ASA 5505 config
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
in CCNP
Alright guys. What Am I missing with this config?
I can't get on the internet with this and I've officially looked at it too long to be of any use....
Any ideas?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.05.24 00:36:52 =~=~=~=~=~=~=~=~=~=~=~=
show run
: Saved
:
ASA Version 8.0(2)
!
names
!
interface Vlan2
no forward interface Vlan3
nameif private
security-level 100
ip address 172.16.0.1 255.255.255.248
!
interface Vlan3
nameif wtf
security-level 100
ip address 172.20.0.1 255.255.255.248
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside.accessto.private extended permit icmp any any echo-reply
access-list outside.accessto.private extended permit icmp any any traceroute
access-list outside.accessto.private extended permit icmp any any time-exceeded
access-list outside.accessto.private extended deny tcp any any eq 135
access-list outside.accessto.private extended deny tcp any any eq 137
access-list outside.accessto.private extended deny tcp any any eq 138
access-list outside.accessto.private extended deny tcp any any eq netbios-ssn
access-list outside.accessto.private extended deny udp any any eq netbios-ns
access-list outside.accessto.private extended deny udp any any eq netbios-dgm
access-list outside.accessto.private extended deny udp any any eq 139
access-list outside.accessto.private extended deny tcp any any eq 445
access-list outside.accessto.private extended deny udp any any eq 445
access-list outside.accessto.private extended permit tcp any any eq ssh
access-list outside.accessto.private extended permit udp any any eq 22
access-list outside.accessto.private extended deny tcp any any
access-list outside.accessto.private extended deny udp any any
access-list private.accessto.outside extended permit icmp any any
access-list private.accessto.outside extended permit ip 172.16.0.0 255.255.255.248 any
no pager
logging enable
logging asdm informational
mtu private 1500
mtu outside 1500
mtu wtf 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any private
icmp permit any outside
icmp permit any wtf
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (private) 101 0.0.0.0 0.0.0.0
nat (wtf) 101 0.0.0.0 0.0.0.0
access-group private.accessto.outside in interface private
access-group outside.accessto.private in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.0.0 255.255.255.248 wtf
http 172.16.0.0 255.255.255.248 private
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.16.0.0 255.255.255.248 private
ssh 172.20.0.0 255.255.255.248 wtf
ssh timeout 5
console timeout 0
dhcpd address 172.16.0.2-172.16.0.6 private
dhcpd auto_config outside interface private
dhcpd enable private
!
dhcpd address 172.20.0.2-172.20.0.6 wtf
dhcpd auto_config outside interface wtf
dhcpd enable wtf
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:88cc80cf63fd8d787735b35dea3776a3
: end
I can't get on the internet with this and I've officially looked at it too long to be of any use....
Any ideas?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2008.05.24 00:36:52 =~=~=~=~=~=~=~=~=~=~=~=
show run
: Saved
:
ASA Version 8.0(2)
!
names
!
interface Vlan2
no forward interface Vlan3
nameif private
security-level 100
ip address 172.16.0.1 255.255.255.248
!
interface Vlan3
nameif wtf
security-level 100
ip address 172.20.0.1 255.255.255.248
!
interface Vlan100
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside.accessto.private extended permit icmp any any echo-reply
access-list outside.accessto.private extended permit icmp any any traceroute
access-list outside.accessto.private extended permit icmp any any time-exceeded
access-list outside.accessto.private extended deny tcp any any eq 135
access-list outside.accessto.private extended deny tcp any any eq 137
access-list outside.accessto.private extended deny tcp any any eq 138
access-list outside.accessto.private extended deny tcp any any eq netbios-ssn
access-list outside.accessto.private extended deny udp any any eq netbios-ns
access-list outside.accessto.private extended deny udp any any eq netbios-dgm
access-list outside.accessto.private extended deny udp any any eq 139
access-list outside.accessto.private extended deny tcp any any eq 445
access-list outside.accessto.private extended deny udp any any eq 445
access-list outside.accessto.private extended permit tcp any any eq ssh
access-list outside.accessto.private extended permit udp any any eq 22
access-list outside.accessto.private extended deny tcp any any
access-list outside.accessto.private extended deny udp any any
access-list private.accessto.outside extended permit icmp any any
access-list private.accessto.outside extended permit ip 172.16.0.0 255.255.255.248 any
no pager
logging enable
logging asdm informational
mtu private 1500
mtu outside 1500
mtu wtf 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any private
icmp permit any outside
icmp permit any wtf
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (private) 101 0.0.0.0 0.0.0.0
nat (wtf) 101 0.0.0.0 0.0.0.0
access-group private.accessto.outside in interface private
access-group outside.accessto.private in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.20.0.0 255.255.255.248 wtf
http 172.16.0.0 255.255.255.248 private
no snmp-server location
no snmp-server contact
no snmp-server enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto isakmp nat-traversal
telnet timeout 5
ssh 172.16.0.0 255.255.255.248 private
ssh 172.20.0.0 255.255.255.248 wtf
ssh timeout 5
console timeout 0
dhcpd address 172.16.0.2-172.16.0.6 private
dhcpd auto_config outside interface private
dhcpd enable private
!
dhcpd address 172.20.0.2-172.20.0.6 wtf
dhcpd auto_config outside interface wtf
dhcpd enable wtf
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:88cc80cf63fd8d787735b35dea3776a3
: end
Comments
-
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□Yeah, you really need to pay attention to your NAT and access-lists..
Apparently I was on the ganja yesterday..... -
redwarrior Member Posts: 285I deal with ASA's almost every day at work and it seems like any time I even see a config for them I start to get a migraine! I often wimp out and use the ASDM when troubleshooting an issue, particularly if it involves VPN. The packet tracker (I think it's called that, it's in the tools section) is great for at least giving you a place to start by showing at which step your traffic is dropped.
I'm hoping after I study for ISCW I'll be such a badass I won't need the GUI anymore!
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog -
cisco_trooper Member Posts: 1,441 ■■■■□□□□□□redwarrior wrote:I deal with ASA's almost every day at work and it seems like any time I even see a config for them I start to get a migraine! I often wimp out and use the ASDM when troubleshooting an issue, particularly if it involves VPN. The packet tracker (I think it's called that, it's in the tools section) is great for at least giving you a place to start by showing at which step your traffic is dropped.
I'm hoping after I study for ISCW I'll be such a badass I won't need the GUI anymore!
I know the feeling man. I had a cryptomap somehow catching all my traffic and I sure as hell couldn't figure out why. I finally deleted the damn thing to restore service....I'm hoping to get back to studying soon, but I've been busy getting up to speed in a new job so I haven't studied much lately.