
I am trying to configure the network below.

I am not able to open http://142.12.56.68 from public laptop.

I am able to ping to firewall 192.158.99.1 from VLAN20 laptop0.

I have the configurations below on the ASA and the multilayer switch. Please let me know what else I need to do to complete this network.

ciscoasa(config)#show run
: Saved
:
ASA Version 9.6(1)
!
hostname ciscoasa
names
!
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 192.168.99.1 255.255.255.252
!
interface GigabitEthernet1/2
 nameif dmz
 security-level 50
 ip address 172.16.1.0 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 *****
!
!
interface Management1/1
 management-only
 nameif outside
 security-level 0
 ip address 148.12.56.67 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 *****
!
webvpn
 enable outside
object network DMZ
 subnet 172.16.1.0 255.255.255.0
object network LAN
 subnet 192.168.20.0 255.255.255.0
object network webserver
 host 172.16.1.10
object network webserver-external-ip
 host 148.12.56.68
!
route outside 192.168.99.0 255.255.255.252 148.12.56.68 1
!
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit tcp any object webserver eq www
access-list OUTSIDE extended permit tcp any host 148.12.56.68 eq www
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any unreachable
!
!
access-group OUTSIDE in interface outside
object network DMZ
 nat (dmz,outside) dynamic interface
object network LAN
 nat (inside,outside) dynamic interface
object network webserver
 nat (dmz,outside) static 148.12.56.68
!
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp 
!
service-policy global_policy global
!
telnet timeout 5
ssh timeout 5
!
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 network 192.168.99.0 255.255.255.252 area 0
 network 148.12.56.0 255.255.255.0 area 0
 network 171.16.1.0 255.255.255.0 area 1
 network 172.16.1.0 255.255.255.0 area 1
!

For the multilayer switch I have the following:

S1#show run
Building configuration...

Current configuration : 1840 bytes
!
version 12.2(37)SE1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname S1
!
ip routing
!
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/4
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/5
 no switchport
 ip address 192.168.99.2 255.255.255.252
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 mac-address 000c.8551.6601
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 mac-address 000c.8551.6602
 ip address 192.168.20.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 192.0.0.0 0.255.255.255 area 0
 network 172.16.1.0 0.0.0.255 area 1
end

[Network Diagram]

linda

1 Answer


You are using the Management interface in management-only mode, therefore you can only use this interface to manage the ASA. As far as I know, you cannot remove the management-only option from the management interface.

packet-tracer command example:

packet-tracer input outside tcp <laptop_ip> 148.12.56.68 80

At the end of the output you can see the Action line, which shows the final action. The next line will show you the reason if the action is drop.

You can also check the ASA log entries. You should always configure the logging feature!!! Minimal logging configuration:

logging enable
logging timestamp
logging buffered informational
logging buffer-size 16384

The above configuration will add a timestamp to all log messages, the log severity level is informational, and the buffer holds 16M of log messages.

For more information about ASA logging: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/monitor-syslog.html

You can find more information about log severity levels here: https://en.wikipedia.org/wiki/Syslog#Severity_level

To send log messages to a central log server:

logging host <asa_interface> <remote_log_server_ip> <protocol/port/>

Example: the log messages will be sent from the inside interface to the remote server 192.168.1.1 on udp/514 (standard/legacy syslog protocol and port):

logging host inside 192.168.1.1 udp

I think log messages are one of your best friends for troubleshooting!

GuBo
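As an added example (not code from the thread or from Cisco), a small Python audit that applies the point made in the answer: it parses an ASA-style running-config into interface blocks, flags any management-only interface that data-plane rules (access-group, NAT) reference by its nameif, and checks that logging is enabled. The sample config is a trimmed copy of the ASA config posted in the question.

```python
"""Audit an ASA running-config for a management-only interface that carries
data-plane policy, and for missing logging. Added example, not from the thread."""
import re

# Constructed sample: trimmed from the ASA config posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif inside
 security-level 100
interface Management1/1
 management-only
 nameif outside
 security-level 0
access-group OUTSIDE in interface outside
object network webserver
 nat (dmz,outside) static 148.12.56.68
"""

def parse_interfaces(config):
    """Map each nameif to its physical port and whether it is management-only."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"port": line.split(None, 1)[1], "nameif": None, "management_only": False}
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            cmd = line.strip()
            if cmd.startswith("nameif "):
                current["nameif"] = cmd.split()[1]
            elif cmd == "management-only":
                current["management_only"] = True
        else:
            current = None  # any other top-level line ends the interface block
    return {b["nameif"]: b for b in blocks if b["nameif"]}

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for nameif, info in parse_interfaces(config).items():
        if not info["management_only"]:
            continue
        # A management-only interface never forwards through-traffic, so any
        # access-group or NAT rule bound to it can never match real flows.
        acl = re.findall(r"^access-group (\S+) in interface %s$" % re.escape(nameif), config, re.M)
        nat = re.findall(r"^ nat \((\w+),%s\)" % re.escape(nameif), config, re.M)
        if acl or nat:
            findings.append(f"{info['port']} ({nameif}) is management-only but is referenced by "
                            f"access-group {acl} and NAT from {nat}; through-traffic will be dropped")
    if not re.search(r"^logging enable$", config, re.M):
        findings.append("logging is not enabled; add 'logging enable' and 'logging buffered informational'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```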
  • I changed my management interface from firewall to GigabitEthernet. I tried the command below on the asa to show the trace (192.168.20.3 is the IP address of laptop 0): packet-tracer input outside tcp 192.168.20.3 148.12.56.68 80. But it says invalid command. – linda Apr 19 '20 at 17:39
  • The packet-tracer command can be used in privileged EXEC mode, so you must run ```enable``` command before ```packet-tracer``` command. – GuBo Apr 19 '20 at 18:18
  • By the way, I thought public laptop's IP address, not internal one. – GuBo Apr 19 '20 at 18:21
  • Ohh, OK, I think I misunderstood it. This is my first network in Packet Tracer. I wanted to learn the ASA firewall. I will check it with the public laptop. Thank you. – linda Apr 19 '20 at 19:31
  • I tried the command below in privileged EXEC mode on the asa, but it still says invalid command: ciscoasa#packet-tracer input outside tcp 172.16.1.100 148.12.56.68 80 ^ % Invalid input detected at '^' marker. ciscoasa# – linda Apr 19 '20 at 19:34
  • The ^ sign shows you where the problem is. As I understood, you have changed the configuration. Do you have an interface whose name is outside? – GuBo Apr 20 '20 at 05:50
  • I think I found the problem. Sorry for the typo. The right command is ```packet-tracer input outside tcp 172.16.1.100 1234 148.12.56.68 80```. I forgot to add the source TCP port. – GuBo Apr 20 '20 at 05:56
  • I recommend using the Cisco documentation. You can download it and read it online without registration. – GuBo Apr 20 '20 at 06:00