    14 September 09

    How quickly can you troubleshoot an ASA firewall configuration?

    Posted by INE

    It was a dark, cold night in late December, and Bob (the optimistic firewall technician) had a single ASA to deploy before going home for the holidays. The requirements for the firewall were simple. Bob read them slowly as follows:

    1. R1 should be able to ping the server "Radio.INE.com" by name.
    2. PC should be able to ping the server "Radio.INE.com" by name.

    Bob also read the background information to see if this was something he could finish before leaving the office. Bob read the following:

    The DNS server maps radio.ine.com to the global address 136.1.122.100.
    All devices have appropriate routes in place.
    R1 and the PC are both configured to use the DNS server at 136.1.122.2.
    The DNS server, PC, R1 and the supporting L2 switchports for the ASA are configured correctly.

    Bob also looked at the diagram:

    [Diagram: Bob's Quick Installation Gone Wrong]

    Bob put the following together in Notepad, and then quickly pasted it into the ASA using SecureCRT:

    !************ begin ASA configuration ************

    enable

    conf  t
    clear config all

    no nat-control
    hostname ASA1
    interface Ethernet0/0
    nameif outside
    ip address 136.1.122.10 255.255.255.0
    interface Ethernet0/1
    nameif inside
    ip address 172.16.16.10 255.255.255.0
    interface Ethernet0/2
    nameif dmz
    ip address 10.0.0.10 255.255.255.0
    nat (inside) 1 172.16.16.0 255.255.255.0
    nat (dmz) 1 10.0.0.0 255.255.255.0
    global (outside) 1 interface
    access-list outside permit tcp any host 136.1.122.100 eq www
    access-list outside permit icmp any host 136.1.122.100 echo
    access-group outside in interface outside
    static (dmz,outside) 136.1.122.100 10.0.0.100

    wr

    !************end ASA configuration*************

    After waiting a few moments, Bob went to R1, issued the following command and hoped for the best:

    Ping radio.INE.com

    The ping failed. He tried the same ping from the PC, which also failed. As much as Bob “hoped” it would work, it didn’t, and Bob secretly wished he had the skills and knowledge of a Security CCIE that would allow him to quickly solve the configuration problem so he could go home for the holidays.

    My fellow CCIE bloggers and INE fans, your mission, should you choose to accept it, is to identify the missing and/or incorrect elements that need to be in place for successful pings to radio.ine.com from the PC and R1.

    There is more than one way to solve this, and there are between 5 and 7 corrections that need to take place.
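    As an added starting point for your audit (this is not INE's code and not the answer key), the helper below parses the interface stanzas of a pasted ASA configuration and reports interface state only, leaving the rest of the puzzle to you. It assumes two ASA defaults: an interface stays administratively down until `no shutdown` is entered, and a nameif of `inside` implies security-level 100 while any other nameif implies 0 unless `security-level` is set explicitly.

```python
# Constructed copy of Bob's interface stanzas plus one global command.
BOB_CONFIG = """
interface Ethernet0/0
nameif outside
ip address 136.1.122.10 255.255.255.0
interface Ethernet0/1
nameif inside
ip address 172.16.16.10 255.255.255.0
interface Ethernet0/2
nameif dmz
ip address 10.0.0.10 255.255.255.0
global (outside) 1 interface
"""

def parse_interfaces(config):
    # Assumed ASA defaults: interfaces stay shut until 'no shutdown';
    # nameif 'inside' implies security-level 100, any other nameif 0.
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": None, "security_level": None, "shutdown": True}
            interfaces[line.split()[1]] = current
        elif current is None or not line:
            continue  # global command or blank line: nothing to record
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            current["security_level"] = int(line.split()[1])
        elif line in ("shutdown", "no shutdown"):
            current["shutdown"] = line == "shutdown"
        elif not line.startswith("ip address "):
            current = None  # any other command ends the stanza
    for ifc in interfaces.values():
        if ifc["security_level"] is None:
            ifc["security_level"] = 100 if ifc["nameif"] == "inside" else 0
    return interfaces

def audit(config):
    """Findings: administratively down interfaces and shared security levels."""
    findings, by_level = [], {}
    for name, ifc in parse_interfaces(config).items():
        if ifc["shutdown"]:
            findings.append(f"{name} ({ifc['nameif']}) is administratively down")
        by_level.setdefault(ifc["security_level"], []).append(ifc["nameif"])
    for level, names in by_level.items():
        if len(names) > 1:
            findings.append(f"{' and '.join(names)} share security-level {level}; "
                            "traffic between them needs same-security-traffic permit")
    return findings
```

    Running audit(BOB_CONFIG) lists every interface as down and flags outside and dmz as sharing level 0; feed it your corrected paste and the list should shrink accordingly.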

    Will you assist BOB?

