I know this is prolly not the best place to be asking this, but here's hoping. I've got a Cisco ASA 5520 Firewall and can't get traffic to pass through it. The interfaces on the firewall can ping their individual routers, but the end routers cannot ping each other. Any help would be greatly appreciated.
**Note** This device is NOT something you buy at a store. If your experience only goes as far as a Linksys home router, I'm sorry, but you won't be able to help. Thanks for the thought though.
That's a pretty nice piece of hardware you got there. You did configure it, right? It's not exactly plug it in and expect it to work. I don't know how much experience you have with these things, so do you know how to access it over a console cable in HyperTerminal? Would it be possible to see your running config? Remove any passwords first, of course.
I'm experienced in the area. I can configure routers and switches till I'm blue in the face, but for some reason this ASA is kicking my butt. Also, I just wiped the config in case I was conflicting so it's empty. I can give you the default config if you want though.
[editline]03:46PM[/editline]
[code]ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 100
ip address 10.5.1.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list any-in standard permit any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:8f100be09918dd3cfa94cd42d182ee29
: end [/code]
I just threw in a couple IP's and some basic settings.
I'm not sure how much help I can be then. I originally wanted to see the config just to make sure there wasn't something completely off the wall incorrect that would be preventing the routers from pinging each other. I've really only worked with Cisco routers, but I assume the IOS and commands are at least a little bit similar. I'm taking a wild guess, but have you set up a route and checked the routing table to make sure it's forwarding to the correct IP?
Sorry, I went home for the day a tad early yesterday. Anyway, I haven't messed with the routing table yet; it has options for allowing communication between any interfaces with the same security level. And although I don't have it in the config above, there's a command that allows all communication from any interface to any other interface on any protocol. That's why I'm confused. I guess I'll mess with the routing table and manually configure each side. I'll see what I can do.
Isn't this a 3-4k piece of equipment? Shouldn't you receive some sort of tech support to go with that purchase?
Post a screenshot of your access rules. Get the ASDM client, or just do a show run if you use CLI. You probably have a deny somewhere for outside to inside traffic.
I'm going to go out on an absolute limb here; have you set a default route on your end routers?
Edit: note I'm assuming you aren't using any routing protocols.
[QUOTE=Veers;17452950]Isn't this a 3-4k piece of equipment? Shouldn't you receive some sort of tech support to go with that purchase?[/QUOTE]
Tad more expensive than that and yes I get support, but that's if it isn't working. I'm sure this is operator error since I'm very inexperienced in this area. (I'm more of a computer tech but my job title is Network Engineer.)
[editline]09:14AM[/editline]
[QUOTE=faze;17452983]Post a screenshot of your access rules. Get the ASDM client, or just do a show run if you use CLI. You probably have a deny somewhere for outside to inside traffic.[/QUOTE]
I prefer the CLI, but I've tried in the ASDM as well.
Here's my config though.
[code]ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 100
ip address 10.5.1.1 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
security-level 100
no ip address
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
access-list any-in standard permit any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 10.5.1.5
global (inside) 20 10.10.1.5
nat (outside) 20 10.5.1.0 255.255.255.0
nat (inside) 10 10.10.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:8f100be09918dd3cfa94cd42d182ee29
: end[/code]
[editline]09:16AM[/editline]
[QUOTE=abigserve;17463352]I'm going to go out on an absolute limb here; have you set a default route on your end routers?
edit; note i'm assuming you aren't using any routing protocols.[/QUOTE]
No protocols being used, and no I have not set up a default route. I totally forgot to do that. :doh: :bang:
[editline]09:43AM[/editline]
I just threw a default route on each router pointing towards the firewall and still nothing. I'll keep messing with them but any more help is greatly appreciated.
Post your routing tables on each device. Also, try using a different protocol to test connectivity between the two devices (such as TFTP).
I think I have an idea what's going on, but I'm not 100% just yet. Try that first.
K, so the layout of the network just changed so now it's like this:
[img]http://img7.imageshack.us/img7/5959/networkg.png[/img]
The 2811 and 7206 should not be allowed to talk, and I have the switch unmanaged to (hopefully) make things easier so as to not have to set up VLANs. (I removed the extra connections from the drawing, but if you need to know, I can tell you where other devices will be.)
So from an end device attached to the switch, when I try to ping the 2811, the firewall sees it and denies it, saying the access-group rule is not allowing it, although the ASDM does not have an option for access-group that I can find, only access-list (as it puts it in the config; I'm only using the ASDM because I'm unsure of all the commands). I'll post the firewall's new config since the network change.
[editline]10:22AM[/editline]
I fixed the issues. Turns out I was allowing access to the interface of the firewall instead of the subnet itself. I then just threw in a quick route of 0.0.0.0 to the firewall from the 2811 and BAM it came up. I knew it would be something stupid like all that. Oh well.
I would like to personally thank everyone who posted in this thread for all the help, you guys are helping to keep me employed. :D
I hope you guys have an awesome day.
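For anyone landing on this thread with the same symptom, here is the shape of the mistake the OP describes and its fix, written out as an added example in ASA/IOS CLI. This is not the OP's config; it reuses the 10.10.1.0/24 (inside) and 10.5.1.0/24 (outside) networks from the posted running config, and it assumes the 2811 sits on the inside network and that the ACL is called inside_in (both assumptions). Two points worth knowing from the posted config: `access-list any-in standard permit any` is a standard ACL, and the ASA only binds extended ACLs to interfaces with access-group, so that line never affected transit traffic; and with both interfaces at security-level 100 plus `same-security-traffic permit inter-interface`, no ACL is needed at all until one is bound, after which only what the ACL permits passes.

```cisco
! --- Added example, not the thread's own configuration. Networks are the
! --- ones from the posted config; interface/ACL names are assumed.

! Misconfigured: this rule matches only traffic involving the ASA's own
! inside address (the interface), so hosts behind the 2811 never match it
! and every ping shows up in the log as denied by the access-group.
access-list inside_in extended permit ip host 10.10.1.1 any
access-group inside_in in interface inside

! Corrected: match the subnet that lives behind the interface, and keep the
! rule narrow so only the intended inside-to-outside traffic is permitted.
no access-list inside_in extended permit ip host 10.10.1.1 any
access-list inside_in extended permit ip 10.10.1.0 255.255.255.0 10.5.1.0 255.255.255.0
access-group inside_in in interface inside

! Checks on the ASA: hit counts on the ACL climb when traffic matches, and
! the routing table must carry a route to each far-side network.
show access-list inside_in
show route

! Router side (2811, IOS): send everything it does not know toward the ASA's
! inside address, or it has no path to 10.5.1.0/24 at all.
ip route 0.0.0.0 0.0.0.0 10.10.1.1
show ip route
```

The ACL check is the quicker of the two: if `show access-list inside_in` shows a hit count of 0 on the permit line while pings are being sent, the rule is not matching the traffic, which is exactly the interface-versus-subnet mistake above. Only once the hit count moves is it worth looking at routing on the far side.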