[c-nsp] ASA help configuration

Alasdair Gow alasdair.gow at lumison.net
Thu Mar 6 10:54:38 EST 2008


Do you see anything interesting in the debug logging?

What kind of packets is it dropping?

> icmp unreachable rate-limit 1 burst-size 1
Is it dropping ICMP packets?

Have you checked the duplex settings? Is everything talking the same?

Can you do a mirror port on the switch to see via tcpdump what's getting switched?

Ally

Jorge Evangelista wrote:
> Hi guys,
>
> I have configured a Cisco ASA 5505 with two LANs, one for inside (servers)
> and the other for business (users). I can ping from business to inside
> and vice versa, and I can authenticate to the MS domain only when I
> connect a PC to ASA ports with access vlan 3. However, when I connect a
> switch via crossover cable to the business interface of the ASA, with PCs
> connected to this switch, I can ping my servers but I start to lose
> packets, and I cannot connect to the domain controller.
> Is there some mismatch or error in my configuration? Thanks in advance, any
> help is appreciated.
>
> Here is my configuration
>
> INFFRW01# sh run
> : Saved
> :
> ASA Version 8.0(3)
> !
> hostname INFFRW01
> domain-name infonet
> enable password TKDiZkUkxqC/29zO encrypted
> names
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> pppoe client vpdn group infonet
> ip address pppoe setroute
> !
> interface Vlan3
> nameif business
> security-level 100
> ip address 172.16.1.1 255.255.255.0
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> interface Ethernet0/1
> !
> interface Ethernet0/2
> !
> interface Ethernet0/3
> description PCs INFONET LAN
> switchport access vlan 3
> !
> interface Ethernet0/4
> !
> interface Ethernet0/5
> !
> interface Ethernet0/6
> !
> interface Ethernet0/7
> !
> passwd .tmIcdcvUoZGQ9bt encrypted
> boot system disk0:/asa803-k8.bin
> ftp mode passive
> clock timezone PEST -5
> dns server-group DefaultDNS
> domain-name infonet
> same-security-traffic permit inter-interface
> object-group network LAN
> description network servers
> network-object 192.168.1.0 255.255.255.0
> object-group network Bussiness
> description network PCsINFONET
> network-object 172.16.1.0 255.255.255.0
> access-list inside_access_in extended permit ip host 192.168.1.21 any
> access-list inside_access_in extended permit ip host 192.168.1.100 any
> access-list inside_access_in extended permit ip host 192.168.1.105 any
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
> access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq sqlnet
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq netbios-ssn
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 445
> access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
> access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo-reply
> access-list outside_access_in extended permit ip host 64.76.95.138 interface outside
> access-list business_access_in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
> access-list outside_access_out extended permit ip any any
> access-list business_outbound_nat0_acl extended permit ip object-group Bussiness object-group LAN
> access-list inside_outbound_nat0_acl extended permit ip object-group LAN object-group Bussiness
> pager lines 24
> logging enable
> logging timestamp
> logging monitor notifications
> logging buffered informational
> logging asdm informational
> mtu inside 1500
> mtu outside 1500
> mtu business 1500
> ip verify reverse-path interface outside
> ip audit name idsattack attack action alarm reset
> ip audit name idsinfo info action alarm
> ip audit interface outside idsinfo
> ip audit interface outside idsattack
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> icmp permit any inside
> icmp permit any echo inside
> icmp permit any echo-reply inside
> icmp permit host 64.76.95.138 echo outside
> icmp permit any echo-reply outside
> asdm image disk0:/asdm-603.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0
> nat (business) 0 access-list business_outbound_nat0_acl
> nat (business) 1 0.0.0.0 0.0.0.0
> access-group inside_access_in in interface inside
> access-group business_access_in in interface business
> route outside 0.0.0.0 0.0.0.0 192.168.20.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> aaa local authentication attempts max-fail 10
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 5
> ssh 192.168.1.0 255.255.255.0 inside
> ssh timeout 5
> console timeout 5
> vpdn group infonet request dialout pppoe
> vpdn group infonet localname xxxxx at speedyplus
> vpdn group infonet ppp authentication chap
> vpdn username xxxxx at speedyplus password *********
> dhcpd auto_config outside
> !
> dhcpd address 192.168.1.2-192.168.1.254 inside
> dhcpd enable inside
> !
>
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> class-map type inspect im match-all InstantMSN
> match protocol msn-im yahoo-im
> !
> !
> policy-map type inspect im IMBlock
> parameters
> class InstantMSN
> drop-connection log
> !
> prompt hostname context
> Cryptochecksum:cd27619b7d15523a934badb87c74c6f5
> : end
> INFFRW01# conf t
> INFFRW01(config)# exit
> INFFRW01#


-- 
Alasdair Gow
Lumison
t: 0845 1199 900
d: 0131 514 4042
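The reply above asks what the box is dropping and whether the config is consistent; a quick audit of the running-config is the check a reviewer would run before reaching for tcpdump. The script below is an added example, not code from the thread or from Cisco. It parses a constructed sample modelled on the quoted ASA 5505 running-config and flags three things that can be read straight off it: ACLs that are defined but never bound by an access-group or nat rule (outside_access_in and outside_access_out in the quoted config), interfaces that share a security level while same-security-traffic permit inter-interface is missing (inside and business are both level 100; the line is present, so no finding), and clear-text telnet management. The function names parse_config and audit are my own.

```python
"""Audit a Cisco ASA running-config for problems of the kind raised in the
thread: ACLs that are defined but never bound, interfaces that share a
security level without inter-interface traffic being permitted, and
clear-text (telnet) management access.

Added example for this archive page, not code from the thread or from Cisco.
SAMPLE_CONFIG is constructed, modelled on the ASA 5505 config quoted above.
"""
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface Vlan3
 nameif business
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip host 192.168.1.21 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list outside_access_in extended permit ip host 64.76.95.138 interface outside
access-list business_access_in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list business_outbound_nat0_acl extended permit ip object-group Bussiness object-group LAN
access-list inside_outbound_nat0_acl extended permit ip object-group LAN object-group Bussiness
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (business) 0 access-list business_outbound_nat0_acl
access-group inside_access_in in interface inside
access-group business_access_in in interface business
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
"""


def parse_config(text):
    """Pull out the parts of the config the audit needs.

    Indentation is ignored on purpose: configs pasted into mail (as in the
    thread) usually arrive with the leading space of subcommands stripped.
    """
    cfg = {"interfaces": {}, "acls": defaultdict(list), "access_groups": {},
           "nat_acls": set(), "telnet": [], "flags": set()}
    iface = None  # interface block currently being read
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            iface = None  # "!" closes the interface block
            continue
        kw = parts[0]
        if kw == "interface":
            iface = {}
        elif kw in ("nameif", "security-level") and iface is not None:
            iface[kw] = parts[1]
            if "nameif" in iface and "security-level" in iface:
                cfg["interfaces"][iface["nameif"]] = int(iface["security-level"])
        elif kw == "access-list":
            cfg["acls"][parts[1]].append(" ".join(parts[2:]))
        elif kw == "access-group":
            # access-group NAME in|out interface IFACE
            cfg["access_groups"][parts[1]] = (parts[2], parts[4])
        elif kw == "nat" and "access-list" in parts:
            # nat (IFACE) 0 access-list NAME  -> NAT exemption ACL, counts as bound
            cfg["nat_acls"].add(parts[parts.index("access-list") + 1])
        elif raw.strip() == "same-security-traffic permit inter-interface":
            cfg["flags"].add("same-security-inter")
        elif kw == "telnet" and len(parts) == 4 and parts[1] != "timeout":
            # telnet ADDR MASK IFACE (skips "telnet timeout N")
            cfg["telnet"].append((parts[1], parts[2], parts[3]))
    return cfg


def audit(cfg):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    bound = set(cfg["access_groups"]) | cfg["nat_acls"]
    for name in sorted(cfg["acls"]):
        if name not in bound:
            findings.append(f"ACL {name} is defined but bound to no interface or NAT rule")
    for name, (_, nameif) in cfg["access_groups"].items():
        if nameif not in cfg["interfaces"]:
            findings.append(f"access-group {name} references unknown interface {nameif}")
    by_level = defaultdict(list)
    for nameif, level in cfg["interfaces"].items():
        by_level[level].append(nameif)
    if "same-security-inter" not in cfg["flags"]:
        for level, names in sorted(by_level.items()):
            if len(names) > 1:
                findings.append(
                    f"interfaces {', '.join(sorted(names))} share security-level {level} "
                    "but same-security-traffic permit inter-interface is not set; "
                    "traffic between them is dropped")
    for addr, mask, nameif in cfg["telnet"]:
        findings.append(f"clear-text telnet management allowed from {addr} {mask} "
                        f"on {nameif}; use ssh instead")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```

On the sample this reports the two unbound ACLs and the telnet line; delete the same-security-traffic line from the sample and a fourth finding appears for inside and business, which is the case where pings between the two LANs stop working entirely rather than intermittently. Packet loss that only shows up once a switch is hung off the business port is not something a config audit will find; that is where the duplex check and the mirror-port capture suggested above come in.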
