Saturday, June 16, 2018

Can't ping the internal network of our organization

Below is the firewall config (with all the company info removed) that I'm trying to deploy in our environment.

The firewall is in the internal 10.68.48.0/20 subnet; I cannot ping the other internal subnets of the organization (e.g. the 10.7.0.0/20 subnet) from the firewall. Can someone please have a look at the config below and tell me what I'm missing?

I have no experience working with firewalls and I'm not sure what I need to add further.

Edit: OneDrive link to the config text file: https://1drv.ms/t/s!AjSYQDbgQrcVZwnFFDs3D73VRhA

FW001# sh run
: Saved
:
: Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.4(4)17
!
terminal width 200
hostname FW001
domain-name corporate.net
names
!
interface GigabitEthernet1/1
 description *** To Internet ***
 shutdown
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet1/2
 description *** To Switch ***
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 description *** To Switch ***
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 description *** To YP Router ***
 nameif DMZ-YP
 security-level 80
 ip address 1x.0.2.x1 255.255.255.248
!
interface GigabitEthernet1/5
 description << To 100M Internet Line >>
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 description <<Fiber_400>>
 nameif outside-2
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.100
 vlan 100
 nameif Server_LAN
 security-level 100
 ip address 10.68.54.251 255.255.255.0
!
interface Port-channel1.101
 vlan 101
 nameif User-LAN
 security-level 100
 ip address 10.68.55.251 255.255.255.0
!
interface Port-channel1.999
 vlan 999
 nameif Management
 security-level 100
 ip address 10.68.48.251 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
 domain-name corporate.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network 10.200.0.0
 subnet 10.200.0.0 255.248.0.0
object network 10.208.0.0
 subnet 10.208.0.0 255.254.0.0
object network 10.0.0.0
 subnet 10.0.0.0 255.255.0.0
object network 10.21.0.0
 subnet 10.21.0.0 255.255.0.0
object network 10.31.16.0
 subnet 10.31.16.0 255.255.255.128
object network 10.40.0.0
 subnet 10.40.0.0 255.254.0.0
object network 10.7.0.0
 subnet 10.7.0.0 255.255.0.0
object network 10.8.0.0
 subnet 10.8.0.0 255.254.0.0
object network 10.20.110.0
 subnet 10.20.110.0 255.255.255.0
object network 10.64.0.0
 subnet 10.64.0.0 255.224.0.0
object network 10.204.106.0
 subnet 10.204.106.0 255.255.255.0
object service TCP-4000
 service tcp destination eq 4000
object service TCP-22
 service tcp destination eq ssh
object network INSIDE_10.68.48.0_20
 subnet 10.68.48.0 255.255.240.0
object network DMZ-YP-Subnet
 subnet 192.0.x.xx 255.255.255.248
object network YP-Remacc1
 host 1xx.1xx.167.34
object network YP-Remacc2
 host 1xx.1xx.240.3
object network YP
 host 1xx.0.x.xx
object service SSH-YP
 service tcp source eq ssh
object service SSH-YP-OUT
 service tcp source eq 4000
object-group network xxx-Remote-Subnet
 network-object object 10.0.0.0
 network-object object 10.20.110.0
 network-object object 10.200.0.0
 network-object object 10.208.0.0
 network-object object 10.21.0.0
 network-object object 10.31.16.0
 network-object object 10.40.0.0
 network-object object 10.7.0.0
 network-object object 10.8.0.0
 network-object object 10.64.0.0
 network-object 10.66.0.0 255.254.0.0
 network-object object 10.204.106.0
object-group network YP-Remote
 network-object object YP-Remacc1
 network-object object YP-Remacc2
object-group network YPSSH
 network-object host 1xx.59.xx4.xx4
 network-object host 15x.10x.2xx.32
access-list DMZ-YP_ACCESS_IN extended permit ip object DMZ-YP-Subnet any
access-list DMZ-YP_ACCESS_IN extended permit ip object-group xkx-Remote-Subnet any
access-list DMZ-YP_ACCESS_IN extended permit icmp any any time-exceeded
access-list DMZ-YP_ACCESS_IN extended permit icmp any any unreachable
access-list DMZ-YP_ACCESS_IN extended permit icmp any any traceroute
access-list OUTSIDE-2_ACCESS_IN extended permit icmp any any
access-list OUTSIDE-2_ACCESS_IN extended permit tcp object-group YPSSH object YP eq ssh
access-list OUTSIDE-2_ACCESS_IN extended permit tcp object-group YP-Remote object YP eq ssh
pager lines 24
logging enable
logging asdm informational
logging host Management 10.202.10.232 17/1514
logging class session trap informational
mtu outside 1500
mtu DMZ-YP 1500
mtu outside-2 1500
mtu Server_LAN 1500
mtu User-LAN 1500
mtu Management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any User-LAN
icmp permit any Management
asdm image disk0:/asdm-791-151.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (DMZ-YP,outside-2) source static YP interface service SSH-YP SSH-YP-OUT
nat (DMZ-YP,outside-2) source dynamic DMZ-YP-Subnet interface
nat (Server_LAN,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
nat (User-LAN,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
nat (Management,outside-2) source dynamic INSIDE_10.68.48.0_20 interface
object network obj_any
 nat (any,outside-2) dynamic interface
access-group DMZ-YP_ACCESS_IN in interface DMZ-YP
access-group OUTSIDE-2_ACCESS_IN in interface outside-2
router rip
 network 1xx.0.x.0
 version 2
!
route outside-2 0.0.0.0 0.0.0.0 x.xx.x.x 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 DMZ-YP
http 0.0.0.0 0.0.0.0 outside-2
snmp-server host DMZ-YP 10.202.10.232 community ***** version 2c
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 DMZ-YP
ssh 0.0.0.0 0.0.0.0 outside-2
ssh 10.68.54.0 255.255.255.0 Server_LAN
ssh 10.68.55.42 255.255.255.255 User-LAN
ssh 10.68.55.0 255.255.255.0 User-LAN
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Management
dhcprelay server 10.68.54.12 Server_LAN
dhcprelay enable User-LAN
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.202.100.1 source Management prefer
dynamic-access-policy-record DfltAccessPolicy
username Temporary password .s86pxc3Jm62lZTh encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end
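A route lookup against the posted configuration, added here as an example and not part of the original post: it parses the interface addresses and the single `route` line from a constructed excerpt of the config above, then reports which interface a ping to a 10.7.0.0/20 address would leave on. The post redacts the outside-2 addresses, so RFC 5737 documentation addresses are assumed in their place.

```python
import ipaddress

# Constructed excerpt of the posted "show run": the addressed interfaces and
# the only route on the box. The outside-2 addresses are redacted in the post,
# so RFC 5737 documentation addresses (assumed placeholders) stand in for them.
ASA_CONFIG = """
interface GigabitEthernet1/6
 nameif outside-2
 ip address 203.0.113.2 255.255.255.252
interface Port-channel1.101
 nameif User-LAN
 ip address 10.68.55.251 255.255.255.0
interface Port-channel1.999
 nameif Management
 ip address 10.68.48.251 255.255.255.0
route outside-2 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def parse_routes(config):
    """Build the routing table: connected subnets plus static 'route' lines."""
    routes, nameif = [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif = None                      # new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()
            routes.append((ipaddress.ip_network(f"{ip}/{mask}", strict=False),
                           nameif, "connected"))
        elif line.startswith("route "):
            _, ifname, dst, mask, next_hop = line.split()[:5]
            routes.append((ipaddress.ip_network(f"{dst}/{mask}", strict=False),
                           ifname, next_hop))
    return routes

def lookup(routes, dest):
    """Longest-prefix match, which is how the ASA picks the egress interface."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def leaves_via_default(routes, dest):
    """True when dest matches only 0.0.0.0/0, i.e. it is sent toward the internet."""
    best = lookup(routes, dest)
    return best is not None and best[0].prefixlen == 0

ROUTES = parse_routes(ASA_CONFIG)
```

With only a default route present, `lookup(ROUTES, "10.7.0.1")` resolves to outside-2, so a ping to that subnet never heads toward the internal network; a static route for the other internal subnets via the inside next hop is the kind of entry the lookup would then pick instead.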

