CISCO ASA 5520 isn't working

  • CISCO ASA 5520 isn't working

    Hello all,

    Have a good day!!

    Before describing the problem, please have a brief look at my network diagram. I have an INSIDE (192.168.107.0/24) and a DMZ (192.168.109.0/24). My OUTSIDE interface (10.11.10.2) is directly connected to a Linux PC (10.11.10.1) which acts as a router.

    Its other interface, 192.168.108.1, is connected to another CISCO ASA 5520 (192.168.108.2), and this firewall is connected to the OFFICE_LAN and WAN.

    My objective is that from INSIDE (192.168.107.0) and DMZ (192.168.109.0) we want to access the OFFICE_LAN (billing and other applications) and the WAN behind the CISCO ASA 5520 (192.168.108.2) firewall. And from the OFFICE_LAN we want to have access (e.g. ping, remote desktop, icmp, www) to the INSIDE and DMZ zones.

    Here is the current configuration:
    --------------------------------------------
    FW# sh running-config
    : Saved
    :
    ASA Version 7.0(
    !
    hostname FW
    domain-name default.domain.invalid
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface GigabitEthernet0/0
     description WAN_Interface
     duplex full
     nameif outside
     security-level 0
     ip address 10.11.10.2 255.255.255.0
    !
    interface GigabitEthernet0/1
     description LAN_Interface
     duplex full
     nameif inside
     security-level 100
     ip address 192.168.107.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     description DMZ_Interface
     duplex full
     nameif dmz
     security-level 100
     ip address 192.168.109.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    dns domain-lookup outside
    dns name-server 192.168.104.7
    dns name-server 4.2.2.1
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list 101 extended permit ip any any
    access-list 102 extended permit ip any any
    access-list 103 extended permit ip any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    no failover
    asdm image disk0:/asdm-508.bin
    no asdm history enable
    arp timeout 14400
    access-group 101 in interface outside
    access-group 102 in interface inside
    access-group 103 out interface dmz
    route outside 0.0.0.0 0.0.0.0 10.11.10.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.107.29 255.255.255.255 inside
    http 192.168.1.0 255.255.255.0 management
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.168.107.29 255.255.255.255 inside
    telnet timeout 5
    ssh 192.168.107.29 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.107.31-192.168.107.230 inside
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd dns 192.168.109.23
    dhcpd lease 259200
    dhcpd ping_timeout 50
    dhcpd option 3 ip 192.168.107.1
    dhcpd enable inside
    dhcpd enable management
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map global_policy
     class inspection_default
      inspect dns maximum-length 512
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    !
    service-policy global_policy global
    Cryptochecksum:7ef747454f7cfe45658b4a34ca283d56
    : end

    FW#

    --------------------------------------------------


    With this config, INSIDE and DMZ communication is OK, but I can't go OUTSIDE, that is, I can't ping 10.11.10.1. In the reverse direction, from the OFFICE_LAN I am able to ping up to 10.11.10.2 (the OUTSIDE of the CISCO ASA 5520). INSIDE and DMZ are not pingable.


    Sorry for the long mail.


    Thanks in Advance

    Regards,
    r3linquish3d
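    As an added example (not code from the original post, and not Cisco's), the script below parses the configuration pasted above and reports the points a reviewer would raise against it: the `permit ip any any` ACL bound inbound on the security-level 0 interface, the absence of any `nat`, `global` or `static` statement, telnet enabled for management, and a DMZ that has the same security level as inside while `same-security-traffic permit inter-interface` is on. The sample config is a constructed, trimmed copy of the poster's lines with the values unchanged. The NO_NAT finding is also consistent with the reported symptom: the config has no `nat-control` line, so the ASA forwards inside and DMZ traffic to outside with private source addresses, and unless the router at 10.11.10.1 has routes back to 192.168.107.0/24 and 192.168.109.0/24 the replies never come back.

```python
"""Static audit of the ASA 7.0 running-config posted in this thread.

Added example, not code from the original post or from Cisco: it parses the
config as pasted and reports the open outside ACL, missing NAT, cleartext
management and a DMZ that shares the inside interface's trust level.
"""
import ipaddress

# Constructed from the poster's config, trimmed to the lines the audit reads.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.11.10.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.107.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 192.168.109.1 255.255.255.0
!
access-list 101 extended permit ip any any
access-list 102 extended permit ip any any
access-list 103 extended permit ip any any
access-group 101 in interface outside
access-group 102 in interface inside
access-group 103 out interface dmz
route outside 0.0.0.0 0.0.0.0 10.11.10.1 1
telnet 192.168.107.29 255.255.255.255 inside
ssh 192.168.107.29 255.255.255.255 inside
"""


def parse_config(text):
    """Parse the subset of ASA syntax the audit needs; interface blocks end at '!'."""
    # interfaces: nameif -> {security_level, ip, mask}; acls: name -> ACE token lists;
    # bindings: (acl, in|out, nameif); nat: raw lines; mgmt: (proto, host, mask, nameif)
    cfg = {"interfaces": {}, "acls": {}, "bindings": [], "nat": [], "mgmt": [], "default_gw": None}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                 # '!' closes the current interface block
            iface = None
        if not line or line[0] in ":!":  # skips ': Saved', ': end', '!' and pager noise
            continue
        p = line.split()
        if p[0] == "interface":
            iface = {}
        elif iface is not None:         # interface sub-command
            if p[0] == "nameif":
                cfg["interfaces"][p[1]] = iface
            elif p[0] == "security-level":
                iface["security_level"] = int(p[1])
            elif p[:2] == ["ip", "address"]:
                iface["ip"], iface["mask"] = p[2], p[3]
        elif p[0] == "access-list" and "extended" in p:
            cfg["acls"].setdefault(p[1], []).append(p[p.index("extended") + 1:])
        elif p[0] == "access-group":    # access-group ACL in|out interface NAME
            cfg["bindings"].append((p[1], p[2], p[4]))
        elif p[0] in ("nat", "global", "static"):
            cfg["nat"].append(line)
        elif p[0] in ("telnet", "ssh") and len(p) == 4:
            cfg["mgmt"].append(tuple(p))
        elif p[0] == "route" and p[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg["default_gw"] = p[4]
    return cfg


def audit(cfg):
    """Return (code, message) findings; the codes are stable for tests and tooling."""
    def level(nameif):
        return cfg["interfaces"].get(nameif, {}).get("security_level")
    findings = []
    for acl, direction, nameif in cfg["bindings"]:
        wide_open = any(a == ["permit", "ip", "any", "any"] for a in cfg["acls"].get(acl, []))
        if wide_open and direction == "in" and level(nameif) == 0:
            findings.append(("OUTSIDE_PERMIT_ANY", f"ACL {acl} permits ip any any inbound on "
                             f"{nameif} (security-level 0); restrict it to the flows OFFICE_LAN needs"))
    if not cfg["nat"]:
        inner = [str(ipaddress.ip_network(f"{i['ip']}/{i['mask']}", strict=False))
                 for i in cfg["interfaces"].values() if i.get("security_level", 0) > 0 and "ip" in i]
        findings.append(("NO_NAT", f"no nat/global/static lines: {cfg['default_gw']} needs routes "
                         f"back to {', '.join(inner)}, or replies to untranslated traffic never return"))
    for proto, host, _mask, nameif in cfg["mgmt"]:
        if proto == "telnet":
            findings.append(("TELNET_ENABLED", f"telnet from {host} on {nameif} is cleartext "
                             "management; keep ssh and remove the telnet line"))
    if level("inside") is not None and level("inside") == level("dmz"):
        findings.append(("DMZ_SAME_LEVEL", f"dmz and inside share security-level {level('dmz')}: "
                         "with same-security-traffic permit inter-interface the DMZ is not isolated"))
    return findings


FINDINGS = audit(parse_config(SAMPLE_CONFIG))   # what the posted config yields
```

    The parser ignores every line it does not recognise, so `audit(parse_config(text))` also works on a full `show running-config` paste, pager prompts included. Findings are returned as (code, message) pairs rather than printed so they can be asserted on or fed to other tooling.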

  • #2
    Re: CISCO ASA 5520 isn't working

    Objectives:
    1. INSIDE can access OFFICE and INTERNET
    2. DMZ can access OFFICE and INTERNET
    3. INSIDE and DMZ can access each other (all permissive)
    4. OFFICE can access DMZ especially http
    5. OFFICE can access INSIDE's web

    Is there no one else to help me out there??


  • #3
    Re: CISCO ASA 5520 isn't working

    Resolved by myself.

  • #4
    Re: CISCO ASA 5520 isn't working

    Could you please share your resolution so others can benefit from it?

  • #5
    Re: CISCO ASA 5520 isn't working

    Also your drawing is incomplete.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"