Solved

Cisco ASA 5505 Configuration Issue

Posted on 2016-09-27
8
98 Views
Last Modified: 2016-09-27
So I was trying to clean up my Cisco ASA 5505 configuration, removing some old services that are no longer in place.  Like a dummy, I didn't save the configuration before making changes.  Now, none of my static routing is working.

Here is some of my configuration:

name 192.168.10.49 WEB

object-group service WEB
 service-object tcp eq www
 service-object tcp eq https

access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit object-group WEB any host xxx.xxx.xxx.235

static (inside,outside) xxx.xxx.xxx.235 WEB netmask 255.255.255.255

I am not able to ping the webserver nor can I access the website.  Internally the site works fine, so I know it's the firewall.

Ideas of what I screwed up?

Thanks in advance.
0
Comment
Question by:Railroad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 14

Expert Comment

by:SIM50
ID: 41817865
What do your logs say?
Can you run the packet tracer? If your ASA image is 8.3+ use 192.168.10.49, if 8.2-, use public IP.
packet-tracer input outside tcp 8.8.8.8 48000 192.168.10.49 80 detailed
0
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 250 total points
ID: 41817892
i assume you 'write mem'ed?  so you can't just restore from saved config and then try again?

one command I don't see is the access-group entry to apply the outside_access_in acl to the outside interface
0
 

Author Comment

by:Railroad
ID: 41817907
ASA Version 8.2(5)
ASDM Version 6.2(5)53

Here are the live logs of an attempt to access the website and ping the machine.

2      Sep 27 2016      09:38:21      106001      74.65.28.112      44641      xxx.xxx.xxx.235      80      Inbound TCP connection denied from 74.65.28.112/44641 to xxx.xxx.xxx.235/80 flags SYN  on interface outside

3      Sep 27 2016      09:40:25      106014      74.65.28.112            xxx.xxx.xxx.235            Deny inbound icmp src outside:74.65.28.112 dst inside:xxx.xxx.xxx.235 (type 8, code 0)
0
Retailers - Is your network secure?

With the prevalence of social media & networking tools, for retailers, reputation is critical. Have you considered the impact your network security could have in your customer's experience? Learn more in our Retail Security Resource Kit Today!

 

Author Comment

by:Railroad
ID: 41817913
Yeah I write mem'd the configure so I simply can't reload.

I may have simply missed copying the command you mentioned.  Can you give me an example, so I can look in my config for it.

Just as a note it looks like non of my services are functioning, Can't ping any of my external static IP's or access the associated services.
0
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 250 total points
ID: 41817915
Per Cyclops, can you do the following:
sh run | i access-group
0
 

Author Comment

by:Railroad
ID: 41817922
Running... sh run | i access-group

Returns nothing

Sigh, guess I removed a command accidentally.  What do I need to do to restore it?
0
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 250 total points
ID: 41817926
access-group outside_access_in  in interface outside

outside is the ifname of your interface. make sure it is spelled exactly as in the config.
0
 

Author Comment

by:Railroad
ID: 41817931
I got it:

access-group outside_access_in in interface outside

Thanks for help!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question