ASA can't get to Internet


makemorebeer (Technical User, US), Jun 6, 2007
So I've got a rather complex setup, but here goes. The basis here is to let the systems on an internal network get to the internet for updates. Here's my problem, and I'm not sure it's the ASA: when I try to get to the internet it can't find anything. Worse, I can't even see traffic hitting the ASA device. A little note on the setup:

We're running an ADSL connection to our domain, and then crossing from the primary domain to another domain, and using an ASA for communication between the two. It seems as though there is something wrong with the default routes or something, since it can't resolve the web address. This did work with a proxy server before, but we removed the proxy for an inline solution. Any ideas? I've enclosed the configuration for the ASA.

: Saved
:
ASA Version 7.2(2)
!
hostname
domain-name citybrewery.com
enable password :: encrypted
names
name 192.168.120.201 :: description Backup domain controller/av server
name 192.168.120.200 :: description industrial network domain controller
name 10.1.254.87 :: description Corp domain AV server
name 10.0.0.21 :: description Internet Proxy Server
name 10.1.0.4 :: description Ryan Root pC
name 192.168.120.25 :: description Batch office engineering station 1
name 192.168.120.26 :: description Batch office Engineering station 2
name 10.1.200.127 :: description Corey Schlegel Laptop
!
interface Vlan1
nameif Industrial
security-level 100
ip address 192.168.120.1 255.255.255.0
!
interface Vlan2
nameif Corporate
security-level 100
ip address 10.1.254.248 255.255.0.0
!
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
passwd :: encrypted
banner exec you have reached a private secured network. Unauthorized access is prohibited.
banner login Please Login:
banner motd The external temperature is is a steamy 95 degrees....
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup Industrial
dns domain-lookup Corporate
dns server-group citybrewery
name-server 10.1.254.1
name-server 10.1.254.11
domain-name citybrewery.com
dns server-group DefaultDNS
domain-name citybrewery.com
dns server-group blend
name-server Indus-DC
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network CityBrew
description City Brewery Corporate Network
network-object 10.1.0.0 255.255.0.0
network-object 10.0.0.0 255.0.0.0
object-group network CityIndus
description CBC Industrial network
network-object 192.168.120.0 255.255.255.0
object-group network LatCityBrew
description Latrobe Citybrewery Network
network-object 172.21.0.0 255.255.0.0
access-list Corporate_access_in extended permit tcp any any eq domain
access-list Corporate_access_in extended permit tcp any eq domain any
access-list Corporate_access_in extended permit tcp any any range 137 netbios-ssn
access-list Corporate_access_in extended permit tcp any range 137 netbios-ssn any
access-list Corporate_access_in remark permit traffic from 10.0.0.0/8 network to industrial network Via RDP Protocol
access-list Corporate_access_in extended permit tcp 10.0.0.0 255.0.0.0 object-group CityIndus eq 3389
access-list Corporate_access_in remark permit traffic from 172.21.0.0/16 network to industrial network Via RDP Protocol
access-list Corporate_access_in extended permit tcp 172.21.0.0 255.255.0.0 object-group CityIndus eq 3389
access-list Corporate_access_in remark Permit traffic from 10.0.0.0/8 network to industrial network Via VNC port 5900
access-list Corporate_access_in extended permit tcp 10.0.0.0 255.0.0.0 object-group CityIndus eq 5900
access-list Corporate_access_in remark Permit traffic from 172.21.0.0/16 network to industrial network Via VNC port 5900
access-list Corporate_access_in extended permit tcp 172.21.0.0 255.255.0.0 object-group CityIndus eq 5900
access-list Corporate_access_in remark temp access for File transfers to do server setup
access-list Corporate_access_in extended permit ip host RROOT 192.168.120.0 255.255.255.0
access-list Corporate_access_in remark Maintenance access
access-list Corporate_access_in extended permit ip host CSCHLEGELLT 192.168.120.0 255.255.255.0
access-list Corporate_access_in remark permit 21 traffic back into indus for updates
access-list Corporate_access_in extended permit tcp any host Indus-BDC eq ftp
access-list Corporate_access_in remark permit 80 traffic back into indus for updates to 192.168.120.201
access-list Corporate_access_in extended permit tcp any host Indus-BDC eq
access-list Corporate_access_in extended deny ip any any log
access-list Industrial_access_in extended permit tcp any any eq domain
access-list Industrial_access_in extended permit tcp any eq domain any
access-list Industrial_access_in extended permit tcp any any range 137 netbios-ssn
access-list Industrial_access_in remark permit traffic from industrial network to anywhere via RDP. Only port 3389(default)
access-list Industrial_access_in extended permit tcp object-group CityIndus eq 3389 any eq 3389
access-list Industrial_access_in remark permit traffic from industrial to anywhere via VNC port 5900
access-list Industrial_access_in extended permit tcp object-group CityIndus eq 5900 any eq 5900
access-list Industrial_access_in remark allow port 21 from 192.168.120.201 out to Pix Bypass 207.230.215.202
access-list Industrial_access_in extended permit tcp host Indus-BDC any eq ftp
access-list Industrial_access_in remark permit port 80(WWW) to corp for internet updates on 192.168.120.201
access-list Industrial_access_in extended permit tcp host Indus-BDC any log
access-list Industrial_access_in remark permit port 443(HTTPS) to corp for internet updates on 192.168.120.201
access-list Industrial_access_in extended permit tcp host Indus-BDC eq https any eq https log
access-list Industrial_access_in remark permit the APC battery to send e-mail notifications from indus to Corp.
access-list Industrial_access_in extended permit tcp host 192.168.120.20 eq smtp object-group CityBrew eq smtp
access-list Industrial_access_in remark temp access from indus to corp for ryan to do server setup
access-list Industrial_access_in extended permit ip 192.168.120.0 255.255.255.0 host RROOT
access-list Industrial_access_in extended deny ip any any log
access-list PLCNet_access_in remark permit all traffic from plc net to inductrial network. (temp rule for traffic capture and tuning)
access-list PLCNet_access_in extended permit ip any any log
pager lines 24
logging enable
logging trap notifications
logging asdm informational
mtu Industrial 1500
mtu Corporate 1500
mtu managment 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Industrial) 1 interface
global (Corporate) 2 interface
access-group Industrial_access_in in interface Industrial
access-group Corporate_access_in in interface Corporate
route Industrial 0.0.0.0 0.0.0.0 10.1.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
aaa-server Radius (Corporate) host 10.1.254.11
key ::
radius-common-pw ::
username administrator password :: privilege 15
aaa authentication http console Radius LOCAL
aaa authentication telnet console Radius LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Industrial
http 10.1.0.0 255.255.0.0 Corporate
http 192.168.120.0 255.255.255.0 Industrial
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 0
telnet 10.1.0.0 255.255.0.0 Corporate
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config Corporate
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 10.1.254.1 source Corporate
tftp-server Corporate 10.1.200.118 tftp
smtp-server 10.1.254.3
prompt hostname context
Cryptochecksum:::
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
 
Well, for starters both your interfaces have the same security level. Additionally you have not configured NAT.
 
I intentionally set up the security levels to be the same so I can pass traffic straight through. In hindsight this may not have been a good idea, but I'm not all that experienced with ASA or PIX to begin with. As for the NAT, I don't want to NAT the traffic between the two if possible. I have gotten the DNS information from our primary network to propagate into the secondary network now, though, and I can see traffic going through. It's just a race to see where the traffic is getting blocked. I can also see the NAT translations on the border router, so I know the traffic is getting at least that far now. I know I'm going to sound like a bonehead here, but what exactly does the security level do? And why is it necessary to NAT the traffic leaving this network anyway?
 
You will be better served installing the firewall in transparent mode.

Additionally you have a good number of duplicate ACLs applied to each interface. You first have to decide which traffic you are trying to block or permit. The security levels determine traffic flow on the ASA. You can go higher to lower (such as 100 to 0) by default; however, you can't go from lower to higher (0 to 100) without a static and ACL.
 
Well, that sucks. It does look like transparent mode is what I should have done when initially setting this up; however, according to the configuration guide it clears the configuration when you change modes. I was thinking that's what security levels were, but I couldn't remember. Thanks. So hypothetically, if I were to assign NAT via interface PAT to both interfaces, set up a few statics, and clean up my ACLs, I could access the internet? (A lot of the ACLs were me trying to see traffic while I was setting it up to make sure everything was flowing properly. Since then I've removed the logging statements from them and just never cleaned up the rules. The others are just my inexperience with such devices.) If I can't make it work like this I guess I'll need to look into going to transparent mode. The only problem with that is that it's in a production environment right now.
 
Yes, you will have to configure NAT, and I would change the security level on the interface that points to the internet connection.
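Added example, not a post from this thread: the changes the two replies point at (a lower security level on the interface facing the internet connection, plus NAT), written against the 7.2(2) configuration posted above. Every address, mask, object-group and ACL name is taken from that config except the exemption list NO_NAT, which is an assumed name. NAT exemption is used instead of statics because the poster said they do not want to translate between the two networks; the route and access-list fixes are included because both defects are visible in the posted config (the default route names Industrial while its next hop is in the Corporate subnet, and several Industrial rules put `eq <port>` before `any`, which makes it a source-port match).

```cisco
! Added example for the posted ASA 7.2(2) config; NO_NAT is an assumed ACL name.

! 1. Security levels. Corporate is the side the default gateway 10.1.254.254 sits on,
!    so treat it as the less trusted interface. Any value below 100 works; 0 is usual.
interface Vlan2
 nameif Corporate
 security-level 0
 ip address 10.1.254.248 255.255.0.0

! 2. Default route. 10.1.254.254 is inside 10.1.0.0/16, the Corporate subnet, so the
!    route has to point out the Corporate interface, not Industrial.
no route Industrial 0.0.0.0 0.0.0.0 10.1.254.254 1
route Corporate 0.0.0.0 0.0.0.0 10.1.254.254 1

! 3. NAT. Industrial <-> Corporate/Latrobe stays untranslated (nat 0 exemption, which
!    also lets Corporate-initiated RDP/VNC/FTP reach Industrial hosts, still subject to
!    Corporate_access_in). Everything else from Industrial is PATed to the Corporate
!    interface address using the existing global id 2; the Industrial global is unused.
no global (Industrial) 1 interface
access-list NO_NAT extended permit ip 192.168.120.0 255.255.255.0 object-group CityBrew
access-list NO_NAT extended permit ip 192.168.120.0 255.255.255.0 object-group LatCityBrew
nat (Industrial) 0 access-list NO_NAT
nat (Industrial) 2 192.168.120.0 255.255.255.0
global (Corporate) 2 interface

! 4. Industrial ACL rebuilt. In "permit tcp <src> eq 3389 any eq 3389" the first "eq"
!    constrains the client's SOURCE port, so the rule only matches clients that happen to
!    use source port 3389 (they do not). Same for the 5900, https and smtp rules.
!    The posted config also only permits DNS over TCP; lookups are normally UDP/53.
!    ACE order matters, so the list is cleared and re-entered top to bottom.
clear configure access-list Industrial_access_in
access-list Industrial_access_in extended permit udp any any eq domain
access-list Industrial_access_in extended permit tcp any any eq domain
access-list Industrial_access_in extended permit tcp any any range 137 netbios-ssn
access-list Industrial_access_in remark RDP from industrial to anywhere, default port only
access-list Industrial_access_in extended permit tcp object-group CityIndus any eq 3389
access-list Industrial_access_in remark VNC from industrial to anywhere, port 5900
access-list Industrial_access_in extended permit tcp object-group CityIndus any eq 5900
access-list Industrial_access_in remark updates from 192.168.120.201: ftp, www, https
access-list Industrial_access_in extended permit tcp host 192.168.120.201 any eq ftp
access-list Industrial_access_in extended permit tcp host 192.168.120.201 any eq www
access-list Industrial_access_in extended permit tcp host 192.168.120.201 any eq https
access-list Industrial_access_in remark APC battery mail notifications to corp
access-list Industrial_access_in extended permit tcp host 192.168.120.20 object-group CityBrew eq smtp
! (the temporary RROOT / maintenance rules are left out; re-add them above the deny if still needed)
access-list Industrial_access_in extended deny ip any any log
access-group Industrial_access_in in interface Industrial
```

After applying, `show route` should list the default via Corporate, `show xlate` should show a PAT entry for an Industrial host once it browses, and `show access-list Industrial_access_in` shows per-ACE hit counts so the remaining denies are easy to spot. `packet-tracer input Industrial tcp 192.168.120.201 1025 <external-ip> 80` (available from 7.2) walks one synthetic connection through the route lookup, NAT and ACL phases and reports which phase drops it.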
 