How to allow a subnet for a number of hosts to surf the internet and ping from inside and outside on an ASA in GNS3?
After trying to set up an access list, it returns drop in packet-tracer and cannot ping the outside router either.
Is there a configuration example showing how to allow a class C subnet to surf the internet on a Cisco ASA?
Assume everything in GNS3 works, including the initial network setup.
                inside                                   outside
router A 192.168.1.2 <---> switch <---> 192.168.1.1 ASA 192.168.1.4 <---> switch <---> router B 192.168.1.3
ASA version: 8.42
When I try the following commands:
ASA
conf t
 interface GigabitEthernet 0
  description INSIDE
  nameif inside
  security-level 0
  ip address 192.168.1.1 255.255.255.0
  no shut
end
conf t
 interface GigabitEthernet 1
  description OUTSIDE
  no shutdown
  nameif outside
  security-level 100
  ip address 192.168.1.4 255.255.255.0
  no shut
end
conf t
 object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) dynamic interface
end
conf t
 access-list USERSLIST permit ip 192.168.1.0 255.255.255.0 any
 access-group USERSLIST in interface inside
end

Router A
conf t
 int fastEthernet 0/0
  ip address 192.168.1.2 255.255.255.0
  no shut
end

Router B
conf t
 int fastEthernet 0/0
  ip address 192.168.1.3 255.255.255.0
  no shut
end
ASA-1# packet-tracer input inside tcp 192.168.1.1 1 192.168.1.4 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
With the current config I cannot ping; one packet-tracer shows allow, another shows drop.
Cannot ping between Router A and Router B.
ASA-1# packet-tracer input inside tcp 192.168.1.2 1 192.168.3.3 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.3.0 255.255.255.0 outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network DYNAMIC-PAT
 nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.2/1 to 192.168.3.4/311

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 14, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA-1# packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-1#
ASA-1# sh run
: Saved
ASA Version 8.4(2)
hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
 description INSIDE
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
ftp mode passive
object network DYNAMIC-PAT
 subnet 192.168.1.0 255.255.255.0
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list ACL-OUTSIDE extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network DYNAMIC-PAT
 nat (inside,outside) dynamic interface
access-group ACL-OUTSIDE in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:8ee9b8e8ccf0bf1873cd5aa1efea2b64
: end
ASA-1#
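The following is an added configuration example for the scenario asked about above; it is not the poster's configuration and not taken from the running config shown. It keeps the addressing the running config and packet-tracer output use (inside 192.168.1.0/24 on 192.168.1.1, outside 192.168.3.4/24) and assumes, as the packet-tracer destination suggests, that Router B at 192.168.3.3 is the next hop towards the internet. The object name INSIDE-NET and the ACL name INSIDE-IN are chosen here. Compared with the commands pasted in the question, the inside interface gets security-level 100 and the outside 0, the two interfaces sit in different subnets, NAT is scoped to the inside /24 rather than 0.0.0.0/0, and echo replies come back through ICMP inspection instead of an outside ACL that permits all ICMP.

```cisco
! ---- ASA 8.4(2): added example, not the poster's running config ----
! Assumed (not from the page): Router B 192.168.3.3 is the default gateway
! towards the internet; INSIDE-NET and INSIDE-IN are names chosen here.
interface GigabitEthernet0
 description INSIDE
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet1
 description OUTSIDE
 nameif outside
 security-level 0
 ip address 192.168.3.4 255.255.255.0
 no shutdown
!
! Default route towards the outside router (assumed next hop).
route outside 0.0.0.0 0.0.0.0 192.168.3.3 1
!
! PAT only the inside /24 behind the outside interface address.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Outbound policy: only the inside /24 may originate DNS, web and ping.
! Everything else from inside, and all unsolicited traffic from outside,
! hits the implicit deny.
access-list INSIDE-IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE-IN extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-group INSIDE-IN in interface inside
!
! Stateful ICMP inspection: the echo reply to an inside ping is matched to
! the connection and allowed back without any outside ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! ---- Router A (IOS): send everything to the ASA inside address ----
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

To verify, run `packet-tracer input inside icmp 192.168.1.2 8 0 192.168.3.3` on the ASA: the trace should show ALLOW through ROUTE-LOOKUP, ACCESS-LIST, NAT and INSPECT phases. A trace in the other direction, such as the third one in the question (`packet-tracer input outside tcp 192.168.3.3 1 192.168.1.2 1`), is still expected to drop on the implicit rule; that is the firewall doing its job. Letting the outside ping or reach a specific inside host would additionally require a static NAT for that host plus an outside access-list permitting only that destination and service.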
Similar Messages
-
How to allow ping from inside to outside in 2900 router?
Hi,
I have a Cisco router 2900 with firewall. I need to know how I can allow ping from the self zone to the outside zone. I tried to create a policy from self to outside but it still doesn't allow ping or tracert; I get this message when I try to ping from the Cisco router:
"Unrecognized host or address, or protocol not running"
Any help will be appreciated.
Thank you
Hi jcarvaja,
here is the used configuration:
Building configuration...
Current configuration : 5584 bytes
! Last configuration change at 09:00:20 UTC Tue Apr 9 2013 by admin
version 15.1
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
hostname Router
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging console
enable secret 5
no aaa new-model
no ipv6 cef
ip source-route
ip gratuitous-arps
ip icmp rate-limit unreachable 1
ip cef
ip name-server 163.121.128.134
ip name-server 163.121.128.135
ip port-map user-custom-fleet port tcp 2000 list 1
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-324261422
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-324261422
revocation-check none
crypto pki certificate chain TP-self-signed-324261422
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323432 36313432 32301E17 0D313330 34303930 38343034
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3332 34323631
34323230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B8ABD60F 8C879B3B BC1C1643 48059AD2 F940A700 6D58161E 37D53E6E E028B806
61EAA942 CED2A3C6 3FB3A47E 20E05B10 0941A9D8 38FFA6F9 D2B9E52C 225A57BA
14F8842A A26E7E02 38E9F7C8 328504D0 5C3EEE41 CC75B237 BBD07CBA 1A850540
2A5AAFAD 4553FB03 0E366211 9AC09967 4DC03082 0AF546A3 F6AA2739 1D8A8AA9
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801428 FEEB3910 B7A1D374 1F86BCD5 96CEDF75 8DF11E30 1D060355
1D0E0416 041428FE EB3910B7 A1D3741F 86BCD596 CEDF758D F11E300D 06092A86
4886F70D 01010405 00038181 006BBF7A 430905F6 D5B27B0D 96315504 87816DAA
B5EA86D9 6E9A1D58 7B328C88 A6A358D0 00D035A9 8CDDEC41 15AF0108 F5CB1072
B0485D7D CFC0D0CB 71E9B153 FB7B8B40 40C157E4 B254D01C 890D615F D8395545
F0B47E0B 57341EB2 C0CE0039 DC18EAD6 078986F0 A5A5D04F D5041DB6 23CAA002
4901248C 95B61A0B 3ED5B26A EF
quit
license udi pid CISCO2901/K9 sn FCZ1526C3JL
object-group service Outside-Reply
icmp echo-reply
username admin privilege 15 secret 5
redundancy
ip finger
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any Deny_ALL
match access-group name dwdwd
class-map type inspect match-any Inside-Outside
match protocol http
match protocol https
match protocol dns
class-map type inspect match-any ICMP_RQST
match protocol icmp
policy-map type inspect Inside-Outside
class type inspect Inside-Outside
inspect
class class-default
drop
policy-map type inspect Self_to_Outside
class type inspect ICMP_RQST
inspect
class class-default
drop
policy-map type inspect Outside_to_Self
class type inspect Deny_ALL
pass log
class class-default
drop
zone security IN
zone security OUT
zone-pair security Self_to_Outside source self destination OUT
service-policy type inspect Self_to_Outside
zone-pair security Outside_to_Self source OUT destination self
service-policy type inspect Outside_to_Self
zone-pair security Inside-Outside source IN destination OUT
service-policy type inspect Inside-Outside
interface GigabitEthernet0/0
ip address 101.101.100.245 255.255.255.0
ip mask-reply
ip directed-broadcast
ip flow ingress
duplex auto
speed auto
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 49.31.152.80 255.255.255.248
ip mask-reply
ip directed-broadcast
ip flow ingress
zone-member security IN
duplex auto
speed auto
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type q933a
interface Serial0/0/0.16 point-to-point
description $FW_OUTSIDE$
ip address 172.17.18.122 255.255.255.252
ip mask-reply
ip directed-broadcast
ip flow ingress
ip verify unicast reverse-path
zone-member security OUT
frame-relay interface-dlci 16
interface Serial0/0/1
no ip address
ip mask-reply
ip directed-broadcast
ip flow ingress
shutdown
clock rate 2000000
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.16
ip identd
ip access-list extended ICMP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended deeef
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dwdwd
remark CCP_ACL Category=1
permit object-group Outside-Reply any any
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 196.219.234.77
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 101.101.100.0 0.0.0.255
access-list 2 permit 10.20.10.0 0.0.1.255
no cdp run
control-plane
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
scheduler allocate 20000 1000
end
-
How to change Org Unit for a large number of employees
Dear Gurus,
My client has uploaded wrong Org Units while hiring; now that has to be changed for a large number of employees.
Can anyone suggest how we can do this for a large number of employees?
Thanks in advance for your kind suggestions.
Regards,
Srinivas
Hello Srinivas;
By saying uploaded wrong organizational units, do you mean that organizational structure in PPOME is wrong or employee - position assignment is wrong?
If employee - position assignment is wrong then I suggest you to use batch input program or use LSMW as you have to change it via personnel action - PA40
If organizational structure is wrong, then do you have correct organizational structure in another system like test or qa?
If you have correct organizational structure then you can directly transport it from one system to other but if you don't then you first need to correct the organizational structure and then run LSMW or batch input.
Regards;
Okan
-
How to allow some fixed extensions to go in from outside to inside but not from inside to outside?
For example, allow JPEG, MOV, AVI data to flow from outside to inside,
but not allow JPEG, MOV, AVI files to be accessed, uploaded or fetched by the outside; in other words, not from inside to outside.
How to configure this?
Hi,
The ZBF link sent earlier show how we can inspect URI in http request
parameter-map type regex uri_regex_cm
pattern “.*cmd.exe”
class-map type inspect http uri_check_cm
match request uri regex uri_regex_cm
ZBF is a feature on Cisco routers and ASA; though the concepts are a little similar, they work differently. However, it is important that you can be more granular with protocol (layer 7) inspection only. For example, on ASA, if you try to restrict .exe files from a P2P application that won't be possible, but on a router you have some applications for P2P in NBAR and you can use it for file filtering. Please check the configuration example for both devices.
Thanks
-
How can I remove all my preferences and settings from mail and do a clean install of mail app?
How can I remove all my preferences and settings from mail and do a clean install of mail app?
Open mail > Preferences > Accounts
Select the account and click the minus button at the bottom of the column.
Quit mail
~/Library/Preferences/com.apple.mail.plist move this file to the trash and empty it.
~/Library/Mail/ and move all of the items in that folder to the trash and then empty it.
-
I got this iPad 4 Wi-Fi and cellular from Ireland and I wish to go on my holidays to India with it and use a micro SIM from a local carrier for network coverage, as I don't have Wi-Fi in the place that I am staying, so I want to know the steps involved to activate the micro SIM in my iPad.
What roaming charges? If you have a local plan there are no roaming charges. This is a major reason for using a local plan.
Contact, or visit the website of, whatever local provider you are considering and get their plan details.
-
I purchase iPhone 3GS and 4 and 4s from eBay and Amazon, sometimes from Best Buy; all of that is OK, but now, 3 or 5 weeks ago, I purchased one white iPhone 4s that is locked and I can't activate it. I don't know why. Serial number c39*****dtd0
<Personal Information Edited by Host>
Only the Apple Store sells unlocked iPhones in the U.S.
-
I bought some ringtones and alerts from itunes and it won't let me use them for text alerts or voicemail. Am I doing something wrong? Other ringtones I have downloaded work.
What does won't let you use them mean exactly?
-
Which Mac is best for music purposes? I want to mix music recorded from MIDI and live sound, and also want to use Sibelius to play music in. I'm looking at MacBook Pros; any tips? 13" or 15"?
I would think a 15" with the i7 CPU. You can get a 13" with the i7 CPU but the 15" has a dedicated graphics chip along with the integrated one.
You will also need to upgrade the hard drive to a faster 7200RPM model instead of the standard 5400RPM model that comes with all MBPs. The Sibelius website recommends the 7200RPM or an SSD. You will also be better off installing 8GB of RAM.
Both of those upgrades can be made after you buy a MBP for much less than Apple charges for the same upgrades, and you get to keep the original RAM and hard drive.
-
How to allow the location for faces and places with iOS 4 on an iPhone 3GS?
I installed iOS 4 on my iPhone 3GS; it went well. Then the first time I opened the camera app it asked me to allow the application to know the location. First I said no... now that I really know what this feature does, I would like to allow it. Any idea how to allow it again? If I open the camera application again it doesn't ask for it again.
Thanks
Thanks "justinphilly", following is the solution:
Settings > General > Location Services > Scroll down to camera, and click yes.
-
How to change the space for check number using OT45?
How to use OT45 to change the check no.of FF68 Check Deposit? I want to change the variant so that I can increase the space for check number as have come up with a special case can someone please help me out how can I do it via OT45?
Thanks in advance...
Regards
Nitin
Hi Amit,
Yes, I agree that we can create a new variant and can assign it after activating it. But, what I want is that I have created a new variant and check space in FF68 is 3 digits and how can I make changes in OT45's new variant so that cheque space gets changed to 10digit or more.
Please Help.
Thanks in advance...
Regards
Nitin
-
How to allow suspense only for a specific source and category
Hi all
I am using GL, AP, FA and CM. I have another system that I import a journal from once a month. I want the users to be able to post this journal, even if it is not balanced. I can do that by allowing suspense posting.
My question is: Can I allow suspense posting only for journals that have a specific source and category, and not allow suspense posting for all other journals created in GL?
Thank you and best regards
E.
There does not appear to be a way to derive the internal id of a table that is not part of the interface. Instead of concentrating on getting the internal id, why don't you define flex fields for the fact table and specify internal ids of the relevant dimensions in it.
-
I have gotten as far as adding a new app, naming the folder and going into CRD, for the report we need online and attempted to enter the settings information for our sharepoint site. The issue is no matter how I enter the credentials it will not authorize
and finish the connection. We have tried a couple of different things when it comes to the user name and domain line. we tried:
corporate\username;
corporate-traffic.com\username;
[email protected]..
we are trying to figure out the correct way to enter this information, mainly what the domain name should be since Sharepoint 2013 is all cloud based.
My issue is when I get to entering credentials none of my admins credentials work... I think it may be the domain name that is throwing it off. I keep getting the error: server was unable to process request ---> Access is denied. (Exception
From HRESULT: 0x80070005 ((E_ACCESSDENIED))
So can anyone point me in the right direction to fix this error and enable the report to email to my sharepoint site documents folder?
Just to clarify...
I need the correct domain info per Office 365's SharePoint to enter the info into our report options on CRD seven report. And how we can enable SMTP to our documents folder on our SharePoint site.
I asked Christian Steven's support staff about this and they came out with a fix to allow us to do exactly what I asked in the first post.
We then had an issue with an error saying Crystal Reports couldn't find the rasauditingw.dll. After a few months of going back and forth they finally looked deeper into the issue and informed me other businesses are having the same issue with the add in
they designed. They still claim it is not there software but Crystal Reports software that is the issue.
Just to clarify, the error only appeared after the add in was put in place. Anyways, after they dug some more the following post was the end game.
"The development team was finally able to get into this issue (seems other businesses are seeing this same issue now). It was in fact an issue with SAP Business Objects and where it was looking for the rasauditingw.dll.
****WARNING THIS IS DONE AT YOUR OWN RISK!!****
I AM NOT RESPONSIBLE FOR DAMAGES TO YOUR PROGRAMS OR SYSTEM THIS FIX MAY CAUSE
BACKUP YOUR SERVER OR TAKE A SNAP SHOT (VM) BEFORE ATTEMPTING ANY OF THE FOLLOWING
We copied the rasauditngw.dll file into the system32 folder and the sysWOW64 folder and then renamed the original rasauditingw.dll to rasauditingw.dll.bak (Original file in this directory: C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise
XI 4.0\win32_x86).
So far so good. We have not seen any errors in the last couple of days since the fix. I hope this helps others who run into this mystery problem. Christen Steven was gracious enough to dig into this problem and quell my frustrations and issues with the
"crd.exe - Entry Point Not Found" error" "
We haven't seen any issue with our CRD server since we moved the copies of that .dll file over into our sys32 folder and sysWOW64 folder on the CRD server (our server where the Christian Steven software resides).
-
How to mark PCI devices for pass through in host using Powercli?
PCi devices in host can be retrieved using Get-VMHost command . How do i mark the device for pass through in host?
Please help on how this can be done. Thanks in advance.
Hi,
I don't think suppressing through Global Personalization will change the business logic. Within the Business Logic it checks for the mandatory field.
After the changes I guess you need to make the changes accordingly.
The below link might be of some help.
http://wiki.sdn.sap.com/wiki/pages/viewpage.action?spaceKey=profile&title=ESSPersonalInformationUIenhancementwithoutmodification&decorator=printable
Please correct if I am wrong.
Cheers-
Pramod
-
How long does it take for the storage to be upgraded? I bought some 12 hours ago and it still hasn't gone on my iPhone 4
Hi Katie,
Where are you looking on your phone to determine how much storage you now have? Are you looking under Settings>iCloud>Storage & Backup?
If so, and it still doesn't show the correct storage, try resetting your phone. Hold down the Home and Power buttons and continue to hold them down until the Silver Apple appears. Then check your storage again.
Post back with questions!
Cheers,
GB