ASA access from inside to outside interface
Hi
We need to make acces on our ASA device from inside network to outside interface.
The situation is next:
We have public external ip address and we need to access it from our inside network.
Can you please tell me if it is possible to do this?
Thank you.
That's right, the solution is named Hairpinning aka U-turn.
The dynamic rule was the one suggested in my first reply:
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one - See more at: https://supportforums.cisco.com/message/3867660#3867660
global (inside) 1* interface *Assume you are using number one
Similar Messages
-
Internet Access from Inside to Outside ASA 5510 ver 9.1
Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.
I get errors like this when I try Packet Tracer:
(nat-xlate-failed) NAT failed
(acl-drop) Flow is denied by configured rule
Version Information:
Cisco Adaptive Security Appliance Software Version 9.1(4)
Device Manager Version 7.1(5)
Compiled on Thu 05-Dec-13 19:37 by builders
System image file is "disk0:/asa914-k8.bin"
Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:
Thank You!
Config:
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
domain-name
inside.int
enable password <redacted> encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd <redacted> encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.199.199.123 255.255.255.240
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.199.199.4
domain-name
inside.int
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
access-group INSIDE-IN in interface Inside
access-group OUTSIDE-IN in interface Outside
router rip
network 10.0.0.0
network 199.199.199.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username <redacted> password <redacted> encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
password encryption aes
Cryptochecksum:
<redacted>
: end
SH NAT:
ASA5510# sh nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic inside-net interface
translate_hits = 0, untranslate_hits = 0
SH RUN NAT:
ASA5510# sh run nat
nat (Inside,Outside) source dynamic any interface
object network inside-net
nat (Inside,Outside) dynamic interface
SH RUN OBJECT:
ASA5510(config)# sh run object
object network inside-net
subnet 10.0.0.0 255.255.255.0
description Inside Network Object
Hi all,Hello everyone, I need some help before my head explodes. IddddddddHello Mitchell,
First of all how are you testing this:
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
Take in consideration that the netmask is /30
The Twice NAT is good, ACLs are good.
do the following and provide us the result
packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80
packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80
And provide us the result!
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
Note: Check my website, there is a video about this that might help you.
http://laguiadelnetworking.com -
Access from Inside to Outside ASA 5510 ver 9.1
Hi All,
I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions. 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post 8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.
Here is my ASA Config and I will post some of the 2811 Router config as well, though I am not sure thati s where the issue lies, but at this point, I haven't a clue. Both are up to date for the newest versions of the respective IOS.
I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.
Thank you for the help!
ASA5510(config)# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.100 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
CISCO 2811:
Current configuration : 2601 bytes
! Last configuration change at 07:24:32 UTC Fri Jan 3 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
hostname RouterDeMitch
boot-start-marker
boot system flash
boot-end-marker
! card type command needed for slot/vwic-slot 0/0
no aaa new-model
dot11 syslog
ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 172.16.10.1 172.16.10.49
ip dhcp excluded-address 172.16.20.1 172.16.20.49
ip dhcp pool Mitchs_Network
network 192.168.1.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 192.168.1.1
ip dhcp pool VLAN10
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
ip dhcp pool VLAN20
network 172.16.20.0 255.255.255.0
dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8
default-router 172.16.20.1
no ip domain lookup
ip name-server 199.195.168.4
ip name-server 205.171.2.65
ip name-server 205.171.3.65
ip name-server 8.8.8.8
multilink bundle-name authenticated
crypto pki token default removal timeout 0
redundancy
interface FastEthernet0/0
description CONNECTION TO INSIDE INT. OF ASA
ip address 10.10.1.2 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/1.3
description Trunk Interface VLAN 1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
interface Dialer0
no ip address
router rip
version 2
network 172.16.0.0
network 192.168.1.0
network 199.195.168.0
no auto-summary
ip default-gateway 10.10.1.1
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
access-list 1 permit any
dialer-list 1 protocol ip permit
control-plane
line con 0
exec-timeout 0 0
password encrypted
login
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
scheduler allocate 20000 1000
endI made those changes, but still no internet. I did not add this statement nat (inside,outside) after-auto source dynamic any interface I went with the more granular.
ASA5510# sh running-config
: Saved
ASA Version 9.1(4)
hostname ASA5510
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd liqhNWIOSfzvir2g encrypted
names
dns-guard
interface Ethernet0/0
description LAN Interface
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
description WAN Interface
nameif Outside
security-level 0
ip address 199.195.168.123 255.255.255.240
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
shutdown
nameif management
security-level 0
no ip address
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name internal.int
object-group network PAT-SOURCE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 10.10.1.0 255.255.255.252
access-list USERS standard permit 10.10.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
router rip
network 10.0.0.0
network 199.195.168.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
Message was edited by: Mitchell Tuckness -
ASA 5510 traffic from inside to outside
Hello,
I'm working on a basic configuration of a 5510 ASA.
inside network of 192.168.23.0 /24
outside network 141.0.x.0 /24
config is as follows:
interface Ethernet0/0
nameif OUTSIDE
security-level 0
ip address 141.0.x.0 255.255.255.0
interface Ethernet0/1
nameif INSIDE
security-level 50
ip address 192.168.23.1 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_access_in extended permit icmp any any
access-list OUTSIDE_access_in extended permit tcp any interface OUTSIDE eq https
access-list INSIDE_access_in extended permit icmp any any
global (OUTSIDE) 1 interface
nat (INSIDE) 1 192.168.23.0 255.255.255.0
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 141.0.x.57 1
In the LAB When I plug a laptop into the outside interface with address 141.0.x.57 I can ping it from a laptop from the inside interface and I can even access the IIS page. However, when I connect the ISP's firewall into the outside interface with the same address that I used the testing laptop with, I cannot seem to be able to access the outside world.
I can ping from the ASA's outside interface (x.58, to the ISP's x.57), but I cannot ping from the inside 192.168.23.x to it or access anything.
So traffic between inside and outside interface is not going through when in live setup. However, when in the lab it works fine.
Any ideas please?Version of FW:
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.3(1)
Output of Packet-Trace Command is:
SDH-PUBLIC-ASA(config)# packet-tracer input INSIDE icmp 192.168.23.10 8 0 1xpacket-tracer input INSIDE icmp 192.168.23.10 8 0 141.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 141.0.x.0 255.255.255.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit icmp any any
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 104, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.23.10/0 to 192.168.23.10/0 using netmask 255.255.255.255
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (INSIDE) 0 192.168.23.0 255.255.255.0
match ip INSIDE 192.168.23.0 255.255.255.0 OUTSIDE any
identity NAT translation, pool 0
translate_hits = 107, untranslate_hits = 0
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 141, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow -
how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
for example, allow JPEG, MOV, AVI data flow from outside to inside
but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside
how to configure?Hi,
The ZBF link sent earlier show how we can inspect URI in http request
parameter-map type regex uri_regex_cm
pattern “.*cmd.exe”
class-map type inspect http uri_check_cm
match request uri regex uri_regex_cm
ZBf is the feature on Cisco routers and ASA though concepts are little same but works differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you will try to restrict .exe file from a p2p application that won't be possible, But on router you have some application for p2p in NBAR and you can use it file filtering. Please check configuartion example for both devices.
Thanks -
Permit traffic from Inside to Outside, but not Inside to medium security interface
Can someone just clarify the following. Assume ASA with interfaces as :
inside (100) (private ip range 1)
guest (50) (private ip range 2)
outside (0) (internet)
Example requirement is host on inside has http access to host on outside, but it shouldn’t have http access to host on guest – or any future created interfaces (with security between 1-99).
What’s the best practice way to achieve this?Hi,
The "security-level" alone is ok when you have a very simple setup.
I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.
If you want to control traffic from "inside" to any other interfaces (and its networks) I would suggest the following
Create and "object-group" containing all of the other network
Create an ACL for the "inside" interface
First block all traffic to other networks using the "object-group" created
After this allow all rest of the traffic
In the case where you need to allow some traffic to the other networks, insert the rule at the top of the ACL before the rule that blocks all traffic to other networks
For example a situation where you have interfaces and networks
WAN
LAN-1 = 10.10.10.0/24
LAN-2 = 10.10.20.0/24
DMZ = 192.168.10.0/24
GUEST = 192.168.100.0/24
You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.
object-group network BLOCKED-NETWORKS
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interfaces connections to the others then you could do minor additions
Have all your local networks configured under the "object-group"This way you can use the same "object-group" for each interface ACL
object-group network BLOCKED-NETWORKS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
access-list LAN-2-IN remark Block Traffic to Other Local Networks
access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-2-IN remark Allow All Other Traffic
access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any
access-list DMZ-IN remark Block Traffic to Other Local Networks
access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
access-list DMZ-IN remark Allow All Other Traffic
access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
access-list GUEST-IN remark Block Traffic to Other Local Networks
access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
access-list GUEST-IN remark Allow All Other Traffic
access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any
Then you could basically use the same type ACLs in each interface. (Though still separate ACLs for each interface) And as I said if you need to open something between local networks then insert the correct "permit" tule at the top of the ACL.
Hope this helps
- Jouni -
after tried to setup access list, it return drop in packet tracer and can not ping outside router too
is there an configuration example to show allow a subnet of class C IP address to surf internet in Cisco ASA ?
assume all works in GNS3, expect initial network setup too
inside outside
router A 192.168.1.2 <--->switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3
ASA version: 8.42
when i try the following command,
ASA
conf t
interface GigabitEthernet 0
description INSIDE
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
no shut
end
conf t
interface GigabitEthernet 1
description OUTSIDE
no shutdown
nameif outside
security-level 100
ip address 192.168.1.4 255.255.255.0
no shut
end
conf t
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
end
conf t
access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
access-group USERSLIST in interface inside
end
Router A
conf t
int fastEthernet 0/0
ip address 192.168.1.2 255.255.255.0
no shut
end
Router B
conf t
int fastEthernet 0/0
ip address 192.168.1.3 255.255.255.0
no shut
end
ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
<--- More --->current config can not ping, one of packet tracer allow all, another packet tracer drop
can not ping between Router A and Router B
ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network DYNAMIC-PAT
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/1 to 192.168.3.4/311
<--- More --->
<--- More --->
Phase: 4
<--- More --->
Type: IP-OPTIONS
<--- More --->
Subtype:
<--- More --->
Result: ALLOW
<--- More --->
Config:
<--- More --->
Additional Information:
<--- More --->
<--- More --->
Phase: 5
<--- More --->
Type: FLOW-CREATION
<--- More --->
Subtype:
<--- More --->
Result: ALLOW
<--- More --->
Config:
<--- More --->
Additional Information:
<--- More --->
New flow created with id 14, packet dispatched to next module
<--- More --->
<--- More --->
Result:
<--- More --->
input-interface: inside
<--- More --->
input-status: up
<--- More --->
input-line-status: up
<--- More --->
output-interface: outside
<--- More --->
output-status: up
<--- More --->
output-line-status: up
<--- More --->
Action: allow
<--- More --->
ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
<--- More --->
Drop-reason: (acl-drop) Flow is denied by configured rule
<--- More --->
ASA-1#
ASA-1# sh run |
: Saved
ASA Version 8.4(2)
hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
description INSIDE
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1
description OUTSIDE
nameif outside
security-level 0
ip address 192.168.3.4 255.255.255.0
interface GigabitEthernet2
shutdown
no nameif
no security-level
<--- More --->
no ip address
<--- More --->
<--- More --->
ftp mode passive
<--- More --->
object network DYNAMIC-PAT
<--- More --->
subnet 192.168.1.0 255.255.255.0
<--- More --->
access-list 101 extended permit icmp any any echo-reply
<--- More --->
access-list 101 extended permit icmp any any source-quench
<--- More --->
access-list 101 extended permit icmp any any unreachable
<--- More --->
access-list 101 extended permit icmp any any time-exceeded
<--- More --->
access-list ACL-OUTSIDE extended permit icmp any any
<--- More --->
pager lines 24
<--- More --->
mtu inside 1500
<--- More --->
mtu outside 1500
<--- More --->
icmp unreachable rate-limit 1 burst-size 1
<--- More --->
no asdm history enable
<--- More --->
arp timeout 14400
<--- More --->
<--- More --->
object network DYNAMIC-PAT
<--- More --->
nat (inside,outside) dynamic interface
<--- More --->
access-group ACL-OUTSIDE in interface outside
<--- More --->
timeout xlate 3:00:00
<--- More --->
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
<--- More --->
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
<--- More --->
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
<--- More --->
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
<--- More --->
timeout tcp-proxy-reassembly 0:01:00
<--- More --->
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
<--- More --->
user-identity default-domain LOCAL
<--- More --->
no snmp-server location
<--- More --->
no snmp-server contact
<--- More --->
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
<--- More --->
telnet timeout 5
<--- More --->
ssh timeout 5
<--- More --->
console timeout 0
<--- More --->
threat-detection basic-threat
<--- More --->
threat-detection statistics access-list
<--- More --->
no threat-detection statistics tcp-intercept
<--- More --->
<--- More --->
<--- More --->
prompt hostname context
<--- More --->
no call-home reporting anonymous
<--- More --->
call-home
<--- More --->
profile CiscoTAC-1
<--- More --->
no active
<--- More --->
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
<--- More --->
destination address email [email protected]
<--- More --->
destination transport-method http
<--- More --->
subscribe-to-alert-group diagnostic
<--- More --->
subscribe-to-alert-group environment
<--- More --->
subscribe-to-alert-group inventory periodic monthly
<--- More --->
subscribe-to-alert-group configuration periodic monthly
<--- More --->
subscribe-to-alert-group telemetry periodic daily
<--- More --->
crashinfo save disable
<--- More --->
Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
<--- More --->
: end
ASA-1# -
How can I permit all traffic from inside-dmz-outside on asa5505
Scenario :
Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
Router LAN IP: 83.111.X.X - 255.255.255.X
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 83.111.X.X 255.255.255.240
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 83.111.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
: endHi Ben,
Thank you for the response. I followed the link and tried reading everything you posted on AEs but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
All I want to do is update the front panel values like I would do in a C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tied using local variables. Neither works. I'm experimenting with globals but it seems that I have to construct the front panel in the gloabal and then I wouldn't know how to repoduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around Labview constructs than benefitting from them.
I hope the 'Add Attachment' function actuals puts a copy of the VI here and not a link to it.
Thanks again for the suggestion,
Frank
Attachments:
Front Panel Reference.vi 33 KB -
ASA NAT/Traceroute Inside to Outside Issues
Hi All,
Product in question: ASA5512-x in HA Active/Standby Failover mode
When running a ping from the inside network to a device on the internet I recieve replies and all is good. However when running a traceroute from inside the network to a device on the internet I receive timeouts which look to be caused by a ACL deny rule, that being "outside/internet_access_in" If I quickly add an access rule for "outside/internet" incoming rule and allow any any with ICMP_Group then I get replies and the ACL is allowing it, however the replies for the traceroute are always the same, which is the device IP your tracing. I wouldn't think you would want an outside/internet incoming rule for this kind of service as it would open you up and kinda defeat the purpose of firewal etc.
To me it sounds like NAT is certainly causing some weirdness here, possilby they way it's setup...
The following is the explanation from the Deny message on syslog.
%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)]
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)]
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]
A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.
Following are the 2 NAT rules in place at the moment - The first one was auto created when configuration a site-to-site VPN which is meant to tell the traffice over the VPN not to NAT.
nat (inside,internet) source static Private_Network_Classes Private_Network_Classes destination static Test_VPN_Site Test_VPN_Site no-proxy-arp route-lookup
nat (inside,internet) source dynamic any interface
I hope this gives some insight into the issue I am having and someone can suggest some fixes/reconfig's to work around this. It certainly hasn't been easy trying to explain what is occuring here in writting.
Thank you for your time.Hi Jouni,
I would agree with your comments as well after obtaining better understanding of the issue myself with your support.
As per request below is exact syslog message from traceroute.
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:21|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:17|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:13|106023|x.x.x.x.144||172.18.20.12||Deny icmp src internet:x.x.x.x.144 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:17:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:17:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:23|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:21|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:19|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:17|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:15|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:13|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:11|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:09|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:07|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:05|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:16:03|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:16:01|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:57|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:53|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:49|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:39|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:37|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:35|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:33|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:31|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:29|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:15:27|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:15:25|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:00:02|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:00:00|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:57|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:55|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:53|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:51|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|09:59:50|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|09:59:48|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
Software Version:
Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(3) -
Allowing traffic from inside to outside ASA5505 7.2(3)
Hello,
Let me start by saying that I'm just starting to study for CCNA, so the ASA seems to be a bit above me yet. The ASA's we are using is for VPN to our corporate office and only allowing access to our Citrix environment, so no direct internet allowed. We have a person who works in the remote office who has need for a caption telephone that requires direct access to the internet. The phone only supports DHCP, and getting the ASA to do an ARP reservations is proving difficult. For now I wrote an access list to allow it's DHCP address out but it still isn't working. The access list I wrote is:
access-list 101 extended permit ip host xxx.xxx.xxx.124 any log
access-list 101 extended permit ip any any
access-group 101 out interface outside
When I do a show access-list I'm seeing that traffic is hitting the access list as the hit counter has increased. When I do a show conn I'm seeing one of the IP's that the phone should have access to, however the flags are: saA, so I'm assuming they are not getting a response. According to the manufacturer, only outbound connections are needed, no incoming ports required. All traffic is TCP.
Any help would be greatly appreciated. Thank you.Hi Kevin,
I can ping the outside world from the ASA itself. Unfortunately, I cannot assign DNS manually, it only accepts DHCP. I have set up a PC there with the same access list for testing purposes. I assigned public DNS to the test PC and that is unable to get out. When i do a show conn, this is what i get:
UDP out 8.8.8.8:53 in x.x.x.113:64918 idle 0:00:14 flags -
UDP out 8.8.4.4:53 in x.x.x.113:64458 idle 0:00:29 flags -
UDP out 8.8.8.8:53 in x.x.x.113:64458 idle 0:00:29 flags -
Here is my scrubbed config.
ASA Version 7.2(3)
hostname
domain-name .org
names
dns-guard
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address y.y.y.y
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
***Banner Removed***
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.x.34
name-server x.x.x.5
domain-name .org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ALLOWED_ICMP
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
icmp-object traceroute
icmp-object echo
icmp-object timestamp-reply
object-group icmp-type ALLOWED_ICMP_RESTRICTED
icmp-object echo-reply
access-list tempacl extended permit ip any any
access-list inside_out extended permit icmp any any object-group ALLOWED_ICMP
access-list inside_out extended permit ip any any
access-list outside_in extended permit icmp any any object-group ALLOWED_ICMP_RESTRICTED
access-list outside_in extended permit tcp any any eq ssh
access-list 101 extended permit ip host x.x.x.124 any log
access-list 101 extended permit ip host x.x.x.113 any log
access-list 101 extended permit ip any any
pager lines 40
logging enable
logging timestamp
logging buffer-size 256000
logging asdm-buffer-size 512
logging buffered notifications
logging trap errors
logging history informational
logging asdm errors
no logging message 400014
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name attack action alarm
ip audit name info action alarm
ip audit interface inside
ip audit interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group 101 out interface outside
route outside 0.0.0.0 0.0.0.0 y.y.y.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
***http, SNMP, SSH info removed***
management-access inside
dhcpd dns x.x.x.5 x.x.x.34
dhcpd ping_timeout 750
dhcpd domain .org
dhcpd auto_config outside
dhcpd update dns
dhcpd address x.x.x.100-x.x.x.227 inside
dhcpd enable inside
vpnclient server xy.xy.xy.xy xy.xy.xy.xy
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup password
vpnclient username password
vpnclient management clear
vpnclient enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Thanks for all your help! -
Manage ASA via VPN on its outside interface
I have a few ASAs in region offices, and connected to headquater ASA via IPsec P2P VPNs through internet. VPN is setup on outside interfaces of those ASAs. Now my trouble is to manage those region offices' ASAs from headquater network. I cannot directly connecte to any those remote ASAs, I have to logon a remote switch behine them then logon the remote ASA. My syslog and network management servers are all in headquater network, none of them can talk to remote ASAs, unless I let them do it on public IPs.
How can I manage(snmp, syslog, etc) a remote ASA through the IPsec VPN tunnel setup on its outside interface?
I am thinking add the outside interface public IP into the ACL for VPN Phase 2 crypto map. Will it work?
Cisco Supermen have an idea?
Thanks a lot.I am by no means any Superman, but i think i can help
You can actually configure all the SSH, SNMP, Syslog using the ASA inside interface, and that would be part of the interesting crypto ACL traffic (assuming that the crypto ACL includes the ASA inside interface subnet).
Eg:
For SSH:
ssh inside
For Syslog:
logging host inside
For SNMP:
snmp host inside
Plus, you would also need to configure: management-access inside on all your regional offices ASA.
Hope that helps. -
How to allow ping from inside to outside in 2900 router?
Hi,
I have a Cisco router 2900 with firewall, i need to know how can i allow the ping from self zone to outside zone, i trried to create policy from self to outside but i still didn't allow ping or tracert, i get that message when i try to ping from cisco router:
"Unrecognized host or address, or protocol not running"
any help will be appreciated.
Thank youHi jcarvaja
here is the used configuration:
Building configuration...
Current configuration : 5584 bytes
! Last configuration change at 09:00:20 UTC Tue Apr 9 2013 by admin
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
hostname Router
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging console
enable secret 5
no aaa new-model
no ipv6 cef
ip source-route
ip gratuitous-arps
ip icmp rate-limit unreachable 1
ip cef
ip name-server 163.121.128.134
ip name-server 163.121.128.135
ip port-map user-custom-fleet port tcp 2000 list 1
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-324261422
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-324261422
revocation-check none
crypto pki certificate chain TP-self-signed-324261422
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323432 36313432 32301E17 0D313330 34303930 38343034
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3332 34323631
34323230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B8ABD60F 8C879B3B BC1C1643 48059AD2 F940A700 6D58161E 37D53E6E E028B806
61EAA942 CED2A3C6 3FB3A47E 20E05B10 0941A9D8 38FFA6F9 D2B9E52C 225A57BA
14F8842A A26E7E02 38E9F7C8 328504D0 5C3EEE41 CC75B237 BBD07CBA 1A850540
2A5AAFAD 4553FB03 0E366211 9AC09967 4DC03082 0AF546A3 F6AA2739 1D8A8AA9
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801428 FEEB3910 B7A1D374 1F86BCD5 96CEDF75 8DF11E30 1D060355
1D0E0416 041428FE EB3910B7 A1D3741F 86BCD596 CEDF758D F11E300D 06092A86
4886F70D 01010405 00038181 006BBF7A 430905F6 D5B27B0D 96315504 87816DAA
B5EA86D9 6E9A1D58 7B328C88 A6A358D0 00D035A9 8CDDEC41 15AF0108 F5CB1072
B0485D7D CFC0D0CB 71E9B153 FB7B8B40 40C157E4 B254D01C 890D615F D8395545
F0B47E0B 57341EB2 C0CE0039 DC18EAD6 078986F0 A5A5D04F D5041DB6 23CAA002
4901248C 95B61A0B 3ED5B26A EF
quit
license udi pid CISCO2901/K9 sn FCZ1526C3JL
object-group service Outside-Reply
icmp echo-reply
username admin privilege 15 secret 5
redundancy
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any Deny_ALL
match access-group name dwdwd
class-map type inspect match-any Inside-Outside
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any ICMP_RQST
match protocol icmp
policy-map type inspect Inside-Outside
class type inspect Inside-Outside
inspect
class class-default
drop
policy-map type inspect Self_to_Outside
class type inspect ICMP_RQST
inspect
class class-default
drop
policy-map type inspect Outside_to_Self
class type inspect Deny_ALL
pass log
class class-default
drop
zone security IN
zone security OUT
zone-pair security Self_to_Outside source self destination OUT
service-policy type inspect Self_to_Outside
zone-pair security Outside_to_Self source OUT destination self
service-policy type inspect Outside_to_Self
zone-pair security Inside-Outside source IN destination OUT
service-policy type inspect Inside-Outside
interface GigabitEthernet0/0
ip address 101.101.100.245 255.255.255.0
ip mask-reply
ip directed-broadcast
ip flow ingress
duplex auto
speed auto
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 49.31.152.80 255.255.255.248
ip mask-reply
ip directed-broadcast
ip flow ingress
zone-member security IN
duplex auto
speed auto
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type q933a
interface Serial0/0/0.16 point-to-point
description $FW_OUTSIDE$
ip address 172.17.18.122 255.255.255.252
ip mask-reply
ip directed-broadcast
ip flow ingress
ip verify unicast reverse-path
zone-member security OUT
frame-relay interface-dlci 16
interface Serial0/0/1
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
shutdown
clock rate 2000000
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
ip identd
ip access-list extended ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended deeef
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dwdwd
remark CCP_ACL Category=1
permit object-group Outside-Reply any any
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 196.219.234.77
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 101.101.100.0 0.0.0.255
access-list 2 permit 10.20.10.0 0.0.1.255
no cdp run
control-plane
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
scheduler allocate 20000 1000
end -
RDP from inside to outside using PAT?
I have several client machines( inside) that needs to have an RDP access to one server(outside) reside on customer site. The challenge is that the clinet machines can be anywhere/any subnet at any given time and will have different IP address from DHCP.Because of this i can't use the static NAT. Also, I only need RDP access from my network to the customer server only. So will it work if i use PAT? Thanks for the help in advance
Hello Sandeep,
In my opinion there shouldnt be any issue since you are Natiing the RDP clients to a single IP. As long as we have static nat and permission at the destination ( Server Side) it should work
Hope it helps
Harish. -
From inside to outside cannot share desktop
Dear All,
I have a VC system "Tandberg C60 Model", and ASA firewall. C60 unit is in the inside zone of the firewall and mapped to real IP, from the outside anyone can call me and make a video call and share his presentation "desktop" without any problem, and also when I make a call is works well, but the problem when trying to share my desktop to the other site, he didn't see the presentation and the call will disconnect after a few seconds.
Hint:
when the VC system put directly to the router with real IP it works well bidirectional.
ASA Config:
ASA Version 7.0(8)
hostname CRFW
domain-name CR.org
enable password ja7JlGww/OCQtJ0v encrypted
passwd zv/jqe4Rp2ry75// encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 196.221.68.97 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.65 255.255.255.0
interface Ethernet0/2
nameif DMZ
security-level 40
ip address 10.0.0.1 255.255.255.0
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
ftp mode passive
access-list vc_daks_acl extended permit tcp any host 196.221.68.100 eq https
access-list vc_daks_acl extended permit tcp any host 196.221.68.100 eq h323
access-list vc_daks_acl extended permit udp any host 196.221.68.100 eq 1719
access-list vc_daks_acl extended permit udp any host 196.221.68.100 range 2326 2485
access-list vc_daks_acl extended permit tcp any host 196.221.68.100 range 5555 5574
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp permit any echo-reply outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 196.221.68.100 192.168.10.30 netmask 255.255.255.255
access-group vc_daks_acl in interface outside
route outside 0.0.0.0 0.0.0.0 196.221.68.96 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password 78oT4ziTSBGKRwvH encrypted privilege 15
username shereif password biVxeeF8XD3bj8xW encrypted privilege 15
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
Cryptochecksum:877d1f83588a0db98a4e9db5eee70038
: end
Please, everyone help me to solve this issue...
Thanks
Omar MahmoudHello Mahmoud,
Could you try to disable the h323 inspection as follows and give a try
configure terminal
policy-map global_policy
class inspection_default
no inspect h323 h225
no inspect h323 ras
exi
exi
clear local-host all
regards
Harish -
Inspect on the inside or outside interface?
For IOS Firewall, which is better to inspect on the inside interface or the outside, it appears you can go wither way.
Hi,
This should help you on this:-
http://packetlife.net/blog/2009/mar/10/ios-context-based-access-control-cbac/
Thanks and Regards,
Vibhor Amrodia
Maybe you are looking for
-
In CRM web: pricing document cannot be saved
Hi All, In CRM web getting error like pricing document cannot be saved. but order was saved and we got order no also. when i checked in in CRM server its showing 1)The configuration is inconsistent 2)Configuration for product PACKAGE is missing
-
Cannot mount root during Solaris install on SPARCengine ULTRA axi
I use boot cdrom which sucessfully formats swp partition and copies files to hd. But then when I reboot I get the following: SPARCengine(tm)Ultra(tm) AXi (UltraSPARC-IIi 440MHz), PS/2 Keyboard OpenBoot 3.10.10 ME, 512 MB memory installed, Serial #106
-
"The person you are trying to reach...."
Whenever people try to call me, they often receive the following automated message, "The person you are trying to reach is not accepting calls at this time. Please try your call again later." The message is repeated in Spanish, and then an error co
-
Existing Backup Drive re-mounted; now TM creates DMG on my desktop
What am I doing wrong? I decided to unplug my external drive that had been backing up TM for about 2 days. When I re-mounted it, although TM still recognized it as my backup drive, it started a new backup file on my desktop. Clearly I want it to not
-
Upgrade from 9.2.1 to 10
My phone just got replaced and when it did they upgraded the software on the phone. Now my new phone wont work with my itunes because I haven't updated itunes to 10. Every time I try to upgrade it tells me I have no new software or downloads. Any hel