This article gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance. This device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: the Base license and the Security Plus license. The second one (Security Plus) provides some performance and hardware enhancements over the Base license, such as 130,000 maximum firewall connections (instead of 50,000), 100 maximum VLANs (instead of 50), failover redundancy, etc. Also, the Security Plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.
Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. Refer to the diagram below for our example scenario.

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:
Step 1: Configure a privileged level password (enable password)
By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:
ASA5510(config)# enable password mysecretpassword
Step 2: Configure the public outside interface
ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut
Step 3: Configure the trusted internal interface
ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut
Step 4: Configure PAT on the outside interface
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
UPDATE for ASA Version 8.3
In March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially in the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP
ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside
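As an added example (not part of the original article), the following Python script parses the interface, default-route and dhcpd lines from Steps 2 to 6 and checks them for the consistency errors that most often break this setup when the values are adapted: a default gateway that is not on the outside interface's subnet, a /32 mask on an interface (which the ASA rejects as a bad mask), or a DHCP pool that does not fit the inside subnet or includes the ASA's own address. The configuration text is the article's own values, embedded as a constructed sample with the CLI prompts removed; only the Python standard library is used.

```python
"""Sanity checks for the basic ASA 5510 configuration in Steps 2-6.

Added example, not part of the original article. It parses the interface,
default-route and dhcpd lines of an ASA 'show running-config' (the article's
own values are embedded below as a constructed sample) and flags the mistakes
most often made when adapting them: a default gateway that is not on the
outside subnet, a /32 mask on an interface (rejected by the ASA as a bad mask),
or a DHCP pool that lies outside the inside subnet or includes the ASA's own
inside address. Only the Python standard library is used.
"""
import ipaddress
import re

# Constructed sample: Steps 2-6 of the article with the CLI prompts removed.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
dhcpd dns 200.200.200.10
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
POOL_RE = re.compile(r"^dhcpd address (\S+)-(\S+) (\S+)")


def parse_config(text):
    """Extract the parts the checks need from ASA CLI text.

    Returns (interfaces, routes, pools):
      interfaces: nameif -> IPv4Interface (address plus mask)
      routes:     nameif -> next-hop IPv4Address of each default route
      pools:      nameif -> (first, last) IPv4Address of the DHCP pool
    """
    blocks, routes, pools = [], {}, {}
    for line in text.splitlines():
        if line.startswith("interface "):
            blocks.append({})                       # start a new interface block
        elif (m := NAMEIF_RE.match(line)) and blocks:
            blocks[-1]["name"] = m.group(1)
        elif (m := IP_RE.match(line)) and blocks:   # 'no ip address' does not match
            blocks[-1]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif m := ROUTE_RE.match(line):
            routes[m.group(1)] = ipaddress.IPv4Address(m.group(2))
        elif m := POOL_RE.match(line):
            pools[m.group(3)] = (ipaddress.IPv4Address(m.group(1)),
                                 ipaddress.IPv4Address(m.group(2)))
    interfaces = {b["name"]: b["ip"] for b in blocks if "name" in b and "ip" in b}
    return interfaces, routes, pools


def check_config(text):
    """Return a list of findings (strings); an empty list means the basics are consistent."""
    interfaces, routes, pools = parse_config(text)
    findings = []

    for name, iface in interfaces.items():
        if iface.network.prefixlen == 32:
            findings.append(f"{name}: mask 255.255.255.255 is a bad mask for an interface; "
                            "it leaves no room for a gateway on that subnet")

    for name, nexthop in routes.items():
        if name not in interfaces:
            findings.append(f"route: interface '{name}' has no IP address configured")
        elif nexthop not in interfaces[name].network:
            findings.append(f"{name}: default gateway {nexthop} is not in "
                            f"{interfaces[name].network}; the route will never resolve")

    for name, (first, last) in pools.items():
        if name not in interfaces:
            findings.append(f"dhcpd: interface '{name}' has no IP address configured")
            continue
        net, own = interfaces[name].network, interfaces[name].ip
        if first > last or first not in net or last not in net:
            findings.append(f"{name}: DHCP pool {first}-{last} is not within {net}")
        elif first <= own <= last:
            findings.append(f"{name}: DHCP pool {first}-{last} includes the ASA's own address {own}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no problems found"]:
        print(finding)
```

Run it against your own running-config (pasted into SAMPLE_CONFIG, or read from a file) before committing the default route; a non-empty list is what the ASA would otherwise tell you at the console, or, in the gateway case, silently not tell you at all.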
The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as static and dynamic NAT, access control lists to control traffic flow, DMZ zones, VPN etc. I just tried to offer you a starting point for a basic configuration from where you can build your knowledge further. For a more complete practical guide about Cisco ASA firewall configuration I suggest you read the “Cisco ASA Firewall Fundamentals – Second Edition” ebook at the link HERE.
Hi, Congratulations to the site owner for this marvelous work you’ve done. It has lots of useful and interesting data.
Thanks for sharing your knowledge. I just downloaded your ebook, legally of course, and I can’t wait to try out all the scenarios contained in the book. One question that I have so far is how I can use my current Linksys router with my firewall. What I would like to do is just plug my firewall in behind my current router instead of directly connecting it to the internet (ISP) as shown in your diagrams. I guess all I would have to do is configure the default gateway (my router) on the firewall. Any comment regarding this setup would be appreciated.
Thanks again for a great guide.
Well, why don’t you connect your ASA directly to the ISP? Anyway, if for any reason you need to have the Linksys connected to the ISP, then configure a static IP address on the outside interface of the ASA and assign as default gateway the internal IP of the Linksys router. Assume that your Linksys has internal LAN IP 192.168.1.1. Assign an IP address for the outside of the ASA of 192.168.1.10 and then configure a default route (gateway) for the ASA as follows:
asa(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1
Also, if the Linksys does the NAT translation, then you can avoid using NAT on the ASA firewall.
I hope I clarified your question.
Regards
Harris
Thanks for your response. Just to answer your question about why I am not using my ASA as an edge device: I currently have a couple of people using the Linksys for wireless connection and I have a VoIP phone hooked up to it as well… so I felt hesitant about having to deal with that right off the bat.
OK, that makes sense then.
I have my ASA connected directly to my ISP’s cable box. The ASA keeps dropping the IP on the outside interface. I had to call the ISP several times to refresh my IP and it would work until I reboot the cable box or the ASA, and then the IP on the outside interface of the ASA is gone. “show ip” shows “unassigned” for the outside interface. I googled around to see if anybody else has experienced this but nothing so far. Does anybody have any idea why this might happen? Thanks.
One suggestion would be to fix the speed and duplex settings on your ASA outside interface. Maybe it’s a hardware speed negotiation problem between the ASA and the cable box. If the cable box is 100Mbps full duplex, then make the ASA interface the same:
hostname(config)# interface Ethernet0/1
hostname(config-if)# speed 100
hostname(config-if)# duplex full
Hello, I was looking around for a while searching for operational security training and I happened upon this site and your post regarding Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial | CiscoTips, I will definitely this to my operational security training bookmarks!
Hi, I bought your books to setup my ASA-5505 for VPN access. The scenario that best fits my setup is static outside interface with 2 servers in the dmz. You state that this requires a Security Plus license. In my case, I don’t need any servers in the dmz, just the inside lan with vpn users connecting to access services on the inside lan. Would I still need a Security Plus license? Would I have to do anything different from your example or just leave out the dmz settings?
Thanks in advance,
Arif
Hello Arif,
The scenario you mention above requires Security Plus license because there is communication between the DMZ and Internal network. For such a communication to work, you need to have a Security Plus license for the ASA5505 firewall. Now, in your case you don’t need a security plus license. Just leave out the DMZ settings in the example and configure VPN on the ASA for your users. Please let me know if you need more clarifications.
Harris
Harris,
Thank you! It worked once I configured it the way you had it in the book. Now I will see how to port forward ssh port to a box on the inside vlan.
-arif
Arif,
I’m glad it worked. For the port redirection I have a specific section in the ebook which describes exactly what you need to do. Please let me know if you find any problems.
Dear Friends,
I want to reload my ASA 5510 firewall. It was configured by ASDM, so how do I reload the firewall? Kindly send me the procedure; it would really help me. I have one doubt: we have the firewall directly connected to my Thomson ADSL router (modem) and then we have one public IP that I want to configure. I think it should be configured on the firewall e0 port. If we configure it like this, for example my IP address is 218.248.25.X and my Thomson gateway is 192.168.1.254 by default, then my question is basically: if we configure any router and firewall we should configure a default route to communicate with the outside network, so how do I configure the default route?
Dear Friends,
I want to reload my ASA 5510 firewall. It was configured by ASDM, so how do I reload the firewall? Kindly send me the procedure; it would really help me. I have one more doubt: we connected the firewall directly to my Thomson ADSL router (modem) and then we have one public IP. What is my question here? Where do I configure this IP address? I think it should be configured on the firewall e0 port. If we configure it like this, for example my IP address is 218.248.25.X and by default my Thomson gateway is 192.168.1.254, then my question is basically: if we configure any router and firewall we should configure a default route to communicate with the outside network, so how do I configure the default route in this scenario?
There should be a link under the administration section for reloading. Regarding the scenario with the Thomson ADSL router, if I understand it correctly, the default route for the ASA will be 192.168.1.254. You should assign an IP address to the outside interface (eth0 port) of the ASA in the range 192.168.1.1 – 192.168.1.253.
Thanks for the update!!!!!
Thanks for this. As for the Step 6, I have an internal DNS to resolve internal addresses and DHCP assigning addresses internally. Do I still need to have ASA 5510 run DHCP? I also currently have ISA server 2006 on which I had a stub copy of DNS and forwards queries to external DNSs. I would like to continue using ISA server with ASA 5510, the latter will be at the perimeter. How can I accommodate both? Also, I have several global IPs and I do not know how to define sub-interfaces to assign several global IPs to a single physical interface. Please help!
Andrew,
If you have a dedicated DHCP server in your network, then you must not activate DHCP service on the ASA appliance. If you have an ISA server, you can connect the ISA server in the internal network (or preferably on a DMZ) and force all internal users to use the ISA as proxy for their HTTP traffic. You can configure an access-list which allows only the ISA server to access the internet for ports 80/443.
Regarding the global IPs, you don’t need to configure sub-interfaces to assign them. With sub-interfaces you just create separate network security zones. If the global IPs are routed towards your outside interface, you can create static NAT commands and redirect those IP addresses to internal hosts for example.
Blog Admin,
Thanks. Regarding the access lists, well I have an Exchange server on the internal network as well and I am also planning to add an MS SQL 2008 internally. On the DMZ, I was thinking of putting up a web/FTP server. How do I treat this in the access list as well? Excuse my ignorance, I am a novice to Cisco.
Thanks
To allow communication between any two ASA interfaces (security zones) you need two things: 1) proper NAT, 2) proper access lists.
So, yes, if you have the proper NAT in place between DMZ and inside (provided that nat-control is enabled) then you just need to apply the correct access list on the DMZ interface to allow the web server to communicate with the internal SQL server.
Dear BlogAdmin,
You say i do not need to have sub-interfaces to assign global IPs. I will have, say, global IP x.x.x.91 255.255.255.248 assigned to outside and on interface 0/0. Can I use the same interface to route traffic destined to other global IPs, say x.x.x.90 255.255.255.248 for web that I will place in DMZ etc without having to define them anywhere?
Thanks
Andrew,
YES, absolutely you can do this. As long as these public IP addresses are routable on the outside interface (e.g. you have a subnet x.x.x.88 255.255.255.248 assigned to you on the outside from your ISP) you can use any IP address within that subnet and do static NAT to redirect traffic from outside to an internal DMZ server via the ASA.
I change the subnet mask to a computer ASA 5510.
When you make a change before I lose all the policies configured.
This is correct or am I doing something wrong.
Would have some “how to” about it?
Sorry my bad English, I am using a translator.
Greetings!
I did not understand fully what you mean. Before doing any changes, you must save the running configuration by using “wr mem”. Then you can make changes on the running configuration which are applied immediately. If the changes are successful, you save them again with the same command as above.
I am trying to configure dmz so I can place our web server in the dmz network and have our users access out on my asa 5510, here is the current scenario;
Ethernet0/0 (Outside)x.x.x.185
Ethernet0/1 (Inside) 192.168.75.0/24
Ethernet0/2 (DMZ) 192.168.10.0/24
I can get it to work with a private ip but I would like to use one of our public ip addresses to access the server, I also need to access an sql server on the inside interface. How will i go about placing a web server in dmz and making it accessible via public ip? Any help will be greatly appreciated
Justinian,
You will have to configure static NAT for the DMZ web server to permanently map its private IP address to a public IP. Then you will have to allow HTTP from outside using an access control list applied on the outside interface.
The configuration depends on the ASA version you have. If it’s version 8.3 and up the config is different. Let me know the version to help you.
Thank you for the prompt reply, the ASA 5510 is running version 8.2, I have following config for http;
access-list inbound extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.75.x www netmask 255.255.255.255
(Assuming that I understand this correctly) If the dmz interface is on 192.168.10.x/24 interface, the static NAT will look something like this;
Static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
I am also using an sql server that is on the Inside interface and the web server needs to connect to it via port 1433 for which I used;
mtu dmz 1500
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list ACL_dmz outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
I am by far not an expert when it comes to Cisco, I greatly appreciate your help
***Correction*** (please ignore my earlier post I noticed an error in the information I provided)
Thank you for the prompt reply, the ASA 5510 is running version 8.2. The server has not been placed in dmz yet, so I have following config for http;
access-list inbound extended permit tcp any interface outside eq www
static (inside,outside) tcp interface www 192.168.75.x www netmask 255.255.255.255
(Assuming that I understand this correctly) If the dmz interface is on 192.168.10.x/24 subnet, the static NAT will look something like this;
Static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
I am also using an sql server that is on the Inside interface and the web server needs to connect to it via port 1433 for which I used;
mtu dmz 1500
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 0 access-list ACL_dmz outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
I am by far not an expert when it comes to Cisco, I greatly appreciate your help
If the dmz interface is on 192.168.10.x, the static NAT will be exactly as you mention above:
static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
you also need to apply the inbound ACL to the outside interface:
access-group inbound in interface outside
What about tying a public ip to the private address (lets say 192.168.10.6) of the server in dmz?
Then you replace the “interface” command with the actual public address:
static (dmz,outside) tcp 100.100.100.1 www 192.168.10.6 www netmask 255.255.255.255
Thanks again for the responding, one last question;
I have a block of 5 static IPs, 100.100.100.5 to 100.100.100.9. If the interface “outside” is configured to use 100.100.100.5 255.255.255.248, will it accept the following:
static (dmz,outside) tcp 100.100.100.6 www 192.168.10.6 www netmask 255.255.255.255
to tie 100.100.100.6 to the internal ip of the web server and accept connections?
Justinian,
Yes, what you say above is correct. You will need also to configure an access list which should be allowing traffic from outside to 100.100.100.6 on port 80. This access list must be applied on the outside interface.
Thanks for the e-book, I downloaded it legally of course. I have a question: I ran out of public IPs. The only available IP that I can use is the IP assigned to the external interface, and when I attempt to use it then I cannot SSH to my ASA510 version 7.0 firewall, internally or externally. I PAT the outside interface to port http/https. Below are my NAT statements and access-list:
access-list acl_outside extended permit tcp any host X.X.X.213 eq www
access-list acl_outside extended permit tcp any host X.X.X.213 eq https
static (inside,outside) X.X.X.213 10.10.6.44 netmask 255.255.255.255
I added “access-list acl_outside extended permit tcp any host X.X.X.213 eq ssh” and that still did not allow me SSH access.
If I add “access-list acl_outside extended permit tcp any any” then everything works, which means my firewall is wide open. I know I do not want to do so…
Is what I’m trying to achieve doable? Or are there some limitations?
Thanks,
Okay, I figured out what I need to do to fix the issue and still maintain SSH to the firewall without compromising security. I’m reposting just in case someone else has a similar issue.
Remove old Rules/NAT
no access-list acl_outside permit tcp any host x.x.x.213 eq www
no access-list acl_outside permit tcp any host x.x.x.213 eq https
no static (inside,outside) x.x.x.213 10.10.6.44 netmask 255.255.255.255
Add new rules/NAT
static (inside,outside) tcp interface 80 10.10.6.44 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.10.6.44 443 netmask 255.255.255.255
access-list acl_outside permit tcp any interface outside eq www
access-list acl_outside permit tcp any interface outside eq https
Thank you guys….
Mohammed,
I was going to reply to your initial comment but I just saw that you’ve figured out the correct solution.
Yeap, doing port redirection is the way to go. The way you had it at the beginning (full static NAT) was redirecting ALL traffic to your internal web server, including SSH traffic as well. Now, with port redirection you redirect only HTTP/HTTPS traffic.
I’m trying to block GoToMyPC, LogMeIn and GoToMeeting.
I have tried using regex; however, whenever I apply the policy it somehow blocks a lot of HTTP and IM (instant messaging) traffic:
FW01(config)#show running-config regex
FW01(config)# regex contenttype50 "Content-Type"
FW01(config)# regex domainlist50 "\.gotomeeting\.com"
FW01(config)# regex domainlist51 "\.logmein\.com"
FW01(config)# regex domainlist52 "\.GoToMyPC\.com"
FW01(config)#
FW01(config)# show running-config class-map
!
class-map IPS
match access-list TEM-F-IPS
class-map type regex match-any DomainBlockList
match regex domainlist51
match regex domainlist50
match regex domainlist52
class-map type inspect http match-all BlockDomainsClass
description This will block Access to GoToMeeting and LogMeIn
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map HttpTraffic
match access-list inside_mpc
class-map Netflow_class
match any
FW01(config)# show running-config policy-map type inspect http
policy-map type inspect http Http_inspection_policy
description Inspecting GoToMeeting and LogMeIn
parameters
protocol-violation action drop-connection log
match request method connect
drop-connection log
class BlockDomainsClass
reset log
FW01(config)# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect ils
inspect ip-options
class Netflow_class
flow-export event-type all destination 10.13.50.48
class IPS
ips inline fail-open
policy-map type inspect http Http_inspection_policy
description Inspecting GoToMeeting and LogMeIn
parameters
protocol-violation action drop-connection log
match request method connect
drop-connection log
class BlockDomainsClass
reset log
policy-map inside-policy
description Policy created to Block GoToMeeting LogMeIn
class HttpTraffic
inspect http Http_inspection_policy
FW01(config)# show running-config service-policy
service-policy global_policy global
service-policy inside-policy interface inside
Would anyone have an idea what I need to do to fix the issue? Or if you have a better way to block GoToMyPC and LogMeIn, please let me know.
Thanks,
Hmmm….. your configuration needs some careful consideration. Let me see if I find some time to check it out.
Blog Admin,
If I want to upgrade my ASA image file and ASDM image file, and I use the Cisco.com wizard to automatically upgrade these files, will it keep my configured firewall access rules?
Or will I have to reload these rules after upgrading to the next ASA images?
Reed,
Yes, the configuration access rules will be retained on the firewall. The ASA image upgrade affects the OS image and not the ASA configuration.
Hello,
How would I go about having a failover internet connection for our ASA? We have a connection coming in from Comcast and another from CenturyLink in case Comcast goes down (which is happening very frequently nowadays). My ASA has an open port that I could use for it but I’m not sure how I would go about setting it up; any help will be greatly appreciated.
Hi ,
You can use the “sla monitor” feature to track the connections to the two ISPs. See the link below:
http://www.networkstraining.com/cisco-asa-5500-dual-isp-connection/
Thank you for responding, and the article is VERY helpful. Forgive my ignorance, but I would like to know how I would configure the translations for static IPs from ISP-1 on the ISP-2 interface. For example, currently for email I have
static (Inside,Outside) 100.100.100.186 192.168.20.8 netmask 255.255.255.255
how would this work with ISP#2 since the public address belongs to ISP-1?
Let’s say the interface to the second ISP is named outside2:
You will have another public IP address from that ISP, let’s say 200.200.200.1, assigned for your mail server:
static (Inside,outside2) 200.200.200.1 192.168.20.8 netmask 255.255.255.255
Awesome! I didn’t think one IP (192.168.20.8 in this case) could be bound to different public addresses. I will test and post the results.
Thanks again
Currently I have run out of public IPs on my ASA5510. I was able to acquire a new /24 block; however, this block is not on the same subnet as my existing /28 block. Is there a way that I can use this new block on my ASA5510 to NAT to internal IPs? If yes, what do I need to use this new block?
Mohammed,
Yes, you can use a different /24 block. Your ISP must route this new block towards your ASA external IP. Then you can use normal static commands on the ASA to assign the new IP addresses to internal hosts.
So do I have to assign an IP address from the new block to one of my interfaces on the ASA? Would it be possible to show an example of how the config would look?
Thanks,
No, you don’t have to assign an IP address from the new block to the ASA interface. You will keep the old IP address that you had. Just use static NAT commands to statically map the new outside public IP addresses to inside addresses.
So based on what would the firewall accept the traffic? It only knows about the IPs since they are used in the static NAT commands!!! Is this secure??
Hi,
Thanks for sharing the wealth of information on this blog. Since I’m new to firewalls, a new task I found in my basket this week, I’m trying not to drown in the information. However, is there a way one can create a virtual ASA5510 to test the set of rules prior to posting them to the firewall? The firewall is not in-house but on another continent, so flying up and down all the time until all settings are correct is not my favourite occupation. Thanks for the help.
Regards,
Paul
Paul,
I would suggest renting a CCIE Security rack and getting actual access to real ASA devices where you can test anything you want. It’s pretty cheap; search for CCIE Security rack rentals on Google.
In addition to the static NAT, you will also configure access-list rules to control what traffic will be allowed from the internet to the public IP. The access list will be applied on the outside interface.
I am trying to follow your example to get basic internet connectivity on my ASA5510.
I have my DSL modem set to automatically push my static IP to my ASA’s Ethernet0/0 port.
When I try to configure the port with my 1.1.1.1 IP and my subnet mask of 255.255.255.255 I get “bad mask for address 1.1.1.1”.
I don’t want the ASA to do the PPPoE when I can get my modem to do it. I will also be changing my IP in the future (I’m using a backup IP for deploying this ASA on my LAN).
Thanks.
Thomas,
You can use a subnet mask of 255.255.255.0 for the outside interface. You need to find out what the default gateway will be (i.e. the router gateway of your ISP) and make sure that the outside ASA address falls in the same subnet as your default gateway. You will achieve this by choosing the correct subnet mask.
Hi,
I’m in the process of implementing Active/Standby redundancy on my ASA5510 firewall. All interfaces are of speed 10/100. I would like to use the management interface 0/0 as the failover link; do you see any problems/issues or disadvantages of using the management interface?
Mohammed,
I have not seen such a configuration before. I have seen the “management” interface to be used as normal data interface, but not as failover. Just try it and let us know how it goes. Run the command “no management-only” under the management interface configuration and then configure it as failover. If it works then I don’t see any disadvantages.
I am trying to access the web server on the DMZ segment from the inside segment by using the public URL. When looking at the log I see:
=========
TCP access denied by ACL from 192.168.1.5/57320 to inside:94.255.161.102/80
TCP request discarded from 192.168.1.5/57320 to inside:93.255.163.XXX/80
==========
192.168.1.5 is the host on the inside network and “93.255.163.XXX/80” is the IP address on the outside interface (dynamic), even though the log says “inside”.
What am I doing wrong/missing? Please advise.
Sorry, I pasted the wrong outside addresses above (comment #59). They show differently but both are the same in fact.
Okay, another question: is it best practice to use two interfaces for HA failover? I read somewhere online that the ASA550x firewalls will continuously fail over if both the heartbeat traffic and the stateful traffic go through a single interface.
This would only make sense to me if you have a lot of traffic going through your firewall, and by a lot I mean having hundreds of IPsec tunnels and any other crazy traffic, then maybe, since the heartbeat data needs low latency and not a lot of packet loss due to heavy traffic.
Would like to get your thoughts on this?
Mohammed,
I always use just one interface for HA failover and everything works OK with no problems. Of course I try to use a 10/100/1000 Mbps interface so as to utilize the gigabit speed. However, if your firewall’s traffic is not much, then 10/100 as failover will be fine.
Tamadite,
I assume that the actual IP address configured on the DMZ web server is not the public IP you mention here. I assume it is a private IP and then you do a NAT translation on the ASA to translate the DMZ IP to a public one. If this is the case, then you must access the DMZ web server from inside using the private IP address of the web server (i.e. the one configured on the network interface of the server).
Blog Admin
DMZ has 172.16.1.X, inside has 192.168.1.X and outside 94.255.161.102. I can access the web server in the DMZ from inside if I use the DMZ host IP address. What I would like to do is to access the DMZ using the URL to my web server. The web server can be accessed from the Internet by Internet hosts without problems. So you say that I cannot access the web server in the DMZ from inside using the URL but only using the DMZ IP address of the host (172.16.1.X).
I got it to work:
static (dmz,inside) netmask 255.255.255.255
On 8.3 or above
object network inside-dmz-web
host
nat (dmz,inside) static
But one question remains: I want “nat (dmz,inside) static ” to use the dynamic ip address of the outside interface. How can I do this?
Oops! It seems the blog does not accept some symbols. I repeat it here using other symbols:
static (dmz,inside) [public.ip] [dmz.host.ip] netmask 255.255.255.255
On 8.3 or above
object network inside-dmz-web
host [dmz.host.ip]
nat (dmz,inside) static [public.ip]
But one question remains: I want “nat (dmz,inside) static [public.ip]” to use the dynamic ip address of the outside interface. How can I do this?
You can NOT access the translated public IP of the web server from inside of the ASA. You need to access the private IP. You can change the “host” file of your computer and make the URL domain point to the private IP.
e.g.
webserverdomainname.com 172.16.1.1
Well, somehow I got it to work. Don’t ask me why, because I have read in many places that it is not possible. What I tried is DNS doctoring. With the solution given in comment #66 I can reach the web server in the DMZ from inside using the URL only, not via the real IP (web server IP in the DMZ). Now with the solution I give below I can reach the web server in the DMZ from inside using both the URL and the real web server IP in the DMZ.
object network web_dmz_inside
host 172.16.1.2
nat (dmz,outside) static interface dns
The strangest thing is that I am using PAT and from what I have read it should not work either.
I thought about modifying the local hosts file on my inside clients but as a last resort. Now, unless I am doing something really stupid, I will keep it like this.
Please advise.
Hi,
Can anyone please help with what went wrong in this config? The webserver is accessible from outside but not from inside using the FQDN; I can only access the webserver from inside using the internal IP address but not with the public address. I tried with my old non-Cisco firewall and it works fine. Please help. Thanks…
User Access Verification
Password:
Type help or '?' for a list of available commands.
TID> en
Password: ******
TID# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname TID
enable password hNoJA51JsYfVzHT6 encrypted
passwd hNoJA51JsYfVzHT6 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network remote
host 192.168.1.199
object network https
host 192.168.1.199
object network http
host 192.168.1.199
object network smtp
host 192.168.1.199
object network pop3
host 192.168.1.199
object network imap
host 192.168.1.199
object network 81
host 192.168.1.197
object network 82
host 192.168.1.197
access-list internet_access_in extended permit icmp any any
access-list lan_access_in extended permit icmp any any
access-list 100 extended permit icmp any any echo-reply
access-list Internal_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list External_access_in extended permit icmp any any echo-reply
access-list External_access_in extended permit icmp any interface outside time-exceeded
access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list External_access_in extended permit tcp any interface outside eq https
access-list External_access_in extended permit tcp any interface outside eq www
access-list External_access_in extended permit tcp any interface outside eq imap4
access-list External_access_in extended permit tcp any interface outside eq smtp
access-list External_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network remote
nat (inside,outside) static interface service tcp 3389 3389
object network https
nat (inside,outside) static interface service tcp https https
object network http
nat (inside,outside) static interface service tcp www www
object network smtp
nat (inside,outside) static interface service tcp smtp smtp
object network pop3
nat (inside,outside) static interface service tcp pop3 pop3
object network imap
nat (inside,outside) static interface service tcp imap4 imap4
object network 81
nat (inside,outside) static interface service tcp 81 81
object network 82
nat (inside,outside) static interface service tcp 82 82
access-group External_access_in in interface outside
access-group Internal_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 203.162.0.181
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username tidadmin password z.LOsU12wSFTyd4m encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:80467bad3c53ad2084876331274a7779
: end
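Added example, not code from the thread or from the book it discusses: a small Python checker that walks a `show run` dump like the one above and flags settings a reviewer would question. The sample input is constructed from lines of the posted 8.3(1) configuration (outside address kept as the poster's x.x.x.x placeholder), and each finding it raises (telnet allowed from 0.0.0.0/0 on outside, a default route whose next hop sits in the firewall's own inside subnet, an outside ACL entry permitting ip any into the inside subnet) corresponds to a line visible in that dump.

```python
"""Added example (not part of the thread): a small audit of ASA 'show run' text.
Flags three exposures visible in the configuration posted above: management
access open to 0.0.0.0/0 on outside, a default route whose next hop sits in the
inside subnet, and an outside ACL entry permitting 'ip any' into the inside subnet.
"""
import ipaddress
import re

# Constructed sample: lines copied from the 8.3(1) configuration posted above,
# with the outside address left as the poster's x.x.x.x placeholder.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.200 255.255.255.0
!
access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list External_access_in extended permit tcp any interface outside eq https
access-group External_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.200 1
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
"""

def parse_interfaces(config):
    """Return {nameif: ip_interface} for interface blocks with a parseable address."""
    ifaces = {}
    name = addr = None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = addr = None          # new block: forget the previous one
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address "):
            parts = s.split()
            try:
                addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
            except ValueError:          # placeholders like x.x.x.x are skipped
                addr = None
        if name and addr:
            ifaces[name] = addr
    return ifaces

def audit(config):
    """Return a list of human-readable findings, in configuration order."""
    findings = []
    inside = parse_interfaces(config).get("inside")
    # ACL name -> interface on which it is applied with the 'in' direction
    applied = dict(re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M))
    for line in config.splitlines():
        s = line.strip()
        m = re.match(r"^(telnet|ssh|http) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", s)
        if m and m.group(2) == "outside":
            findings.append(f"{m.group(1)} management open to any source on outside")
            continue
        m = re.match(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)", s)
        if m and inside and ipaddress.ip_address(m.group(1)) in inside.network:
            findings.append(f"default route next hop {m.group(1)} is in the inside subnet")
            continue
        m = re.match(r"^access-list (\S+) extended permit ip any (\S+) (\S+)$", s)
        if m and inside and applied.get(m.group(1)) == "outside":
            try:
                dst = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            except ValueError:          # 'any' or object names are not checked here
                continue
            if dst.overlaps(inside.network):
                findings.append(f"ACL {m.group(1)} permits ip any into {dst} from outside")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```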
Hi;
Thank you so much for your continued efforts in responding to many ASA related questions.
I actually bought your eBook about a year ago but have just started using it to configure our ASA5510.
Now I ran into two separate problems with the Mgmt port IP assignment.
First, whenever I change the IP address from the default to anything else (from 192.168.1.1 to 192.168.11.100), the ASDM will no longer connect to the unit using the newly changed IP, even though I also changed my PC’s IP to correspond to the Mgmt’s.
But once I change it back to the default, everything works again. Note that I am able to gain access thru the console to undo whatever changes I have made.
Also, must the ASA Management port be separated from the rest of the LAN?
2nd: I would like to have the Management port reside on the same subnet as the rest of my secure hosts. So far the ASA5510 is insisting that the two cannot coexist on the same subnet.
Example: 192.168.2.1=ASA-Mgmt-port ; 192.168.2.5-50=LAN-hosts; 192.168.1.1=outside-port-ISP-router.
Am I missing something here? Please advise. Thanks
@MDGeek,
1st Problem: Have you also changed the subnet range allowed to use http?
e.g:
http server enable
http 192.168.11.0 255.255.255.0 management
2nd Problem: The ASA management port is a different layer 3 interface, so it MUST be on a separate layer 3 subnet from the rest of the interfaces. So, yes, you must assign a different subnet for the management interface (which is better for security reasons as well).
Thanks a million!
http server was already enabled (used with the default ip), however, the 192.168.11.0 was not associated to the management interface.
It now works with my set subnet. Also, I now understand the interface separation thing with the mgmt port.
Thanks again.
Please, one quick question. How can I configure port forwarding for a Remote Desktop connection (RDP – port 3389) and an HTTP connection to a security camera?
Both will have to translate standard tcp port from outside to custom tcp port inside-LAN.
We already have both services working fine off of the broadband router and would like to maintain that when the ASA5510 is deployed.
Thanks always
This is called “port redirection” with Cisco ASA. Try Googling this and you will find several examples.
Hi,
I have purchased your ebook and have been using it to learn Cisco ASA. I have an ASA5505 and have set up a remote VPN worker. My problem is that the PC running the VPN client connects OK and can ping the ASA inside interface but not the PC on the inside interface. The PC on the inside interface can ping the VPN client.
ping VPN Client – ASA Inside I/f 192.168.44.160 Yes
ping VPN Client to PC on inside 192.168.44.82 NO
ping PC on inside to VPN Client 192.168.50.1 Yes
My config is below. Please are you able to tell me what I have done wrong?
ASA Config
: Saved
: Written by cisco at 10:08:15.679 UTC Fri Dec 16 2011
!
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.44.160 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.100 255.255.255.0
!
ftp mode passive
object network internal_lan
subnet 192.168.44.0 255.255.255.0
object network support-vpn-subnet
subnet 192.168.50.0 255.255.255.0
description IP address assigned to Support VPN User
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list global_access extended permit ip any any
access-list global_access extended permit icmp any any echo
access-list global_access extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool-support-vpn 192.168.50.0-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static support-vpn-subnet support-vpn-subnet no-proxy-arp route-lookup
!
object network internal_lan
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 192.168.1.98 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.44.0 255.255.255.0 inside
http 192.168.1.96 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.44.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.96 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy tg-vpn-support internal
group-policy tg-vpn-support attributes
wins-server value 192.168.44.1
dns-server value 192.168.44.1
vpn-tunnel-protocol ikev1
default-domain value bhls.com
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group tg-vpn-support type remote-access
tunnel-group tg-vpn-support general-attributes
address-pool pool-support-vpn
default-group-policy tg-vpn-support
tunnel-group tg-vpn-support ipsec-attributes
ikev1 pre-shared-key 1qazxsw2
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:488a018c60162a057b66a31071a38917
: end
Martin,
It seems that the PC firewall may be blocking your pings. If the PC is Windows, enable remote desktop access on the PC and try to connect with RDP from the VPN client to the PC. If you manage to connect, then the VPN works fine. Pinging is not always the best way to test connectivity.
Hi… it’s working… thanks
Hi,
I want to connect 3 different routers (also CISCO equipment) to a CISCO ASA 5510. All routers have different outside networks connected to them. But I want the inside network to be the same, 10.10.0.xxx. Is it possible to have the ASA 5510 with an IP 10.10.0.xxx and the routers also with 10.10.0.xxx IPs? Or do I have to assign different network IPs for the routers, for example for router 1 10.10.1.xxx?
Many thanks,
Adolfo
Adolfo,
Yes, you can have all routers connected to the same inside network as the ASA (10.10.0.x). However, you should know that traffic between the three outside networks will be allowed to communicate with the other outside networks through the routers with no restrictions. If you want to control traffic flow between the three outside networks, then you must connect each router into a different inside subnet (you should create different inside VLANs on the ASA).
The book is excellent and was a great help in configuring my ASA 5505 and 5510, but I did have a problem with the examples for site-to-site VPN and Remote Access VPN. When you enter the access-list and nat commands as shown, it wipes out any others that you have already entered. Same with the crypto commands. I was able to get around it by using the ASDM interface for those commands, but is there something in the command that will allow you to add without wiping out previous commands?
Steve,
This is normal with Cisco configurations. For some commands, if you execute the same command with different parameters, it overrides the existing one. On access-list commands, you need to enter the line number if you want to add additional entries without overriding existing entries.
e.g:
access-list access_list_name [line line_number] [extended] [permit/deny]
Please help me out regarding this issue, this is my first project.
My client sent me these addresses:
IP: 173.68.176.210 – 215
Default Gateway: 173.168.176.1
Subnet Mask: 255.255.255.0
Primary DNS: 68.237.161.12
Secondary DNS: 71.243.0.12
I will pick one of the public IPs and set it on the e0 interface. Well, I don’t know if I have to set the default gateway IP address on the internal interface that will connect the firewall to the switch; I am very confused. Secondly, how do I set the IP for the domain?
ip name-server and then the ip address
Please help me out
Muhammad,
The default gateway always points towards the Internet and NOT towards the inside network. So pick one of the available IP addresses for the outside ASA interface and set the default gateway to point to the ISP IP.
First off, I’m enjoying your ebook. It’s great!
I have the same setup, except I have a L3 3550 switch and I’m doing subinterfaces on my PIX 515 (unrestricted). Everything works fine as far as DHCP, internet, and ASDM. The only thing is I can’t seem to ping my internal clients from my ASA. I can ping my L3 switch VLAN IP but not my internal client IP. My client PCs can ping both the L3 switch IP and the ASA inside interface. Is there an ACL that’s blocking? I did a packet-tracer and it tells me it dropped due to an access list, but I have them in place. I feel I’m missing something simple. Information below.
Internet Pix515 L3switch PC’s
MYFIREWALL# sh run
: Saved
:
PIX Version 8.0(4)28
!
hostname MYFIREWALL
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
speed 100
duplex full
nameif outside
security-level 0
ip address 173.14.214.114 255.255.255.248
!
interface Ethernet1
speed 100
duplex full
no nameif
no security-level
no ip address
!
interface Ethernet1.10
vlan 10
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet1.20
vlan 20
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging timestamp
logging buffer-size 20000
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 173.14.214.118 1
timeout xlate 3:00:00
timeout conn 9:09:09 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.68.162 68.87.74.162
dhcpd domain aejg.net
!
dhcpd address 10.10.10.105-10.10.10.150 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
Cryptochecksum:ed3a9e8e32f486f73ad65f0ce7a95b3f
: end
————————
MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.105 detail$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4392f78, priority=1, domain=permit, deny=false
hits=130328, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 inside
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x4397fb8, priority=500, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.10.10.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
——————————–
MYFIREWALL# ping 10.10.10.105
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.105, timeout is 2 seconds:
?????
——————————-
MYSWITCH#sh run
Building configuration…
Current configuration : 2518 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname MYSWITCH
!
!
no aaa new-model
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
duplex full
speed 100
!
interface FastEthernet0/2
switchport mode dynamic desirable
!
interface FastEthernet0/3
switchport mode dynamic desirable
!
interface FastEthernet0/4
switchport mode dynamic desirable
!
interface FastEthernet0/5
switchport access vlan 10
switchport mode access
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet0/6
switchport mode dynamic desirable
!
interface FastEthernet0/7
switchport mode dynamic desirable
!
interface FastEthernet0/8
switchport mode dynamic desirable
!
interface FastEthernet0/9
switchport mode dynamic desirable
!
interface FastEthernet0/10
switchport mode dynamic desirable
!
interface FastEthernet0/11
switchport mode dynamic desirable
!
interface FastEthernet0/12
switchport mode dynamic desirable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.10.10.100 255.255.255.0
ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
ip http server
—————————
Edwin,
Try the following command:
icmp permit any inside
Also, do your internal PCs have any windows firewall configured on them (maybe it blocks the ASA pings?)
Thanks for your response. This is what I get.
MYFIREWALL(config)# icmp permit any inside
ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists
I also tried adding “same-security-traffic permit intra-interface” but no success.
Also, I disabled my Windows firewall service. Is it a rule that the Cisco PIX doesn’t accept return pings that it sends out on its inside interface? Because I get the question marks when I ping my internal PC.
Problem resolved. It was the firewall on my Windows 7 PC. Weird: I stopped and disabled the firewall service and even restarted afterwards, and it wasn’t getting ping responses. It wasn’t until I created an inbound rule on the firewall to allow all ICMP that it started working. Thanks for all your help and advice.