Solved

Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

Posted on 2012-03-16
Last Modified: 2012-03-17
Hello,
I am wondering if there is a very friendly Cisco guru out there who can help me out. I am trying to switch out a Cisco PIX 501 firewall with a Cisco ASA 5505 firewall. I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one. Unfortunately, my script is not working with the 5505. Can someone please let me know what I am doing wrong with the following script? I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults. I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.

access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
ip address outside xxx.xxx.xxx.94 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
global (outside) 1 xxx.xxx.xxx.95
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0 0 xxx.xxx.xxx.93
access-group 100 in interface outside
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
Question by:craigbtg

11 Comments

Expert Comment

by:Ernie Beek
ID: 37732407
Try changing this line
static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255
to this
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255

Author Comment

by:craigbtg
ID: 37732646
Thanks, will give that a try.

Expert Comment

by:Rafael
ID: 37732683
Are you doing it all via CLI or using the 5505's ASDM GUI tool and then using the Wizard?

Author Comment

by:craigbtg
ID: 37732773
I am using CLI.  The above suggestion did not work.  Gave this response:

Result of the command: "static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255"

static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
                                       ^

ERROR: % Invalid Hostname


I re-ran the script and see a couple more errors as well.  These are the ones that came up:

Result of the command: "ip address outside xxx.xxx.xxx.94 255.255.255.224"

ip address outside xxx.xxx.xxx.94 255.255.255.224
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "ip address inside 192.168.1.1 255.255.255.0"

ip address inside 192.168.1.1 255.255.255.0
    ^
ERROR: % Invalid input detected at '^' marker.


Result of the command: "outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static"

outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
   ^
ERROR: % Invalid input detected at '^' marker.


In trying a few more things eventually I got a message that reads:

ERROR: The apply and outbound commands have been deprecated,
      and as such, they have been superseded by the 'access-list'
      command.
INFO: A tool, Outbound Conduit Converter (OCC) is available in CCO
      to help you to convert from outbound commands to access-lists.


Have some of the commands I am trying to run been replaced with something else?

Expert Comment

by:Ernie Beek
ID: 37732796
You're missing a part here:
static (inside,outside) xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255
should be:
static (inside,outside) tcp xxx.xxx.xxx.95 80 192.168.1.95 80 netmask 255.255.255.255

You did do a conf t first to get you into the right mode?

Could you show us the script you're using?

Author Comment

by:craigbtg
ID: 37732812
Thanks, will give that a try.

Not sure what conf t is... I go to the CLI in ASDM and cut and paste each of the lines in the script. So basically I restore factory defaults first, open ASDM and go straight to the CLI. I do not make any other changes other than the lines sent through the script in my original post.

Expert Comment

by:Ernie Beek
ID: 37732823
Ok, could you show us a (sanitized) version of what you are pasting?
It looks like that was specifically designed for the PIX and there are some differences between a PIX and an ASA :)

Author Comment

by:craigbtg
ID: 37732919
Aaah, this stuff is going to drive me to drink.  As a test I restored the firewall to defaults, but before running the script I ran the 5505 Startup Wizard.  Once that was completed I then ran the original script.  Still got some of the errors mentioned, but now everything is working.  Looks like the commands are fine.  There is something extra that I probably need in the script that the Startup Wizard is adding.

Thank you very much for your help!  I'm glad I only need to touch these things every once in a while.

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 37732942
And otherwise we are here ;)

So can we (I) help you with that something extra?

Author Closing Comment

by:craigbtg
ID: 37732999
No thanks, I'm happy as long as it works :)

Thanks again

Expert Comment

by:Ernie Beek
ID: 37733214
No problem, otherwise you know where to find us :)
Thx for the points.
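As an added example (not the asker's script and not anything the experts posted), the same policy rewritten in ASA 8.2-style syntax, which is what the errors in the thread point to: interface addresses go under the interface instead of `ip address outside ...`, the `outside 0.0.0.0 ...` line (which reads like pasted `show route` output rather than a command) is dropped, and the static carries the `tcp` keyword so only TCP/80 is forwarded to the web server instead of every port. It assumes the 5505 factory defaults (Vlan1 = inside, Vlan2 = outside), the masked xxx.xxx.xxx addresses from the question, and the pre-8.3 nat/global/static model the original script uses; on ASA 8.3 and later the NAT lines would need the object NAT syntax instead.

```cisco
! Added example, not from the thread: the PIX 6.x script translated to ASA 8.2 syntax.
! Assumes 5505 factory defaults (Vlan1 = inside, Vlan2 = outside) and pre-8.3 NAT.
configure terminal
!
! 'ip address outside ...' is rejected on the ASA: addresses are set under the interface.
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.94 255.255.255.224
 no shutdown
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! Default route (replaces the pasted 'outside 0.0.0.0 ... DHCP static' line).
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1
!
! Outbound NAT for the inside network (pre-8.3 model, same as the original script).
! One pool is enough; .95 is reserved for the static below.
global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
nat (inside) 1 192.168.1.0 255.255.255.0
!
! Port-specific static: only TCP/80 on .95 is mapped to the web server.
static (inside,outside) tcp xxx.xxx.xxx.95 www 192.168.1.95 www netmask 255.255.255.255
!
! Inbound policy on the outside interface: the web server plus ICMP replies only.
access-list outside_in extended permit tcp any host xxx.xxx.xxx.95 eq www
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any unreachable
access-group outside_in in interface outside
!
write memory
```

The `configure terminal` at the top is the `conf t` Ernie asked about; the remaining lines are pasted in order after it.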