Thursday, June 09, 2011

firewall-wizards Digest, Vol 59, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: CISCO ASA 7.0(8) - internal users cannot browse.
(Farrukh Haroon)
2. Re: CISCO ASA 7.0(8) - internal users cannot browse.
(Christopher J. Wargaski)


----------------------------------------------------------------------

Message: 1
Date: Fri, 3 Jun 2011 14:53:24 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] CISCO ASA 7.0(8) - internal users cannot browse.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BANLkTikEvDGjDZv-aaLFfeG3cmZAv7pihQ@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hello

You could check the following:

a) Try running the packet-tracer command on the ASA (CLI or ASDM) and see
what exactly is happening

b) Run 'debug icmp trace' on the firewall to see if the request is
actually leaving the firewall; 'debug ip icmp' can be run on the router as
well

c) Make sure the icmp echo reply is not filtered on the router itself

d) Make sure both devices have the correct subnet mask(s); I see you are
using a /30 here

e) Can you ping from the ASA to the router?

Regards

Farrukh Haroon
CCIE Security, CISSP

On Wed, May 25, 2011 at 11:04 AM, Rocker Feller <
rocker.rockerfeller@gmail.com> wrote:

> Hi all,
>
> I am a newbie and would like assistance on an ASA.
>
> I have a Cisco ASA (factory default) that I configured.
>
> This is my configuration, thank you.
>
>
> 1. I cannot ping the gw IP when connected on the console, though from the gw,
> which is a Cisco router, I can pick up the ASA MAC address.
>
> 2. I have the two ACLs, 101, and the command icmp permit any outside, which should
> enable me to ping from any outside host to the outside interface of the ASA,
> to no avail.
>
> 3. publicip and gw are public IPs.
>
> Q. Any assistance in getting this working so that I can configure an RA VPN
> will be appreciated.
>
>
>
> ASA Version 7.0(8)
> !
>
> domain-name ciscoasa.co.ke
>
> names
> dns-guard
> !
> interface Ethernet0/0
> description Link to Service Provider
> nameif outside
> security-level 0
> ip address publicip 255.255.255.252
> !
> interface Ethernet0/1
> description Link to Local LAN
> nameif inside
> security-level 100
> ip address 192.168.168.11 255.255.255.0
> !
> interface Ethernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface Management0/0
> nameif management
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> management-only
> !
> ftp mode passive
> access-list ANY extended permit ip any any
> access-list ANY extended permit icmp any any echo-reply
> access-list ANY extended permit icmp any any time-exceeded
> access-list ANY extended permit icmp any any unreachable
> access-list ANY extended permit icmp any any
> access-list OUT extended permit icmp any any echo-reply
> access-list OUT extended permit icmp any any echo
> access-list 101 extended permit icmp any any echo-reply
> access-list 101 extended permit icmp any any source-quench
> access-list 101 extended permit icmp any any unreachable
> access-list 101 extended permit icmp any any time-exceeded
> pager lines 24
> logging asdm informational
> mtu outside 1500
> mtu inside 1500
> mtu management 1500
> icmp permit any outside
> asdm image disk0:/asdm-508.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 1 192.168.168.0 255.255.255.0
> access-group ANY in interface inside
> route outside 0.0.0.0 0.0.0.0 gw 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> http server enable
> http 192.168.1.0 255.255.255.0 management
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> dhcpd address 192.168.1.2-192.168.1.254 management
> dhcpd lease 3600
> dhcpd ping_timeout 50
> dhcpd enable management
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map global_policy
> class inspection_default
> inspect dns maximum-length 512
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> inspect icmp
> !
> service-policy global_policy global
> Cryptochecksum:6f78bb9efb6b013ce7eb3cf8d77268ae
>
> Rocker
>
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

------------------------------

Message: 2
Date: Fri, 3 Jun 2011 09:19:09 -0500
From: "Christopher J. Wargaski" <wargo1@gmail.com>
Subject: Re: [fw-wiz] CISCO ASA 7.0(8) - internal users cannot browse.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BANLkTik50G9_DP9ymcoq96oCd6C8Nq07nA@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Hey Rocker--


If you want to take this off-line and write me back directly, that is
fine.

Let's address one item at a time.

You are not explicitly permitting the ICMP echo replies on the outside
interface, so they are probably being dropped. Do the following to confirm:
ASA(config)# logging buffered 4
ASA(config)# ping gw
ASA(config)# sho log

You ought to see messages stating that ICMP echo replies were dropped. I am
guessing that you want the OUT ACL to be applied to the outside interface.
To do that, do the following:

ASA(config)# access-group OUT in interface outside
ASA(config)# ping gw

Does that work?


cjw


On Wed, May 25, 2011 at 3:04 AM, Rocker Feller <
rocker.rockerfeller@gmail.com> wrote:
[Quoted message from Rocker Feller, identical to the one reproduced in full under Message 1 above, omitted here.]
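Both replies come down to reading what the ASA logs when the ping fails: Farrukh's 'debug icmp trace' and Christopher's 'logging buffered 4' / 'sho log' sequence. The script below is an added example, not code from the list or from Cisco. It parses the two syslog messages an ASA emits for a dropped ICMP packet, %ASA-4-106023 (a transit packet denied by the access-group on the interface it entered) and %ASA-3-313001 (an ICMP packet addressed to the ASA's own interface and denied by the 'icmp permit/deny ... <interface>' rules), and says which knob to look at for each. The log lines are constructed for the example, with RFC 5737 addresses standing in for the redacted publicip/gw and for an outside host; the message formats are the standard ASA ones, and both IDs are severity 4 or lower so they appear at 'logging buffered 4'. Which of them you actually see depends on the policy: with 'inspect icmp' in the global policy, as in the posted config, echo-replies for a transit ping are matched to a connection and need no ACL permit, while pings to the interface address are governed only by the interface ICMP rules.

```python
import re

# Constructed sample of "show logging" output, as if captured after
# "logging buffered 4" and a few pings (not from the thread; the RFC 5737
# addresses 203.0.113.0/24 and 198.51.100.0/24 stand in for the redacted
# "publicip"/"gw" and for an outside host).
SAMPLE_LOG = """\
%ASA-4-106023: Deny icmp src outside:203.0.113.1 dst inside:192.168.168.20 (type 0, code 0) by access-group "OUT" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:203.0.113.1 dst inside:192.168.168.20 (type 0, code 0) by access-group "OUT" [0x0, 0x0]
%ASA-3-313001: Denied ICMP type=8, code=0 from 198.51.100.7 on interface outside
%ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:192.168.168.11/22 by access-group "OUT" [0x0, 0x0]
"""

# %ASA-x-106023: a transit packet dropped by the access-group on the interface it entered.
DENY_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)? '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) by access-group "(?P<acl>[^"]+)"'
)
# %ASA-x-313001: an ICMP packet addressed to the ASA's own interface, denied by the
# "icmp permit/deny ... <interface>" rules rather than by any access-group.
DENY_313001 = re.compile(
    r'%ASA-\d-313001: Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) '
    r'from (?P<src>[\d.]+) on interface (?P<iface>[\w-]+)'
)

ICMP_TYPES = {0: "echo-reply", 3: "unreachable", 4: "source-quench",
              8: "echo", 11: "time-exceeded"}


def parse_icmp_denies(log_text):
    """Return one event dict per denied ICMP packet found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = DENY_106023.search(line)
        if m and m.group("proto").lower() == "icmp":
            events.append({"kind": "through", "iface": m.group("sif"),
                           "acl": m.group("acl"), "src": m.group("src"),
                           "dst": m.group("dst"), "type": int(m.group("type"))})
            continue
        m = DENY_313001.search(line)
        if m:
            events.append({"kind": "to-box", "iface": m.group("iface"),
                           "acl": None, "src": m.group("src"),
                           "dst": None, "type": int(m.group("type"))})
    return events


def diagnose(events):
    """Group the denies and say which knob (ACL vs. interface ICMP rules) to check."""
    groups = {}
    for e in events:
        groups.setdefault((e["kind"], e["iface"], e["type"], e["acl"]), []).append(e)
    advice = []
    # Sort on (kind, interface, type) only; the ACL field may be None.
    for (kind, iface, itype, acl), hits in sorted(groups.items(), key=lambda kv: kv[0][:3]):
        n, name = len(hits), ICMP_TYPES.get(itype, f"type {itype}")
        if kind == "through" and itype == 0:
            advice.append(f"{n}x {name} dropped entering {iface} by ACL {acl}: return traffic "
                          f"for a ping from a higher-security interface; permit echo-reply "
                          f"(plus unreachable and time-exceeded) in {acl}, or let 'inspect icmp' "
                          f"track the flow so replies match a connection")
        elif kind == "through":
            advice.append(f"{n}x {name} dropped entering {iface} by ACL {acl}: "
                          f"no rule in {acl} permits it")
        else:
            advice.append(f"{n}x {name} sent to the {iface} interface address denied by the "
                          f"interface ICMP rules: check 'icmp permit <host|any> {iface}'; the "
                          f"access-group does not govern pings to the ASA itself")
    return advice


if __name__ == "__main__":
    for line in diagnose(parse_icmp_denies(SAMPLE_LOG)):
        print(line)
```

Paste the real 'show logging' output in place of SAMPLE_LOG. The TCP deny line is included only to show that non-ICMP 106023 messages are skipped; on a box where 'inspect icmp' is already doing its job the echo-reply denies simply will not be there, and the 313001 lines are the ones that explain a failed ping to the interface address.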

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 59, Issue 2
***********************************************
