[fw-wiz] CISCO ASA 7.0(8) - internal users cannot browse.



Hi all,

I am a newbie and would like assistance on an ASA.

I have a Cisco ASA, factory default, that I configured.

This is my configuration; thank you.


1. I cannot ping the GW IP when connected on the console, though from the GW,
which is a Cisco router, I can pick up the ASA MAC address.

2. I have the two ACLs 101 and the command "icmp permit any outside", which should
enable me to ping from any outside host to the outside interface of the ASA,
to no avail.

3. The public IP and GW are public IPs.

Q. Any assistance to get this working so that I can configure an RA VPN will
be appreciated.



ASA Version 7.0(8)
!

domain-name ciscoasa.co.ke

names
dns-guard
!
interface Ethernet0/0
description Link to Service Provider
nameif outside
security-level 0
ip address publicip 255.255.255.252
!
interface Ethernet0/1
description Link to Local LAN
nameif inside
security-level 100
ip address 192.168.168.11 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list ANY extended permit ip any any
access-list ANY extended permit icmp any any echo-reply
access-list ANY extended permit icmp any any time-exceeded
access-list ANY extended permit icmp any any unreachable
access-list ANY extended permit icmp any any
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp permit any outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.168.0 255.255.255.0
access-group ANY in interface inside
route outside 0.0.0.0 0.0.0.0 gw 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:6f78bb9efb6b013ce7eb3cf8d77268ae

Rocker
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
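The posted configuration defines three access-lists (ANY, OUT and 101) but binds only ANY, to the inside interface; OUT and 101 exist without ever being applied with "access-group", so they have no effect on traffic. Below is an added example (not from the original post or any reply) of a small Python audit script that parses the "nameif", "security-level", "access-list", "access-group" and "icmp permit/deny" lines of an ASA 7.x running-config and reports exactly that class of mistake: ACLs defined but never applied, interfaces with no inbound ACL, bound ACLs that start with "permit ip any any", and the ICMP-to-interface policy. The SAMPLE_CONFIG is an excerpt of the configuration posted above; the function and variable names are this example's own.

```python
"""Audit an ASA-style running-config for ACLs that are defined but never applied.

Added example, not part of the original mailing-list post. It understands
only the handful of line types needed for the check; everything else is ignored.
"""
import re
from collections import defaultdict

# Excerpt of the configuration posted above (ACL bodies trimmed for brevity).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
interface Management0/0
 nameif management
 security-level 100
access-list ANY extended permit ip any any
access-list ANY extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
icmp permit any outside
access-group ANY in interface inside
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended |standard )?(permit|deny) (.*)")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")
NAMEIF_RE = re.compile(r"nameif (\S+)")
SECLVL_RE = re.compile(r"security-level (\d+)")
ICMP_RE = re.compile(r"icmp (permit|deny) (.+) (\S+)$")


def parse_asa(text):
    """Return (acls, bindings, interfaces, icmp_rules) from config text.

    acls:       {acl name: [ "permit ip any any", ... ]}
    bindings:   {(interface, direction): acl name}
    interfaces: {nameif: security-level or None}
    icmp_rules: [(action, source spec, interface)]
    """
    acls, bindings, interfaces, icmp_rules = defaultdict(list), {}, {}, []
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("no "):          # "no nameif", "no security-level"
            continue
        if m := ACL_RE.match(line):
            acls[m.group(1)].append(f"{m.group(2)} {m.group(3)}")
        elif m := GROUP_RE.match(line):
            bindings[(m.group(3), m.group(2))] = m.group(1)
        elif m := NAMEIF_RE.match(line):
            current_if = m.group(1)
            interfaces[current_if] = None
        elif (m := SECLVL_RE.match(line)) and current_if:
            interfaces[current_if] = int(m.group(1))
        elif m := ICMP_RE.match(line):
            icmp_rules.append((m.group(1), m.group(2), m.group(3)))
    return dict(acls), bindings, interfaces, icmp_rules


def audit(text):
    """Run the checks and return findings as a plain dict (easy to assert on)."""
    acls, bindings, interfaces, icmp_rules = parse_asa(text)
    bound = set(bindings.values())
    return {
        # Defined with access-list but never referenced by access-group:
        "unbound_acls": sorted(name for name in acls if name not in bound),
        # Named interfaces that filter nothing inbound (implicit policy only):
        "interfaces_without_inbound_acl": sorted(
            name for name in interfaces if (name, "in") not in bindings),
        # Applied ACLs whose first entry allows everything:
        "permit_any_any_bound": [
            (acl, ifname) for (ifname, _d), acl in bindings.items()
            if acls.get(acl, [""])[0] == "permit ip any any"],
        # Who may ping the appliance's own interfaces:
        "icmp_to_interface": icmp_rules,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the posted config the script lists OUT and 101 as unbound and flags that the outside and management interfaces carry no inbound ACL, which is the first thing to confirm before looking at routing or NAT for the "cannot ping / cannot browse" symptoms.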

