• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 659
  • Last Modified:

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded  

access-list 100 permit icmp any any unreachable

ip address outside xxx.xxx.xxx.94 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116

global (outside) 1 xxx.xxx.xxx.95

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0 0 xxx.xxx.xxx.93

access-group 100 in interface outside

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static

static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
0
craigbtg
Asked:
craigbtg
  • 5
  • 5
1 Solution
 
Ernie BeekExpertCommented:
Try changing this line
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255
to this
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
0
 
craigbtgAuthor Commented:
Thanks, will give that a try.
0
 
RafaelCommented:
Are you doing it all via CLI or using the 5505's ADSM GUI Tool and then using the Wizard ?
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
craigbtgAuthor Commented:
I am using CLI.  The above suggestion did not work.  Gave this response:

Result of the command: "static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255"

static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.2                                       ^55

ERROR: % Invalid Hostname


I re-ran the script and see a couple more errors as well.  These are the ones that came up:

Result of the command: "ip address outside xxx.xxx.xxx.94 255.255.255.224"

ip address outside xxx.xxx.xxx.94 255.255.255.224
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ip address inside 192.168.1.1 255.255.255.0"

ip address inside 192.168.1.1 255.255.255.0
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
   ^
ERROR: % Invalid input detected at '^' marker.


In trying a few more things eventually I got a message that reads:

ERROR: The apply and outbound commands have been deprecated,
      and as such, they have been superseded by the 'access-list'
      command.
INFO: A tool, Outbound Conduit Converter (OCC) is available in CCO
      to help you to convert from outbound commands to access-lists.


Have some of the commands I am trying to run been replaced with something else?
0
 
Ernie BeekExpertCommented:
You're missing a part here:
static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
should be:
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255

You did do a conf t first to get you in to the right mode?

Could you show us the script you're using?
0
 
craigbtgAuthor Commented:
Thanks, will give that a try.

Not sure what conf t is...I go to the CLI in ASDM and cut and paste each of the lines in the script.  So basically I restore factory defaults first, open ASDM and go straight to the CLI.  Do not make any other changes other than the lines sent through the script in my original post.
0
 
Ernie BeekExpertCommented:
Ok, could you show us a (sanitized) version of what you are pasting?
It looks like that was specifically designed for the PIX and there are some differences between a PIX and an ASA :)
0
 
craigbtgAuthor Commented:
Aaah, this stuff is going to drive me to drink.  As a test I restored the firewall to defaults, but before running the script I ran the 5505 Startup Wizard.  Once that was completed I then ran the original script.  Still got some of the errors mentioned, but now everything is working.  Looks like the commands are fine.  There is something extra that I probably need in the script that the Startup Wizard is adding.

Thank you very much for your help!  I'm glad I only need to touch these things every once in a while.
0
 
Ernie BeekExpertCommented:
And otherwise we are here ;)

So can we (I) help you with that something extra?
0
 
craigbtgAuthor Commented:
No thanks, I'm happy as long as it works :)

Thanks again
0
 
Ernie BeekExpertCommented:
No problem, otherwise you know where to find us :)
Thx for the points.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Windows 7 Basic

This introductory course to Windows 7 environment will teach you about working with the Windows operating system. You will learn about basic functions including start menu; the desktop; managing files, folders, and libraries.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now