I am trying to configure the network below.
I am not able to open http://142.12.56.68 from public laptop.
I am able to ping to firewall 192.158.99.1 from VLAN20 laptop0.
I have the configurations below on the ASA and the multilayer switch. Please let me know what else I need to do to complete this network.
ciscoasa(config)#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.99.1 255.255.255.252
!
interface GigabitEthernet1/2
nameif dmz
security-level 50
ip address 172.16.1.0 255.255.255.0
ospf authentication message-digest
ospf message-digest-key 1 md5 *****
!
!
interface Management1/1
management-only
nameif outside
security-level 0
ip address 148.12.56.67 255.255.255.0
ospf authentication message-digest
ospf message-digest-key 1 md5 *****
!
webvpn
enable outside
object network DMZ
subnet 172.16.1.0 255.255.255.0
object network LAN
subnet 192.168.20.0 255.255.255.0
object network webserver
host 172.16.1.10
object network webserver-external-ip
host 148.12.56.68
!
route outside 192.168.99.0 255.255.255.252 148.12.56.68 1
!
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit tcp any object webserver eq www
access-list OUTSIDE extended permit tcp any host 148.12.56.68 eq www
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
!
!
access-group OUTSIDE in interface outside
object network DMZ
nat (dmz,outside) dynamic interface
object network LAN
nat (inside,outside) dynamic interface
object network webserver
nat (dmz,outside) static 148.12.56.68
!
!
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
router ospf 1
log-adjacency-changes
network 0.0.0.0 255.255.255.255 area 0
network 192.168.99.0 255.255.255.252 area 0
network 148.12.56.0 255.255.255.0 area 0
network 171.16.1.0 255.255.255.0 area 1
network 172.16.1.0 255.255.255.0 area 1
!
For the MultiSwitch I have the following:
S1#show run
Building configuration...
Current configuration : 1840 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S1
!
ip routing
!
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/3
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/4
switchport access vlan 10
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/5
no switchport
ip address 192.168.99.2 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
mac-address 000c.8551.6601
ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
mac-address 000c.8551.6602
ip address 192.168.20.1 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 192.0.0.0 0.255.255.255 area 0
network 172.16.1.0 0.0.0.255 area 1
end
You are using the Management interface in management-only mode; therefore you can only use this interface to manage the ASA. As far as I know, you cannot remove the management-only option from the management interface.
packet-tracer command example:
At the end of the output you can see the Action line, which shows the final action. The next line will show you the reason if the action is drop.
You can also check the ASA log entries. You should always configure the logging feature!!! Minimal logging configuration:
The above configuration will add a timestamp to all log messages, set the log severity level to informational and buffer 16M of log messages.
For more information about ASA logging: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-syslog.html
You can find more information about log severity levels here: https://en.wikipedia.org/wiki/Syslog#Severity_level
To send log messages to a central log server:
Example: the log messages will be sent from the inside interface to the remote server 192.168.1.1 on port udp/514 (standard/legacy syslog protocol and port):
I think log messages are one of your best friends for troubleshooting!
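Added example (not from the question or the answer above): a small Python audit of the posted ASA running-config that flags three things visible in it: the dmz interface is addressed with the network address of its subnet rather than a host address, the management-only interface has a through-traffic ACL applied to it (the point the answer makes), and the lower-case `outside` access-list is never applied because ASA ACL names are case-sensitive. The embedded config is a constructed subset of the question's output, reduced to the lines the checks read.

```python
import ipaddress

# Constructed excerpt of the ASA running-config posted in the question (not the full output).
ASA_CONFIG = """\
interface GigabitEthernet1/2
 nameif dmz
 ip address 172.16.1.0 255.255.255.0
interface Management1/1
 management-only
 nameif outside
 ip address 148.12.56.67 255.255.255.0
access-list OUTSIDE extended permit tcp any host 148.12.56.68 eq www
access-list outside extended permit icmp any any echo-reply
access-group OUTSIDE in interface outside
"""

def parse(config):
    # interfaces keyed by nameif, set of ACL names, and applied ACL per interface
    ifaces, acls, groups, cur = {}, set(), {}, None
    for line in filter(str.strip, config.splitlines()):
        tok = line.split()
        if tok[0] == "interface":
            cur = {"mgmt_only": False, "ip": None}
        elif line.startswith(" ") and cur is not None:  # interface sub-command
            if tok[0] == "nameif":
                ifaces[tok[1]] = cur
            elif tok[0] == "management-only":
                cur["mgmt_only"] = True
            elif tok[:2] == ["ip", "address"]:  # ip_interface accepts a dotted mask
                cur["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "access-list":
            acls.add(tok[1])
        elif tok[0] == "access-group":  # access-group <acl> in interface <nameif>
            groups[tok[4]] = tok[1]
    return ifaces, acls, groups

def audit(config):
    """Return one finding per misconfiguration; an empty list means all checks passed."""
    ifaces, acls, groups = parse(config)
    applied, findings = set(groups.values()), []
    for name, i in ifaces.items():
        ip = i["ip"]
        if ip is not None and ip.ip == ip.network.network_address:
            findings.append(f"{name}: {ip.ip} is the network address of {ip.network}, not a host")
        if i["mgmt_only"] and name in groups:
            findings.append(f"{name}: management-only interface, through-traffic ACL has no effect")
    for acl in sorted(acls - applied):
        if any(acl.lower() == a.lower() for a in applied):
            findings.append(f"ACL {acl!r} is never applied; ACL names are case-sensitive")
    return findings
```

Running `audit(ASA_CONFIG)` returns the three findings in interface order followed by the ACL finding; feeding it a corrected config returns an empty list.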