
ASA problems

red1lert (Member, Posts: 8)
Hi everyone, I have a base configuration on the ASA and I cannot ping from PC1 to PC2. Here is the show run. Any ideas?



ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif management
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
nameif INSIDE
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet2
nameif OUTSIDE
security-level 0
ip address 8.0.0.1 255.255.255.0
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
mtu management 1500
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:07d7d02b99be4a5b4d3875ac78b907bf
: end

Comments

  • Master Of Puppets (Member, Posts: 1,210)
    The ASA does not allow ICMP echo by default. You can do it with an ACL or by turning on ICMP inspection.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • Legacy User (Unregistered / Not Logged In, Posts: 0)
    Going by your diagram and your config, PC1 is on the outside interface. For starters, by default the ASA blocks ALL traffic unless it's told not to. I don't see any policies inspecting any traffic.

    i.e.:
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp

    You could also create an access list allowing that traffic in.

    PC1 is on the outside interface; you must look at it from a real-world perspective. The outside interface would be pointing to the internet, which means some computer on the internet can't just ping an internal host with a private IP address without specific rules allowing it to do so.



    I also don't see a route or NAT configured. In your exact setup you may have to set up static NAT, which will tie PC2 to the address of the outside interface, but that gets too complicated for a "basic" config.


    Google what you need to configure a basic configuration on an ASA 5505; there are plenty of articles on it. You will learn how to properly configure it in the process, because all you have configured is the password, ASDM access and the IP addresses for the interfaces. There's more that still needs to be configured on the ASA before it can be considered a "basic config".

    Think of it this way: if you were an electrician installing the power in a new house under construction, all you have done so far is install the outlets in the wall and the light switches, without running or connecting the cables going to the main, and you are scratching your head wondering why the light doesn't come on when you flip the switch.


    Good luck
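As an added example (not from the original post or from any of the replies), here is what the pieces mentioned in this thread look like in ASA 8.4(2) syntax, using the interface names and addresses from the show run above: ICMP inspection so echo-replies are allowed back, NAT in the post-8.3 object form, a route, and the interface-level icmp command that controls pings to the ASA itself. PC2 at 10.0.0.10 on INSIDE, PC1 at 8.0.0.10 on OUTSIDE, the mapped address 8.0.0.100 for PC2 and the next hop 8.0.0.2 are assumptions for the lab.

```cisco
! Added example, not the original poster's config. Interface names and
! addresses come from the show run above; host addresses, the mapped
! address 8.0.0.100 and the next hop 8.0.0.2 are assumed.

! 1. Stateful ICMP: with "inspect icmp" the ASA tracks the echo-request
!    from INSIDE (security 100) and lets the echo-reply return from
!    OUTSIDE (security 0) without an inbound ACL. The OP's show run has
!    no class-map/policy-map/service-policy at all, so all three are needed.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global

! 2. Dynamic NAT (8.3+ object syntax): inside hosts leave with the
!    OUTSIDE interface address. In a lab with private addresses on both
!    sides a route alone may suffice, but this matches a real deployment.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface

! 3. Default route toward the assumed next hop on the OUTSIDE segment.
route OUTSIDE 0.0.0.0 0.0.0.0 8.0.0.2

! 4. Only if PC1 (OUTSIDE, security 0) must initiate pings to PC2:
!    a static NAT for PC2 plus an ACL applied inbound on OUTSIDE, because
!    the lower-security side cannot open a connection otherwise.
!    Post-8.3 ACLs reference the real address, hence "object PC2".
object network PC2
 host 10.0.0.10
 nat (INSIDE,OUTSIDE) static 8.0.0.100
access-list OUTSIDE_IN extended permit icmp any object PC2 echo
access-group OUTSIDE_IN in interface OUTSIDE

! 5. Pings addressed to the ASA's own interfaces are governed by the
!    interface-level icmp command, not by the ACL or the inspection policy.
icmp permit 10.0.0.0 255.255.255.0 INSIDE
icmp permit 8.0.0.0 255.255.255.0 OUTSIDE
```

To check the result without a second PC, use packet-tracer, which walks the packet through the ACL, NAT and inspection stages and reports where it is dropped: `packet-tracer input INSIDE icmp 10.0.0.10 8 0 8.0.0.10` for the inside-to-outside case and `packet-tracer input OUTSIDE icmp 8.0.0.10 8 0 8.0.0.100` for the outside-initiated one; `show service-policy inspect icmp` and `show nat` confirm that the policy and translations are active. Note the caveat raised later in the thread: step 5 only lets a host ping the interface its packet arrives on. The ASA does not answer ICMP sent to a far-side interface address (for example, from the INSIDE network to 8.0.0.1), so that is expected behaviour rather than a misconfiguration.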
  • RouteMyPacket (Member, Posts: 1,104)
    Welp, so much for answering this thread... the real Security masters are all over it. MoP, shouldn't you be focusing on IPS and letting me come across as somewhat of a Security guy here? lol
    Modularity and Design Simplicity: Think of the 2:00 a.m. test. If you were awakened in the middle of the night because of a network problem and had to figure out the traffic flows in your network while you were half asleep, could you do it?
  • Legacy User (Unregistered / Not Logged In, Posts: 0)
    Lol, yep, I was beaten to the punch as well. I was in the middle of a call when I was typing up my response and there weren't any replies yet, but once I pressed submit I saw Master of Puppets had replied.
  • red1lert (Member, Posts: 8)
    Thanks to everyone. I found the solution to my problem.
  • Master Of Puppets (Member, Posts: 1,210)
    RouteMyPacket wrote: »
    Welp, so much for answering this thread... the real Security masters are all over it. MoP, shouldn't you be focusing on IPS and letting me come across as somewhat of a Security guy here? lol

    I promise not to steal the spotlight anymore :D I managed to arrange my schedule so that I can take the test tomorrow. I'll let you know how it goes.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • red1lert (Member, Posts: 8)
    Hi again :) Now I have another problem: I can ping the outside device but not the outside interface of the ASA. How can this happen?
  • bobfromfpl (Member, Posts: 104)
    When you find a solution to the problem you asked for assistance with, it's generally appreciated to share your answer with the group if you want additional help. Just a suggestion!
  • SecurityThroughObscurity (Member, Posts: 212)
    red1lert wrote: »
    Hi again :) Now I have another problem: I can ping the outside device but not the outside interface of the ASA. How can this happen?
    You can't ping the outside interface from another interface's network because of the ASA architecture.
  • theodoxa (Member, Posts: 1,340)
    I don't know if it works on other ASAs, but on the 5505 there is a command to reset it to its original out-of-the-box configuration. I use that as my base configuration and configure from there.
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]