Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Posted on 2012-03-16
11
Medium Priority
?
648 Views
Last Modified: 2012-03-17
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded  

access-list 100 permit icmp any any unreachable

ip address outside xxx.xxx.xxx.94 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116

global (outside) 1 xxx.xxx.xxx.95

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0 0 xxx.xxx.xxx.93

access-group 100 in interface outside

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static

static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
0
Comment
Question by:craigbtg
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732407
Try changing this line
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255
to this
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
0
 

Author Comment

by:craigbtg
ID: 37732646
Thanks, will give that a try.
0
 
LVL 10

Expert Comment

by:Rafael
ID: 37732683
Are you doing it all via CLI or using the 5505's ADSM GUI Tool and then using the Wizard ?
0
Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

 

Author Comment

by:craigbtg
ID: 37732773
I am using CLI.  The above suggestion did not work.  Gave this response:

Result of the command: "static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255"

static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.2                                       ^55

ERROR: % Invalid Hostname


I re-ran the script and see a couple more errors as well.  These are the ones that came up:

Result of the command: "ip address outside xxx.xxx.xxx.94 255.255.255.224"

ip address outside xxx.xxx.xxx.94 255.255.255.224
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ip address inside 192.168.1.1 255.255.255.0"

ip address inside 192.168.1.1 255.255.255.0
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
   ^
ERROR: % Invalid input detected at '^' marker.


In trying a few more things eventually I got a message that reads:

ERROR: The apply and outbound commands have been deprecated,
      and as such, they have been superseded by the 'access-list'
      command.
INFO: A tool, Outbound Conduit Converter (OCC) is available in CCO
      to help you to convert from outbound commands to access-lists.


Have some of the commands I am trying to run been replaced with something else?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732796
You're missing a part here:
static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
should be:
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255

You did do a conf t first to get you in to the right mode?

Could you show us the script you're using?
0
 

Author Comment

by:craigbtg
ID: 37732812
Thanks, will give that a try.

Not sure what conf t is...I go to the CLI in ASDM and cut and paste each of the lines in the script.  So basically I restore factory defaults first, open ASDM and go straight to the CLI.  Do not make any other changes other than the lines sent through the script in my original post.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732823
Ok, could you show us a (sanitized) version of what you are pasting?
It looks like that was specifically designed for the PIX and there are some differences between a PIX and an ASA :)
0
 

Author Comment

by:craigbtg
ID: 37732919
Aaah, this stuff is going to drive me to drink.  As a test I restored the firewall to defaults, but before running the script I ran the 5505 Startup Wizard.  Once that was completed I then ran the original script.  Still got some of the errors mentioned, but now everything is working.  Looks like the commands are fine.  There is something extra that I probably need in the script that the Startup Wizard is adding.

Thank you very much for your help!  I'm glad I only need to touch these things every once in a while.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 37732942
And otherwise we are here ;)

So can we (I) help you with that something extra?
0
 

Author Closing Comment

by:craigbtg
ID: 37732999
No thanks, I'm happy as long as it works :)

Thanks again
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37733214
No problem, otherwise you know where to find us :)
Thx for the points.
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A 2007 NCSA Cyber Security survey revealed that a mere 4% of the population has a full understanding of firewalls. As business owner, you should be part of that 4% that has a full understanding.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question