Firewall Wizards mailing list archives
Re: CISCO ASA 7.0(8) - internal users cannot browse.
From: "Christopher J. Wargaski" <wargo1 () gmail com>
Date: Fri, 3 Jun 2011 09:19:09 -0500
Hey Rocker--

If you want to take this off-line and write me back directly, that is fine.

Let's address one item at a time. You are not explicitly permitting the ICMP echo replies on the outside interface, so they are probably being dropped. Do the following to confirm:

ASA(config)# logging buffered 4
ASA(config)# ping gw
ASA(config)# sho log

You ought to see messages stating that ICMP echo replies were dropped.

I am guessing that you want the OUT ACL to be applied to the outside interface. To do that, do the following:

ASA(config)# access-group OUT in interface outside
ASA(config)# ping gw

Does that work?

cjw

On Wed, May 25, 2011 at 3:04 AM, Rocker Feller <rocker.rockerfeller () gmail com> wrote:
Hi all,

I am a newbie and would like assistance on an ASA. I have a Cisco ASA factory default that I configured. This is my configuration, thank you.

1. I cannot ping the gw ip when connected on console, though from the gw, which is a Cisco router, I can pick the ASA MAC address.
2. I have the two ACLs 101 and cmd icmp permit any outside, which should enable me to ping from any outside host to the outside interface of the ASA, to no avail.
3. public ip and gw are public IPs.

Q. Any assistance to get this working so that I can configure an RA VPN will be appreciated.

SA Version 7.0(8)
!
domain-name ciscoasa.co.ke
names
dns-guard
!
interface Ethernet0/0
 description Link to Service Provider
 nameif outside
 security-level 0
 ip address publicip 255.255.255.252
!
interface Ethernet0/1
 description Link to Local LAN
 nameif inside
 security-level 100
 ip address 192.168.168.11 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list ANY extended permit ip any any
access-list ANY extended permit icmp any any echo-reply
access-list ANY extended permit icmp any any time-exceeded
access-list ANY extended permit icmp any any unreachable
access-list ANY extended permit icmp any any
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.168.0 255.255.255.0
access-group ANY in interface inside
route outside 0.0.0.0 0.0.0.0 gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:6f78bb9efb6b013ce7eb3cf8d77268ae

Rocker

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
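An added example, not part of the thread or of any Cisco tooling: a short audit of the posted configuration that lists which access-lists are actually bound with access-group and which are only defined. The function name audit_acl_bindings and the result keys are hypothetical, and the sample input is constructed from the interface, access-list and access-group lines quoted above.

```python
import re

# Constructed sample: interface, access-list and access-group lines taken
# from the configuration quoted in the thread (addresses omitted).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
interface Ethernet0/1
 nameif inside
interface Ethernet0/2
 no nameif
interface Management0/0
 nameif management
access-list ANY extended permit ip any any
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-group ANY in interface inside
"""

NAMEIF_RE = re.compile(r"^nameif\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")

def audit_acl_bindings(config_text):
    """Report which ACLs are bound to interfaces and which are only defined."""
    interfaces, acls, bindings = [], set(), {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NAMEIF_RE.match(line):        # "no nameif" does not match
            interfaces.append(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bindings.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    inbound = {ifc for pairs in bindings.values() for d, ifc in pairs if d == "in"}
    return {
        "bound": bindings,                              # ACL -> [(direction, interface)]
        "unbound": sorted(acls - set(bindings)),        # defined, never applied
        "undefined": sorted(set(bindings) - acls),      # applied, never defined
        "no_inbound_acl": sorted(set(interfaces) - inbound),
    }

if __name__ == "__main__":
    for key, value in audit_acl_bindings(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, it reports OUT and 101 as unbound and the outside and management interfaces as having no inbound access-group.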
Current thread:
- CISCO ASA 7.0(8) - internal users cannot browse. Rocker Feller (Jun 02)
- Re: CISCO ASA 7.0(8) - internal users cannot browse. Farrukh Haroon (Jun 09)
- Re: CISCO ASA 7.0(8) - internal users cannot browse. Christopher J. Wargaski (Jun 09)