PROBLEM CISCO ASA 5505
14 years 9 months ago #33476
by mdgm02
Hi,
I have an ASA 5505 firewall, configured with "inside" 81.192.120.6 and "outside" 10.31.213.42. I have enabled NAT rules and the corresponding access lists. The gateway for 10.31.213.41 is 10.31.213.41, another firewall.
The system works well, but after approximately 4 hours the "inside" network falls; that is, from any host on 81.192.120.0 I cannot see the firewall 81.192.120.6, and from the firewall console I cannot see any machine on 81.192.120.0, yet I can still see any host beyond 10.31.213.42. When I ping 81.192.120.6 from the console it also answers me.
If I change the 81.192.120.0 network to another ASA 5505 network interface it starts working again until after a further 4 hours, when I have to power the firewall off and on.
The truth is that I don't know what is happening, and I need help urgently.
ASA configuration:
ASA Version 7.2(4)
!
hostname CCFW01
domain-name nombre.domain
names
name 81.192.120.46 HOST1 description SERVWEBFTP
name 81.192.120.64 HOST2 description FLOTAS
!
interface Vlan1
nameif inside
security-level 100
ip address 81.192.120.6 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.31.213.42 255.255.0.0
!
interface Vlan4
nameif gestion
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface Ethernet0/0
switchport access vlan 4
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 4
shutdown
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name nombre.domain
object-group icmp-type ICMPGRUPO
description icmpgrupo
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group service TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq sqlnet
port-object eq www
port-object eq 445
port-object eq exec
port-object eq 137
port-object eq 150
port-object eq netbios-ssn
port-object eq sunrpc
port-object eq 3389
port-object eq ssh
port-object eq telnet
object-group service TCL_2 tcp
port-object eq 8050
port-object eq telnet
object-group service UDP_1 udp
port-object eq 389
port-object eq 445
port-object eq 139
port-object eq 150
port-object eq netbios-ns
port-object eq sunrpc
port-object eq 3389
access-list outside_access_in extended permit tcp any any object-group TCP_1
access-list outside_access_in extended permit tcp any any object-group TCL_2
access-list outside_access_in extended permit udp any any object-group UDP_1
access-list outside_access_in extended permit icmp any any object-group ICMPGRUPO
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu gestion 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
monitor-interface gestion
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 HOST1 255.255.255.255
static (inside,outside) tcp interface ftp HOST1 ftp netmask 255.255.255.255
static (inside,outside) tcp interface www HOST1 www netmask 255.255.255.255
static (inside,outside) tcp interface 8050 HOST2 8050 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data HOST1 ftp-data netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.31.213.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 81.192.120.66 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 gestion
http 81.191.120.66 255.255.255.255 inside
http 81.191.120.18 255.255.255.255 inside
snmp-server host inside 81.192.120.153 community public version 2c
snmp-server location Sala ROOM
snmp-server contact contact vst
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps remote-access session-threshold-exceeded
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f70ec3de0c4bb8db9b56d76c66c627a6
14 years 9 months ago #33523
by S0lo
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
Replied by S0lo on topic Re: PROBLEM CISCO ASA 5505
I'm not positive that I fully understand what the problem is, but for a starter, consider changing this command:
nat (inside) 1 HOST1 255.255.255.255
Because of the /32 subnet mask used, this NATs only HOST1 (81.192.120.46) from the inside; no other hosts from inside would be NATed to the outside. Is this meant to be? I believe it should be something like this:
nat (inside) 1 81.192.0.0 255.255.0.0
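The /32-versus-/16 point in the reply above, as an added example that is not part of the thread (a small Python model, not the ASA's own NAT engine): it parses the two nat lines quoted above, counts how many hosts of 81.192.120.0/24 each one covers under nat-control, and converts the posted timers (arp timeout 14400, timeout xlate 3:00:00) to seconds so they can be compared with the roughly four-hour interval the original poster reports. The NAMES table is taken from the config's name lines; the sample config lines and function names are constructed for this example.

```python
import ipaddress
import re

# Added example: models only the address/mask selection of an ASA 7.x dynamic
# "nat (inside) <id> <addr> <mask>" line. Statics, policy NAT and the real NAT
# order of operations are deliberately not modelled.

NAMES = {"HOST1": "81.192.120.46", "HOST2": "81.192.120.64"}  # from the "name" lines

def parse_nat_rule(line):
    """'nat (inside) 1 HOST1 255.255.255.255' -> ('inside', 1, IPv4Network)."""
    _, iface, nat_id, addr, mask = line.split()
    net = ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)
    return iface.strip("()"), int(nat_id), net

def matching_rule(src, rules):
    """First parsed rule whose network contains src, or None."""
    src = ipaddress.ip_address(src)
    return next((r for r in rules if src in r[2]), None)

def hosts_without_dynamic_nat(subnet, rules):
    """Hosts in subnet that no dynamic nat rule covers. With nat-control enabled,
    as in the posted config, such hosts cannot build a translation towards outside."""
    return [str(h) for h in ipaddress.ip_network(subnet).hosts()
            if matching_rule(str(h), rules) is None]

def timers_in_seconds(config_lines):
    """Extract 'arp timeout N' and 'timeout <name> H:M:S' values as seconds."""
    timers = {}
    for line in config_lines:
        m = re.match(r"arp timeout (\d+)$", line)
        if m:
            timers["arp"] = int(m.group(1))
        if line.startswith("timeout "):
            for name, h, mnt, s in re.findall(r"([\w-]+) (\d+):(\d+):(\d+)", line):
                timers[name] = int(h) * 3600 + int(mnt) * 60 + int(s)
    return timers

if __name__ == "__main__":
    posted = [parse_nat_rule("nat (inside) 1 HOST1 255.255.255.255")]
    suggested = [parse_nat_rule("nat (inside) 1 81.192.0.0 255.255.0.0")]
    for label, rules in (("as posted", posted), ("suggested", suggested)):
        n = len(hosts_without_dynamic_nat("81.192.120.0/24", rules))
        print(f"{label}: {n} of 254 hosts in 81.192.120.0/24 have no dynamic nat rule")
    # Constructed subset of the posted timer lines
    cfg = ["arp timeout 14400", "timeout xlate 3:00:00",
           "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02"]
    for name, secs in timers_in_seconds(cfg).items():
        print(f"{name}: {secs} s = {secs / 3600:.2f} h")
```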