog in
Avatar of michaeltegler
michaeltegler

asked on

Cisco ASA 5510 config help needed

Trying to connect my ASA 5510 to a new internet provider. The provider gave us a cisco router that we can connect the ASA into.

We get a /27 LAN. I tried to scrub the config file to things that are necessary.

When I use a laptop the config works find. When I input it into the ASA there's no internet access. I can ping the gateway, but nothing beyond.

Any help would be appreciated. Thank you.
: Saved
:
ASA Version 7.2(4) 
!

dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.65.1.1 255.255.0.0 
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address *.*.*.130 255.255.255.252 
!             
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CST recurring
dns server-group DefaultDNS
 domain-name ****.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service tcp_jupiter tcp
 port-object range 5800 5999
 port-object eq www
 port-object eq imap4
 port-object eq ldap
 port-object eq https
 port-object eq sip
 port-object eq talk
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any host www_out eq www 
access-list outside_access_in extended permit tcp any host www_out eq ssh 
access-list no-nat-inside extended permit ip 10.65.0.0 255.255.0.0 172.16.65.0 255.255.255.0 
access-list no-nat-inside extended permit ip 10.65.0.0 255.255.0.0 192.168.65.0 255.255.255.0 
access-list no-nat-inside extended permit ip host mercury_in host 198.179.147.37 
access-list vpn extended permit ip 10.65.0.0 255.255.0.0 172.16.65.0 255.255.255.0 
access-list vpn extended permit ip 192.168.65.0 255.255.255.0 172.16.65.0 255.255.255.0 
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 172.16.65.0 255.255.255.0 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip 10.65.0.0 255.255.0.0 any 
access-list inside_access_in extended permit ip 172.16.10.0 255.255.255.0 any 
pager lines 20
logging enable
logging asdm warnings
mtu inside 1500
mtu outside 1500
mtu dmz1 1500
mtu management 1500
mtu phone 1500
ip local pool vpnpool 172.16.65.1-172.16.65.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name gsp_info info action alarm
ip audit name gsp_attack attack action alarm drop reset
ip audit interface outside gsp_info
ip audit interface outside gsp_attack
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 140.239.60.67
nat (inside) 0 access-list no-nat-inside
nat (inside) 1 172.16.10.0 255.255.255.0 tcp 20000 14000  udp 20000
nat (inside) 1 10.65.0.0 255.255.0.0 tcp 20000 14000  udp 20000
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 172.16.10.0 255.255.255.0 10.65.2.1 1
route outside 0.0.0.0 0.0.0.0 *.*.*.129 1
timeout xlate 3:00:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  3600
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 phone
ssh timeout 60
console timeout 0
management-access inside
ntp server 65.107.66.254 source outside prefer
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 10.65.1.5
 dns-server value 10.65.1.15 10.65.1.5
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec 
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock value gspvpn
 pfs enable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value *-vpn
 default-domain value ****.com
 split-dns value *****.com 
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value vpnpool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy gspvpn internal
group-policy gspvpn attributes
 vpn-idle-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value gsp-vpn
tunnel-group 198.179.147.37 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group gspvpn
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns default_dns
 parameters
  message-length maximum 2048
policy-map global-policy
 class global-class
  inspect ctiqbe 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect http 
  inspect icmp 
  inspect icmp error 
  inspect ipsec-pass-thru 
  inspect dns default_dns 
  inspect netbios 
  inspect pptp 
  inspect tftp 
 class inspection_default
  inspect ftp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:

Open in new window

ASKER CERTIFIED SOLUTION
Avatar of Ernie Beek
Ernie Beek
Flag of Netherlands image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Jimmy Larsson, CISSP, CEH
Jimmy Larsson, CISSP, CEH
Flag of Sweden image
Also, if you got a /27, why are you using a netmask of 255.255.255.252 (/30)?

/Kvistofta
Avatar of michaeltegler
michaeltegler

ASKER

Thank you very much. That did it.
Avatar of Ernie Beek
Ernie Beek
Flag of Netherlands image
Glad to be of service ;)
Thx for the points.