- Posts: 9
- Thank you received: 0
Is my ASA 5505 faulty ?
15 years 9 months ago #29546
by hanapurna
Is my ASA 5505 faulty ? was created by hanapurna
Hi everybody,
I'm loosing my eyes on my screen configuring an ASA 5505 with ASDM but I have also read the CLI documentation. I work with ASDM 5.2(4)/ASA 7.2(4).
I renamed the outside interface in WAN and the inside interface in LAN.
I made this configuration but no trafic pass through the appliance. My first test was to ping from my workstation (in the inside/LAN subnet) the IP address of the outside/WAN interface, which doesn't work.
I can only ping the inside/LAN interface from a host connected to this interface. I cannot ping the DMZ interface from a host connected to it. Same problem with outside/WAN interface.
I also tested this ping scenario with the ASDM Packet Tracer with same result.
I also tried to configure each interface to the same security level (all to level 0 then all to level 100) with same-security-traffic permit inter-interface parameter : same result.
As you can see in my config file, I allowed IP and ICMP trafic from all interface to all interface in all direction.
I'm wondering if my ASA 5505 is not faulty
I hope someone can help with some advice. Thanks by advance !
PS : I'm french, sorry for my english.
Here is my configuration :
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XXXX encrypted
! different than previous line
passwd XXXX encrypted
names
!
! High Vlan ID to not conflict with one of my switchs
interface Vlan11
nameif WAN
security-level 0
ip address 10.50.0.10 255.255.255.0
!
interface Vlan12
nameif LAN
security-level 100
ip address 10.20.0.10 255.255.255.0
!
interface Vlan31
! I had to put this with my base licence (not Security plus)
no forward interface Vlan12
nameif DMZ
security-level 50
ip address 10.40.0.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 11
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
switchport access vlan 31
!
interface Ethernet0/7
switchport access vlan 31
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
! It seems useless in my case
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! I allowed all IP and ICMP trafic in all direction (in and out)(I have difficulties with these two words)
! Done from Configuration->Sucurity Policy->Acces Rules
access-list WAN_access_in extended permit ip any any
access-list WAN_access_in extended permit icmp any any
access-list WAN_access_in extended permit tcp any any eq ssh
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit icmp any any
access-list LAN_access_out extended permit ip any any
access-list LAN_access_out extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq ssh
access-list WAN_access_out extended permit ip any any
access-list WAN_access_out extended permit icmp any any
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit icmp any any
access-list DMZ_access_out extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
! I also allow ICMP in all direction in Configuration->Properties->Device Administration->ICMP Rules
icmp permit any WAN
icmp permit 10.50.0.0 255.255.255.0 WAN
icmp permit 10.20.0.0 255.255.255.0 LAN
icmp permit any LAN
icmp permit any DMZ
icmp permit 10.40.0.0 255.255.255.0 DMZ
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
! Dynamic NAT rules to translate LAN and DMZ hosts to WAN IP interface address
global (WAN) 1 interface
nat (LAN) 1 10.20.0.0 255.255.255.0
nat (DMZ) 1 10.40.0.0 255.255.255.0
! A Static Nat rule with PAT to redirect SSH from the Internet to a DMZ host
! I would like someone connecting to 10.50.0.10:22 (WAN IP) to be redirected to 10.40.0.15:22. Is that right ?
static (DMZ,WAN) tcp interface ssh 10.40.0.15 ssh netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
! Static route to access the Internet (10.50.0.100 is my gateway for Internet access)
route WAN 0.0.0.0 0.0.0.0 10.50.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.20.0.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
username hanapurna password XXXX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b38f6bee0ff436a065512ede12ba5a6a
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
I'm loosing my eyes on my screen configuring an ASA 5505 with ASDM but I have also read the CLI documentation. I work with ASDM 5.2(4)/ASA 7.2(4).
I renamed the outside interface in WAN and the inside interface in LAN.
I made this configuration but no trafic pass through the appliance. My first test was to ping from my workstation (in the inside/LAN subnet) the IP address of the outside/WAN interface, which doesn't work.
I can only ping the inside/LAN interface from a host connected to this interface. I cannot ping the DMZ interface from a host connected to it. Same problem with outside/WAN interface.
I also tested this ping scenario with the ASDM Packet Tracer with same result.
I also tried to configure each interface to the same security level (all to level 0 then all to level 100) with same-security-traffic permit inter-interface parameter : same result.
As you can see in my config file, I allowed IP and ICMP trafic from all interface to all interface in all direction.
I'm wondering if my ASA 5505 is not faulty
I hope someone can help with some advice. Thanks by advance !
PS : I'm french, sorry for my english.
Here is my configuration :
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XXXX encrypted
! different than previous line
passwd XXXX encrypted
names
!
! High Vlan ID to not conflict with one of my switchs
interface Vlan11
nameif WAN
security-level 0
ip address 10.50.0.10 255.255.255.0
!
interface Vlan12
nameif LAN
security-level 100
ip address 10.20.0.10 255.255.255.0
!
interface Vlan31
! I had to put this with my base licence (not Security plus)
no forward interface Vlan12
nameif DMZ
security-level 50
ip address 10.40.0.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 11
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
switchport access vlan 31
!
interface Ethernet0/7
switchport access vlan 31
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
! It seems useless in my case
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! I allowed all IP and ICMP trafic in all direction (in and out)(I have difficulties with these two words)
! Done from Configuration->Sucurity Policy->Acces Rules
access-list WAN_access_in extended permit ip any any
access-list WAN_access_in extended permit icmp any any
access-list WAN_access_in extended permit tcp any any eq ssh
access-list LAN_access_in extended permit ip any any
access-list LAN_access_in extended permit icmp any any
access-list LAN_access_out extended permit ip any any
access-list LAN_access_out extended permit icmp any any
access-list DMZ_access_in extended permit ip any any
access-list DMZ_access_in extended permit icmp any any
access-list DMZ_access_in extended permit tcp any any eq ssh
access-list WAN_access_out extended permit ip any any
access-list WAN_access_out extended permit icmp any any
access-list DMZ_access_out extended permit ip any any
access-list DMZ_access_out extended permit icmp any any
access-list DMZ_access_out extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm informational
mtu WAN 1500
mtu LAN 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
! I also allow ICMP in all direction in Configuration->Properties->Device Administration->ICMP Rules
icmp permit any WAN
icmp permit 10.50.0.0 255.255.255.0 WAN
icmp permit 10.20.0.0 255.255.255.0 LAN
icmp permit any LAN
icmp permit any DMZ
icmp permit 10.40.0.0 255.255.255.0 DMZ
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
! Dynamic NAT rules to translate LAN and DMZ hosts to WAN IP interface address
global (WAN) 1 interface
nat (LAN) 1 10.20.0.0 255.255.255.0
nat (DMZ) 1 10.40.0.0 255.255.255.0
! A Static Nat rule with PAT to redirect SSH from the Internet to a DMZ host
! I would like someone connecting to 10.50.0.10:22 (WAN IP) to be redirected to 10.40.0.15:22. Is that right ?
static (DMZ,WAN) tcp interface ssh 10.40.0.15 ssh netmask 255.255.255.255
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
access-group LAN_access_in in interface LAN
access-group LAN_access_out out interface LAN
access-group DMZ_access_in in interface DMZ
access-group DMZ_access_out out interface DMZ
! Static route to access the Internet (10.50.0.100 is my gateway for Internet access)
route WAN 0.0.0.0 0.0.0.0 10.50.0.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.20.0.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
username hanapurna password XXXX encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b38f6bee0ff436a065512ede12ba5a6a
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
15 years 9 months ago #29628
by ramasamy
Replied by ramasamy on topic Re: Is my ASA 5505 faulty ?
Hi, Your ASA is not a faulty one , by default the design of PIX and ASA firewall is that you can ping only the Interface to which you are connected and you cannot ping the other interface.
For example if your host behind the inside interface you will not be able to ping outside or DMZ interface, other than the inside interface.
but you will be able to ping other devices behind those interfaces.
For example if your host behind the inside interface you will not be able to ping outside or DMZ interface, other than the inside interface.
but you will be able to ping other devices behind those interfaces.
15 years 9 months ago #29641
by hanapurna
Replied by hanapurna on topic Re: Is my ASA 5505 faulty ?
Thanks very much for your reply.
I can understand that it's the default behaviour but why it is still like that when I allow all icmp trafic in both direction both in acces lists and with icmp rules ?
But with your help I can now ping hosts on the outside interface with an appropriate access rule.
What it don't understand is why should I allow trafic from inside interface to outside interface using "inbound" direction and not "outbound" which seems more logic.
Can anyone explain that or have a reference ?
I can understand that it's the default behaviour but why it is still like that when I allow all icmp trafic in both direction both in acces lists and with icmp rules ?
But with your help I can now ping hosts on the outside interface with an appropriate access rule.
What it don't understand is why should I allow trafic from inside interface to outside interface using "inbound" direction and not "outbound" which seems more logic.
Can anyone explain that or have a reference ?
15 years 9 months ago #29728
by hanapurna
Replied by hanapurna on topic Re: Is my ASA 5505 faulty ?
Now, I understand why I have to use "inbound" direction on inside interface to restrict outgoing traffic. As said in another post, "inbound" and "outbound" direction is from the ASA point of view.
If I want to restrict outgoing traffic from the inside interface, it's "inbound" direction because the traffic will go into the ASA.
It's the same to allow traffic from Internet to go through the ASA (using port direction or whatever) because the traffic will go into it.
If I want to restrict outgoing traffic from the inside interface, it's "inbound" direction because the traffic will go into the ASA.
It's the same to allow traffic from Internet to go through the ASA (using port direction or whatever) because the traffic will go into it.
Time to create page: 0.125 seconds