Railroad
asked on
Cisco ASA 5505 Configuration Issue
So I was trying to clean up my Cisco ASA 5505 configuration, removing some old services that are no longer in place. Like a dummy, I didn't save the configuration before making changes. Now, none of my static routing is working.
Here is some of my configuration:
name 192.168.10.49 WEB
object-group service WEB
service-object tcp eq www
service-object tcp eq https
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit object-group WEB any host xxx.xxx.xxx.235
static (inside,outside) xxx.xxx.xxx.235 WEB netmask 255.255.255.255
I am not able to ping the webserver nor can I access the website. Internally the site works fine, so I know it's the firewall.
Ideas of what I screwed up?
Thanks in advance.
Here is some of my configuration:
name 192.168.10.49 WEB
object-group service WEB
service-object tcp eq www
service-object tcp eq https
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit object-group WEB any host xxx.xxx.xxx.235
static (inside,outside) xxx.xxx.xxx.235 WEB netmask 255.255.255.255
I am not able to ping the webserver nor can I access the website. Internally the site works fine, so I know it's the firewall.
Ideas of what I screwed up?
Thanks in advance.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
ASA Version 8.2(5)
ASDM Version 6.2(5)53
Here are the live logs of an attempt to access the website and ping the machine.
2 Sep 27 2016 09:38:21 106001 74.65.28.112 44641 xxx.xxx.xxx.235 80 Inbound TCP connection denied from 74.65.28.112/44641 to xxx.xxx.xxx.235/80 flags SYN on interface outside
3 Sep 27 2016 09:40:25 106014 74.65.28.112 xxx.xxx.xxx.235 Deny inbound icmp src outside:74.65.28.112 dst inside:xxx.xxx.xxx.235 (type 8, code 0)
ASDM Version 6.2(5)53
Here are the live logs of an attempt to access the website and ping the machine.
2 Sep 27 2016 09:38:21 106001 74.65.28.112 44641 xxx.xxx.xxx.235 80 Inbound TCP connection denied from 74.65.28.112/44641 to xxx.xxx.xxx.235/80 flags SYN on interface outside
3 Sep 27 2016 09:40:25 106014 74.65.28.112 xxx.xxx.xxx.235 Deny inbound icmp src outside:74.65.28.112 dst inside:xxx.xxx.xxx.235 (type 8, code 0)
ASKER
Yeah I write mem'd the configure so I simply can't reload.
I may have simply missed copying the command you mentioned. Can you give me an example, so I can look in my config for it.
Just as a note it looks like non of my services are functioning, Can't ping any of my external static IP's or access the associated services.
I may have simply missed copying the command you mentioned. Can you give me an example, so I can look in my config for it.
Just as a note it looks like non of my services are functioning, Can't ping any of my external static IP's or access the associated services.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Running... sh run | i access-group
Returns nothing
Sigh, guess I removed a command accidentally. What do I need to do to restore it?
Returns nothing
Sigh, guess I removed a command accidentally. What do I need to do to restore it?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I got it:
access-group outside_access_in in interface outside
Thanks for help!
access-group outside_access_in in interface outside
Thanks for help!
Can you run the packet tracer? If your ASA image is 8.3+ use 192.168.10.49, if 8.2-, use public IP.
packet-tracer input outside tcp 8.8.8.8 48000 192.168.10.49 80 detailed