Firewall Wizards mailing list archives

Re: CISCO ASA 7.0(8) - internal users cannot browse.


From: Farrukh Haroon <farrukhharoon () gmail com>
Date: Fri, 3 Jun 2011 14:53:24 +0300

Hello

You could check the following:

a) Try running the packet-tracer command on the ASA (CLI or ASDM) and see
what exactly is happening

b) Run 'debug icmp trace' on the firewall to see if the request is
actually leaving the firewall; 'debug ip icmp' can be run on the router as
well

c) Make sure the icmp echo reply is not filtered on the router itself

d) Make sure both devices have the correct subnet mask(s); I see you are
using a /30 here

e) Can you ping from the ASA to the router?

Regards

Farrukh Haroon
CCIE Security, CISSP

On Wed, May 25, 2011 at 11:04 AM, Rocker Feller <
rocker.rockerfeller () gmail com> wrote:

Hi all,

I am a newbie and would like assistance on an ASA.

I have a Cisco ASA (factory default) that I configured.

This is my configuration, thank you.


1. I cannot ping the gw IP when connected on console, though from the gw
(which is a Cisco router) I can pick the ASA MAC address.

2. I have the two ACLs 101 and the command 'icmp permit any outside', which should
enable me to ping from any outside host to the outside interface of the ASA,
to no avail.

3. Public IP and gw are public IPs.

Q. Any assistance to get this working so that I can configure an RA VPN
will be appreciated.



SA Version 7.0(8)
!

domain-name ciscoasa.co.ke

names
dns-guard
!
interface Ethernet0/0
 description Link to Service Provider
 nameif outside
 security-level 0
 ip address publicip 255.255.255.252
!
interface Ethernet0/1
 description Link to Local LAN
 nameif inside
 security-level 100
 ip address 192.168.168.11 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list ANY extended permit ip any any
access-list ANY extended permit icmp any any echo-reply
access-list ANY extended permit icmp any any time-exceeded
access-list ANY extended permit icmp any any unreachable
access-list ANY extended permit icmp any any
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.168.0 255.255.255.0
access-group ANY in interface inside
route outside 0.0.0.0 0.0.0.0 gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:6f78bb9efb6b013ce7eb3cf8d77268ae

Rocker


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

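An added example, not part of the thread and not Cisco tooling: a small Python audit that applies two of Farrukh's checks to a config in the shape of the one posted. It parses the interface stanzas and the default route to verify that the gateway falls inside the outside interface's /30 (point d), and lists access-lists that are defined but never bound with access-group (in the posted config only ANY is applied, on inside; 101 and OUT are defined but not applied anywhere). The sample config is constructed, with 203.0.113.x documentation addresses standing in for 'publicip' and 'gw'; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: a trimmed ASA config in the shape of the one posted,
# with 203.0.113.x (RFC 5737 documentation space) standing in for the
# poster's "publicip" and "gw". Not the poster's real addresses.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.168.11 255.255.255.0
!
access-list ANY extended permit ip any any
access-list OUT extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any echo-reply
icmp permit any outside
access-group ANY in interface inside
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1
"""


def parse_interfaces(cfg):
    """Map nameif -> IPv4Interface (address plus mask) from 'interface' stanzas."""
    interfaces = {}
    name = addr = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = addr = None          # new stanza, forget the previous one
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            parts = line.split()        # ['ip', 'address', addr, mask]
            addr = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        if name and addr:
            interfaces[name] = addr
    return interfaces


def unapplied_acls(cfg):
    """Names of access-lists that are defined but never bound with access-group."""
    defined = set(re.findall(r"^access-list (\S+) ", cfg, re.M))
    applied = set(re.findall(r"^access-group (\S+) ", cfg, re.M))
    return sorted(defined - applied)


def default_gateway(cfg):
    """(egress interface, gateway) from 'route <if> 0.0.0.0 0.0.0.0 <gw> ...'."""
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M)
    return (m.group(1), ipaddress.IPv4Address(m.group(2))) if m else None


def gateway_on_link(cfg):
    """True if the default gateway lies within the egress interface's subnet.

    This is Farrukh's point d: with a /30 on the outside link, the ASA's
    address and the router's address must share the same 4-address block,
    otherwise the ASA has no on-link next hop and cannot ARP for it.
    """
    ifs = parse_interfaces(cfg)
    route = default_gateway(cfg)
    if route is None or route[0] not in ifs:
        return False
    return route[1] in ifs[route[0]].network


def icmp_to_interface_allowed(cfg, ifname):
    """True if an 'icmp permit any <ifname>' line allows ICMP *to* that interface."""
    return re.search(rf"^icmp permit any {re.escape(ifname)}$", cfg, re.M) is not None


def audit(cfg):
    """Run the checks and return a dict the caller can act on."""
    return {
        "unapplied_acls": unapplied_acls(cfg),
        "gateway_on_link": gateway_on_link(cfg),
        "icmp_to_outside": icmp_to_interface_allowed(cfg, "outside"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

This only reads the configuration text; it cannot tell you what the box actually does with a packet, so packet-tracer and 'debug icmp trace' on the ASA (points a and b) remain the authoritative checks. Note also that pings sourced from the ASA itself, as in the poster's first problem, are not subject to interface ACLs at all, which is why the mask and the on-link gateway are the first things to verify for that symptom.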