ASA5510 not passing traffic


    jsm0377

    We are migrating from an aging OpenBSD firewall to an ASA 5510. I thought I had the ASA’s configuration down, but it will not pass any traffic. Can someone take a look at this config and point me in the right direction? Thanks in advance!

    Thor(config)# show run
    : Saved
    :
    ! Running configuration of the ASA 5510 that is replacing the OpenBSD firewall
    ! described in the post. The "!" lines are review annotations; the ASA ignores
    ! "!" lines if this listing is pasted back into the CLI.
    ! Interfaces: outside (Ethernet0/0, public /30), inside (192.168.1.0/24),
    ! dmz (Ethernet0/2, public /29), management (10.1.1.0/24, management-only).
    ASA Version 8.2(5)
    ! 8.2 semantics matter for the review below: an inbound ACL on the outside
    ! interface is matched against the MAPPED address (the outside interface IP for
    ! the port-forwards), not the real inside address, and translation is driven by
    ! the pre-8.3 "nat"/"global"/"static" commands.
    !
    hostname Thor
    domain-name **********
    ! Both hashes below are now public (posted verbatim), so treat them as disclosed
    ! and rotate them. NOTE(review): the "passwd" hash appears to be the well-known
    ! factory-default value of a freshly initialised ASA; it guards Telnet/SSH login,
    ! so confirm and change it before any CLI service is enabled.
    enable password SONwpQoOW3UtF1xT encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ! /30 toward the ISP. The default route below must point at the other usable
    ! address of this /30; the address is masked in the post, so that cannot be
    ! checked here -- verify with "show arp" and a ping to the gateway from the ASA.
    ip address 38.104.x.x 255.255.255.252
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif dmz
    ! Level 50 sits between inside (100) and outside (0). No access-group is applied
    ! to dmz below, so the defaults hold: dmz->outside allowed, dmz->inside denied.
    security-level 50
    ! Publicly routable /29, so dmz hosts need no translation toward outside.
    ip address 38.101.x.x 255.255.255.248
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    ! management-only: this interface never forwards transit traffic.
    management-only
    !
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    ! Name resolution for the ASA itself (e.g. the call-home URL below) goes out via
    ! outside to the two resolvers listed; unrelated to transit DNS traffic.
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 66.28.0.45
    name-server 66.28.0.61
    domain-name ********
    ! inside->outside and inside->dmz are already permitted by security level; this
    ! ACL (applied on inside below) makes that explicit and permits everything.
    access-list inside_access_in extended permit ip any any
    ! Permits every ICMP type from anywhere to any destination, not only replies.
    ! NOTE(review): "inspect icmp" in the global policy would allow only replies to
    ! ASA/inside-originated pings, after which this line could be narrowed.
    access-list outside_access_in extended permit icmp any any
    ! On 8.2 the outside ACL is matched against the mapped address, which for these
    ! port-forwards is the outside interface IP, so the 192.168.1.4 entries below are
    ! never hit on outside; the 38.104.x.x entries further down are the effective
    ! ones. They are also inconsistent with the statics: 3390/3391 forward to
    ! 192.168.1.2 and 192.168.1.210, not to 192.168.1.4.
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq smtp
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 465
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq imap4
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 993
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq www
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq https
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq ssh
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 3390
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 3391
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq domain
    access-list outside_access_in extended permit udp any host 192.168.1.4 eq domain
    ! Effective inbound policy. Only ports that also have a "static" below are
    ! forwarded: 993 and domain (tcp/udp) are permitted here but have no static, so
    ! nothing delivers them to 192.168.1.4. ssh, 3390 and 3391 are administrative
    ! services open to "any"; a narrower source (or VPN access) is the usual
    ! hardening step.
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq smtp
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 465
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq imap4
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 993
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq www
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq https
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq ssh
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 3390
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 3391
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq domain
    access-list outside_access_in extended permit udp any host 38.104.x.x eq domain
    ! Defined but never applied with "access-group", so it has no effect. Applying it
    ! as written would permit dmz->inside, which is normally not wanted.
    access-list dmz_access_in extended permit ip any any
    ! Referenced by "nat (dmz) 0" below; matches any source to the dmz subnet.
    access-list skip-nat-dmz extended permit ip any 38.101.x.x 255.255.255.248
    pager lines 24
    ! Only ASDM's in-memory log is configured. There is no "logging enable", so
    ! neither buffered logging nor syslog export is active -- enable it to
    ! troubleshoot this ("show logging") and keep a syslog host once in production.
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    ! Dynamic PAT: all of 192.168.0.0/16 (which also covers the routed 192.168.2.0/24
    ! and 192.168.4.0/24) leaves outside as the outside interface IP.
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.0.0
    ! NOTE(review): the nat (inside) 1 rule also matches inside->dmz traffic, but
    ! there is no "global (dmz) 1", so on 8.2 those connections likely fail with a
    ! no-translation-group error. Either add "global (dmz) 1 interface" or exempt
    ! inside->dmz with a nat 0 rule on inside. This would not explain inside->outside
    ! failing, which points at the outside link / default gateway (masked here).
    ! As written, this nat 0 sits on the dmz interface and only matches dmz-sourced
    ! traffic to its own subnet, which never needs translation; it looks like it was
    ! meant as "nat (inside) 0 access-list skip-nat-dmz" -- confirm the intent.
    nat (dmz) 0 access-list skip-nat-dmz
    ! Port-forwards from the outside interface IP. Because 22 on the outside IP is
    ! forwarded to 192.168.1.4, management SSH can never be enabled on outside
    ! (none is configured; management stays on inside/management only).
    ! 3390/3391 expose RDP (3389) on two hosts to any source; the alternate port is
    ! not access control -- restrict the source or put RDP behind VPN.
    static (inside,outside) tcp interface imap4 192.168.1.4 imap4 netmask 255.255.255.255
    static (inside,outside) tcp interface 465 192.168.1.4 465 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface ssh 192.168.1.4 ssh netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.1.4 https netmask 255.255.255.255
    static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3391 192.168.1.210 3389 netmask 255.255.255.255
    ! No access-group for dmz, so dmz_access_in above is unused.
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    ! Default route: the next hop is masked; it must be the ISP side of the outside /30.
    route outside 0.0.0.0 0.0.0.0 38.104.x.x 1
    ! 192.168.2.0/24 and 192.168.4.0/24 sit behind 192.168.1.4 on the inside segment;
    ! return traffic for those networks is routed back via 192.168.1.4.
    route inside 192.168.2.0 255.255.255.0 192.168.1.4 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    ! ASDM/HTTPS management from the management and inside networks only, never
    ! from outside -- the right exposure.
    http server enable
    http 10.1.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    ! Traps are enabled but no "snmp-server host" is configured, so they have no
    ! destination.
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    ! No "telnet <net> <if>" / "ssh <net> <if>" lines exist, so neither CLI service
    ! is listening; these timeouts are inert until one is enabled. "console timeout
    ! 0" means a console session never idles out.
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    ! DHCP is served only on the management interface.
    dhcpd address 10.1.1.2-10.1.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! webvpn mode is entered but nothing is enabled on any interface, so no SSL VPN
    ! listener exists.
    webvpn
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    ! DNS inspection: per the 8.2 documentation "client auto" caps replies at the
    ! EDNS0 size the client advertised, 512 bytes otherwise. NOTE(review): large
    ! DNSSEC/EDNS answers may be dropped by the 512 cap -- confirm if DNS failures
    ! appear.
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum client auto
    message-length maximum 512
    ! Default inspection set; "inspect icmp" is absent (see the icmp ACL above).
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    ! Smart Call Home profile is present but "no active", so nothing is sent to Cisco.
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:83b7c85665f2d495da21c7e6a86fcef7
    : end
    Thor(config)# show run
    : Saved
    :
    ! Second paste of the same running configuration (identical to the listing
    ! above). The "!" lines are review annotations; the ASA ignores "!" lines if
    ! this listing is pasted back into the CLI.
    ! Interfaces: outside (Ethernet0/0, public /30), inside (192.168.1.0/24),
    ! dmz (Ethernet0/2, public /29), management (10.1.1.0/24, management-only).
    ASA Version 8.2(5)
    ! 8.2 semantics matter for the review below: an inbound ACL on the outside
    ! interface is matched against the MAPPED address (the outside interface IP for
    ! the port-forwards), not the real inside address, and translation is driven by
    ! the pre-8.3 "nat"/"global"/"static" commands.
    !
    hostname Thor
    domain-name **********
    ! Both hashes below are now public (posted verbatim), so treat them as disclosed
    ! and rotate them. NOTE(review): the "passwd" hash appears to be the well-known
    ! factory-default value of a freshly initialised ASA; it guards Telnet/SSH login,
    ! so confirm and change it before any CLI service is enabled.
    enable password SONwpQoOW3UtF1xT encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ! /30 toward the ISP. The default route below must point at the other usable
    ! address of this /30; the address is masked in the post, so that cannot be
    ! checked here -- verify with "show arp" and a ping to the gateway from the ASA.
    ip address 38.104.x.x 255.255.255.252
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Ethernet0/2
    nameif dmz
    ! Level 50 sits between inside (100) and outside (0). No access-group is applied
    ! to dmz below, so the defaults hold: dmz->outside allowed, dmz->inside denied.
    security-level 50
    ! Publicly routable /29, so dmz hosts need no translation toward outside.
    ip address 38.101.x.x 255.255.255.248
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    ! management-only: this interface never forwards transit traffic.
    management-only
    !
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    ! Name resolution for the ASA itself (e.g. the call-home URL below) goes out via
    ! outside to the two resolvers listed; unrelated to transit DNS traffic.
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 66.28.0.45
    name-server 66.28.0.61
    domain-name ********
    ! inside->outside and inside->dmz are already permitted by security level; this
    ! ACL (applied on inside below) makes that explicit and permits everything.
    access-list inside_access_in extended permit ip any any
    ! Permits every ICMP type from anywhere to any destination, not only replies.
    ! NOTE(review): "inspect icmp" in the global policy would allow only replies to
    ! ASA/inside-originated pings, after which this line could be narrowed.
    access-list outside_access_in extended permit icmp any any
    ! On 8.2 the outside ACL is matched against the mapped address, which for these
    ! port-forwards is the outside interface IP, so the 192.168.1.4 entries below are
    ! never hit on outside; the 38.104.x.x entries further down are the effective
    ! ones. They are also inconsistent with the statics: 3390/3391 forward to
    ! 192.168.1.2 and 192.168.1.210, not to 192.168.1.4.
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq smtp
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 465
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq imap4
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 993
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq www
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq https
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq ssh
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 3390
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq 3391
    access-list outside_access_in extended permit tcp any host 192.168.1.4 eq domain
    access-list outside_access_in extended permit udp any host 192.168.1.4 eq domain
    ! Effective inbound policy. Only ports that also have a "static" below are
    ! forwarded: 993 and domain (tcp/udp) are permitted here but have no static, so
    ! nothing delivers them to 192.168.1.4. ssh, 3390 and 3391 are administrative
    ! services open to "any"; a narrower source (or VPN access) is the usual
    ! hardening step.
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq smtp
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 465
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq imap4
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 993
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq www
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq https
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq ssh
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 3390
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq 3391
    access-list outside_access_in extended permit tcp any host 38.104.x.x eq domain
    access-list outside_access_in extended permit udp any host 38.104.x.x eq domain
    ! Defined but never applied with "access-group", so it has no effect. Applying it
    ! as written would permit dmz->inside, which is normally not wanted.
    access-list dmz_access_in extended permit ip any any
    ! Referenced by "nat (dmz) 0" below; matches any source to the dmz subnet.
    access-list skip-nat-dmz extended permit ip any 38.101.x.x 255.255.255.248
    pager lines 24
    ! Only ASDM's in-memory log is configured. There is no "logging enable", so
    ! neither buffered logging nor syslog export is active -- enable it to
    ! troubleshoot this ("show logging") and keep a syslog host once in production.
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    ! Dynamic PAT: all of 192.168.0.0/16 (which also covers the routed 192.168.2.0/24
    ! and 192.168.4.0/24) leaves outside as the outside interface IP.
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0 255.255.0.0
    ! NOTE(review): the nat (inside) 1 rule also matches inside->dmz traffic, but
    ! there is no "global (dmz) 1", so on 8.2 those connections likely fail with a
    ! no-translation-group error. Either add "global (dmz) 1 interface" or exempt
    ! inside->dmz with a nat 0 rule on inside. This would not explain inside->outside
    ! failing, which points at the outside link / default gateway (masked here).
    ! As written, this nat 0 sits on the dmz interface and only matches dmz-sourced
    ! traffic to its own subnet, which never needs translation; it looks like it was
    ! meant as "nat (inside) 0 access-list skip-nat-dmz" -- confirm the intent.
    nat (dmz) 0 access-list skip-nat-dmz
    ! Port-forwards from the outside interface IP. Because 22 on the outside IP is
    ! forwarded to 192.168.1.4, management SSH can never be enabled on outside
    ! (none is configured; management stays on inside/management only).
    ! 3390/3391 expose RDP (3389) on two hosts to any source; the alternate port is
    ! not access control -- restrict the source or put RDP behind VPN.
    static (inside,outside) tcp interface imap4 192.168.1.4 imap4 netmask 255.255.255.255
    static (inside,outside) tcp interface 465 192.168.1.4 465 netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 192.168.1.4 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface ssh 192.168.1.4 ssh netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.1.4 www netmask 255.255.255.255
    static (inside,outside) tcp interface https 192.168.1.4 https netmask 255.255.255.255
    static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255
    static (inside,outside) tcp interface 3391 192.168.1.210 3389 netmask 255.255.255.255
    ! No access-group for dmz, so dmz_access_in above is unused.
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    ! Default route: the next hop is masked; it must be the ISP side of the outside /30.
    route outside 0.0.0.0 0.0.0.0 38.104.x.x 1
    ! 192.168.2.0/24 and 192.168.4.0/24 sit behind 192.168.1.4 on the inside segment;
    ! return traffic for those networks is routed back via 192.168.1.4.
    route inside 192.168.2.0 255.255.255.0 192.168.1.4 1
    route inside 192.168.4.0 255.255.255.0 192.168.1.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    ! ASDM/HTTPS management from the management and inside networks only, never
    ! from outside -- the right exposure.
    http server enable
    http 10.1.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    ! Traps are enabled but no "snmp-server host" is configured, so they have no
    ! destination.
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    ! No "telnet <net> <if>" / "ssh <net> <if>" lines exist, so neither CLI service
    ! is listening; these timeouts are inert until one is enabled. "console timeout
    ! 0" means a console session never idles out.
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    ! DHCP is served only on the management interface.
    dhcpd address 10.1.1.2-10.1.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ! webvpn mode is entered but nothing is enabled on any interface, so no SSL VPN
    ! listener exists.
    webvpn
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    ! DNS inspection: per the 8.2 documentation "client auto" caps replies at the
    ! EDNS0 size the client advertised, 512 bytes otherwise. NOTE(review): large
    ! DNSSEC/EDNS answers may be dropped by the 512 cap -- confirm if DNS failures
    ! appear.
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum client auto
    message-length maximum 512
    ! Default inspection set; "inspect icmp" is absent (see the icmp ACL above).
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    ! Smart Call Home profile is present but "no active", so nothing is sent to Cisco.
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:83b7c85665f2d495da21c7e6a86fcef7
    : end

