CISCO ASA 5505 firewall configuration

17 years 7 months ago #20775 by Smurf
Yeah, that makes more sense now. You can ping from network 2 (Inside) to Network 1 (Outside). That's what I would expect, so I misinterpreted your original posts as it seemed that you were able to ping from outside to inside but not the other way.

Right, from the config you are performing PAT (see the "global (outside) 1 interface" command). This is happening for all traffic that originates inside the network (see the "nat (inside) 1 0.0.0.0 0.0.0.0").

By default, the ASA will allow traffic to flow from the inside to the outside (using the Security-Level that's attached to the interfaces), i.e. the Inside is 100 and the outside is 0. This is a trust level: inside is more trusted than the outside, therefore traffic can flow from trusted to untrusted.

I must admit, I have not played with the ASA yet and I have never configured the Pix using VLANs, so that part of your config is new to me.

So, can you now just post what you want to do from here?

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 7 months ago #20778 by lestat
For the moment I only want to access the Internet :lol:
It's a start. :roll:
17 years 7 months ago #20781 by Smurf
OK, so you want to access the Internet from Network 2?

You have successfully pinged from network 2 to network 1 but cannot access the Internet!

From looking at your config, I cannot see a default route on the Pix. In order for the ASA to forward the traffic off to the Internet, it needs to know where to send the traffic. You need to use the route command to add a route to the next hop address to get out. This will be the router (or whatever device you go through to get to the Internet) of network 1.

Something like:

route outside 0.0.0.0 0.0.0.0 <router's IP>

17 years 7 months ago #20782 by Smurf
Also make sure your clients are able to resolve DNS correctly.

17 years 7 months ago #20885 by lestat
How can I configure the DNS on the ASA? And on the clients (is it automatic, do I configure it on the ASA?)
Thank you for your help :)
17 years 7 months ago #20891 by Smurf
If you config DNS on the ASA then it's only for the ASA to do Name Resolution (I don't think the ASA has a DNS Proxy Service?). If you don't have any internal DNS that can resolve DNS externally then you will need to point your clients to your ISP's DNS. Usually, however, if you have a Windows 2000/2003 domain environment then you should be able to resolve DNS, as the Microsoft DNS Server will have root hints to do external lookups (although it may be better to set up forwarders to your ISP's DNS).

Cheers

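To pull the thread's advice together (PAT with global/nat, the missing default route, and DNS for the ASA versus the clients), here is an added example of a minimal ASA 5505 configuration. It is not from the thread or from Cisco; the VLAN numbers, interface names and all IP addresses are constructed placeholders, and it uses the pre-8.3 nat/global syntax that the poster's config already uses.

```cisco
! Added example, not the poster's config. All addresses are placeholders.
! ASA 5505: physical ports are switchports assigned to VLANs.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! PAT every inside-originated flow to the outside interface address.
! Inside (100) to outside (0) is permitted by the security levels alone;
! nothing in the other direction is allowed unless an ACL opens it.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! The piece the thread found missing: a default route pointing at the
! network 1 router, otherwise the ASA has nowhere to send Internet traffic.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! DNS here serves only the ASA's own lookups (e.g. "ping www.example.com"
! from the CLI); it does not resolve names on behalf of the clients.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
!
! Clients need their own resolver. If the ASA hands out DHCP on the inside
! VLAN, give them the ISP (or internal) DNS server address this way.
dhcpd dns 203.0.113.53
dhcpd address 192.168.1.10-192.168.1.100 inside
dhcpd enable inside
!
! Verification from the ASA CLI (not configuration lines):
!   show route          -> expect "S* 0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside"
!   ping 203.0.113.1    -> next hop reachable
!   show xlate          -> PAT entries appear once a client browses
```

If the ASA can ping the next hop but clients still cannot browse, check name resolution on a client before suspecting the firewall, as the thread suggests.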