Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Posted on 2012-03-16
11
Medium Priority
?
655 Views
Last Modified: 2012-03-17
Hello,
I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.

access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any time-exceeded  

access-list 100 permit icmp any any unreachable

ip address outside xxx.xxx.xxx.94 255.255.255.224

ip address inside 192.168.1.1 255.255.255.0

global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116

global (outside) 1 xxx.xxx.xxx.95

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0 0 xxx.xxx.xxx.93

access-group 100 in interface outside

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static

static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0

access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
0
Comment
Question by:craigbtg
  • 5
  • 5
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732407
Try changing this line
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255
to this
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
0
 

Author Comment

by:craigbtg
ID: 37732646
Thanks, will give that a try.
0
 
LVL 10

Expert Comment

by:Rafael
ID: 37732683
Are you doing it all via CLI or using the 5505's ADSM GUI Tool and then using the Wizard ?
0
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

 

Author Comment

by:craigbtg
ID: 37732773
I am using CLI.  The above suggestion did not work.  Gave this response:

Result of the command: "static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255"

static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.2                                       ^55

ERROR: % Invalid Hostname


I re-ran the script and see a couple more errors as well.  These are the ones that came up:

Result of the command: "ip address outside xxx.xxx.xxx.94 255.255.255.224"

ip address outside xxx.xxx.xxx.94 255.255.255.224
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ip address inside 192.168.1.1 255.255.255.0"

ip address inside 192.168.1.1 255.255.255.0
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
   ^
ERROR: % Invalid input detected at '^' marker.


In trying a few more things eventually I got a message that reads:

ERROR: The apply and outbound commands have been deprecated,
      and as such, they have been superseded by the 'access-list'
      command.
INFO: A tool, Outbound Conduit Converter (OCC) is available in CCO
      to help you to convert from outbound commands to access-lists.


Have some of the commands I am trying to run been replaced with something else?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732796
You're missing a part here:
static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
should be:
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255

You did do a conf t first to get you in to the right mode?

Could you show us the script you're using?
0
 

Author Comment

by:craigbtg
ID: 37732812
Thanks, will give that a try.

Not sure what conf t is...I go to the CLI in ASDM and cut and paste each of the lines in the script.  So basically I restore factory defaults first, open ASDM and go straight to the CLI.  Do not make any other changes other than the lines sent through the script in my original post.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37732823
Ok, could you show us a (sanitized) version of what you are pasting?
It looks like that was specifically designed for the PIX and there are some differences between a PIX and an ASA :)
0
 

Author Comment

by:craigbtg
ID: 37732919
Aaah, this stuff is going to drive me to drink.  As a test I restored the firewall to defaults, but before running the script I ran the 5505 Startup Wizard.  Once that was completed I then ran the original script.  Still got some of the errors mentioned, but now everything is working.  Looks like the commands are fine.  There is something extra that I probably need in the script that the Startup Wizard is adding.

Thank you very much for your help!  I'm glad I only need to touch these things every once in a while.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 37732942
And otherwise we are here ;)

So can we (I) help you with that something extra?
0
 

Author Closing Comment

by:craigbtg
ID: 37732999
No thanks, I'm happy as long as it works :)

Thanks again
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37733214
No problem, otherwise you know where to find us :)
Thx for the points.
0

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
This article explains the fundamentals of industrial networking which ultimately is the backbone network which is providing communications for process devices like robots and other not so interesting stuff.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month15 days, 16 hours left to enroll

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question