Problem with access lists - ASA 5505 v8.3

[spooks1982]

Hi all,

I'm fairly new to Cisco firewalls and I am really struggling to get even basic traffic running over it. The first thing I thought I would try would be to get http/https working. As you can see from the attached screen shots I am having problems with the access lists. I've been tinkering for a while and from what I can see the traffic should be allowed. I'm sure I've probably made a basic mistake, can someone with knowledge point it out? I would be very grateful for some help!

http://img833.imageshack.us/img833/2922/log1x.png

http://img508.imageshack.us/img508/4926/rulesqz.png

http://img190.imageshack.us/img190/7960/tracel.png

 

[hairlessupportmonkey]

by default the ASA doesnt create a default route.

under routes add 0.0.0.0 / 0.0.0.0 / your router IP

ACSS - SME
General Geek

 

[spooks1982]

Hi, thanks for your response. I already added that rule but it still doesn't work.

 

[hairlessupportmonkey]

did you configure from the startup wizard?

ACSS - SME
General Geek

 

[spooks1982]

Yep, I configured from the start up wizard. See this screen shot of my configured settings.



I've decided to manually remove the acl's and network objects that I made as they didn't work anyway. Please see my current config below. Would anyone be able to give me the necessary lines to put into my config that would allow internal network clients the ability to browse the web? I would be so grateful!

ASA Version 8.3(1)
!
hostname gilwoodasa
enable password EMPEikDfTZFZFI8m encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.252 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 82.70.231.53 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 212.23.3.100
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 82.70.231.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5610e4bda3436ef1e2db2db7d7bbdd9b
: end

Thanks!!!

 

[spooks1982]

Ok, so could someone maybe tell me the lines I will need to add in order to let my internal pc's get access to the internet?

I have literally tried everything I can think of, including allowing tcp, ip, http/https on the outside interface and inside interface from any source to any destination.

Is my ASA broken or am I missing someone fundamental?

Thanks, please help

 

[unclerico]

make sure that your NAT is setup properly:

object network obj_any 
  subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) dynamic interface

no nat (inside,outside) source dynamic any interface

can you ping your ISP upstream router from the outside interface of the ASA?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[spooks1982]

Thanks unclerico. NAT seems to be fine and yes, I can ping my ISP's router.

I have also tried other stuff such as telnet, which also works. I can telnet on port 25 to one of my clients mail servers from a pc on my inside network with the gateway set to the ASA.

I'm having problems even connecting to the ASDM at present, doesn't want to play ball (this is with the correct networks added to the list of allowed asdm clients)

I'm stumped. Starting to think this ASA is faulty.

 

[unclerico]

ok, what is the topology of your network?? is the ASA the gateway for everything on the inside or do you have a different L3 device as the gateway?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[spooks1982]

Hi again,

At present, all but one test PC is connecting via the web through a Draytek Vigor router (with firewall disabled - while I config this ASA). I have configured the Draytek with a secondary public LAN IP address that the ASA can route through. See this screen shot.

http://imageshack.us/photo/my-images/845/vigord.png/

There is also a Cisco SLM2048 smart switch on the network, however I'm not sure of the configuration of it. I only have remote access to the network myself but I don't think they have anything else in the mix. DNS is provided by a Windows 2008 R2 domain controller.

Thanks very much for your help, let me know if you need any other info and I'll provide it.