ASA5510 not passing traffic

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • ASA5510 not passing traffic

    We are migrating from an aging OpenBSD firewall to an ASA 5510. I thought I had the ASA's configuration down, but it will not pass any traffic. Can someone take a look at this config and point me in the right direction? Thanks in advance!

    Code:
    Thor(config)# show run
    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname Thor
    domain-name **********
    enable password SONwpQoOW3UtF1xT encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address 38.104.x.x 255.255.255.252
    !
    interface Ethernet0/1
     nameif inside
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
     nameif dmz
     security-level 50
     ip address 38.101.x.x 255.255.255.248
    !
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 10.1.1.1 255.255.255.0
     management-only
    !
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 66.28.0.45
     name-server 66.28.0.61
     domain-name ********
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq smtp
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 465
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq imap4
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 993
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq www
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq https
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq ssh
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 3390
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 3391
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq domain
    access-list outside_access_in extended permit udp any host 192.168.1.4 eq domain
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq smtp
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 465
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq imap4
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 993
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq www
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq https
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq ssh
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 3390
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 3391
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq domain
    access-list outside_access_in extended permit udp any host 38.104.x.x eq domain
    access-list dmz_access_in extended permit ip any any
    access-list skip-nat-dmz extended permit ip any 38.101.x.x 255.255.255.248
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.0.0
    nat (dmz) 0 access-list skip-nat-dmz
    static (inside,outside) tcp interface imap4 192.168.1.4 imap4 netmask 255.255.255.255
    static (inside,outside) tcp interface 465 192.168.1.4 465 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface ssh 192.168.1.4 ssh netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.1.4 https netmask 255.255.255.255
    static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3391 192.168.1.210 3389 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 38.104.x.x 1
    route inside 192.168.2.0 255.255.255.0 192.168.1.4 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.1.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 10.1.1.2-10.1.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns migrated_dns_map_1
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:83b7c85665f2d495da21c7e6a86fcef7
    : end

  • #2
    Re: ASA5510 not passing traffic

    Hi jsm0377,

    I would recommend installing ASDM. The reason is that there is a utility called Packet Tracer. This will allow you to simulate sending a packet through the ASA, and it will show you step by step the decisions the ASA made to determine how to handle packets that traverse different interfaces.

    As an alternative, you can also use ASDM to configure packet captures directly on the ASA and then save the capture as a pcap and view the trace in Wireshark or some other analyzer of choice.

    http://www.cisco.com/en/US/products/...80a9edd6.shtml

    Ryan



  • #3
    Re: ASA5510 not passing traffic

    Can you ping your gateway?
    CCNA, Network+



  • #4
    Re: ASA5510 not passing traffic

    Can you describe what traffic is not flowing, or is it not working at all?

    access-list outside_access_in
    Remove the private addresses; they're not helping.

    NATting
    nat (inside) 1 192.168.0.0 255.255.0.0
    Your subnet is a class B; if your route inside is set correctly, then you don't need to do it as a class B network.
    Try nat (inside) 1 192.168.1.0 255.255.255.0

    Also, I do not understand your route statement. What is 192.168.1.4? It's not an interface IP address on the ASA 5510. My guess is that it's a server IP address...
    Try this:
    route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.1 1

    Lastly, I don't think you will need a nonat access-list, but I could be wrong. Try this first, then reply back...

    Oh, and here is the command to start with getting ASDM up and going. You already have it on the 5510:

    http server enable
    http 192.168.1.0 255.255.255.0 inside

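    Added example (not code from the thread, from Cisco, or from ASDM): a small Python lint that turns the points raised in #4 about the config in #1 into automated checks, plus a helper that emits the CLI form of the ASDM Packet Tracer recommended in #2. The excerpt in CONFIG is constructed from the posted config; the masked 38.104.x.x / 38.101.x.x addresses are replaced with RFC 5737 documentation addresses (203.0.113.2/30 for outside, 203.0.113.1 as the default gateway; an assumption), the dmz interface and its exempt NAT are left out to keep the excerpt short, and the 192.0.2.10 source host used for packet-tracer is made up. The first check encodes the ASA 8.2 behaviour behind the "remove the private addresses" advice: before 8.3, an inbound ACL on the outside interface is evaluated against the destination as it arrives, that is the mapped public address, so the ACEs naming 192.168.1.4 can never match. The other checks are: a port permitted on the interface address still needs a static to forward it, a static route's next hop has to be another host on that interface's subnet, and every subnet on or routed behind an inside interface needs a nat rule on that interface.

```python
"""Sanity checks for a pre-8.3 ASA config (added example; not from the thread or Cisco).
CONFIG is a constructed excerpt of the config in #1: masked 38.x addresses replaced
with RFC 5737 documentation addresses (assumption), dmz and exempt NAT omitted."""
import ipaddress

CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.1.4 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq smtp
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 993
access-list outside_access_in extended permit tcp any host 203.0.113.2 eq 3390
access-list outside_access_in extended permit udp any host 203.0.113.2 eq domain
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.0.0
static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.2.0 255.255.255.0 192.168.1.4 1
route inside 192.168.4.0 255.255.255.0 192.168.1.4 1
"""
PORT_NAMES = {"smtp": 25, "imap4": 143, "www": 80, "https": 443, "ssh": 22, "domain": 53}

def port(tok):  # ASA port keyword or number -> int
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse(cfg):
    """Pull out only what the checks need; every other line is ignored."""
    ifaces, acls, groups, nats, statics, routes = {}, {}, {}, [], [], []
    cur = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            cur = {"ip": None, "level": 0}
        elif t[0] == "nameif":
            ifaces[t[1]] = cur
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "access-list" and "host" in t:   # only host-destination ACEs matter here
            dst = ipaddress.ip_address(t[t.index("host") + 1])
            p = port(t[t.index("eq") + 1]) if "eq" in t else None
            acls.setdefault(t[1], []).append((t[4], dst, p))
        elif t[0] == "access-group":                  # access-group NAME in interface IFC
            groups[t[4]] = t[1]
        elif t[0] == "nat" and t[3] != "access-list":  # nat (ifc) ID NET MASK
            nats.append((t[1].strip("()"), ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif t[0] == "static" and t[3] == "interface":  # static (real,mapped) PROTO interface MPORT REAL RPORT
            statics.append((t[1].strip("()").split(",")[1], t[2], port(t[4])))
        elif t[0] == "route":                         # route IFC NET MASK NEXTHOP METRIC
            routes.append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}"), ipaddress.ip_address(t[4])))
    return ifaces, acls, groups, nats, statics, routes

def check(cfg):
    """Return a list of findings (empty means all checks pass)."""
    ifaces, acls, groups, nats, statics, routes = parse(cfg)
    out = []
    for ifc, name in groups.items():
        level, ifc_ip = ifaces[ifc]["level"], ifaces[ifc]["ip"].ip
        for proto, dst, p in acls.get(name, []):
            # 1. Pre-8.3 an inbound ACL sees the pre-NAT (mapped) destination, so an ACE naming
            #    a real host behind a higher-security interface never matches.
            for other, o in ifaces.items():
                if other != ifc and o["level"] > level and dst in o["ip"].network:
                    out.append(f"{name}: {proto}/{p} to {dst} names a real {other} host; "
                               f"an inbound ACE on {ifc} must use the translated address")
            # 2. A port permitted on the interface address still needs a static to forward it.
            if dst == ifc_ip and (ifc, proto, p) not in statics:
                out.append(f"{name}: {proto}/{p} to the {ifc} interface is permitted but has no static")
    for ifc, net, nh in routes:
        # 3. The next hop must be another host on the egress interface's own subnet.
        own = ifaces[ifc]["ip"]
        if nh == own.ip or nh not in own.network:
            out.append(f"route {net}: next hop {nh} is not another host on {ifc} ({own.network})")
    # 4. Every subnet on or routed behind a non-outside interface needs a nat rule on that interface.
    behind = [(ifc, net) for ifc, net, _ in routes] + [(n, i["ip"].network) for n, i in ifaces.items()]
    for ifc, net in behind:
        if ifc != "outside" and not any(n == ifc and net.subnet_of(pool) for n, pool in nats):
            out.append(f"no nat ({ifc}) rule covers {net}, so its hosts are never translated")
    return out

def packet_tracer_cmds(cfg, src="192.0.2.10", sport=40000):
    """CLI form of the ASDM Packet Tracer from #2, one command per static (src is a made-up test host)."""
    ifaces, _, _, _, statics, _ = parse(cfg)
    return [f"packet-tracer input {ifc} {proto} {src} {sport} {ifaces[ifc]['ip'].ip} {mport}"
            for ifc, proto, mport in statics]

if __name__ == "__main__":
    print(*check(CONFIG), *packet_tracer_cmds(CONFIG), sep="\n")
```

    Run against the excerpt it reports three findings: the ACE to 192.168.1.4 that can never match, and tcp/993 and udp/53 permitted to the outside address with no static to forward them. The routes via 192.168.1.4 pass check 3 because that host sits on the inside subnet. If the nat (inside) line is tightened to 192.168.1.0 255.255.255.0, check 4 reports that the routed 192.168.2.0/24 and 192.168.4.0/24 subnets no longer have a translation rule. The packet-tracer lines it prints can be pasted into the ASA CLI (add `detailed` at the end for the full per-phase output), and `show capture` after a `capture NAME interface outside match tcp any host 203.0.113.2 eq 25` is the CLI route to the pcap mentioned in #2.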