help cisco asa 5505

  • help cisco asa 5505


    I have an ASA 5505 firewall configured with "inside" and "outside"; I have enabled NAT rules and the corresponding access lists. The gateway is another firewall.

    The system works well, but after approximately 4 hours the "inside" network goes down, i.e. from any host I cannot see the firewall, and from the firewall console I cannot see any "inside" host; yet I can still see hosts beyond it, and when I ping them from the console they answer.

    If I move the network to another ASA5505 interface it starts working again until a further 4 hours pass; then I have to turn the firewall off and on.

    The truth is that I don't know what is happening, and I need help urgently.

    ASA configuration:

    ASA Version 7.2(4)
    hostname CCFW01
    domain-name nombre.domain
    name HOST1 description SERVWEBFTP
    name HOST2 description FLOTAS
    interface Vlan1
     nameif inside
     security-level 100
     ip address
    interface Vlan2
     nameif outside
     security-level 0
     ip address
    interface Vlan4
     nameif gestion
     security-level 100
     ip address
    interface Ethernet0/0
     switchport access vlan 4
    interface Ethernet0/1
     switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
     switchport access vlan 4
    ftp mode passive
    clock timezone CEST 1
    clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    dns server-group DefaultDNS
     domain-name nombre.domain
    object-group icmp-type ICMPGRUPO
     description icmpgrupo
     icmp-object alternate-address
     icmp-object conversion-error
     icmp-object echo
     icmp-object echo-reply
     icmp-object information-reply
     icmp-object information-request
     icmp-object mask-reply
     icmp-object mask-request
     icmp-object mobile-redirect
     icmp-object parameter-problem
     icmp-object redirect
     icmp-object router-advertisement
     icmp-object router-solicitation
     icmp-object source-quench
     icmp-object time-exceeded
     icmp-object timestamp-reply
     icmp-object timestamp-request
     icmp-object traceroute
     icmp-object unreachable
    object-group service TCP_1 tcp
     port-object eq ftp
     port-object eq ftp-data
     port-object eq sqlnet
     port-object eq www
     port-object eq 445
     port-object eq exec
     port-object eq 137
     port-object eq 150
     port-object eq netbios-ssn
     port-object eq sunrpc
     port-object eq 3389
     port-object eq ssh
     port-object eq telnet
    object-group service TCL_2 tcp
     port-object eq 8050
     port-object eq telnet
    object-group service UDP_1 udp
     port-object eq 389
     port-object eq 445
     port-object eq 139
     port-object eq 150
     port-object eq netbios-ns
     port-object eq sunrpc
     port-object eq 3389
    access-list outside_access_in extended permit tcp any any object-group TCP_1
    access-list outside_access_in extended permit tcp any any object-group TCL_2
    access-list outside_access_in extended permit udp any any object-group UDP_1
    access-list outside_access_in extended permit icmp any any object-group ICMPGRUPO
    access-list inside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu gestion 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    no failover
    monitor-interface inside
    monitor-interface outside
    monitor-interface gestion
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 HOST1
    static (inside,outside) tcp interface ftp HOST1 ftp netmask
    static (inside,outside) tcp interface www HOST1 www netmask
    static (inside,outside) tcp interface 8050 HOST2 8050 netmask
    static (inside,outside) tcp interface ftp-data HOST1 ftp-data netmask
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http inside
    http gestion
    http inside
    http inside
    snmp-server host inside community public version 2c
    snmp-server location Sala ROOM
    snmp-server contact contact vst
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps remote-access session-threshold-exceeded
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context

  • #2
    Re: help cisco asa 5505

    You are using quite an unusual addressing scheme.
    Also I don't see any port which is using VLAN1.

    Further, why are you using such a setup? The normal way, I'd believe, is to use:
    interface ethernet 0/1.1.... so using subinterfaces.
    Technical Consultant

    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"
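    An added config-review script, written for this thread and not taken from it or from Cisco, that parses the flat dump posted in #1 exactly as it appears on the page and pulls out the points raised in the thread: which switch port sits in which VLAN (post #2's question about VLAN1), the ARP timeout converted to hours (the posted value is the same 4 hours after which post #1 says the inside network stops answering), and the outside ACL entries open to any source. It assumes the 5505 behaviour that a switch port with no switchport access vlan line belongs to VLAN 1 and that the running config does not print that default; the excerpt of the config below is constructed from the posted lines.

```python
# Constructed excerpt of the flat, unindented configuration posted above
# (the IP addresses were already missing there); only lines the checks need.
ASA_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
interface Vlan2
nameif outside
security-level 0
interface Ethernet0/0
switchport access vlan 4
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
access-list outside_access_in extended permit tcp any any object-group TCP_1
arp timeout 14400
"""

def parse_asa(text):
    """Group the flat dump by interface; keep ACL lines and the ARP timeout."""
    cfg = {"interfaces": {}, "arp_timeout": None, "acls": []}
    cur = {}
    for line in (l.strip() for l in text.splitlines()):
        words = line.split()
        if line.startswith("interface "):
            cur = cfg["interfaces"].setdefault(words[1], {})
        elif line.startswith(("nameif ", "security-level ")):
            cur[words[0]] = words[1]
        elif line.startswith("switchport access vlan "):
            cur["vlan"] = int(words[-1])
        elif line.startswith("arp timeout "):
            cfg["arp_timeout"] = int(words[2])
        elif line.startswith("access-list "):
            cfg["acls"].append(line)
    return cfg

def ports_by_vlan(cfg):
    """Map access VLAN -> switch ports. Assumption: a 5505 port with no 'switchport
    access vlan' line sits in VLAN 1 by default and the running config omits it."""
    out = {}
    for name, i in cfg["interfaces"].items():
        if name.startswith("Ethernet"):
            out.setdefault(i.get("vlan", 1), []).append(name)
    return out

def arp_timeout_hours(cfg):
    """14400 s is 4 h, the interval after which post #1 says inside stops answering."""
    return cfg["arp_timeout"] / 3600 if cfg["arp_timeout"] else None

def open_from_any(cfg):
    """Inbound (outside) ACL entries that permit any source to any destination."""
    return [a for a in cfg["acls"] if "outside_access_in" in a and " any any " in a]
```

Run it on the full dump from #1 to get the same three answers for the whole box; the VLAN map is the quickest way to confirm what post #2 saw.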


    • #3
      Re: help cisco asa 5505

      I'll try to do the subinterfaces