tarragompie

asked:
Basic Cisco ASA 5510 Config Question

We have recently bought a Cisco ASA 5510. I just need some help to get it to route traffic from the router to the LAN. Currently the router is doing the NAT. I have set the second IP for IP routing on the router to 192.169.2.1 255.255.255.0. I’ve also enabled RIP Protocol Control for the second subnet. Here is the current running config. Please advise on how to get it working and on any configuration improvements.

ASA Version 7.0(4)              Conf
!u
hostname ciscoasace test          
domain-name efficio2.com, and interf
  snmp    
enable password 7S8ePYKfPDzMXKcC encrypted      
  undebug         Disable debugging
namesions
!
interface Ethernet0/0  Configure an snmp-m
 description Int0 WAN              
     
 nameif Int0            
 security-        
 nameif Int1            
 security-level 100       Configure SS
 ip address 11.0.131.5 255.255.255.0nning configuratio
  ssl            
!
interface Ethernet0/2ions                
 shutdown        
 no nameif  static  
 no security-levela higher security
 no ip addressess to globaln
!g
interface Management0/0le                    
 nameif management    

           
 security-level 100        

  termin
 ip address 192.168.1.1 255.255.255.0 Create SUNRPC services table        
 management-onlyonfigure?      
!
passwd 2KFQnbNIdI.2KYOU encrypted Set system functional options  
ftp mode passivencomplete comman
access-list Int0_access_in extended permit tcp interface Int0 interface Int1P inspection              
ciscoasa(config)# ?                  

  aaa  
access-list Int0_access_in extended permi ac                                    
           
mtu management 1500s for IPSec connect
mtu Int1 1500            
mtu Int0 1500            
ERROR: Command requires failover licenseicy by which the tunnel-group name is  
ERROR: Command requires failover license    Configure Device Manager
         
asdm image disk0:/asdm-504.bin      
                       
access-group Int0_access_in in interface Int0      Configure a list of URLs for use with W
timeout xlate 3:00:00Configure login/sessi
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 a URL filtering server   Set system boot parameters            
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00tication local databasety                                    
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00  Configure address for authentication virtual servers
timeout uauth 0:05:00 absolute      
  class-map          
http server enablevpn-addr-assign  
http 192.168.1.0 255.255.255.0 managementsignment policy      Clear              
http 192.168.2.0 255.255.255.0 Int0     Configure
  vpn-sessiondb    
no snmp-server locatio                    
telnet timeout 5ig-register    
ssh timeout 5confi
ciscoas
console timeout 0                
dhcpd address 192.168.1.2-192.168.1.254 management       Configure us
  http    http-map            
dhcpd lease 3600onfig)# http ?  
dhcpd ping_timeout 50

configure mode comm
dhcpd enable management                    
 
!o
class-map inspection_default IP address of the host and/
 match default-inspection-traffic                                
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Thanks all!!
Cyclops3590

Your configuration makes no sense. I assume you tried to capture it through HyperTerminal in Windows. Please try again so that it's readable.

You can do that via Transfer -> Capture Text,
then after you finish the show run
end the capture and post the contents of the capture file.
tarragompie (ASKER)

show run
: Saved
:
ASA Version 7.0(4)
!
hostname ciscoasa
domain-name efficio2.com
enable password 7S8ePYKfPDzMXKcC encrypted
names
!
interface Ethernet0/0
 description Int0 WAN
 nameif Int0
 security-level 0
 ip address 72.188.129.11 255.255.255.248
!
interface Ethernet0/1
 description Int1 LAN
 nameif Int1
 security-level 100
 ip address 10.0.131.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list web extended permit tcp 10.0.131.0 255.255.255.0 host 72.188.129.11 eq www
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Int1 1500
mtu Int0 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm-504.bin
asdm history enable
arp timeout 14400
global (Int1) 1 10.0.131.2
global (Int0) 1 10.0.131.2
nat (Int1) 1 access-list web
nat (Int1) 1 10.0.131.5 255.255.255.255
nat (Int1) 1 10.0.131.0 255.255.255.0
nat (Int1) 0 0.0.0.0 0.0.0.0
nat (Int0) 1 72.188.129.11 255.255.255.255
nat (Int0) 1 72.188.129.11 255.255.255.248
nat (Int0) 1 72.188.129.0 255.255.255.0
nat (Int0) 1 72.188.0.0 255.255.0.0
route Int1 10.0.131.5 255.255.255.255 10.0.131.11 1
route Int0 0.0.0.0 0.0.0.0 72.188.10.77 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.131.5 255.255.255.255 Int1
http 192.168.2.0 255.255.255.0 Int0
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
ciscoasa#

I have changed the IPs just for security reasons, so basically we just want it up and running. The way it is set up is the ADSL comes into the router at address 72.188.129.11. The router does the NAT; from the router it goes into Int0 of the Cisco ASA 5510. From Int1 of the Cisco ASA 5510 it is plugged into the LAN (switch). Please advise on steps.

Many thanks!
Remove all of these lines:

global (Int1) 1 10.0.131.2
global (Int0) 1 10.0.131.2
nat (Int1) 1 access-list web
nat (Int1) 1 10.0.131.5 255.255.255.255
nat (Int1) 1 10.0.131.0 255.255.255.0
nat (Int1) 0 0.0.0.0 0.0.0.0  <== this means don't nat anything ! !
nat (Int0) 1 72.188.129.11 255.255.255.255
nat (Int0) 1 72.188.129.11 255.255.255.248
nat (Int0) 1 72.188.129.0 255.255.255.0
route Int1 10.0.131.5 255.255.255.255 10.0.131.11 1

Try it like this:
interface Ethernet0/0
 description Int0 WAN
 nameif outside  <== makes it easier to relate to

interface Ethernet0/1
 description Int1 LAN
 nameif inside  <== again, easier to relate to. These should have been the defaults

global (outside) 1 interface
nat (inside) 1 0 0 0

policy-map global_policy
 inspect icmp

>The router does the NAT, from the router it goes into int0 of the cisco asa 5510
Are you sure this router does NAT? I'm assuming your ASA gets a public IP address for the WAN side and you want the ASA to do the NAT?


Good day lrmoore,

Thank you very much for your help. Have made the changes you suggested and here follows the new config file:

sh run
: Saved
:
ASA Version 7.0(4)
!
hostname Efficio
domain-name efficio2.com
enable password 7S8ePYKfPDzMXKcC encrypted
names
!
interface Ethernet0/0
 description Outside Interface - WAN
 nameif outside
 security-level 0
 ip address 82.108.129.107 255.255.255.248
!
interface Ethernet0/1
 description Int1 LAN
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.131.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list inbound extended permit tcp any host 82.108.129.105 eq smtp
access-list inbound extended permit tcp any host 82.108.129.105 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm-504.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 82.108.129.105 255.255.255.255
nat (outside) 1 82.108.129.104 255.255.255.248
nat (outside) 1 82.108.129.0 255.255.255.0
nat (outside) 1 82.108.0.0 255.255.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.108.10.77 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 outside
http 10.0.131.5 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect icmp
!
service-policy global_policy global
pop3s
 server sam
 default-group-policy DfltGrpPolicy
 authentication piggyback
smtps
 server sam
 default-group-policy DfltGrpPolicy
Cryptochecksum:21e8e387ac02b14b9405fc5b4131dae2
: end

Efficio(config)#

It is setup as follows

Router (82.108.129.105 - public / 10.0.131.11 - private) Router does the NAT e.g. ftp to 10.0.131.1
               |      
Cisco ASA (82.108.129.107 - public / 10.0.131.5 - private)
               |
Lan (10.0.131.x)

Please advise.

Thank you in advance.
Do not use any nat (outside) statements
Remove these:
>nat (outside) 1 82.108.129.105 255.255.255.255
>nat (outside) 1 82.108.129.104 255.255.255.248
>nat (outside) 1 82.108.129.0 255.255.255.0
>nat (outside) 1 82.108.0.0 255.255.0.0

>Router (82.108.129.105 - public / 10.0.131.11 - private) Router does the NAT e.g. ftp to 10.0.131.1
Disable all NAT on the router

Create new static nat statements on the ASA
  static (inside,outside) 82.108.129.105 10.0.131.1 netmask 255.255.255.255
                                      ^^ public IP      ^^ Private IP


Have done this except disabling the NAT on the router, if I do this what device does the NAT then?

Many thanks
the asa firewall
does it with these commands lrmoore gave you

global (outside) 1 interface
nat (inside) 1 0 0 0
Guys, thanks so much for these prompt responses, it's helping a lot.

Just need some clarity quickly.

So the ASA allows all NAT traffic then, if you setup and specify the NAT on the firewall is it then more secure?

How can I delete the following?

>nat (outside) 1 82.108.129.105 255.255.255.255
>nat (outside) 1 82.108.129.104 255.255.255.248
>nat (outside) 1 82.108.129.0 255.255.255.0
>nat (outside) 1 82.108.0.0 255.255.0.0

Using the following command:

Efficio# clear nat (inside) 1 82.108.129.105 255.255.255.255

Thanks very much
retype the text with no in front
example
no nat (outside) 1 82.108.129.105 255.255.255.255
then repeat for the other 3
>How can I delete the following?

Most any command can be deleted with "no" followed by the command:

efficio#config t
efficio(config)#no nat (outside) 1 82.108.129.105 255.255.255.255
efficio(config)#no nat (outside) 1 82.108.129.104 255.255.255.248
efficio(config)#no nat (outside) 1 82.108.129.0 255.255.255.0
efficio(config)#no nat (outside) 1 82.108.0.0 255.255.0.0

Thanks very much guys will give this a go
>class-map inspection_default
> match default-inspection-traffic

Am I missing something here? He's matching something called default-inspection-traffic but nothing with that name exists.

Also, make sure that the outside router has a route to the LAN with its next hop pointing at 82.108.129.107.

Also, I see this:
route outside 0.0.0.0 0.0.0.0 82.108.10.77 1

along with:
interface Ethernet0/0
 description Outside Interface - WAN
 nameif outside
 ip address 82.108.129.107 255.255.255.248

The default route has to point to a next hop and there's no way that 82.108.10.77 is in the same subnet as 82.108.129.107. So unless these are fake addresses and you messed up in your substitution, you need to fix the default route.
Hi there Mike,

Would you mind providing the commands for the steps you described in your post?

Thanks
Regarding "match default-inspection-traffic" I don't know what to tell you, I'm simply pointing out that there's a discrepancy that needs to be addressed. I don't know where that came from.

Regarding the default route, you can do this:
no route outside 0.0.0.0 0.0.0.0 82.108.10.77 1
route outside 0.0.0.0 0.0.0.0 [the ip address of the outside router] 1

And as I said, on the other router make sure you have:
ip route 10.0.131.0 255.255.255.0 82.108.129.107

That assumes of course that the router and the ASA are indeed sharing that same IP subnet; perhaps you should double-check the addressing between the outside router and the ASA?
>>class-map inspection_default
>> match default-inspection-traffic
>Am I missing something here? He's matching something called default-inspection-traffic but nothing with that name exists.

default-inspection-traffic is a built-in acl matching the commonly inspected port/protocols in 7.X

Here's the text from my firewall

  default-inspection-traffic  Match default inspection traffic:
                              ctiqbe----tcp--2748      dns-------udp--53
                              ftp-------tcp--21        gtp-------udp--2123,3386
                              h323-h225-tcp--1720      h323-ras--udp--1718-1719
                              http------tcp--80        icmp------icmp
                              ils-------tcp--389       mgcp------udp--2427,2727
                              netbios---udp--137-138   rpc-------udp--111
                              rsh-------tcp--514       rtsp------tcp--554
                              sip-------tcp--5060      sip-------udp--5060
                              skinny----tcp--2000      smtp------tcp--25
                              sqlnet----tcp--1521      tftp------udp--69
                              xdmcp-----udp--177
Also, if the router is doing the NAT, then you should look at potentially running the ASA in transparent mode, because the router shouldn't know anything about the internal network segment if you are using public IPs on the firewall.

Can you just forward the 82.108.129.107 255.255.255.248 range from the router to the firewall and then just have the firewall do that NAT, or does your ISP manage the router so you can change that stuff?
Thanks guys, to clarify, this is our setup:

   Internet
       |
82.108.129.105
   Router (Also has private address of 10.0.131.11)
       |
82.108.129.107
  Cisco ASA
10.0.131.5
       |
10.0.131.X
     LAN

Does this help
OK, someone correct me if I'm wrong, but wouldn't tarragompie be better off setting his firewall in transparent mode or doing something like this, then?

access-list nonat permit ip any any
nat (inside) 0 access-list nonat
nat (outside) 0 access-list nonat

Essentially getting rid of any NAT/PAT operations on the firewall. However, I've never done something like that before so am not 100% positive. I'll look at transparent mode a little more. I'm thinking that's the way to go, maybe.
Ok guys here is the new and improved config, updated according to your support:

sh run
: Saved
:
ASA Version 7.0(4)
!
hostname Efficio
domain-name efficio2.com
enable password 7S8ePYKfPDzMXKcC encrypted
names
!
interface Ethernet0/0
 description Outside Interface - WAN
 nameif outside
 security-level 0
 ip address 82.108.129.107 255.255.255.248
!
interface Ethernet0/1
 description Int1 LAN
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.131.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list inbound extended permit tcp any host 82.108.129.105 eq smtp
access-list inbound extended permit tcp any host 82.108.129.105 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm-504.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 82.108.129.105 11.0.131.2 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 82.108.129.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 outside
http 11.0.131.5 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect icmp
!
service-policy global_policy global
pop3s
 server sam
 default-group-policy DfltGrpPolicy
 authentication piggyback
smtps
 server sam
 default-group-policy DfltGrpPolicy
Cryptochecksum:296c2d85e297072d57e5898eba2eb4a8
: end

Anything else need to change?

Thank you very much
I guess I'm still confused. Now the inside interface of the router has a 10.0.131.x/24 private address, as does the inside of your firewall. There has got to be a routing problem there. The inside of the router and the outside of the firewall are in two different IP segments. How can they communicate?

Am I just missing something there?
I agree. Why does the router have a private inside address and the firewall a public outside address? If they are connecting to each other they need to be in the same subnet. I also agree that if it can be put in transparent mode it will solve several problems, as it gets out of the routing game altogether and only needs a management IP, which should be on the inside.

thanks for the clarification on the inspection policy, I don't have one of those jobbers.
no problem
Should the outside interface of the Cisco ASA have a public IP address (82.108.129.107), or should both the outside and inside interface have a private IP address (10.0.131.x) and only the router have a public IP address (82.108.129.105)?

Please advise
In your current setup you need to have a subnet in between the ASA and the router so that the ASA's outside interface and the router's inside interface can speak to each other. This has to be different from your router's outside public subnet and the LAN subnet. I would use something like 10.0.100.1 and 10.0.100.2.
Maybe things would be a little easier and clearer if we had the configuration of the router as well. This will help ensure an optimal configuration and design; please post it here.

Cheers,
Rajesh

By applying a different subnet between the router and ASA (changing the router's LAN address), does that then mean changing the default gateway on the server too? Is there anything else that needs to change anywhere?

Many thanks
The Router has the following setup:

LAN: 10.0.100.1
WAN: 82.108.129.105

Port Redirection Table:

Pptp – TCP – 1723 – 10.0.131.2
Smtp – TCP – 25 – 10.0.131.8
POP3 – TCP – 110 – 10.0.131.8
FTP – TCP – 21 – 10.0.131.3

NAT>>DMZ Host Setup

Aux. WAN Setup
82.108.129.105 – Router
82.108.129.106 – SharePoint Server

NAT>>Open Ports Setup

Name           Aux. WAN IP         Local IP

Email          82.108.129.105     10.0.131.8
SharePoint  82.108.129.106     10.0.131.4
>By applying a different subnet between the router and ASA (changing the router's LAN address), does that then mean changing the default gateway on the server too? Is there anything else that needs to change anywhere?

Absolutely. Anything that refers to the IP addresses of those 2 interfaces will have to change.

Right now the ASA and the router are configured as if they were in parallel but they have to be in series, to use electrical circuit terminology.
Just to throw this out there:
 ASA has a L2 drop-in transparent mode where you can have the same IP subnet on both sides

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b68.html

I think someone mentioned that possibility earlier; that would make life simpler because the ASA is no longer an IP hop. But it will probably require completely reconfiguring the ASA.
Thanks so much guys,

Reconfigured the router with transparent mode, get www traffic fine.

How do I configure it that it allows the following traffic:

pptp  TCP  1723  10.0.100.2
smtp TCP  25      10.0.100.8
pop3 TCP  110    10.0.100.8
ftp    TCP  21      10.0.100.3
https TCP  444    10.0.100.4

Please advise, here follows the new config:

sh run
: Saved
:
ASA Version 7.0(4)
!
firewall transparent
hostname efficio
domain-name efficio2.com
enable password 7S8ePYKfPDzMXKcC encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list PPTP extended permit gre any host 10.0.100.2
access-list SMTP extended permit tcp any host 10.0.100.8 eq smtp
access-list POP3 extended permit tcp any host 10.0.100.8 eq pop3
access-list ftp extended permit tcp any host 10.0.100.3 eq ftp
access-list HTTPS extended permit tcp any host 10.0.100.4 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip address 10.0.100.5 255.255.255.0
ERROR: Command requires failover license
ERROR: Command requires failover license
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:147026f71ff2fcc71a043a44ccf98777
: end

Thanks for all the help so far
>access-list PPTP extended permit gre any host 10.0.100.2
>access-list SMTP extended permit tcp any host 10.0.100.8 eq smtp
>access-list POP3 extended permit tcp any host 10.0.100.8 eq pop3
>access-list ftp extended permit tcp any host 10.0.100.3 eq ftp
>access-list HTTPS extended permit tcp any host 10.0.100.4 eq https

Remove all of those and just create one access-list and then apply the access-group to the interface:

access-list INBOUND permit gre any host 10.0.100.2
access-list INBOUND permit tcp any host 10.0.100.8 eq smtp
access-list INBOUND permit tcp any host 10.0.100.8 eq pop3
access-list INBOUND permit tcp any host 10.0.100.3 eq ftp
access-list INBOUND permit tcp any host 10.0.100.4 eq https
access-group INBOUND in interface outside
Thanks guys our firewall is up and running.

Just to note, when running the firewall in transparent mode you have to apply the access list to both interfaces.

The only problem we still have is getting VPN connection.

We make use of windows VPN on PPTP TCP 1723

Any advice on how to get this working?

Thanks again
Hi there,

I had configured our firewall in transparent mode as suggested, all was working fine. The reason we got the Cisco ASA 5510 is so we can make use of the WebVPN application. This application can only be used when the firewall is in routed mode.

Please would you advise what needs to change on configuration as I am not even getting web access with.

Your help is much appreciated.

ASA Version 7.0(4)
!
hostname efficio
domain-name efficio2.com
enable password 7S8ePYKfPDzMXKcC encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.100.2 255.255.0.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.131.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list INBOUND extended permit gre any host 10.0.131.2
access-list INBOUND extended permit tcp any host 10.0.131.8 eq smtp
access-list INBOUND extended permit tcp any host 10.0.131.8 eq pop3
access-list INBOUND extended permit tcp any host 10.0.131.3 eq ftp
access-list INBOUND extended permit tcp any host 10.0.131.4 eq https
access-list INBOUND extended permit tcp any host 10.0.131.8 eq www
access-list INBOUND extended permit tcp any host 10.0.131.4 eq www
access-list INBOUND extended permit udp any any
access-list OUTBOUND extended permit gre any any
access-list OUTBOUND extended permit tcp any any eq smtp
access-list OUTBOUND extended permit tcp any any eq pop3
access-list OUTBOUND extended permit tcp any any eq ftp
access-list OUTBOUND extended permit tcp any any eq https
access-list OUTBOUND extended permit tcp any any eq www
access-list inside_access_in extended permit gre any host 10.0.131.2
access-list inside_access_in extended permit tcp any host 10.0.131.8 eq smtp
access-list inside_access_in extended permit tcp any host 10.0.131.8 eq pop3
access-list inside_access_in extended permit tcp any host 10.0.131.3 eq ftp
access-list inside_access_in extended permit tcp any host 10.0.131.4 eq https
access-list inside_access_in extended permit tcp any host 10.0.131.8 eq www
access-list inside_access_in extended permit tcp any host 10.0.131.4 eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm-504.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.0.100.2 10.0.131.5 netmask 255.255.255.255
access-group INBOUND in interface outside
access-group OUTBOUND out interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 82.108.129.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.1 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!

Please help
Just couldn't leave well enough alone, could you?  <8-}
That's why we're here... Just remember that we are all volunteers here and pop in whenever we have some spare time..

First problem with your new config is that you have broken all the rules with one simple static that nats your outside ip to your inside ip. Can't do that, my friend:

  no static (inside,outside) 10.0.100.2 10.0.131.5 netmask 255.255.255.255
  clear xlate

Now you can remove these access-groups
  no access-group OUTBOUND out interface outside
  no access-group inside_access_in in interface inside

Next issue is that your inside interface IP overlaps with your outside interface IP subnet

interface Ethernet0/0
 ip address 10.0.100.2 255.255.0.0 <== everything 10.0.x.x belongs "outside"
!
interface Ethernet0/1
 ip address 10.0.131.5 255.255.255.0 <== This IP is in the same subnet as Eth0/0
!

Next issue is that you are pointing your default gateway to a public IP. The DG needs to be on the same subnet as the outside interface.

I think you have some fundamental issues that you have to fix before you can get to your ultimate goal of using this for SSL VPN support. You need the public IP address assigned to the outside interface of the ASA unit. No question about it. That means that your external router needs to be in bridged mode to allow that. What kind of WAN connection do you have? What kind of router is it?
Cable modem can go direct to ASA, no router required, ASA gets public IP
DSL modem can be set in bridge mode, connect direct to ASA, ASA gets public IP
T1 to router? ISP should provide enough public IPs to use on inside router and outside ASA.
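The two routing faults called out in this thread, a default-route next hop that is not on the outside interface's subnet (Mike's earlier post) and an inside subnet that overlaps the outside one (the post just above), can both be caught mechanically from a saved `show run`. The Python below is an added example written for this page; it is not code from the thread or from Cisco. Both sample configs are constructed, modelled on the addressing discussed here: BROKEN_CONFIG reproduces the 10.0.100.2/16 outside, 10.0.131.5/24 inside and 82.108.129.105 next hop, FIXED_CONFIG uses the public /29 on the outside with the next hop inside that /29.

```python
"""Two sanity checks for an ASA routed-mode running-config (added example):
1. a static route's next hop must lie in the subnet of the interface it is
   configured on, otherwise the ASA cannot ARP for it;
2. no two named interfaces may have overlapping subnets.
The sample configs below are constructed, modelled on the thread's addressing."""
import ipaddress
import re

# Constructed: the broken addressing (outside /16 swallows the inside /24,
# default route pointing at a public next hop that is not on the outside subnet).
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.100.2 255.255.0.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.131.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 82.108.129.105 1
"""

# Constructed: public /29 on outside, next hop inside that /29, private /24 inside.
FIXED_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 82.108.129.107 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.131.5 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 82.108.129.105 1
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for each interface that has an ip address."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new interface block starts
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            addr, mask = line.split()[2:4]
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_routes(config):
    """Return [(nameif, IPv4Network, next_hop)] from 'route' lines."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            nameif, dest, mask, nh = m.groups()
            routes.append((nameif, ipaddress.IPv4Network(f"{dest}/{mask}"),
                           ipaddress.IPv4Address(nh)))
    return routes


def check_next_hops(interfaces, routes):
    """A next hop must be directly connected on the interface named in the route."""
    findings = []
    for nameif, dest, nh in routes:
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append(f"route to {dest} names unknown interface {nameif}")
        elif nh not in iface.network:
            findings.append(f"next hop {nh} for {dest} is not in {nameif} "
                            f"subnet {iface.network}")
    return findings


def check_overlaps(interfaces):
    """Flag every pair of interfaces whose subnets overlap."""
    findings, names = [], sorted(interfaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if interfaces[a].network.overlaps(interfaces[b].network):
                findings.append(f"{a} {interfaces[a].network} overlaps "
                                f"{b} {interfaces[b].network}")
    return findings


def audit(config):
    """Run both checks and return the list of findings (empty means clean)."""
    interfaces = parse_interfaces(config)
    return check_next_hops(interfaces, parse_routes(config)) + check_overlaps(interfaces)


if __name__ == "__main__":
    for finding in audit(BROKEN_CONFIG) or ["no findings"]:
        print("BROKEN:", finding)
    for finding in audit(FIXED_CONFIG) or ["no findings"]:
        print("FIXED:", finding)
```

Run it against a `show run` saved to a file by passing the file contents to `audit()`; it only looks at `interface`/`nameif`/`ip address` blocks and `route` lines, so the rest of the config (NAT, ACLs, inspection) is ignored.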


I am sorry if I come across impatient, just very eager to get this thing running. I do appreciate all the help you guys give.

I got some help today so please tell me if the following config will work.

ASA Version 7.0(4)
!
hostname efficio
domain-name efficio2.com
enable password 7S8ePYKfPDzMXKcC encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 82.108.129.107 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.131.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
access-list INBOUND extended permit tcp any host 82.108.129.106 eq www
access-list INBOUND extended permit tcp any host 82.108.129.106 eq https
access-list INBOUND extended permit tcp any host 82.108.129.108 eq smtp
access-list INBOUND extended permit tcp any host 82.108.129.108 eq pop3
access-list INBOUND extended permit tcp any host 82.108.129.108 eq www
access-list INBOUND extended permit tcp any host 82.108.129.109 eq nntp
access-list INBOUND extended permit tcp any host 82.108.129.109 eq ftp

pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm-504.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 82.108.129.106 10.0.131.4 netmask 255.255.255.255
static (inside,outside) 82.108.129.108 10.0.131.8 netmask 255.255.255.255
static (inside,outside) tcp 82.108.129.109 nntp 10.0.131.2 nntp netmask 255.255.255.255
static (inside,outside) tcp 82.108.129.109 ftp 10.0.131.3 ftp netmask 255.255.255.255
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 82.108.129.105 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.1 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Thanks Again
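A related consistency check for a routed-mode config like the one just posted: every host that an access-list applied inbound on the outside interface permits traffic to should be covered by a `static` translation for that service, otherwise the permit rule is dead because the public address is never translated to an inside host. The Python below is an added example, not code from the thread or from Cisco. The sample config is constructed, modelled on the posted access-list and static lines, with two extra ACEs deliberately left without a matching static (82.108.129.109 www, where only nntp and ftp port statics exist, and 82.108.129.110) and an unapplied list named UNUSED that the check should ignore.

```python
"""Audit for a routed-mode ASA 7.x config (added example): every host that an
access-list applied inbound on 'outside' permits traffic to must be covered by
a static translation for that service; an ACE whose public address has no
static is dead, because nothing on the inside is reachable through it.
The sample config is constructed, modelled on the thread's posted lines."""
import re

# Constructed sample: the ACEs to 82.108.129.109 www and 82.108.129.110 have no
# matching static on purpose; the UNUSED list is not applied to any interface.
SAMPLE_CONFIG = """\
access-list INBOUND extended permit tcp any host 82.108.129.106 eq www
access-list INBOUND extended permit tcp any host 82.108.129.106 eq https
access-list INBOUND extended permit tcp any host 82.108.129.108 eq smtp
access-list INBOUND extended permit tcp any host 82.108.129.108 eq pop3
access-list INBOUND extended permit tcp any host 82.108.129.109 eq nntp
access-list INBOUND extended permit tcp any host 82.108.129.109 eq ftp
access-list INBOUND extended permit tcp any host 82.108.129.109 eq www
access-list INBOUND extended permit tcp any host 82.108.129.110 eq www
access-list UNUSED extended permit tcp any host 82.108.129.111 eq www
access-group INBOUND in interface outside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 82.108.129.106 10.0.131.4 netmask 255.255.255.255
static (inside,outside) 82.108.129.108 10.0.131.8 netmask 255.255.255.255
static (inside,outside) tcp 82.108.129.109 nntp 10.0.131.2 nntp netmask 255.255.255.255
static (inside,outside) tcp 82.108.129.109 ftp 10.0.131.3 ftp netmask 255.255.255.255
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse_statics(config):
    """Map each global (outside) address to the set of services it translates.
    A one-to-one static is recorded as '*'; a port static as (proto, port)."""
    statics = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "static":
            continue
        if t[2] in ("tcp", "udp"):
            # static (inside,outside) tcp GLOBAL GPORT LOCAL LPORT netmask MASK
            statics.setdefault(t[3], set()).add((t[2], t[4]))
        else:
            # static (inside,outside) GLOBAL LOCAL netmask MASK
            statics.setdefault(t[2], set()).add("*")
    return statics


def parse_inbound_aces(config, interface="outside"):
    """Return (dst_host, proto, service) for ACEs in lists applied 'in' on interface."""
    applied = set()
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m and m.group(2) == interface:
            applied.add(m.group(1))
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if m and m.group(1) in applied:
            _name, proto, host, svc = m.groups()
            aces.append((host, proto, svc))
    return aces


def check_acl_vs_static(config):
    """Return one finding per permitted (host, service) that no static covers."""
    statics = parse_statics(config)
    findings = []
    for host, proto, svc in parse_inbound_aces(config):
        covered = statics.get(host, set())
        if "*" in covered or (proto, svc) in covered:
            continue
        findings.append(f"ACE permits {proto}/{svc} to {host} but no static translates it")
    return findings


if __name__ == "__main__":
    for finding in check_acl_vs_static(SAMPLE_CONFIG) or ["no findings"]:
        print("FINDING:", finding)
```

The comparison of service names is literal, so a port written as `eq 119` in the ACE and `nntp` in the static would be reported even though the ASA treats them as the same; normalise the names in your own config before trusting a finding, and treat the script as a reviewer's checklist rather than a verdict on whether the box will pass traffic.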
ASKER CERTIFIED SOLUTION
Les Moore

This solution is only available to members.
what's the config on the router though.  I thought that had an internal address of 10.0.100.x and did the nat functionality. if so was that changed to so that it forwards the IPs on;  what's going on with that piece?