Question about Cisco ASA 5500 Firewall

Cisco ASA 5505 problem

Hi,
I have a problem accessing the Internet from an inside host.
My Internet settings are:
Range 89.215.168.64 - 127
Mask 255.255.255.192
Gateway 89.215.168.65
DNS 217.9.224.2; 217.9.224.3

The following is my configuration of the firewall (ASA Version 7.2(2)), from sh run:
: Saved
:
ASA Version 7.2(2)
!
hostname DarrkoEOOD
domain-name default.domain.invalid
enable password my encrypted
names
!
interface Vlan1
nameif inside
security-level 50
ip address 89.215.168.65 255.255.255.192
!
interface Vlan2
nameif Evrokom
security-level 90
ip address 89.215.174.66 255.255.255.252
!
interface Vlan3
description Evrocom-DNS_Blackhole
nameif DNS
security-level 0
ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/0
description LAN
!
interface Ethernet0/1
description Evrokom
switchport access vlan 2
!
interface Ethernet0/2
description Evrocom-DNS_Blackhole
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd my encrypted
ftp mode passive
clock timezone EEDT 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list IPSAllowedOutsideInterface extended permit ip host 71.169.2.10 any
access-list IPSAllowedOutsideInterface extended permit ip host 72.89.63.208 any
access-list IPSAllowedOutsideInterface extended permit ip 69.64.222.0 255.255.255.0 any
access-list IPSAllowedOutsideInterface extended permit ip host 77.85.217.18 any
access-list IPSAllowedOutsideInterface extended permit ip host 62.204.140.9 any
access-list IPSAllowedOutsideInterface extended permit tcp 213.226.0.0 255.255.0.0 any eq ssh
access-list IPSAllowedOutsideInterface extended deny tcp any any eq 3389
access-list IPSAllowedOutsideInterface extended deny tcp any any eq ssh
access-list IPSAllowedOutsideInterface extended permit ip any any
pager lines 24
logging timestamp
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu Evrokom 1500
mtu DNS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any Evrokom
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Evrokom) 10 interface
nat (inside) 10 89.215.168.64 255.255.255.192
access-group IPSAllowedOutsideInterface in interface inside
access-group IPSAllowedOutsideInterface out interface inside
access-group IPSAllowedOutsideInterface in interface Evrokom
access-group IPSAllowedOutsideInterface out interface Evrokom
route Evrokom 0.0.0.0 0.0.0.0 89.215.174.65 1 track 1
route Evrokom 217.9.224.2 255.255.255.255 89.215.174.65 1 track 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:20:00 udp 1:00:00 icmp 0:00:05
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password rj3RJA7.tmoyw8bB encrypted privilege 15
username thegrave password my encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 62.204.140.9 255.255.255.255 Evrokom
http 213.226.0.0 255.255.255.0 Evrokom
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 206.190.56.229 interface Evrokom
num-packets 5
request-data-size 48
timeout 8000
frequency 30
sla monitor schedule 1 life forever start-time now
service resetinbound interface inside
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
telnet timeout 5
ssh 72.89.63.208 255.255.255.255 Evrokom
ssh 213.226.0.0 255.255.0.0 Evrokom
ssh 67.85.83.39 255.255.255.255 Evrokom
ssh 62.204.140.9 255.255.255.255 Evrokom
ssh 77.85.217.18 255.255.255.255 Evrokom
ssh timeout 5
ssh version 2
console timeout 0
dhcpd lease 32000
!
dhcpd address 89.215.168.66-89.215.168.125 inside
dhcpd dns 217.9.224.2 212.39.90.42 interface inside
dhcpd enable inside
!
!
!
ntp server 129.6.15.29 source Evrokom
ntp server 129.6.15.28 source Evrokom prefer
prompt hostname context
Cryptochecksum:1ac6d4d29acbcceab6b86a84561bb346
: end

1 Answer

You seem to have the last resort (0.0.0.0) set to VLAN1, which is set as an inside interface.
Is VLAN1 connected to the outside router or Internet backbone?
If not, change the last resort to the outside Ethernet port.

Posted on May 09, 2008
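As an added example (not code from the original post, from the answer above, or from Cisco), here is a small Python linter over a constructed excerpt of the posted running-config that mechanises the checks a practitioner would run before changing anything. It reads the route statements to find which interface carries the default route (in the posted config that is Evrokom, via route Evrokom 0.0.0.0 0.0.0.0 89.215.174.65 1 track 1), then flags every interface whose security-level is lower than that interface's: Evrokom sits at 90 while inside is 50 and DNS is 0, the reverse of the usual inside-high, outside-low layout, so inside-to-Internet traffic is low-to-high security and the nat (inside) 10 / global (Evrokom) 10 pair is translating in the direction for which the 7.2 nat command has an outside keyword (the cleaner fix is Evrokom at security-level 0 and inside at 100). It then evaluates the ACL bound inbound on inside by first match, the way the ASA does, for a constructed inside host 89.215.168.70 talking to the ISP DNS server 217.9.224.2: the deny tcp any any eq ssh and eq 3389 entries sit above permit ip any any, so inside hosts reach tcp/80 but cannot open SSH or RDP sessions anywhere. Finally it lists routes that hinge on a track object and tracks whose rtr id has no sla monitor: track 2 refers to rtr 2 but only sla monitor 1 exists, and the default route itself leaves the routing table whenever sla monitor 1 cannot ping 206.190.56.229. The parser understands only the keywords these checks need; CONFIG, the inside host address and the ACL name are taken or constructed from the post.

```python
"""Lint an ASA 7.x running-config for common reasons an inside host has no Internet access.
Added example, not from the original post or from Cisco; CONFIG is a constructed excerpt."""
import re
from ipaddress import ip_address, ip_network

CONFIG = """\
interface Vlan1
 nameif inside
 security-level 50
interface Vlan2
 nameif Evrokom
 security-level 90
access-list IPSAllowedOutsideInterface extended permit tcp 213.226.0.0 255.255.0.0 any eq ssh
access-list IPSAllowedOutsideInterface extended deny tcp any any eq 3389
access-list IPSAllowedOutsideInterface extended deny tcp any any eq ssh
access-list IPSAllowedOutsideInterface extended permit ip any any
access-group IPSAllowedOutsideInterface in interface inside
route Evrokom 0.0.0.0 0.0.0.0 89.215.174.65 1 track 1
route Evrokom 217.9.224.2 255.255.255.255 89.215.174.65 1 track 2
sla monitor 1
track 1 rtr 1 reachability
track 2 rtr 2 reachability
"""
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443, "domain": 53}


def _addr_spec(tokens):
    """Consume one ASA address spec: any | host A.B.C.D | A.B.C.D M.M.M.M."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text):
    """Collect interfaces, ACEs, access-groups, routes, tracks and SLA ids; other keywords are skipped."""
    cfg = {"ifcs": {}, "acls": {}, "groups": {}, "routes": [], "tracks": {}, "slas": set()}
    cur = None
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "interface":
            cur = cfg["ifcs"].setdefault(w[1], {"nameif": None, "level": None})
        elif w[0] == "nameif" and cur is not None:
            cur["nameif"] = w[1]
        elif w[0] == "security-level" and cur is not None:
            cur["level"] = int(w[1])
        elif w[0] == "access-list" and w[2] == "extended":
            name, action, proto, rest = w[1], w[3], w[4], w[5:]
            src, dst = _addr_spec(rest), _addr_spec(rest)
            port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            cfg["acls"].setdefault(name, []).append((action, proto, src, dst, port, raw.strip()))
        elif w[0] == "access-group":  # access-group NAME in|out interface IFC
            cfg["groups"][(w[4], w[2])] = w[1]
        elif w[0] == "route":  # route IFC NET MASK GW [metric] [track N]
            m = re.search(r"\btrack (\d+)", raw)
            cfg["routes"].append({"ifc": w[1], "net": ip_network(f"{w[2]}/{w[3]}", strict=False), "gw": w[4], "track": int(m.group(1)) if m else None})
        elif w[:2] == ["sla", "monitor"] and len(w) > 2 and w[2].isdigit():
            cfg["slas"].add(int(w[2]))
        elif w[0] == "track" and w[2] == "rtr":
            cfg["tracks"][int(w[1])] = int(w[3])
    return cfg


def edge_interface(cfg):
    """Interface carrying the default route, its security-level, and every interface with a LOWER
    level.  The Internet-facing interface should be the lowest; anything below it sends low-to-high."""
    default = next(r for r in cfg["routes"] if r["net"].prefixlen == 0)
    levels = {i["nameif"]: i["level"] for i in cfg["ifcs"].values() if i["nameif"]}
    edge = levels[default["ifc"]]
    return default["ifc"], edge, sorted(n for n, lvl in levels.items() if lvl < edge)


def acl_verdict(cfg, ifc, proto, src, dst, dport=None):
    """First-match evaluation of the ACL bound inbound on `ifc` (traffic hosts behind `ifc` originate)."""
    name = cfg["groups"].get((ifc, "in"))
    if name is None:
        return "none", "no ACL bound inbound on " + ifc
    s, d = ip_address(src), ip_address(dst)
    for action, p, sn, dn, port, line in cfg["acls"].get(name, []):
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action, line
    return "deny", "implicit deny at end of " + name


def dangling_tracks(cfg):
    """Tracks whose rtr number has no 'sla monitor': they never report reachability, so their routes stay out."""
    return sorted(t for t, sla in cfg["tracks"].items() if sla not in cfg["slas"])


def tracked_routes(cfg):
    """(prefix, track id, rtr id) for every route whose presence depends on a track object."""
    return [(str(r["net"]), r["track"], cfg["tracks"].get(r["track"]))
            for r in cfg["routes"] if r["track"] is not None]


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    print(edge_interface(cfg), dangling_tracks(cfg), tracked_routes(cfg))
    for port in (22, 80, 3389):  # constructed inside host towards the ISP DNS server
        print(f"inside -> tcp/{port}:", acl_verdict(cfg, "inside", "tcp", "89.215.168.70", "217.9.224.2", port))
```

On the appliance the same questions are answered by show route (is the tracked default route present at all?), show track 1, and packet-tracer input inside tcp 89.215.168.70 12345 217.9.224.2 80, which walks a synthetic packet through route lookup, ACL and NAT and names the phase that drops it.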

Related Questions:

GNS3, IOS images "qemu host" configuration help

Hi Jhonny583,
I'm a Cisco Certified Network Associate (CCNA) and I'm well versed with routers and GNS3. I have included a video tutorial to show how to install qemu host. Hope it helps.
Good luck :-)
Was I helpful? Please rate me.

Apr 27, 2010 | Cisco Network Security & Firewall Devices

I have a Cisco ASA 5510 firewall and a dial-up Internet connection; I want my ASA 5510 between my LAN and my dial-up Internet

Your best bet is to place the ASA into 'transparent' mode and let the traffic pass through it and be inspected on the way through.

To do this you need to first do the following command:
firewall transparent

Once in transparent mode, the firewall will no longer look like a hop in the packet's journey, and you can set rules to allow/disallow traffic using access lists on the inside and outside interfaces, plus you can perform packet inspections using policy-map and inspects.

Hope that helps!

Feb 12, 2010 | Cisco ASA 5510 Firewall

How to configure ASA 5505 Cisco router

Use the Cisco ASDM or SDM software; that will give you an easy graphical interface to configure the ASA. One of them would have been shipped with the device.

Don't forget the ASA has to be pre-configured, just a simple config. Have HTTPS enabled, and telnet/SSH helps as well if you don't have a serial port or the console cable.

Cisco's website will give you quite a lot of info for free...

Jan 18, 2010 | Cisco ASA 5505 Firewall

Cisco ASA 5505 Firewall

1. Change your PC's default gateway to your firewall's internal IP

2. Configure the nameservers on your ASA

Then the Internet will work fine.

May 23, 2009 | Cisco ASA 5510 Anti-X Edition...

PIX 515E allow a few websites only.

Do an nslookup for the three websites and write an access list to permit traffic only to those websites' IP addresses.

Eg.

1. Go to the DOS prompt

2. Type "nslookup"

3. Type "www.rediff.com"

Note: you will get the IP address of the website

4. Create an object group for these websites

5. Add the IP addresses of the websites

6. Create an access-control list entry to permit the traffic from your circle office to this object group for ports tcp 80 and 443

You are done

Mar 09, 2009 | Cisco PIX 515E Firewall

PIX 515E inside to outside translation problem

Dear Kiran,

What is the name assigned for ISP 1 as well as ISP 2?

For your reference, kindly find the sample configuration:
ISP 1:
interface ethernet 0 100 full
nameif outside security-lvl 0
ip address outside 203.193.129.132 255.255.255.240
nat (inside) 1 (local network)
global (outside) 1 203.193.129.133
route outside 0 0 203.193.129.129.1.

regards,
mani.S

Mar 09, 2009 | Cisco PIX 515E Firewall

Problems with DMZ-outside (webpage). PIX

Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the DMZ so that PCs on the DMZ will be translated outbound. The only connection that will work on the DMZ is the web server when it's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?

Feb 28, 2009 | Cisco PIX Firewall 506

No power to Cisco 5505 ASA

http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

From the US, you can call: 1.800.553.2447

From there, Cisco will be able to tell you what your warranty status is by the device's serial number, and can also provide you with a quote if your warranty has expired.

Oct 08, 2008 | Cisco ASA 5500 Firewall

ASA 5505 firewall problem

PPPoE is not supported when failover is configured on the security appliance, or in multiple context or transparent mode. PPPoE is only supported in single, routed mode, without failover.

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/pppoe.html

Jun 06, 2008 | Cisco ASA 5500 Firewall
