
Firewall ASA5505 Troubleshooting

13 years 5 months ago #37083 by Samley
Hi Team,

I am pretty new to firewalls and managed to configure and install one of the firewalls at a customer. It seemed to work fine, but after a day the customer complained that some of the users are able to connect to the internet and some cannot. I have pasted the configurations of the firewall and router, and here is how the scenario looks:


PCS....>Switch....>ASA5505....>Router.....>Internet


FIREWALL CONFIGURATION
ciscoasa# sho run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.40.225 Exchange description Mail Server
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.40.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.81.242 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service Mail_Ports tcp
description Mail ports
port-object eq www
port-object eq https
port-object eq smtp
access-list outside_access_in extended permit tcp any host XX.XX.81.243 object-group Mail_Ports
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) XX.XX.81.243 Exchange netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.81.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.40.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
!
prompt hostname context
Cryptochecksum:382f802d01f6e753de9b3d91bd0b9eda
: end
ROUTER CONFIGURATION


Router#show run
Building configuration...

Current configuration : 1200 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$vpBv$gAXwQ2hlJRBBmgVZAewZO1
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode ansi-dmt
!
interface ATM0.1 point-to-point
ip address XX.XX.16.166 255.255.255.252
ip nat outside
ip virtual-reassembly
pvc 12/209
protocol ip XX.XX.16.165 broadcast
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address XX.XX.81.241 255.255.255.248
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XX.XX.16.165
!
no ip http server
no ip http secure-server
ip nat inside source list 2 interface Vlan1 overload
!
access-list 2 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password XXXXXXX
login
!
scheduler max-task-time 5000
end

Router#
I appreciate your support.
Thanks,
13 years 5 months ago #37087 by S0lo
As we discussed by phone, this could be an issue with the ASA's 10-user licence limit.

The configs seem fine to me. But you're using NAT on both the ASA and the router. This probably adds a little overhead and might slow down the network a bit at peak times.

On second thought, in fact the NAT on the router may not be working at all, since your access list (access-list 2 permit 192.168.0.0 0.0.255.255) NATs only the private range 192.168.0.0/16, but all traffic coming from the ASA has the source IP XX.XX.81.242 since it's already been NATed by the ASA.

Here's what I would do: assuming that XX.XX.81.242 is a public IP, you can totally remove the NATing on the router. Just keep the default route (ip route 0.0.0.0 0.0.0.0 XX.XX.16.165).

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
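A small Python model of the two NAT hops discussed in this thread, added here as an illustration; it is not code from either poster or from Cisco. The public addresses are constructed RFC 5737 stand-ins for the redacted XX.XX.81.x values, and the function names are made up for the example. It walks each inside host through the ASA's PAT/static translation and then through the router's IOS wildcard-mask test for access-list 2, showing that no post-ASA source ever matches the router's NAT ACL.

```python
import ipaddress

# Constructed stand-ins (RFC 5737 documentation space) for the redacted
# XX.XX.81.x addresses in the thread; they are not the poster's real IPs.
ROUTER_VLAN1 = "203.0.113.241"     # router Vlan1, XX.XX.81.241 in the thread
ASA_OUTSIDE = "203.0.113.242"      # ASA Vlan2 outside, XX.XX.81.242
EXCHANGE_STATIC = "203.0.113.243"  # static (inside,outside) XX.XX.81.243
EXCHANGE_INSIDE = "192.168.40.225"  # "name ... Exchange" in the ASA config


def wildcard_match(addr, network, wildcard):
    """IOS ACL test: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def asa_translate(src):
    """Source seen on the ASA outside leg: the static for the Exchange
    host, PAT to the outside interface (global (outside) 1 interface)
    for every other inside host covered by nat (inside) 1 0.0.0.0 0.0.0.0."""
    return EXCHANGE_STATIC if src == EXCHANGE_INSIDE else ASA_OUTSIDE


def router_acl2_permits(src):
    """The router's 'ip nat inside source list 2 ...' only translates
    sources permitted by: access-list 2 permit 192.168.0.0 0.0.255.255"""
    return wildcard_match(src, "192.168.0.0", "0.0.255.255")


def trace(inside_src):
    """Follow one inside host through both hops and report what the
    router does with the packet it receives from the ASA."""
    after_asa = asa_translate(inside_src)
    translated = router_acl2_permits(after_asa)
    return {
        "inside_src": inside_src,
        "src_after_asa": after_asa,
        "router_nat_applied": translated,
        # No ACL match: the router forwards the packet untranslated, so the
        # ASA's own address must be routable upstream (S0lo's assumption).
        "src_sent_to_isp": ROUTER_VLAN1 if translated else after_asa,
    }


def hosts_router_nat_would_translate(inside_net="192.168.40.0/24"):
    """Count inside hosts whose post-ASA source still matches ACL 2."""
    return sum(router_acl2_permits(asa_translate(str(h)))
               for h in ipaddress.ip_network(inside_net).hosts())
```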