Cisco ASA Config

techmiss asked:
Hi All,

I have a firewall problem with my Cisco ASA 5510 that I am trying to troubleshoot; it is all new kit, so I have the luxury of being able to do what I want on it without fear of knocking out any live systems.

On one side I have a Cisco 887 router that has access to the internet on IP 192.168.3.1
On the other side I have a Cisco ASA 5510 on IP 192.168.3.2

When I telnet onto the router I can ping the internet but not the inside network through the firewall. I think I have a problem with NAT; config is attached.

I can ping the internal network from the firewall OK... have I got it set up properly? I'm toying with the idea of wiping it and starting from scratch....
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Config?

;)

Author

Commented:
Doh.....

tg-asa-conf.txt
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
Since you do address translations with nat/global statements, you do an overload NAT (PAT, port address translation). That means that all sessions must be initiated from inside.

What you are trying to do is ping the outside IP of the firewall, and it has no idea whether, and to which, inside host to translate the ping.

In order to do an inbound ping from the internet you need to do a static translation. For example:
static (inside_TG,Outside_ADSL) 192.168.3.123 10.249.249.123
...which will allow you, from outside, to ping the outside IP 192.168.3.123 to reach the inside host 10.249.249.123.

Another approach (since you use a private IP on the outside interface) is to remove all nat/global statements and do no address translation at all in the firewall. But that requires that your outside router (and other routers involved, if needed) have routes for the 10.249.249.0/24 network pointing towards 192.168.3.2.

So my question back is: what do you want to achieve? Why do you need to ping the inside hosts from the outside network? And do you need/want the ASA to translate any addresses at all?

Best regards
Kvistofta
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Ok, let's see.

First: global (Inside_TG) 101 interface should be: global (Outside_ADSL) 101 interface (for inside to outside traffic).
Second: It's normal that you can't ping from the outside to a host on the inside; you don't want that (or do you?).
Third: Perhaps it's an idea to have the router in bridge mode so the ASA has the public IP(s) on its outside interface. Now you NAT on the router as well. That can give some issues sometimes.
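The two corrections above (Ernie's global statement bound to the wrong interface, and Kvistofta's static translation or, alternatively, no translation at all) shown together as one config fragment. This is an added example, not the poster's attached config or either expert's text. It uses the pre-8.3 ASA nat/global/static syntax that the thread quotes, the interface names inside_TG and Outside_ADSL, the NAT ID 101 and the 192.168.3.123 -> 10.249.249.123 translation from the comments; the nat statement, the ACL names Outside_ADSL_in and NONAT, and the inspect icmp line are assumptions, since the attached config is not shown.

```cisco
! Added example (pre-8.3 ASA syntax). Interface names, NAT ID 101 and the
! addresses come from the thread; ACL names and the nat statement are assumed.

! --- As posted: the global pool sits on the inside interface, so inside
! --- hosts are never translated towards Outside_ADSL and outbound traffic fails.
! global (Inside_TG) 101 interface

! --- Corrected: PAT everything behind inside_TG onto the outside interface address.
nat (inside_TG) 101 0.0.0.0 0.0.0.0
global (Outside_ADSL) 101 interface

! --- Option A (Kvistofta): one-to-one static so one inside host is reachable
! --- from the router side. The static alone is NOT enough: traffic entering
! --- the lower-security interface must also be permitted by an inbound ACL.
static (inside_TG,Outside_ADSL) 192.168.3.123 10.249.249.123 netmask 255.255.255.255
access-list Outside_ADSL_in extended permit icmp any host 192.168.3.123 echo
access-group Outside_ADSL_in in interface Outside_ADSL

! --- So that pings started from inside get their echo-replies back through
! --- the firewall (ICMP is not stateful unless inspected).
policy-map global_policy
 class inspection_default
  inspect icmp

! --- Option B (Kvistofta's alternative): no translation at all. Exempt the
! --- inside network from NAT; the 887 then needs a route for it, e.g. on IOS:
! ---   ip route 10.249.249.0 255.255.255.0 192.168.3.2
access-list NONAT extended permit ip 10.249.249.0 255.255.255.0 any
nat (inside_TG) 0 access-list NONAT
```

Options A and B are alternatives, not meant to coexist: with B in place the 10.249.249.0/24 hosts keep their real addresses on the router side, so the static in A is unnecessary and the inbound ACL would have to name 10.249.249.123 instead. Either way, test from the router with `ping 192.168.3.123` (A) or `ping 10.249.249.123` (B) and check hit counts with `show access-list` and translations with `show xlate` on the ASA.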
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Mmm, Kvistofta is still able to type much faster than I do :-~
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
:-)
Good point erniebeek, I didn't see the bad interface in the global statement!

/J
Ernie Beek, Senior infrastructure engineer
Top Expert 2012

Commented:
Combined Expert Powerrrrrrr!!

:-D

Author

Commented:
Lol, thanks for your replies. To answer some of the questions:

I don't really want to ping any inside addresses for any reason other than to test connectivity, but I see your point in the fact that this is normal.  However I can't ping the internet (8.8.8.8) from the Firewall when I can from the ASA.

As far as bridging goes, this seems like a good idea as I don't really want to do anything with the router other than pass traffic to the firewall; all NAT etc. will be done on the ASA. Is this easy to set up?

Because of these points would it be easier to bin this config and start over?

Cheers

K
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
"However I can't ping the internet (8.8.8.8) from the Firewall when I can from the ASA."
Can you ping internet from the ASA or not? :-)

I agree that you should avoid NAT in the router. If possible, get rid of the router entirely. But I guess it uses DSL or something? Otherwise, connect the ASA outside directly to internet and do all NAT in that instead.

Another approach, if you must use your router but want to protect your internal hosts, is to reconfigure the ASA to be in transparent mode. Then the router will route and the ASA will be a bridging device with filtering capabilities.

Best regards
Kvistofta

Author

Commented:
Hi Kvistofta, sorry for confusion.

I can ping the internet from the ASA OK now, yes.

You are correct in your assumption; the only reason I have this Cisco 887 is because it is an ADSL2 circuit and the ASA obviously does not have this capability.

Can I change the configuration of the 887 router so this works in bridged mode instead and the ASA holds the public address?

Thanks

K
Jimmy Larsson, CISSP, CEH, Network and Security consultant

Commented:
Yes, you can. But I don't know exactly how. Hopefully someone else here can help you with that.

/Kvistofta