
Asa 5505 problem

15 years 11 months ago #28290 by cycad321
Asa 5505 problem was created by cycad321
Hi Guys,

I'm a bit of a newbie at this. I thought I had everything set up correctly on my ASA 5505, but when I delivered it to the production setup (an NLB on 192.168.0.10 and my three web servers on the inside vlan1: 192.168.0.15, 192.168.0.16, 192.168.0.20), they could not connect to the outside vlan2 (x.x.x.146). I also could not ping from a third computer that is not connected to the ASA 5505.

Any help would be appreciated. Below is the current show running-config.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name taltopia.com
! The two "encrypted" values below are password hashes, not ciphertext. Once a
! running-config has been posted publicly they should be treated as exposed:
! set new enable and login passwords, and redact these lines in future posts.
! NOTE(review): confirm these are not still the factory-default values before
! the unit goes into production.
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
! "names" enables the name-to-address aliases (TT1/TT2/TT3) used by the ACL
! and static entries later in this configuration.
names
name 192.168.0.15 TT1
name 192.168.0.16 TT2
name 192.168.0.20 TT3
!
! Layer-3 VLAN interfaces. security-level 100 (inside) is the most trusted and
! 0 (outside) the least; traffic from a lower to a higher level needs an
! explicit ACL permit plus a translation.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.146 255.255.255.240
!
! The dmz VLAN is administratively shut down and barred from initiating
! traffic to Vlan1, so it plays no part in the reported problem.
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
! Only Ethernet0/0 is assigned to VLAN 2 (outside). Ethernet0/1-0/7 carry no
! explicit "switchport access vlan", so they presumably stay in the default
! VLAN 1 (inside) - verify with "show switch vlan".
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
! "ftp mode passive" and the DNS settings affect the firewall's own client
! connections, not traffic passing through it.
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server x.x.130.2
name-server x.x.150.2
domain-name taltopia.com
! Service object-groups, one per published port. They are declared tcp-udp,
! so every rule built on them opens the port for both protocols.
! NOTE(review): 58xx/59xx are the ports conventionally used by VNC, which is
! TCP-only - a plain tcp group would halve the exposed surface; confirm.
object-group service TT1-vnc tcp-udp
description tt1-vnc
port-object eq 5801
object-group service tt1-vnc1 tcp-udp
port-object eq 5901
object-group service tt2-vnc tcp-udp
port-object eq 5802
object-group service tt2-vnc1 tcp-udp
port-object eq 5902
object-group service tt3-vnc tcp-udp
port-object eq 5803
object-group service tt3-vnc1 tcp-udp
port-object eq 5903
! Protocol group used in the ACL to match TCP and UDP with a single entry.
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
! Non-standard FTP control/passive ports per server, plus a test port (8080).
! FTP, like VNC, carries credentials without transport encryption unless it
! is tunnelled, which matters once these ports are opened to "any".
object-group service tt1-ftp tcp-udp
port-object eq 2100
object-group service tt1-ftp-p tcp-udp
port-object eq 2101
object-group service tt1-test tcp
port-object eq 8080
object-group service tt2-ftp tcp-udp
port-object eq 2200
object-group service tt2-ftp-p tcp-udp
port-object eq 2201
object-group service tt3-ftp tcp-udp
port-object eq 2300
object-group service tt3-ftp-p tcp-udp
port-object eq 2301
! Inbound policy bound to the outside interface (several long entries below
! are wrapped onto a second line by the paste).
!
! Review points for the entries as written:
!  1. A port operator placed directly after the source ("any eq https",
!     "any object-group TT1-vnc") matches the SOURCE port. Clients normally
!     connect from ephemeral source ports, so these entries would not match
!     ordinary client connections; only the destination port should be given.
!  2. The destinations are the real inside addresses (192.168.0.10, TT1-TT3).
!     On this software train an ACL applied inbound on the outside interface
!     is written against the translated address - here the outside interface
!     address that the static port-forwards use (the "interface outside" form
!     seen in the "inbound" list further down).
!  3. Every source is "any". Remote-administration and file-transfer ports
!     (VNC, FTP) and the mail retrieval ports reachable from the whole
!     Internet are a standing exposure; restrict the source to known
!     administrative addresses or place them behind a VPN.
!  4. No entry permits ICMP, so pings arriving on the outside are dropped by
!     the implicit deny at the end of the list.
access-list outside_access_in extended permit tcp any eq https host 192.168.0.10 eq https
access-list outside_access_in extended permit tcp any eq www host 192.168.0.10 eq www
access-list outside_access_in extended permit object-group TCPUDP any object-group TT1-vnc host TT
1 object-group TT1-vnc
access-list outside_access_in extended permit object-group TCPUDP any object-group tt1-vnc1 host T
T1 object-group tt1-vnc1
access-list outside_access_in extended permit tcp any object-group tt1-test host TT1 object-group
tt1-test
access-list outside_access_in extended permit object-group TCPUDP any object-group tt1-ftp host TT
1 object-group tt1-ftp
access-list outside_access_in extended permit object-group TCPUDP any object-group tt1-ftp-p host
TT1 object-group tt1-ftp-p
access-list outside_access_in extended permit object-group TCPUDP any object-group tt2-ftp host TT
2 object-group tt2-ftp
access-list outside_access_in extended permit object-group TCPUDP any object-group tt2-ftp-p host
TT2 object-group tt2-ftp-p
access-list outside_access_in extended permit object-group TCPUDP any object-group tt2-vnc host TT
2 object-group tt2-vnc
access-list outside_access_in extended permit object-group TCPUDP any object-group tt2-vnc1 host T
T2 object-group tt2-vnc1
access-list outside_access_in extended permit tcp any eq pop3 host TT2 eq pop3
access-list outside_access_in extended permit tcp any eq imap4 host TT2 eq imap4
access-list outside_access_in extended permit tcp any eq smtp host TT2 eq smtp
access-list outside_access_in extended permit object-group TCPUDP any object-group tt3-vnc host TT
3 object-group tt3-vnc
access-list outside_access_in extended permit object-group TCPUDP any object-group tt3-vnc1 host T
T3 object-group tt3-vnc1
access-list outside_access_in extended permit object-group TCPUDP any object-group tt3-ftp-p host
TT3 object-group tt3-ftp-p
access-list outside_access_in extended permit object-group TCPUDP any object-group tt3-ftp host TT
3 object-group tt3-ftp
access-list outside_access_in extended permit tcp any object-group tt3-ftp host TT3 eq ftp
! "inbound" uses the any -> "interface outside" form, but no access-group in
! this configuration binds it to an interface, so it has no effect.
access-list inbound extended permit tcp any interface outside eq smtp
! outside_access_out is bound outbound on the outside interface. Its single
! entry permits only packets whose source port AND destination port are both
! www; everything else leaving through outside - including ordinary web
! requests from the servers, DNS and ping - falls to the implicit deny. That
! is consistent with the inside hosts being unable to reach the outside.
! NOTE(review): an outbound list on outside may also be evaluated after
! translation, in which case 192.168.0.0/24 would not match as a source -
! confirm. Filtering inside hosts is usually done inbound on "inside".
access-list outside_access_out extended permit object-group TCPUDP 192.168.0.0 255.255.255.0 eq ww
w any eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
! nat-control requires a translation rule for inside hosts before they may
! send traffic to the outside. The global/nat pair with ID 101 supplies it:
! all inside sources are port-translated to the outside interface address.
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
! Static port-forwards: <protocol> on the outside interface address -> real
! inside host and port. Each one needs a matching permit in the ACL applied
! inbound on outside before it is reachable.
! Review points:
!  - Most ports are forwarded for UDP as well as TCP. Forwarding a protocol
!    the service does not use only adds exposure; drop the unused half.
!  - The last entry maps outside tcp/ftp to TT3 port 2300, and there is a
!    udp but no tcp forward for outside port 2300 itself, although the ACL
!    references TT3's 2300 group for both protocols.
static (inside,outside) tcp interface www 192.168.0.10 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.10 https netmask 255.255.255.255
static (inside,outside) tcp interface 8080 TT1 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 2100 TT1 2100 netmask 255.255.255.255
static (inside,outside) udp interface 2100 TT1 2100 netmask 255.255.255.255
static (inside,outside) udp interface 2101 TT1 2101 netmask 255.255.255.255
static (inside,outside) tcp interface 2101 TT1 2101 netmask 255.255.255.255
static (inside,outside) udp interface 5901 TT1 5901 netmask 255.255.255.255
static (inside,outside) tcp interface 5901 TT1 5901 netmask 255.255.255.255
static (inside,outside) udp interface 5801 TT1 5801 netmask 255.255.255.255
static (inside,outside) udp interface 5902 TT2 5902 netmask 255.255.255.255
static (inside,outside) tcp interface 5902 TT2 5902 netmask 255.255.255.255
static (inside,outside) udp interface 5802 TT2 5802 netmask 255.255.255.255
static (inside,outside) tcp interface 5802 TT2 5802 netmask 255.255.255.255
static (inside,outside) tcp interface 5801 TT1 5801 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 TT2 pop3 netmask 255.255.255.255
static (inside,outside) udp interface 2201 TT2 2201 netmask 255.255.255.255
static (inside,outside) tcp interface 2201 TT2 2201 netmask 255.255.255.255
static (inside,outside) udp interface 2200 TT2 2200 netmask 255.255.255.255
static (inside,outside) tcp interface 2200 TT2 2200 netmask 255.255.255.255
static (inside,outside) tcp interface smtp TT2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface imap4 TT2 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface 5803 TT3 5803 netmask 255.255.255.255
static (inside,outside) udp interface 5803 TT3 5803 netmask 255.255.255.255
static (inside,outside) tcp interface 5903 TT3 5903 netmask 255.255.255.255
static (inside,outside) udp interface 5903 TT3 5903 netmask 255.255.255.255
static (inside,outside) udp interface 2301 TT3 2301 netmask 255.255.255.255
static (inside,outside) tcp interface 2301 TT3 2301 netmask 255.255.255.255
static (inside,outside) udp interface 2300 TT3 2300 netmask 255.255.255.255
static (inside,outside) tcp interface ftp TT3 2300 netmask 255.255.255.255
! ACL bindings. The "out" binding filters everything leaving through the
! outside interface, in addition to the default permit from a higher to a
! lower security level; removing it restores the default outbound behaviour.
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
! Default route. The next hop must sit inside the outside interface's
! 255.255.255.240 subnet; the addresses are masked in the post (x.x.17.145
! versus x.x.x.146), so this cannot be checked from here - confirm.
route outside 0.0.0.0 0.0.0.0 x.x.17.145 1
! Translation and connection idle timers.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
! The management web server (ASDM) is enabled and reachable from the whole
! inside /24. That subnet also holds the Internet-facing servers, so a
! compromised server could reach the firewall's management interface; narrow
! this to a dedicated administration host.
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Only session timeouts are set here; no telnet/ssh permit lines appear in
! this configuration. "console timeout 0" means a console session is never
! logged out on idle.
telnet timeout 5
ssh timeout 5
console timeout 0
! The DHCP pool 192.168.0.2-192.168.0.33 contains the statically addressed
! NLB (.10) and servers (.15, .16, .20). A lease handed out on one of those
! addresses would collide with a published server; move the pool or the
! servers so the ranges do not overlap.
dhcpd address 192.168.0.2-192.168.0.33 inside
dhcpd dns x.x.130.2 x.x.150.2 interface inside
!

!
! Application inspection policy, applied globally by the service-policy line.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
! Review points for the inspection list:
!  - There is no "inspect icmp", so echo replies to pings started from the
!    inside are not tracked as return traffic; together with the ACLs this
!    bears on the reported ping failures.
!  - "inspect ftp" is matched through default-inspection-traffic, which
!    presumably covers only the standard FTP control port; the servers here
!    are published on 2100/2200/2300, so their data channels may not be
!    opened dynamically - confirm.
!  - Several inspections (h323, rsh, sqlnet, skinny, sunrpc, xdmcp, sip,
!    netbios, tftp) cover protocols that nothing in this configuration
!    publishes; they could be removed if unused.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6d88a352d91889ec01b9f81cb1a3cf2b
: end