
Outside interface ? 2


rswift

Technical User
Oct 14, 2002
Does the outside interface of an ASA5510 have to be Ethernet0/0?

The reason for asking is I have two ASA5510s. One production and one to use as needed. I want to swap the DMZ interface (Ethernet0/2), which is only capable of 100Mbps, with my outside interface (Ethernet0/0) which is capable of 1 gig throughput. This will give my .net server in the DMZ more bandwidth to the internal database server.

I backed up the config from my original ASA and restored it to my new ASA, changed the interface configs on Ethernet0/0 and Ethernet0/2 and reapplied my access groups to the appropriate interfaces. I could reach the DMZ from my PC inside the network but not the outside world. I could ping the outside world from my ASA but not from my PC inside the network. I reverted back to the original config and everything worked.
 
The syslog shows this error:
portmap translation creation failed for icmp src inside:10.125.1.71 dst outside:150.186.6.129 (type 8, code 0)
 
post a scrubbed config and we'll have a look

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Scrubbed. Thanks

ASA Version 8.2(1)
!
hostname pix-Atkins
domain-name dbs.doe.state.fl.us
enable password ***********************
passwd **************** encrypted
names
name 152.175.6.142 owa-outside
dns-guard
!
interface Ethernet0/0
nameif dmz
security-level 50
ip address 10.105.4.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.105.1.3 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif outside
security-level 0
ip address 152.175.6.130 255.255.255.240
!
interface Ethernet0/3
shutdown
nameif vpn
security-level 60
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.50 255.255.255.0
management-only
!
banner motd Access to this device is limited to authorized persons only. All efforts to achieve access, whether direct or indirect, are subject to monitoring activities. Unauthorized access is prohibited and will be subject to incident reporting procedures including notification of local, state and federal authorities.
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name dbs.doe.state.fl.us
access-list FROM_INSIDE extended permit tcp host 10.105.1.89 host 10.105.4.139 range 8400 8403
access-list FROM_INSIDE extended permit tcp host 10.105.1.89 host 10.105.4.139 range 8600 8620
access-list FROM_INSIDE extended permit tcp host 10.105.1.89 host 10.105.4.139 range 5000 5020
access-list FROM_INSIDE extended permit tcp host 10.105.1.89 host 10.105.4.139
access-list FROM_INSIDE extended permit icmp any any
access-list FROM_INSIDE extended deny udp any any eq netbios-ns
access-list FROM_INSIDE extended deny udp any any eq netbios-dgm
access-list FROM_INSIDE extended deny udp any any eq 15118
access-list FROM_INSIDE extended deny udp any any eq 445
access-list FROM_INSIDE remark *** Permit Any ***
access-list FROM_INSIDE extended permit ip 10.105.1.0 255.255.255.0 any
access-list FROM_INSIDE remark *** End of ACL ***
access-list FROM_INSIDE extended permit ip 10.0.0.0 255.0.0.0 any
access-list nat extended permit ip 10.105.1.0 255.255.255.0 any
access-list nat extended permit ip 10.0.0.0 255.0.0.0 any
access-list nonat extended permit ip 10.105.1.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list nonat extended permit ip 10.34.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.34.9.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.34.8.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.34.7.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.105.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 172.17.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.17.2.0 255.255.255.0
access-list nonat extended permit ip host 10.105.1.0 10.34.7.0 255.255.255.0
access-list crypto extended permit ip 10.105.1.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list crypto extended permit ip 10.34.7.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list crypto extended permit ip 10.105.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list crypto extended permit ip 10.34.8.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list crypto extended permit ip 10.34.9.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list crypto extended permit ip 10.34.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list no-nat-dmz extended permit ip 10.105.4.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-dmz remark ACL to Allow DMZ server Internal Network Resources
access-list from-dmz extended permit icmp any any
access-list from-dmz extended permit ip host 10.105.4.134 host 10.105.1.76
access-list from-dmz extended permit tcp host 10.105.4.134 host 10.105.1.76 eq 8082
access-list from-dmz extended permit tcp host 10.105.4.134 host 10.105.1.76 eq 8081
access-list from-dmz extended permit tcp host 10.105.4.134 host 10.105.1.76 eq 8443
access-list from-dmz extended permit tcp host 10.105.4.134 host 10.105.1.76 eq 8801
access-list from-dmz extended permit tcp host 10.105.4.134 host 10.105.1.76 eq 8000
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.89 range 5000 5005
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.89 range 5000 5020
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.89 range 8600 8620
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.89 range 8400 8403
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.76 eq 8443
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.76 eq 8801
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.76 eq 8000
access-list from-dmz extended permit ip host 10.105.4.139 host 10.105.1.76
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.125 eq 8080
access-list from-dmz extended permit tcp host 10.105.4.137 host 10.105.1.61 eq 1433
access-list from-dmz extended permit ip host 10.105.4.137 host 10.105.1.61
access-list from-dmz extended permit tcp host 10.105.4.139 host 10.105.1.61 eq 1433
access-list from-dmz extended permit ip host 10.105.4.139 host 10.105.1.61
access-list from-dmz extended permit ip host 10.105.4.138 host 10.105.1.61
access-list from-dmz extended permit tcp host 10.105.4.138 host 10.105.1.61 eq 1433
access-list from-dmz extended permit tcp host 10.105.4.138 host 10.105.1.125 eq 8080
access-list from-dmz extended permit ip host 10.105.4.134 host 10.105.1.71
access-list from-dmz extended permit tcp host 10.105.4.134 host 10.105.1.9 eq smtp
access-list from-dmz extended permit ip host 10.105.4.134 host 10.105.1.72
access-list from-dmz extended permit ip host 10.105.4.139 host 10.105.1.72
access-list from-dmz extended permit ip host 10.105.4.137 host 10.105.1.71
access-list from-dmz extended permit ip host 10.105.4.137 host 10.105.1.72
access-list from-dmz extended permit ip host 10.105.4.138 host 10.105.1.71
access-list from-dmz extended permit ip host 10.105.4.138 host 10.105.1.72
access-list from-dmz extended permit ip host 10.105.4.139 host 10.105.1.71
access-list from-dmz extended deny tcp any any eq 5900
access-list from-dmz extended deny ip 10.105.4.0 255.255.255.0 10.105.1.0 255.255.255.0
access-list from-dmz extended permit ip any any
access-list FROM_OUTSIDE remark *** ACL FOR OUTSIDE INT ***
access-list FROM_OUTSIDE remark *** Bogon address blocking ***
access-list FROM_OUTSIDE remark *** ICMP Filtering ***
access-list FROM_OUTSIDE extended permit icmp any any
access-list FROM_OUTSIDE remark deny icmp any any
access-list FROM_OUTSIDE extended deny tcp any any eq 5900
access-list FROM_OUTSIDE remark deny icmp any any
access-list FROM_OUTSIDE remark *** Permit Core-specific app-requests ***
access-list FROM_OUTSIDE extended permit tcp any eq pptp any
access-list FROM_OUTSIDE extended permit tcp host 199.44.72.2 host 152.175.6.133 eq lpd
access-list FROM_OUTSIDE extended permit tcp host 152.175.47.8 host 152.175.6.132 eq ssh
access-list FROM_OUTSIDE extended permit tcp 208.65.144.0 255.255.248.0 host 152.175.6.132 eq smtp
access-list FROM_OUTSIDE extended permit tcp any host owa-outside eq https
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.139 eq https
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.139 eq ftp-data
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.134 eq www
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.134 eq 7260
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.139 eq ftp
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.139 eq ssh
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.130 eq ssh
access-list FROM_OUTSIDE remark *** END OF ACL ***
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.138 eq https
access-list cap extended permit ip host 10.105.1.50 host 152.175.6.139
access-list cap extended permit ip host 152.175.6.139 host 10.105.1.50
access-list cap extended permit ip host 171.68.225.212 any
access-list cap extended permit ip any host 171.68.225.212
access-list policy1 extended permit ip host 10.105.4.139 any
access-list policy1b extended permit ip host 10.105.4.139 any
access-list policy2 extended permit ip host 10.105.1.86 any
access-list policy2b extended permit ip host 10.105.1.86 any
access-list Split_Tunnel_List standard permit 10.105.1.0 255.255.255.0
access-list Split_Tunnel_List remark VPN web access
access-list doe-link extended permit ip 10.105.1.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list doe-link extended permit ip 10.105.1.0 255.255.255.0 10.10.14.0 255.255.255.0
access-list doe-link extended permit ip 10.105.1.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list doe-link extended permit ip 10.34.7.0 255.255.255.0 10.10.3.0 255.255.255.0
access-list doe-link extended permit ip 10.34.7.0 255.255.255.0 10.10.1.0 255.255.255.0
access-list doe-link extended permit tcp 10.105.1.0 255.255.255.0 host 10.10.70.37 eq www
access-list doe-link extended permit tcp 10.105.1.0 255.255.255.0 host 10.10.70.37 eq https
access-list vpn_1_cryptomap extended permit ip host 10.105.1.0 10.34.7.0 255.255.255.0
access-list policyT1 extended permit ip host 10.105.4.138 any
access-list policyT1b extended permit ip host 10.105.4.138 any
pager lines 24
logging enable
logging asdm errors
mtu dmz 1500
mtu inside 1500
mtu outside 1500
mtu vpn 1500
mtu management 1500
ip local pool ippool 172.17.2.1-172.17.2.254
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.105.1.0 255.255.255.0 inside
icmp permit any inside
no asdm history enable
arp timeout 60
nat-control
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.0.0.0
access-group from-dmz in interface dmz
access-group FROM_INSIDE in interface inside
access-group FROM_OUTSIDE in interface outside
access-group FROM_INSIDE in interface management
route inside 10.1.14.0 255.255.255.0 10.105.1.2 1
route inside 10.8.10.0 255.255.255.0 10.105.1.2 1
route inside 10.18.24.0 255.255.255.0 10.105.1.2 1
route inside 10.18.25.0 255.255.255.0 10.105.1.2 1
route inside 10.26.10.0 255.255.255.0 10.105.1.2 1
route inside 10.34.7.0 255.255.255.0 10.105.1.2 1
route inside 10.34.8.0 255.255.255.0 10.105.1.2 1
route inside 10.34.9.0 255.255.255.0 10.105.1.2 1
route inside 10.34.10.0 255.255.255.0 10.105.1.2 1
route inside 10.42.24.0 255.255.255.0 10.105.1.2 1
route inside 10.50.55.0 255.255.255.0 10.105.1.2 1
route inside 10.50.56.0 255.255.255.0 10.105.1.2 1
route inside 10.50.57.0 255.255.255.0 10.105.1.2 1
route inside 10.58.15.0 255.255.255.0 10.105.1.2 1
route inside 10.66.52.0 255.255.255.0 10.105.1.2 1
route inside 10.66.53.0 255.255.255.0 10.105.1.2 1
route inside 10.66.54.0 255.255.255.0 10.105.1.2 1
route inside 10.66.55.0 255.255.255.0 10.105.1.2 1
route inside 10.105.2.0 255.255.255.0 10.105.1.2 1
route inside 10.105.3.0 255.255.255.0 10.105.1.2 1
timeout xlate 6:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto map clientmap 2 match address doe-link
crypto map clientmap 2 set pfs
crypto map clientmap 2 set peer 152.175.8.253
crypto map clientmap 2 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map vpn_map 1 match address vpn_1_cryptomap
crypto map vpn_map 1 set pfs
crypto map vpn_map 1 set peer 74.191.68.18
crypto map vpn_map 1 set transform-set myset
crypto map vpn_map interface vpn
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable vpn
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.9.176.30
ntp server 209.81.9.7
webvpn
group-policy 3000client internal
group-policy 3000client attributes
wins-server value 10.105.1.71 10.105.1.72
dns-server value 10.105.1.71 10.105.1.72
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value fldbs.net
username blank password *************** encrypted
tunnel-group 152.175.8.253 type ipsec-l2l
tunnel-group 152.175.8.253 ipsec-attributes
pre-shared-key *
tunnel-group 3000client type remote-access
tunnel-group 3000client general-attributes
address-pool ippool
default-group-policy 3000client
tunnel-group 3000client ipsec-attributes
pre-shared-key *
tunnel-group Daytona type ipsec-l2l
tunnel-group Daytona ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect http
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:***************************
: end
 
You're missing a static to reach the DMZ from the outside world. You are also enforcing nat-control but you don't have a global statement for the outside.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Thanks Brent

I entered the global command yesterday for the outside: "global (outside) 1 interface". Still no access to the outside.
 
You need a default route: route outside 0.0.0.0 0.0.0.0 <next-hop-ip>

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Found it. There was a problem with the next hop. They had my edge switch interface set in the wrong VLAN.

One thing I learned doing this is that when you change an interface as explained in my opening statement, for everything that uses the tag for your interfaces, (outside) and (dmz), you need to reapply static entries, access groups and route statements. It also helps if your downstream router is set up to accept your traffic too.

Thank you all for the input. This site is a great resource.
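A small consistency check for the gaps this thread turned up: a nat id with no global, no static for the DMZ host, no default route, and a command still pointing at an interface tag that no longer exists after the rename. This is an added example, not code from the thread or from Cisco; the sample config is a constructed, reduced version in ASA 8.2 syntax, and the check only understands the pre-8.3 nat/global/static forms.

```python
import re

# Constructed sample in ASA 8.2 syntax (not the thread's full config): it reproduces
# the gaps the replies identified, plus a route that references a nameif that is gone.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif dmz
 ip address 10.105.4.1 255.255.255.0
interface Ethernet0/1
 nameif inside
interface Ethernet0/2
 nameif outside
 ip address 152.175.6.130 255.255.255.240
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.134 eq www
access-list FROM_OUTSIDE extended permit tcp any host 152.175.6.130 eq ssh
nat-control
nat (inside) 1 10.0.0.0 255.0.0.0
access-group FROM_OUTSIDE in interface outside
route vpn 10.34.7.0 255.255.255.0 10.105.1.2 1
"""

def check_asa_config(cfg):
    """Return findings about interface-tag, NAT and routing consistency (pre-8.3 syntax)."""
    findings = []
    names = set(re.findall(r"^\s*nameif (\S+)", cfg, re.M))
    own_ips = set(re.findall(r"^\s*ip address (\S+)", cfg, re.M))
    # 1. access-group, route, nat and global must reference a nameif that exists
    used = re.findall(r"^access-group \S+ in interface (\S+)", cfg, re.M)
    used += re.findall(r"^route (\S+) ", cfg, re.M)
    used += re.findall(r"^(?:nat|global) \((\S+)\)", cfg, re.M)
    for tag in sorted(set(used) - names):
        findings.append(f"interface tag '{tag}' is referenced but no nameif defines it")
    # 2. under nat-control every nat id above 0 needs a matching global statement
    if re.search(r"^nat-control", cfg, re.M):
        nat_ids = set(re.findall(r"^nat \(\S+\) ([1-9]\d*) ", cfg, re.M))
        global_ids = set(re.findall(r"^global \(\S+\) (\d+) ", cfg, re.M))
        for nid in sorted(nat_ids - global_ids):
            findings.append(f"nat id {nid} has no matching global statement")
    # 3. without a default route nothing can be forwarded toward the Internet
    if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", cfg, re.M):
        findings.append("no default route (route <if> 0.0.0.0 0.0.0.0 <next-hop>)")
    # 4. each host an outside ACL permits traffic to needs a static, unless it is the ASA's own address
    statics = set(re.findall(r"^static \(\S+,outside\) (\S+) ", cfg, re.M))
    for acl in re.findall(r"^access-group (\S+) in interface outside", cfg, re.M):
        ace = rf"^access-list {re.escape(acl)} extended permit \S+ (?:any|host \S+|\S+ \S+) host (\S+)"
        for dst in re.findall(ace, cfg, re.M):
            if dst not in statics and dst not in own_ips:
                findings.append(f"{acl} permits traffic to {dst} but no static maps it")
    return findings
```

Running it on the sample reports all four gaps; adding the global, the default route and the static, and pointing the route at an existing nameif, clears them.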
 