cisco asa 5510 - unable to ping outside from inside
17 years 7 months ago #21241
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: cisco asa 5510 - unable to ping outside from inside
Have you resolved the issue now or are you still unable to connect through the ASA? If you are still having problems then it's best to post the config?
17 years 7 months ago #21242
by sazzy
Replied by sazzy on topic Re: cisco asa 5510 - unable to ping outside from inside
still having issues ...
!
ASA Version 7.2(2)8
!
hostname *****
domain-name *******.**.**
enable password ************* encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 95
ip address 10.0.1.2 255.255.0.0
ospf cost 10
!
interface Ethernet0/1
nameif outsideASA
security-level 0
ip address ***.***.2.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Management0/0
nameif management
security-level 100
ip address ***.***.***.*** 255.255.255.0
ospf cost 10
management-only
!
passwd *********** encrypted
boot system disk0:/asa722-8-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name *************.**.**
object-group service TCP_ALLOW tcp
description lists all allowed tcp outgoings
port-object eq www
port-object eq domain
port-object eq whois
port-object eq ftp-data
port-object eq ftp
port-object eq 63
port-object eq smtp
object-group service UDP_ALLOW udp
description lists all allowed udp outgoings
port-object eq ntp
port-object eq domain
object-group network svr_access
description allows these full access
network-object host 10.0.0.10
network-object host 10.0.1.10
access-list inside_outbound extended permit tcp object-group svr_access any object-group TCP_ALLOW
access-list inside_outbound extended permit udp object-group svr_access any object-group UDP_ALLOW
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outsideASA 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outsideASA) 1 interface
access-group inside_outbound in interface inside
route outsideASA 0.0.0.0 0.0.0.0 ***.***.2.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http ***.***.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
ssh timeout 5
console timeout 0
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
compression http-comp
Cryptochecksum:eed0c90c28a68f8402db4cb23f3df53c
: end
thanks!
17 years 7 months ago #21244
by sazzy
Replied by sazzy on topic Re: cisco asa 5510 - unable to ping outside from inside
Not to worry. All fixed. Read another article about NAT and was missing one line ... woops!
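Added example, not from the thread: a small Python linter for the pre-8.3 (PIX-style) NAT syntax sazzy's ASA 7.2 config uses, where every `global (outside-if) <id>` needs a `nat (inside-if) <id> <net> <mask>` with the same id before inside hosts are translated outbound. It also flags the absence of `inspect icmp`, which is why pings through the box fail even once NAT is right. The sample config and the `nat (inside) 1 10.0.0.0 255.255.0.0` repair line are constructed for this example; sazzy never says which line was missing.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the thread's global/access-group lines, with no matching
# "nat (inside) 1 ..." statement and no "inspect icmp" in the policy-map.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 10.0.1.2 255.255.0.0
interface Ethernet0/1
 nameif outsideASA
global (outsideASA) 1 interface
access-group inside_outbound in interface inside
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
"""

GLOBAL_RE = re.compile(r"^\s*global\s+\((\S+)\)\s+(\d+)\b")
NAT_RE = re.compile(r"^\s*nat\s+\((\S+)\)\s+(\d+)\b")
INSPECT_ICMP_RE = re.compile(r"^\s*inspect\s+icmp\b")


def lint_pre83_nat(config: str) -> List[str]:
    """Return findings for a pre-8.3 ASA/PIX config: each global id must be
    paired with a nat statement, and ICMP should be inspected statefully."""
    globals_by_id: Dict[str, List[str]] = {}
    nat_ids: Set[str] = set()
    inspect_icmp = False
    for line in config.splitlines():
        if m := GLOBAL_RE.match(line):
            globals_by_id.setdefault(m.group(2), []).append(m.group(1))
        elif m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
        elif INSPECT_ICMP_RE.match(line):
            inspect_icmp = True
    findings: List[str] = []
    for nat_id, ifaces in sorted(globals_by_id.items()):
        if nat_id not in nat_ids:
            findings.append(
                f"global id {nat_id} on {', '.join(ifaces)} has no matching "
                f"'nat (<inside-if>) {nat_id} <net> <mask>' statement")
    if not inspect_icmp:
        findings.append("no 'inspect icmp' in any policy-map: echo replies are "
                        "not tracked statefully, so pings through the box fail "
                        "unless an outside ACL explicitly permits echo-reply")
    return findings


if __name__ == "__main__":
    for finding in lint_pre83_nat(SAMPLE_CONFIG):
        print("FINDING:", finding)
```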
17 years 7 months ago #21246
by Smurf
Replied by Smurf on topic Re: cisco asa 5510 - unable to ping outside from inside
lol, was just going to say that.
Sorry, I hadn't noticed that you had already posted your config in an earlier post.
Cheers
Wayne
17 years 7 months ago #21257
by alpine
Replied by alpine on topic Re: cisco asa 5510 - unable to ping outside from inside
Can inside clients ping the outside interface? What is the sysmon error?
I would get no route to x.x.x.x, I had a similar issue with my clients, unable to ping the outside interface. I resolved it by changing the default gateway to my inside ip address,
17 years 7 months ago #21259
by Smurf
Replied by Smurf on topic Re: cisco asa 5510 - unable to ping outside from inside
In the Pix firewall (ASA is built on the Pix code), you are unable to ping one of the firewall's interfaces if it's going through the firewall.
i.e. If you were on the inside network and pinged the inside interface, that would work because it's not going through the firewall. If however you were on the inside network and pinged the outside IP address, then it would fail.
This is a security mechanism for some reason?