Another n00b ASA5505 post (sorry)

Hi Guys,

Network scenario is simple

Two internal must be statically mapped to two external IP's

Internal IP range is /24
External IP range is /29

Traffic from outside must be able to talk to inside
Traffic from inside must be able to talk to outside

The external IP's must be visable from the outside network

Here's my sh run (with modified IP's) Only one shown here, and a few bits chopped outs that are irrelevant.

ASA Version 7.2(4)
!
hostname ASA
domain-name cisco.com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.x.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.80.36.235 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit intra-interface
access-list ACLIN extended permit ip any any
access-list ACLIN extended permit tcp any any
access-list ACLIN extended permit icmp any any
access-list ACLOUT extended permit ip any any
access-list ACLOUT extended permit icmp any any
access-list ACLOUT extended permit tcp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
static (inside,outside) 70.80.36.230 192.168.x.10 netmask 255.255.255.255
access-group ACLIN in interface inside
access-group ACLOUT in interface outside
route outside 0.0.0.0 0.0.0.0 70.80.36.231 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.x.10 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:40d93da336e7f0e09e5ea5e7fc2b2542
: end


Please note the IP's aren't genuine (not that I don't trust you guys )

In the current config the packet flow (via ping) from inside to outside is fine.

However in this configuration packet flow (via ping) from outside to inside doesn't work.

What am I doing wrong?

Do I have to make the security levels the same and then permit intra interface communication?

Once I get the communication established then I have to move on to the precise ports of the inside and outside communicating.

Any hints of where to go would be appreciated

Thanks,

Iser

Few points that you might wana consider:

1. In the lines:
[code:1]static (inside,outside) 70.80.36.230 192.168.x.10 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 70.80.36.231 1[/code:1]
IP addresses 70.80.36.230 and 70.80.36.231 are not in the 70.80.36.235/29 range. Assuming that 70.80.36.235/29 is correct, the range is from 70.80.36.233 to 70.80.36.238. Use any IP in this range except of-course 70.80.36.235 which is your vlan2 interface's. I know these are not your real IPs, but I'm saying just in case you have the same problem.

2. Upto this point, I see no reason why it shouldn't work, still the config is not very safe. For example, the lines:

[code:1]access-list ACLOUT extended permit ip any any
access-list ACLOUT extended permit icmp any any
access-list ACLOUT extended permit tcp any any [/code:1]

It's allowing all traffic from outside to go in. It's better to allow only your servers and configure NAT. NAT lets replies from the outside to enter in without an allowing ACL at the outside.

To configure NAT:
[code:1]nat (inside) 1 192.168.x.0 255.255.255.0
global (outside) 1 interface[/code:1]
And to allow your inside servers to be reachable from outside, add some thing like this:
[code:1]access-list ACLOUT extended permit tcp any 70.80.36.x eq 80[/code:1]
Here I'm assuming you have a web server, hence port 80. Change it to the specific port you use on your server. Sure you can add icmp too for ping to work.

3. I don't see the need for ACLIN. The ASA by default allows traffic to flow from a higher security interface (inside) to a lower security interface (outside) unless another ACL denies it. Try removing the line access-group ACLIN in interface inside and you'll probably see that it still works.

4. No you don't need to set the interfaces to the same security levels.

Hope that helps.