TOPIC: ASA5510 HELP

ASA5510 HELP 10 years 2 weeks ago #18235

HI EVERYONE,
I just picked up the ASA5510 and I can not seem to get it to access the outside from the inside. I can ping out from the outside port but can not from the inside port. Here is a copy of my config... I do have little experience with it so any help would be great... Thank you...

interface Ethernet0/0
nameif outside
security-level 0
ip address 216.191.78.115 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.99 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.3.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 192.168.3.2
access-list outside_access_out extended permit ip 192.168.1.0 255.255.255.0 216.191.78.0 255.255.255.0 inactive
access-list outside_access_out extended permit tcp any any inactive
access-list outside_access_out extended permit tcp host 192.168.3.2 any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm512-k8.bin
no asdm history enable
arp timeout 14400
nat (outside) 0 0.0.0.0 0.0.0.0 outside
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 216.191.78.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.3.2 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.3.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp

Re: ASA5510 HELP 10 years 2 weeks ago #18238

d_jabsd (Distinguished Member, Posts: 153, Karma: 0)
Your nat setup is wrong.

remove 'nat (outside) 0 0.0.0.0 0.0.0.0 outside'
--- you want to nat the inside interface

remove 'nat (inside) 0 0.0.0.0 0.0.0.0'
--- nat (inside) 0 means you don't want to nat traffic that matches this line
--- 0.0.0.0 0.0.0.0 matches everything

add 'nat (inside) 1 0.0.0.0 0.0.0.0'
--- you want to nat everything coming into the inside destined for the outside

add 'global (outside) 1 interface'
--- use the outside interface address as the nat address and apply it to everything defined by nat (inside) 1

Let us know how things turn out.
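As an added example (not from this thread or from Cisco), a small Python lint that applies the three rules from the reply above to a pre-8.3 ASA config: a nat statement on the outside interface, a catch-all nat ... 0 exemption, and a nat id with no matching global pool. The two config snippets are constructed from the lines posted in this thread; the ASA line formats are the pre-8.3 nat/global syntax.

```python
import re
from typing import List

# Constructed sample: the NAT-related lines from the first config posted in this thread.
BROKEN_CFG = """\
access-list outside_access_in extended permit ip any any
nat (outside) 0 0.0.0.0 0.0.0.0 outside
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
"""

# Constructed sample: the replacement pair suggested in the reply above.
FIXED_CFG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""

# pre-8.3 syntax: nat (<if>) <id> <net> <mask> [outside]  /  global (<if>) <id> <pool>
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)(?: (\S+))?$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")

def lint_nat(config: str) -> List[str]:
    """Return findings for the nat/global mistakes discussed in the thread."""
    findings: List[str] = []
    global_ids = set()
    dynamic_nat = []
    for line in config.splitlines():
        line = line.strip()
        g = GLOBAL_RE.match(line)
        if g:
            global_ids.add(int(g.group(2)))
            continue
        n = NAT_RE.match(line)
        if not n:
            continue  # not a nat statement; ignore ACLs, interfaces, etc.
        iface, nat_id, net, mask, _ = n.groups()
        nat_id = int(nat_id)
        if iface == "outside":
            findings.append(f"nat ({iface}): for inside-to-outside traffic the nat statement belongs on the inside interface")
        elif nat_id == 0 and (net, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(f"nat ({iface}) 0 0.0.0.0 0.0.0.0 exempts all traffic from NAT, so nothing gets translated")
        if nat_id > 0:
            dynamic_nat.append((iface, nat_id))
    # a nat id > 0 only translates when a global pool with the same id exists
    for iface, nat_id in dynamic_nat:
        if nat_id not in global_ids:
            findings.append(f"nat ({iface}) {nat_id} has no matching 'global (outside) {nat_id}'")
    return findings
```

Running `lint_nat(BROKEN_CFG)` reports both original nat lines, while `lint_nat(FIXED_CFG)` returns no findings.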

Re: ASA5510 HELP 9 years 11 months ago #19123

CJC (New Member, Posts: 2, Karma: 0)
I have been trying to get our ASA5510 up and running but to no avail so far. I have just found this posting and checked my config and made some adjustments but still cannot ping out and get no internet access either. Does anybody have any further thoughts? I have included my script below:

!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.100.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS

same-security-traffic permit inter-interface
access-list outside_access_in extended permit ip any any
access-list outside_access_out extended permit tcp any any inactive
access-list outside_access_out extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging trap informational
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
asdm image disk0:/asdm521-54.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.100.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 outside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context

The outside interface is connected to an ADSL router with ip address of 192.168.1.1

Regards

CJC

Re: ASA5510 HELP 9 years 11 months ago #19125

Smurf (Moderator, Posts: 1390, Karma: 1)
Hi there and welcome to the community.

I cannot spot anything obvious within the config.

Can you try adding the following lines;

[code:1]access-list allow_all extended permit ip any any
access-group allow_all in interface outside
access-group allow_all in interface inside
no access-group inside_access_out out interface inside
no access-group outside_access_out out interface outside[/code:1]

Now try pinging from the inside subnet to the ADSL router; I just wanted to turn off all the access lists to double-check the rest of the config.

Just to double-check, you have no further subnets inside the network? The only subnet on the inside network is the 192.168.0.0/24 subnet? The reason I am asking is that you are routing everything to the ADSL Router, therefore if you have further subnets inside then the ASA will send traffic to the ADSL Router.

Let us know how you get on.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: ASA5510 HELP 9 years 11 months ago #19163

CJC (New Member, Posts: 2, Karma: 0)
Thanks very much for your reply.

Upon checking things through again I found a faulty connection on one of the patch leads in use. So it now works.

Thanks again