Question about Cisco ASA 5500 Firewall

1 Answer

Cisco ASA 5505 problem

Hi,
I have a problem accessing the Internet from an inside host.
My internet settings are:
Range 89.215.168.64 - 127
Mask 255.255.255.192
Gateway 89.215.168.65
DNS 217.9.224.2; 217.9.224.3

The following is my configuration of the firewall:
ASA Version 7.2(2)
sh run
: Saved
:
ASA Version 7.2(2)
!
hostname DarrkoEOOD
domain-name default.domain.invalid
enable password my encrypted
names
!
interface Vlan1
nameif inside
security-level 50
ip address 89.215.168.65 255.255.255.192
!
interface Vlan2
nameif Evrokom
security-level 90
ip address 89.215.174.66 255.255.255.252
!
interface Vlan3
description Evrocom-DNS_Blackhole
nameif DNS
security-level 0
ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/0
description LAN
!
interface Ethernet0/1
description Evrokom
switchport access vlan 2
!
interface Ethernet0/2
description Evrocom-DNS_Blackhole
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd my encrypted
ftp mode passive
clock timezone EEDT 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list IPSAllowedOutsideInterface extended permit ip host 71.169.2.10 any
access-list IPSAllowedOutsideInterface extended permit ip host 72.89.63.208 any
access-list IPSAllowedOutsideInterface extended permit ip 69.64.222.0 255.255.255.0 any
access-list IPSAllowedOutsideInterface extended permit ip host 77.85.217.18 any
access-list IPSAllowedOutsideInterface extended permit ip host 62.204.140.9 any
access-list IPSAllowedOutsideInterface extended permit tcp 213.226.0.0 255.255.0.0 any eq ssh
access-list IPSAllowedOutsideInterface extended deny tcp any any eq 3389
access-list IPSAllowedOutsideInterface extended deny tcp any any eq ssh
access-list IPSAllowedOutsideInterface extended permit ip any any
pager lines 24
logging timestamp
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu Evrokom 1500
mtu DNS 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any Evrokom
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Evrokom) 10 interface
nat (inside) 10 89.215.168.64 255.255.255.192
access-group IPSAllowedOutsideInterface in interface inside
access-group IPSAllowedOutsideInterface out interface inside
access-group IPSAllowedOutsideInterface in interface Evrokom
access-group IPSAllowedOutsideInterface out interface Evrokom
route Evrokom 0.0.0.0 0.0.0.0 89.215.174.65 1 track 1
route Evrokom 217.9.224.2 255.255.255.255 89.215.174.65 1 track 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:20:00 udp 1:00:00 icmp 0:00:05
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username admin password rj3RJA7.tmoyw8bB encrypted privilege 15
username thegrave password my encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 62.204.140.9 255.255.255.255 Evrokom
http 213.226.0.0 255.255.255.0 Evrokom
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
type echo protocol ipIcmpEcho 206.190.56.229 interface Evrokom
num-packets 5
request-data-size 48
timeout 8000
frequency 30
sla monitor schedule 1 life forever start-time now
service resetinbound interface inside
!
track 1 rtr 1 reachability
!
track 2 rtr 2 reachability
telnet timeout 5
ssh 72.89.63.208 255.255.255.255 Evrokom
ssh 213.226.0.0 255.255.0.0 Evrokom
ssh 67.85.83.39 255.255.255.255 Evrokom
ssh 62.204.140.9 255.255.255.255 Evrokom
ssh 77.85.217.18 255.255.255.255 Evrokom
ssh timeout 5
ssh version 2
console timeout 0
dhcpd lease 32000
!
dhcpd address 89.215.168.66-89.215.168.125 inside
dhcpd dns 217.9.224.2 212.39.90.42 interface inside
dhcpd enable inside
!
!
!
ntp server 129.6.15.29 source Evrokom
ntp server 129.6.15.28 source Evrokom prefer
prompt hostname context
Cryptochecksum:1ac6d4d29acbcceab6b86a84561bb346
: end

1 Answer

You seem to have the last resort (0.0.0.0) set to VLAN1 which is set as an inside interface.
Is VLAN1 connected to the outside router or internet backbone?
If not, change the last resort to the outside Ethernet port.

Posted on May 09, 2008
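As an added example, not part of the original question or of the answer above: a small Python checker that reads a 'show run' dump and flags three things a practitioner would look at in the posted configuration. The embedded SAMPLE_CONFIG is a constructed subset of the configuration in the question (with the indentation already stripped, as it appears above); the checks and the names parse_asa, audit and audit_text are this example's own, not a Cisco tool. Run against that subset it reports that the inside interface (security-level 50) is less trusted than Evrokom (security-level 90), which is the interface that holds the default route; that the access-list ending in 'permit ip any any' is applied inbound on Evrokom, so the ACL itself does not stop any outside host from initiating connections toward the inside, whose hosts carry public 89.215.168.64/26 addresses; and that 'track 2 rtr 2' points at an 'sla monitor 2' the posted configuration never defines, so the tracked host route to the DNS server 217.9.224.2 depends on a probe that does not exist.

```python
"""Added example: static checks over a Cisco ASA 7.x 'show run' dump.

SAMPLE_CONFIG is a constructed subset of the configuration posted in the
question; the three checks are this example's own, not an official tool.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 50
ip address 89.215.168.65 255.255.255.192
!
interface Vlan2
nameif Evrokom
security-level 90
ip address 89.215.174.66 255.255.255.252
!
access-list IPSAllowedOutsideInterface extended deny tcp any any eq 3389
access-list IPSAllowedOutsideInterface extended deny tcp any any eq ssh
access-list IPSAllowedOutsideInterface extended permit ip any any
access-group IPSAllowedOutsideInterface in interface inside
access-group IPSAllowedOutsideInterface in interface Evrokom
route Evrokom 0.0.0.0 0.0.0.0 89.215.174.65 1 track 1
route Evrokom 217.9.224.2 255.255.255.255 89.215.174.65 1 track 2
sla monitor 1
type echo protocol ipIcmpEcho 206.190.56.229 interface Evrokom
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
"""


def parse_asa(text):
    """Pull out only the objects the checks need; tolerant of stripped indentation."""
    cfg = {"ifaces": {}, "acls": defaultdict(list), "groups": [],
           "routes": [], "sla": set(), "tracks": {}}
    cur = None  # interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        tok = line.split()
        if tok[0] == "interface":
            cur = cfg["ifaces"].setdefault(tok[1], {})
        elif tok[0] == "nameif" and cur is not None:
            cur["nameif"] = tok[1]
        elif tok[0] == "security-level" and cur is not None:
            cur["level"] = int(tok[1])
        elif tok[0] == "access-list":
            cfg["acls"][tok[1]].append(line)
        elif tok[0] == "access-group":      # access-group NAME in|out interface IF
            cfg["groups"].append((tok[1], tok[2], tok[4]))
        elif tok[0] == "route":             # route IF DST MASK GW [metric] [track N]
            m = re.search(r"\btrack (\d+)$", line)
            cfg["routes"].append({"iface": tok[1], "dst": tok[2],
                                  "track": m.group(1) if m else None})
        elif tok[:2] == ["sla", "monitor"] and len(tok) > 2 and tok[2].isdigit():
            cfg["sla"].add(tok[2])
        elif tok[0] == "track" and len(tok) >= 4 and tok[2] == "rtr":
            cfg["tracks"][tok[1]] = tok[3]  # track ID rtr SLAID reachability
    return cfg


def audit(cfg):
    """Return human-readable findings, in check order."""
    findings = []
    by_name = {i["nameif"]: i for i in cfg["ifaces"].values() if "nameif" in i}
    outside = {r["iface"] for r in cfg["routes"] if r["dst"] == "0.0.0.0"}

    # 1. The interface holding the default route faces the Internet and should
    #    carry the LOWEST security-level; anything below it is trusted less
    #    than the Internet, which inverts the ASA's default trust model.
    for name in outside:
        lvl = by_name.get(name, {}).get("level")
        for other, info in by_name.items():
            if lvl is not None and other != name and info.get("level", 100) < lvl:
                findings.append(f"security-level inverted: {other} ({info['level']}) "
                                f"is below default-route interface {name} ({lvl})")

    # 2. A blanket 'permit ip any any' applied inbound on the Internet-facing
    #    interface lets any outside host initiate connections through the box.
    for acl, direction, iface in cfg["groups"]:
        if direction == "in" and iface in outside and any(
                re.search(r"\bpermit ip any any$", e) for e in cfg["acls"][acl]):
            findings.append(f"{acl} applied inbound on {iface} ends in 'permit ip any any'")

    # 3. A tracked route whose track object names an SLA monitor that is never
    #    defined depends on a probe that does not exist.
    for r in cfg["routes"]:
        if r["track"] is None:
            continue
        sla = cfg["tracks"].get(r["track"])
        if sla is None or sla not in cfg["sla"]:
            findings.append(f"route {r['dst']} via {r['iface']} tracks object "
                            f"{r['track']}, which references undefined sla monitor {sla}")
    return findings


def audit_text(text):
    return audit(parse_asa(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG):
        print("FINDING:", f)
```

The parser keys on the first token of each line, so it works on the indentation-stripped paste above as well as on a real 'show run'. To extend it, add a parse branch for the object you care about (nat/global pairs, dhcpd ranges) and a corresponding check in audit; each check is independent, so a clean config returns an empty list.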
