  • help cisco asa 5505

    Hi,

    I have an ASA 5505 firewall, configured with "inside" 81.192.120.6 and "outside" 10.31.213.42. I have enabled NAT rules and the corresponding access list. The gateway of 10.31.213.41 is 10.31.213.41, another firewall.

    The system works well, but after approximately 4 hours the "inside" network goes down, i.e. from any host on 81.192.120.0 I cannot see the firewall at 81.192.120.6, and from the firewall console on "inside" I cannot see any host on 81.192.120.0, yet I can see any host that is beyond 10.31.213.42. When I ping 81.192.120.6 from the console, it also answers me.

    If I move the 81.192.120.0 network to another interface of the ASA 5505 it starts working again until, after a further 4 hours, I have to turn the firewall off and on.

    The truth is that I don't know what is happening, and I need help urgently.

    Configuration ASA:

    ASA Version 7.2(4)
    !
    hostname CCFW01
    domain-name nombre.domain
    names
    name 81.192.120.46 HOST1 description SERVWEBFTP
    name 81.192.120.64 HOST2 description FLOTAS
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 81.192.120.6 255.255.0.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.31.213.42 255.255.0.0
    !
    interface Vlan4
    nameif gestion
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    interface Ethernet0/0
    switchport access vlan 4
    !
    interface Ethernet0/1
    switchport access vlan 2
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    switchport access vlan 4
    shutdown
    !
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
    domain-name nombre.domain
    object-group icmp-type ICMPGRUPO
    description icmpgrupo
    icmp-object alternate-address
    icmp-object conversion-error
    icmp-object echo
    icmp-object echo-reply
    icmp-object information-reply
    icmp-object information-request
    icmp-object mask-reply
    icmp-object mask-request
    icmp-object mobile-redirect
    icmp-object parameter-problem
    icmp-object redirect
    icmp-object router-advertisement
    icmp-object router-solicitation
    icmp-object source-quench
    icmp-object time-exceeded
    icmp-object timestamp-reply
    icmp-object timestamp-request
    icmp-object traceroute
    icmp-object unreachable
    object-group service TCP_1 tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq sqlnet
    port-object eq www
    port-object eq 445
    port-object eq exec
    port-object eq 137
    port-object eq 150
    port-object eq netbios-ssn
    port-object eq sunrpc
    port-object eq 3389
    port-object eq ssh
    port-object eq telnet
    object-group service TCL_2 tcp
    port-object eq 8050
    port-object eq telnet
    object-group service UDP_1 udp
    port-object eq 389
    port-object eq 445
    port-object eq 139
    port-object eq 150
    port-object eq netbios-ns
    port-object eq sunrpc
    port-object eq 3389
    access-list outside_access_in extended permit tcp any any object-group TCP_1
    access-list outside_access_in extended permit tcp any any object-group TCL_2
    access-list outside_access_in extended permit udp any any object-group UDP_1
    access-list outside_access_in extended permit icmp any any object-group ICMPGRUPO
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu gestion 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    no failover
    monitor-interface inside
    monitor-interface outside
    monitor-interface gestion
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 HOST1 255.255.255.255
    static (inside,outside) tcp interface ftp HOST1 ftp netmask 255.255.255.255
    static (inside,outside) tcp interface www HOST1 www netmask 255.255.255.255
    static (inside,outside) tcp interface 8050 HOST2 8050 netmask 255.255.255.255
    static (inside,outside) tcp interface ftp-data HOST1 ftp-data netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.31.213.41 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 81.192.120.66 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 gestion
    http 81.191.120.66 255.255.255.255 inside
    http 81.191.120.18 255.255.255.255 inside
    snmp-server host inside 81.192.120.153 community public version 2c
    snmp-server location Sala ROOM
    snmp-server contact contact vst
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps remote-access session-threshold-exceeded
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:f70ec3de0c4bb8db9b56d76c66c627a6

  • #2
    Re: help cisco asa 5505

    You are using quite an unusual addressing scheme.
    Also, I don't see any port which is using VLAN1.

    Further, why are you using such a setup? The normal way, I'd believe, is to use:
    Interface ethernet 0/1.1 ... so using subinterfaces.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"
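As an added example (not code from the thread or from Cisco), a small Python audit of the config posted above: it maps the 5505 switchports to their VLANs (a port with no explicit `switchport access vlan` sits in VLAN 1, the 5505 default, which the running config does not display) and pulls out the settings a reviewer would question, such as the `public` SNMP community, the `permit ip any any` inside ACL, the HTTP server and the `arp timeout` expressed in hours. The embedded config excerpt is trimmed from the OP's post.

```python
import re

# Excerpt of the ASA 7.2(4) running config posted above, trimmed to the lines the checks use.
ASA_CONFIG = """\
interface Vlan1
interface Ethernet0/0
switchport access vlan 4
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
shutdown
access-list inside_access_in extended permit ip any any
arp timeout 14400
snmp-server community public
http server enable
"""

def switchport_vlans(config):
    """Map each Ethernet switchport to its access VLAN. A port with no explicit
    'switchport access vlan' sits in VLAN 1 (ASA 5505 default); shut ports are dropped."""
    vlans, port = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Ethernet\S+)", line)
        if m:
            port = m.group(1)
            vlans[port] = 1
        elif line.startswith("interface "):
            port = None  # a Vlan interface, not a switchport
        elif port and line.startswith("switchport access vlan"):
            vlans[port] = int(line.split()[-1])
        elif port and line.strip() == "shutdown":
            vlans.pop(port, None)
    return vlans

def audit(config):
    """Pull out the settings a reviewer would question in this config."""
    arp = re.search(r"^arp timeout (\d+)$", config, re.M)
    return {
        "snmp_public": bool(re.search(r"^snmp-server community public$", config, re.M)),
        "inside_permit_any": bool(re.search(
            r"^access-list inside_access_in .*permit ip any any$", config, re.M)),
        "http_server": bool(re.search(r"^http server enable$", config, re.M)),
        "arp_timeout_hours": int(arp.group(1)) / 3600 if arp else None,
        "vlan1_ports": sorted(p for p, v in switchport_vlans(config).items() if v == 1),
    }
```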

    • #3
      Re: help cisco asa 5505

      I'll try to do the subinterfaces

      thanks
