All times are UTC

 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 8:59 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
Hi,
Thanks for your help, but I can ping the WAN 8.8.8.8 sitting on the ASA. The problem is I cannot ping from inside to outside. That's where I struggle.


Also, I have shared MS Loopback1 with the WiFi adapter, so that bit is fine. 192.168.137.1 is the MS Loopback IP and 192.168.137.2 is the outside interface's directly connected IP.
But I can ping 8.8.8.8, so I am assuming it's fine.




 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 9:33 pm 

Joined: Fri May 13, 2011 10:35 pm
Posts: 83
Location: Seattle, WA (USA)
As the ASA config looks fine, maybe somebody else will chime in that matches your specific topology with VirtualBox and QEMU on Windows. My experience is solely with the ASA/VMware stack on Mac and Linux (http://forum.gns3.net/topic8180.html, https://plus.google.com/+MarcWeisel/posts/LATMbzGcpYz).

_________________
http://binarynature.blogspot.com/search/label/GNS3


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 9:37 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
Okay, I have an iMac and I can simulate that on it and see if it works. Please send me the instructions for the iMac. Also, would you be able to tell me how I can set up a complete lab for practice? I can watch videos but don't know how to set up a reliable lab that I can use for day-to-day practice.
Thanks


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 9:52 pm 

Joined: Fri May 13, 2011 10:35 pm
Posts: 83
Location: Seattle, WA (USA)
Quote:
Okay, I have an iMac and I can simulate that on it and see if it works. Please send me the instructions for the iMac. Also, would you be able to tell me how I can set up a complete lab for practice? I can watch videos but don't know how to set up a reliable lab that I can use for day-to-day practice.


Just click on the link in my sig block for all the info.

_________________
http://binarynature.blogspot.com/search/label/GNS3


 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 11:15 pm 

Joined: Sat Aug 16, 2014 12:14 pm
Posts: 9
Thank God I fixed it now, lol. It took me 24 hrs.


Here are the final configs:


ciscoasa(config)# show running-config
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 192.168.137.2 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
object network INSIDE_to_OUTSIDE
subnet 10.10.10.0 255.255.255.0
object network INTERNAL_NETWORK
subnet 10.10.10.0 255.255.255.0
object-group service ALLOWED_PORTS tcp
port-object eq www
port-object eq https
access-list OUTSIDE_IN extended permit udp any any eq domain
access-list OUTSIDE_IN extended permit icmp any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list INSIDE_OUT extended permit tcp object INTERNAL_NETWORK any object-group ALLOWED_PORTS
access-list INSIDE_OUT extended permit icmp any any
access-list INSIDE_OUT extended permit udp object INTERNAL_NETWORK any eq domain
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 10 burst-size 5
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
!
object network INSIDE_to_OUTSIDE
nat (inside,outside) dynamic interface
object network INTERNAL_NETWORK
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
access-group INSIDE_OUT in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.137.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
service resetoutside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password f3UhLvUj1QsXsuK7 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map INSPECTION_DEFAULT
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map GLOBAL_POLICY
class INSPECTION_DEFAULT
inspect icmp
inspect http
inspect dns
class inspection_default
inspect icmp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class-default
set connection decrement-ttl
!
service-policy GLOBAL_POLICY global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:0cbe35894505fca973cd5b4c30f2f4d8

!


Also make sure that you use the proper IP address, subnet mask and default gateway on the VB WIN XP.
Most important is DNS, which is the main issue throughout the course,
so use 8.8.8.8 on the VB host machine (XP).


Also, to check whether the firewall has been allowing TCP traffic to the web, use this command:

ciscoasa(config)# packet-tracer input inside tcp 10.10.10.50 1025 8.8.8.8 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_OUT in interface inside
access-list INSIDE_OUT extended permit tcp object INTERNAL_NETWORK any object-group ALLOWED_PORTS
object-group service ALLOWED_PORTS tcp
port-object eq www
port-object eq https
Additional Information:

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map GLOBAL_POLICY
class class-default
set connection decrement-ttl
service-policy GLOBAL_POLICY global
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map INSPECTION_DEFAULT
match default-inspection-traffic
policy-map GLOBAL_POLICY
class INSPECTION_DEFAULT
inspect http
service-policy GLOBAL_POLICY global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
object network INSIDE_to_OUTSIDE
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 10.10.10.50/1025 to 192.168.137.2/22248

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 339, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

ciscoasa(config)#


The above output proves that the firewall is capable of allowing TCP traffic through.


Thanks for all your help and patience through the day.


Regards

Imran

Oxford
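An added example (not the poster's config or any Cisco tool): a small Python model of the decision the ACCESS-LIST phase of the packet-tracer output above makes for this INSIDE_OUT policy, with the access-list entries, object groups and security levels transcribed by hand from the posted config. It also models the point raised in the reply below about security levels: with no access-group bound to inside, higher-to-lower traffic passes by default, whereas once INSIDE_OUT is bound, anything it does not explicitly permit (SSH to 8.8.8.8, say) hits the ACL's implicit deny. Real ASA matching is richer (ICMP types, source ports, nested object groups); only the pieces this thread uses are modelled.

```python
import ipaddress

# Constructed for this example: the INSIDE_OUT policy from the posted config,
# transcribed by hand into Python data (this is not an ASA config parser).
OBJECTS = {"INTERNAL_NETWORK": ipaddress.ip_network("10.10.10.0/24")}
SERVICE_GROUPS = {"ALLOWED_PORTS": {80, 443}}          # port-object eq www / https
INSIDE_OUT = [                                          # (proto, src, dst, dport)
    ("tcp", "INTERNAL_NETWORK", "any", "ALLOWED_PORTS"),
    ("icmp", "any", "any", None),
    ("udp", "INTERNAL_NETWORK", "any", 53),             # eq domain
]
SECURITY_LEVEL = {"inside": 100, "outside": 0}          # from the nameif stanzas

def _match_addr(spec, addr):
    """'any', or a named network object looked up in OBJECTS."""
    return spec == "any" or ipaddress.ip_address(addr) in OBJECTS[spec]

def _match_port(spec, port):
    """None (no port clause), a service object-group name, or a literal port."""
    if spec is None:
        return True
    if isinstance(spec, str):
        return port in SERVICE_GROUPS[spec]
    return port == spec

def acl_permits(acl, proto, src, dst, dport=None):
    """First matching ACE wins; a bound ACL ends in an implicit deny."""
    for ace_proto, ace_src, ace_dst, ace_dport in acl:
        if (ace_proto == proto and _match_addr(ace_src, src)
                and _match_addr(ace_dst, dst) and _match_port(ace_dport, dport)):
            return True
    return False

def flow_allowed(in_if, out_if, proto, src, dst, dport=None, access_group=None):
    """Simplified ASA ingress decision: with no access-group bound to the
    ingress interface, higher-to-lower security traffic is permitted by default
    (and the reverse denied); once an ACL is bound, only its permits survive."""
    if access_group is None:
        return SECURITY_LEVEL[in_if] > SECURITY_LEVEL[out_if]
    return acl_permits(access_group, proto, src, dst, dport)

if __name__ == "__main__":
    # The flow from the packet-tracer run above: tcp 10.10.10.50/1025 -> 8.8.8.8/www
    print(flow_allowed("inside", "outside", "tcp", "10.10.10.50", "8.8.8.8", 80, INSIDE_OUT))
    # Same source, but SSH: no permit in INSIDE_OUT, so the implicit deny applies
    print(flow_allowed("inside", "outside", "tcp", "10.10.10.50", "8.8.8.8", 22, INSIDE_OUT))
```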
 Post subject: Re: ASA 5520 with GNS3 connected to ms loopback
PostPosted: Sat Aug 16, 2014 11:52 pm 

Joined: Fri May 13, 2011 10:35 pm
Posts: 83
Location: Seattle, WA (USA)
Glad to help and also see you found the solution to your problem. FYI, you don't need to create ACLs for "normal" traffic originating from a higher security zone to a lower one (https://supportforums.cisco.com/discussion/11539041/asa-firewall-interface-security-levels-and-access-lists). The traffic is permitted by default.



_________________
http://binarynature.blogspot.com/search/label/GNS3

