Help config ASA5510 (version 8.3)

JerryBu01

Junior Member
Mar 19, 2013
Hi everyone,

I have an IP range 192.168.100.0/24 behind a Cisco ASA5510 with full internet access now.
And I configured:
Range 1: IP from 192.168.100.1 to 192.168.100.25: full internet access
Range 2: IP from 192.168.100.26 to 192.168.100.254: permit some webpages, email, https

After I configured it, the ASA blocks all traffic. I don't understand why; please help me to solve this problem.

object network FullAccess
range 192.168.100.1 192.168.100.25
nat (inside,outside) dynamic interface

object network DenyAccess
range 192.168.100.26 192.168.100.254
nat (inside,outside) dynamic interface

access-list inside_in permit tcp any any eq 25
access-list inside_in permit tcp any any eq 110
access-list inside_in permit tcp any any eq 80
access-list Inside_in permit ip object FullAccess any
access-list Inside_in deny ip object DenyAccess any

access-group inside_in in interface inside

regex url1 "vdict\.com"
regex url2 "translate\.google\.com\.vn"
regex url3 "lienhoagroup\.com"
regex url4 "forevergreenresort\.com"

class-map type inspect http match-any block-url-class
match request header host regex url1
match request header host regex url2
match request header host regex url3
match request header host regex url4

policy-map type inspect http block-url-policy
parameters
class block-url-class
drop-connection log

policy-map global_policy
class inspection_default
inspect http block-url-policy
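Added example, not code from the thread or from Cisco: a small Python model of how the ASA evaluates an inbound access-list (top down, first match wins, implicit deny at the end), run over the five access-list lines exactly as posted above. It assumes ASA access-list names are case-sensitive, so `inside_in` and `Inside_in` are two separate lists and only `inside_in` is bound by the `access-group`; the sample flows and the destination address are constructed.

```python
import ipaddress

# Address objects from the post ("object network ... range" statements).
OBJECTS = {
    "FullAccess": (ipaddress.IPv4Address("192.168.100.1"),
                   ipaddress.IPv4Address("192.168.100.25")),
    "DenyAccess": (ipaddress.IPv4Address("192.168.100.26"),
                   ipaddress.IPv4Address("192.168.100.254")),
}

# The access-list lines exactly as they appear in the post.
POSTED_ACL = """\
access-list inside_in permit tcp any any eq 25
access-list inside_in permit tcp any any eq 110
access-list inside_in permit tcp any any eq 80
access-list Inside_in permit ip object FullAccess any
access-list Inside_in deny ip object DenyAccess any
"""


def _parse_addr(tokens, pos):
    """Parse 'any' or 'object NAME' (the only address forms used in the post)."""
    if tokens[pos] == "any":
        return ("any", None), pos + 1
    if tokens[pos] == "object":
        return ("object", tokens[pos + 1]), pos + 2
    raise ValueError(f"unsupported address spec: {tokens[pos]}")


def parse_acl(text, case_sensitive=True):
    """Parse 'access-list NAME ACTION PROTO SRC DST [eq PORT]' lines into
    {name: [rule, ...]}, keeping the order in which they were entered.
    Assumption: names are case-sensitive, as on the ASA; case_sensitive=False
    folds them together to show what a single merged list would do."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        name = tokens[1] if case_sensitive else tokens[1].lower()
        action, proto = tokens[2], tokens[3]
        src, pos = _parse_addr(tokens, 4)
        dst, pos = _parse_addr(tokens, pos)
        port = int(tokens[pos + 1]) if pos < len(tokens) and tokens[pos] == "eq" else None
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst,
             "port": port, "line": line})
    return acls


def _addr_matches(spec, ip):
    kind, name = spec
    if kind == "any":
        return True
    lo, hi = OBJECTS[name]
    return lo <= ip <= hi


def evaluate(rules, src_ip, proto, dport, dst_ip="203.0.113.10"):
    """First matching line decides; no match is the ASA's implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for rule in rules:
        if rule["proto"] not in ("ip", proto):
            continue
        if not (_addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst)):
            continue
        if rule["port"] is not None and rule["port"] != dport:
            continue
        return rule["action"], rule["line"]
    return "deny", "implicit deny (end of ACL)"


# Constructed sample flows: (source, protocol, destination port).
FLOWS = [
    ("192.168.100.10", "udp", 53),    # DNS from the full-access range
    ("192.168.100.10", "tcp", 443),   # HTTPS from the full-access range
    ("192.168.100.10", "tcp", 80),    # HTTP from the full-access range
    ("192.168.100.100", "tcp", 443),  # HTTPS from the restricted range
    ("192.168.100.100", "tcp", 25),   # SMTP from the restricted range
]


def verdicts(applied_name="inside_in", case_sensitive=True):
    """Verdict per sample flow for the list the access-group actually binds."""
    acls = parse_acl(POSTED_ACL, case_sensitive)
    rules = acls.get(applied_name if case_sensitive else applied_name.lower(), [])
    return {(s, p, d): evaluate(rules, s, p, d)[0] for s, p, d in FLOWS}


if __name__ == "__main__":
    for label, cs in (("as applied (names case-sensitive)", True),
                      ("if all five lines were one list", False)):
        print(label)
        for flow, verdict in verdicts(case_sensitive=cs).items():
            print(f"  {flow[0]:>16} {flow[1]}/{flow[2]:<4} -> {verdict}")
```

As applied, the bound list permits only tcp/25, tcp/110 and tcp/80 from anyone; DNS (udp/53) and HTTPS fall to the implicit deny for every host, and without name resolution nearly everything looks blocked. Even if the five lines were one list, the second range would still get no DNS or HTTPS, so the stated goal needs explicit permits for those ports ahead of the deny line. The `inspect http` policy further down filters hostnames inside already-permitted HTTP connections and does not open anything the access-list denies.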
 

Danimal1209

Senior member
Nov 9, 2011
You also need an access list for the outside interface to allow traffic back in.

If the 5510 is nearly the same as the 5505, the device is not stateful (it does not keep track of current connections).
 

Lithium381

Lifer
May 12, 2001
Umm... the 5505 is stateful.
Do you have routing set up properly with the internet gateway? I don't see the IP config (you can replace the first three octets with XX so you can post it here).

Edit: it doesn't support stateful failover, however.
 

Danimal1209

Senior member
Nov 9, 2011
I've been using the 5505 at school in the lab for over a year. Always have to set up an outside ACL to allow traffic back in.
 

Lithium381

Lifer
May 12, 2001
> I've been using the 5505 at school in the lab for over a year. Always have to set up an outside ACL to allow traffic back in.

Curious.

Suppose this is a question for both of you then:

Do you have your interface security levels set up correctly and/or
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
configured?
 

thecoolnessrune

Diamond Member
Jun 8, 2005
I have a 5505 and on mine outgoing traffic is good to go. Traffic goes out and goes back in with a single policy. In situations where it isn't done in one rule, ASDM creates the rules while it creates the policy.
 

Danimal1209

Senior member
Nov 9, 2011
I've been using CLI for everything. This accounts for the discrepancy.

Also, by default, a higher privilege level will allow all traffic to a lower privilege level.