Cisco ASA 5505 Firewall Not Allowing Incoming Traffic (Solved)

Posted on 2012-03-16, last modified 2012-03-17
Hello,
I am wondering if there is a very friendly Cisco guru out there who can help me out. I am trying to switch out a Cisco PIX 501 firewall with a Cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www

Question by: craigbtg

11 Comments
Expert Comment by Ernie Beek (ID: 37732407)
Try changing this line
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255
to this
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255

Author Comment by craigbtg (ID: 37732646)
Thanks, will give that a try.

Expert Comment by Rafael (ID: 37732683)
Are you doing it all via CLI or using the 5505's ASDM GUI tool and then using the Wizard?

Author Comment by craigbtg (ID: 37732773)
I am using CLI. The above suggestion did not work. Gave this response:

Result of the command: "static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255"

static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
                                       ^
ERROR: % Invalid Hostname


I re-ran the script and see a couple more errors as well.  These are the ones that came up:

Result of the command: "ip address outside xxx.xxx.xxx.94 255.255.255.224"

ip address outside xxx.xxx.xxx.94 255.255.255.224
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ip address inside 192.168.1.1 255.255.255.0"

ip address inside 192.168.1.1 255.255.255.0
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
   ^
ERROR: % Invalid input detected at '^' marker.


In trying a few more things eventually I got a message that reads:

ERROR: The apply and outbound commands have been deprecated,
      and as such, they have been superseded by the 'access-list'
      command.
INFO: A tool, Outbound Conduit Converter (OCC) is available in CCO
      to help you to convert from outbound commands to access-lists.


Have some of the commands I am trying to run been replaced with something else?

Expert Comment by Ernie Beek (ID: 37732796)
You're missing a part here:
static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
should be:
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255

You did do a conf t first to get you in to the right mode?

Could you show us the script you're using?

Author Comment by craigbtg (ID: 37732812)
Thanks, will give that a try.

Not sure what conf t is... I go to the CLI in ASDM and cut and paste each of the lines in the script. So basically I restore factory defaults first, open ASDM and go straight to the CLI. I do not make any other changes other than the lines sent through the script in my original post.

Expert Comment by Ernie Beek (ID: 37732823)
Ok, could you show us a (sanitized) version of what you are pasting?
It looks like that was specifically designed for the PIX and there are some differences between a PIX and an ASA :)

Author Comment by craigbtg (ID: 37732919)
Aaah, this stuff is going to drive me to drink. As a test I restored the firewall to defaults, but before running the script I ran the 5505 Startup Wizard. Once that was completed I then ran the original script. Still got some of the errors mentioned, but now everything is working. Looks like the commands are fine. There is something extra that I probably need in the script that the Startup Wizard is adding.

Thank you very much for your help!  I'm glad I only need to touch these things every once in a while.
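The "something extra" the Startup Wizard supplies is the per-interface setup: on an ASA, ip address is an interface sub-command rather than a global one, which is why those two lines of the PIX script are rejected. The fragment below is an ASA 5505 rendering of the original script, added here as an illustration and not taken from the thread; it assumes the pre-8.3 NAT syntax (global/nat/static), since those commands were accepted on this unit, and the factory-default VLAN layout (Vlan1 inside, Vlan2 outside on Ethernet0/0).

```cisco
! Added example: ASA 5505 (pre-8.3) equivalent of the PIX 501 script from the question.
! Assumes the factory-default VLAN layout; public addresses are masked as in the original.
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.94 255.255.255.224
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! Inbound policy on the outside interface: only ICMP replies/errors and HTTP to the published host.
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host xxx.xxx.xxx.95 eq www
access-group 100 in interface outside
!
! Outbound NAT/PAT for the inside network; one nat line for the inside subnet is enough,
! the script's three overlapping nat lines collapse to this.
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Static PAT for the web server: the protocol keyword is mandatory when ports are given,
! otherwise the ASA parses "80" as a hostname ("ERROR: % Invalid Hostname").
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
!
! Default route. The "outside 0.0.0.0 ... DHCP static" line in the script is assumed to be
! pasted "show route" output rather than a command, so it has no counterpart here.
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1
```

On ASA 8.3 and later the global/nat/static commands were replaced by object-based NAT, so the NAT section would need rewriting there; the interface and access-list parts apply unchanged.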
Accepted Solution by Ernie Beek (earned 500 total points, ID: 37732942)
And otherwise we are here ;)

So can we (I) help you with that something extra?

Author Closing Comment by craigbtg (ID: 37732999)
No thanks, I'm happy as long as it works :)

Thanks again

Expert Comment by Ernie Beek (ID: 37733214)
No problem, otherwise you know where to find us :)
Thx for the points.