Solved

ASA 5505 initial configuration

Posted on 2007-03-26
17,669 Views
Last Modified: 2008-11-05
I recently purchased an ASA 5505 and need some assistance in the initial setup. I only need 2 VLANs, business and outside. I used the ASDM Startup Wizard to configure the device in hopes that I would, at least, be able to connect to the internet. I am using the 192.168.0.1-255 address scheme for all inside hosts and have a public address range of 216.64.x.x consisting of 15 addresses. Using my old firewall settings, I used 192.168.1.1 (default on the 5505) for the inside interface and 216.64.x.2 for the outside. Would someone be able to work with me in setting up the firewall? I have a very basic network infrastructure with only a few needs for NAT, i.e. SMTP, HTTP, HTTPS.

Regards,
Bill
Question by:bkana
37 Comments
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Can you please post your running config? In the CLI, type sh run and paste the output please.
0
 

Author Comment

by:bkana
Sure, here it is. You're probably going to have a lot of questions, as I haven't done much to set it up yet.

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password ulzaQiFnKVzDwUmW encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f815428ef39f2bd2773d754d076546f9
: end
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
What type is your connection to the internet? DSL?
What device are you using to connect to the internet?
0
 

Author Comment

by:bkana
It is a T-1 solution running through a Cisco IAD2400
0
 

Author Comment

by:bkana
MrHusy,

Do you have any further information regarding this? I need to get this firewall operational and your help would be greatly appreciated.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Too few points to spend so much time on, m8, sorry :(. I thought it was 500; somehow your question passed my filter.
0
 

Author Comment

by:bkana
I understand. Could you at least pass it on to someone who might be able to help me or post a couple of quick responses to what has been given so far? Maybe a couple of things I could change just to get started?


0
 

Author Comment

by:bkana
I have increased the point value on this question.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Don't worry, now you increased the points and this question will pass the filter of Irmoore :)
I never used to work together with a Cisco IAD2400, but in my opinion the Cisco IAD2400 is already supposed to acquire the reserved IPs (216.x.x.x) as public (global) and there is supposed to be another local network (like 192.168.1.0 or 172.16.1.0) between one interface of the Cisco IAD2400 and the outside interface of the PIX. Therefore you mustn't assign your global IP addresses to the PIX as interface IP or global range.
0
 

Author Comment

by:bkana
Yes, except my local network is 192.168.0.1-255 (does it matter that it's not 192.168.1.0?). Could you explain more about the global range? What do I assign to my outside interface then? I thought you assign one of your public IPs to the outside interface. So, do I need to first remove the 216.64.x.x - 216.64.x.x range from my global (outside) interface?
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
If the statement below is correct,

             outside↓                   ↓inside      outside↓         ↓inside
                     int0                  int1                       int0     int1
Internet-----T1------Cisco IAD2400------------------PIX-------------Inside network
↑------216.64.x.x------↑       ↑-----------?------------↑  ↑--192.168.0.0/24---↑                                  

*I assume that the statement above is correct, so you will need another network in the ? place for NAT.
*It doesn't matter if it's 1.0 or not. An IP address ending with 0 means the subnet. In your case 192.168.0.0/24 is your subnet (24 means a 255.255.255.0 subnet mask and 192.168.0.0 means 192.168.0.1-192.168.0.254).
I want to ask some questions:
*Plug the network cable which is coming from the Cisco IAD2400 into a random PC, and check what IP, DNS server, subnet mask and gateway addresses the PC acquires from the Cisco IAD2400. Then I can build you a configuration.
*Again, if the statement above is correct, you should do the global assignments in the Cisco IAD2400.
0
 

Author Comment

by:bkana
Thanks for the info.

I put a laptop on the IAD and configured the laptop for DHCP - but I don't think the IAD threw the right information or any at all. When I ran ipconfig /all I got an IP of 169.254.99.161 and a mask of 255.255.0.0

The above statement is correct, but I do not have access to the IAD2400; it was installed by my ISP when we upgraded to our current Dynamic T-3 solution. My current (old) firewall has 216.64.x.2 as its outside address (at least that's what it appears to be in the configuration). Can't we just mirror that on the ASA 5505 or put that address as the outside address?
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
So we should go on according to your old firewall's config. Can you please post both your old firewall's and the ASA 5505's current running configs?
0
 

Author Comment

by:bkana
I don't have a CLI file for the old firewall per se, but I can give you all the parameters and how it is set up:
The following are the only settings configured on the old firewall:
Interface Configuration:
Interface Name - untrust
IP = 216.64.x.2
mask = 255.255.255.240
Gateway = 216.64.78.1

Interface Name - trust
IP=192.168.0.1
mask = 255.255.255.0
no gateway defined

There is a "Mapped IP" option on the untrust section that has some entries that map my public addresses to my inside private addresses, such as 216.64.x.10 mapped to 192.168.0.62 for my mail server with a mask of 255.255.255.255. I have about 8 mapped that way for things like a web server and RDP.

There is also a Static Route section that has:
192.168.0.0, mask of 255.255.255.0, gateway of 0.0.0.0 with the interface being trust and metric of 0
216.64.x.0, mask of 255.255.255.240, gateway of 0.0.0.0 with the interface being untrust and metric 0
0.0.0.0, mask of 0.0.0.0, gateway of 216.64.78.1, with the untrust interface, metric 1

There is an address section with two tabs, trust and untrust
on the trust tab there is an entry called mycompany Internal:
IP/Domain name: 192.168.0.0
mask = 255.255.255.0
trust location

There's also one called Inside Any with 0.0.0.0 for both ip and mask

There's a Policy section with two tabs as well: incoming and outgoing
on the outgoing tab there a few entries
Source                Destination   Service   NAT   Action
Inside Any            Outside Any   NetBios   N/A   deny
companynameInternal   Outside Any   Any       yes   allow
companynameInternal   Outside Any   https     N/A   allow

Here is the current ASA 5505 config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password xxxxxxxxxxxxxxrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 216.64.78.0 255.255.255.0 216.64.78.1 1
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e0a014cbb4ffc245596f4e47f79b763
: end
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
then your configuration is OK except the following route
route inside 216.64.78.0 255.255.255.0 216.64.78.1 1

remove it by typing
no route inside 216.64.78.0 255.255.255.0 216.64.78.1 1

then
wr mem
cl xl

A question: Are your web servers etc. on the inside interface with static IPs, like the 192.168.0.62 mail server? If yes, we should define the default PIX inside interface and DHCP pool as 192.168.0.1 so you won't spend time configuring clients.
Get into the CLI and do the following.

enable
"type your pass"
conf t
conf fac 192.168.0.1 255.255.255.0
"press enter till you see your firewall hostname"
wr mem
rel
"press enter to reload"

Now your inside interface is 192.168.0.1. Let's go on with the configuration.

enable
"type your pass"
conf t

int eth0
nameif outside
no shu
dup au
ip add 216.64.78.2 255.255.255.240
sec 0
quit

int eth1
nameif inside
no shu
dup au
sec 100
quit

route outside 0 0 216.64.78.1
nat (inside) 1 0 0
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240

"now time for static NAT mappings"

static (inside,outside) 216.64.78.10 192.168.0.62 netmask 255.255.255.255
access-list mailserver permit tcp any host 216.64.78.10 eq smtp
access-list mailserver permit icmp any any  "this is for ping, just to check connectivity, remove if you want"
access-group mailserver in interface outside

"let's say that your terminal server is 192.168.0.60 inside and its global IP is 216.64.78.11. Then do the following"

static (inside,outside) 216.64.78.11 192.168.0.60 netmask 255.255.255.255
access-list termserver permit tcp any host 216.64.78.11 eq 3389
access-group termserver in interface outside

The ACLs above permit anyone from outside to connect to the related global IP. If you would like to permit only one IP to connect from the internet to the related IP, type host x.x.x.x instead of any. If you would like to give only a few IPs access, then you should create an object group. If you need object grouping, tell me and I'll explain it too.

0
 

Author Comment

by:bkana
Let me clarify a few things, what do you mean by:
then
wr mem
cl xl

and

enable
"type your pass" (is this my password that I setup for accessing the firewall?)
conf t

Are those just commands in the CLI?

And, yes, all of my servers (mail, web, etc.) are inside and all have a static address using the 192.168.0.3-255 address scheme. I have IP mappings set up on the old firewall to public addresses for things like SMTP and HTTPS. I only have 30 clients without DHCP on the network; I have them all set to static IPs. Do I still need DHCP?

I do not have a terminal server, but I get the idea. I'll do what you posted and get back with you.




Also,

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
*Yes, they are just CLI commands, except "then", "and" and the phrases in "...".
*Yes, it is the password for accessing the firewall.
*You don't need DHCP, so you can disable it with the following command when you are in config t mode.

no dhcpd enable inside

*Please post the latest running config of your PIX. We will start implementing VLANs after we provide a basic connection.
0
 

Author Comment

by:bkana
Here is the latest config. I had a little trouble running the commands for eth0 and eth1, but I'm assuming we were trying to configure the outside interface with 216.64.x.2 with security set to 0, correct? If so, I went ahead and did it in the GUI. Can you tell from the config whether I did it properly? I also set up one mapping for my mail server. I have others I would like to do though.

Couple of questions before we move on:
1. What do these commands do: "wr mem"   "conf t"   "no shu"   "dup au"
and what does the "access-group mailserver in interface outside" command do?


Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ulzaQiFnKVzDwUmW encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list mailserver extended permit tcp any host 216.64.78.10 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 216.64.78.10 192.168.0.62 netmask 255.255.255.255
access-group mailserver in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7b79511728a54eaaf624771524c0916f
: end

0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
1. What do these commands do: "wr mem"   "conf t"   "no shu"   "dup au"
and what does the "access-group mailserver in interface outside" command do?
wr mem = write memory: writes your current config to memory permanently.
conf t = configure terminal: allows you to enter config mode. You can make essential configurations under that node; a (config) appears next to your PIX device's hostname in the CLI.
no shu = no shutdown: enables the interface.
dup au = duplex auto: sets the interface duplex to auto.

"and what does the "access-group mailserver in interface outside" command do?"
We created an access list (ACL) named mailserver by typing
access-list mailserver extended permit tcp any host 216.64.78.10 eq smtp
and we tagged this ACL to the outside interface by
access-group mailserver in interface outside

Interface Vlan1 and Interface Vlan2? Did you set these from the GUI?
0
 

Author Comment

by:bkana
Thanks for the info!

So basically we can create as many ACLs as we like, give them a name, and then use that name on one of the interfaces to activate it, per se, or put it in use. The ACLs are sort of like the IP mappings I had on my old firewall that would allow certain services such as SMTP, HTTPS, etc. to traverse the firewall, correct?

Yes, I setup the Vlans through the GUI. Looking at the Interfaces tab, the outside interface is marked as Vlan2 and the inside is marked as Vlan1. Vlan2 is using the switched port of Ethernet0/0 and the rest are being used by Vlan1 for the inside. I think the running config shows the interfaces as being Vlan1 and Vlan2 - is that not correct?
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
I think in your old firewall, that IP mapping function was providing both access configuration and mapping. But in PIX, IP mapping is provided by the static command, and allow/deny access configurations are provided by ACLs. ACLs allow SMTP, HTTPS etc.

static (inside,outside) 216.64.78.10 192.168.0.62 netmask 255.255.255.255 "provides IP mapping"
access-list mailserver permit tcp any host 216.64.78.10 eq smtp "configures access permission (SMTP in the example)"
access-group mailserver in interface outside "tags the ACL to the related interface"
If your network works with that configuration, then that means your VLAN config is correct.
Could you please post me the output of the sh int command in the CLI?
0
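An added example, not part of this thread: a small Python checker that reads a pre-8.3 `sh run` excerpt and applies the three-step rule from the post above mechanically (static provides the mapping, the ACL names the mapped address, access-group binds the ACL). It flags an ACL line that names a static's real inside address instead of the mapped one, an ACL that is defined but never applied with access-group, and more than one access-group on the same interface and direction (only the last binding stays in effect). The config it reads is constructed, modelled on the configs in this thread.

```python
import re

# Constructed "sh run" excerpt modelled on this thread's configs (ASA 7.2,
# pre-8.3 NAT syntax). It deliberately contains two of the mistakes the
# thread runs into: an ACL that names the real inside address of a static
# (termserver) and an ACL that is never bound with access-group (outside_in).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
access-list mailserver extended permit tcp any host 216.64.78.10 eq smtp
access-list mailserver extended permit tcp any host 216.64.78.4 eq www
access-list termserver extended permit tcp any host 192.168.0.60 eq 3389
access-list outside_in extended permit tcp any host 216.64.78.4 eq https
static (inside,outside) 216.64.78.10 192.168.0.62 netmask 255.255.255.255
static (inside,outside) 216.64.78.4 192.168.0.4 netmask 255.255.255.255
static (inside,outside) 216.64.78.11 192.168.0.60 netmask 255.255.255.255
access-group mailserver in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(?:permit|deny) ")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
HOST_RE = re.compile(r"\bhost (\d+\.\d+\.\d+\.\d+)")


def parse(config):
    """Collect static mappings, ACL entries and access-group bindings."""
    real_to_mapped = {}   # real (inside) address -> mapped (global) address
    acls = {}             # ACL name -> [(line number, line text)]
    bindings = {}         # (interface, direction) -> [ACL names, in order]
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if m := STATIC_RE.match(line):
            mapped, real = m.group(3), m.group(4)
            real_to_mapped[real] = mapped
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((n, line))
        elif m := GROUP_RE.match(line):
            key = (m.group(3), m.group(2))
            bindings.setdefault(key, []).append(m.group(1))
    return real_to_mapped, acls, bindings


def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    real_to_mapped, acls, bindings = parse(config)
    applied = {name for names in bindings.values() for name in names}
    findings = []
    for name, entries in acls.items():
        if name not in applied:
            findings.append(f"acl {name}: defined but never applied with access-group")
        for n, text in entries:
            for ip in HOST_RE.findall(text):
                # Pre-8.3 ACLs on the outside interface must reference the
                # mapped (global) address, never the real inside address.
                if ip in real_to_mapped:
                    findings.append(
                        f"line {n}: acl {name} names real address {ip}; "
                        f"pre-8.3 ACLs must use the mapped address {real_to_mapped[ip]}")
    for (iface, direction), names in bindings.items():
        for name in names:
            if name not in acls:
                findings.append(f"access-group {name}: applied to {iface} {direction} but not defined")
        if len(names) > 1:
            # A second access-group on the same interface/direction replaces the first.
            findings.append(
                f"{iface} {direction}: access-group applied {len(names)} times "
                f"({', '.join(names)}); only the last one stays in effect")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```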
 

Author Comment

by:bkana
Thanks for clarifying the commands and their respective meanings. Here is the output of the sh int command:

Keep in mind that I do not have the firewall connected to my network/IAD yet.

Result of the command: "sh int"

Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI
      MAC address 0019.0726.0bfe, MTU 1500
      IP address 192.168.0.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
      35034 packets input, 2605959 bytes
      26742 packets output, 11912832 bytes
      2132 packets dropped
      1 minute input rate 10 pkts/sec,  770 bytes/sec
      1 minute output rate 7 pkts/sec,  2871 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 10 pkts/sec,  786 bytes/sec
      5 minute output rate 7 pkts/sec,  2911 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is down, line protocol is down
  Hardware is EtherSVI
      MAC address 0019.0726.0bfe, MTU 1500
      IP address 216.64.78.2, subnet mask 255.255.255.240
  Traffic Statistics for "outside":
      0 packets input, 0 bytes
      0 packets output, 0 bytes
      0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0019.0726.0bf6, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 0019.0726.0bf7, MTU not set
      IP address unassigned
      35735 packets input, 3448660 bytes, 0 no buffer
      Received 500 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      4 switch ingress policy drops
      27198 packets output, 12701821 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/2 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0019.0726.0bf8, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/3 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0019.0726.0bf9, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/4 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0019.0726.0bfa, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/5 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0019.0726.0bfb, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/6 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0019.0726.0bfc, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/7 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0019.0726.0bfd, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
You are welcome.
You should start the implementation of the PIX into your environment at a time when your company is not working for at least 3 hours.
And also please apply the commands below so that syslog gets enabled, and give me feedback.

logging on
logging trap 7
logging que 150
wr mem

Logs will appear in the ASDM window.
0
 

Author Comment

by:bkana
Are you recommending 3 hours due to the IAD and/or ASA having to "learn" about each other and the new device? I understand ARP cache also has something to do with it, correct? I might have time this afternoon to connect it to my network and begin troubleshooting (if need be).

Also, can I assume that by default the ASA will not permit anything to come in to the network, unless otherwise explicitly told to do so? I will contact you when I am ready to connect it.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
The Adaptive Security Algorithm is set to permit traffic flow from a higher security interface to a lower security interface and block traffic from a lower security interface to a higher one. And you will permit the traffic with ACLs.
Always calculate the worst possibility and the time to recover back to the running config if the implementation fails. I recommend you work through some examples in a test environment with the PIX.
0
 

Author Comment

by:bkana
What I can do is connect one of my Windows 2003 member servers and a couple of test PCs to my extra hub and use that for testing.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
That is enough too. Use the PIX in this small test environment, ask me about the problems you encounter and get used to the PIX.
0
 

Author Comment

by:bkana
Good news, I connected the firewall to my network, reset the IAD and I was able to connect to the internet. Sent a few test e-mails and e-mail seems to be working as well.

Now: I had several other mappings on the old firewall to allow certain services like RDP, HTTPS, SSL. I think I can configure the HTTP ones with the examples you gave me. But what about RDP? Do I have to find out the port used by RDP to set it up? In one of your earlier examples, I typed in eq smtp for mail. What would be the one for "RDP"? Is the following command correct for setting up the mapping:

static (inside,outside) 216.64.x.12 192.168.0.212 netmask 255.255.255.255  (this is for accessing my PC via RDP)
How do I write the access-list command for this one?
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
access-list outside_access_in permit tcp any host 216.64.78.12 eq 3389
access-group outside_access_in in interface outside
0
 

Author Comment

by:bkana
Thanks MrHusy.

Can you verify my current config below? This is without the above entries, but I added two for HTTP and HTTPS to the same server and it looks like it added them to the "mailserver" tag. They do work though.
I'm a little confused about the access-group command and the access-list outside_in statements in the current config.

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ulzaQiFnKVzDwUmW encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list mailserver extended permit tcp any host 216.64.78.10 eq smtp
access-list mailserver extended permit tcp any host 216.64.78.4 eq https log
access-list mailserver extended permit tcp any host 216.64.78.4 eq www
access-list outside_in extended permit tcp any host 216.64.78.4 eq https
access-list outside_in extended permit tcp any host 216.64.78.4 eq www
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 150
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 216.64.78.10 192.168.0.62 netmask 255.255.255.255
static (inside,outside) 216.64.78.4 192.168.0.4 netmask 255.255.255.255
access-group mailserver in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e9422190102b4c2d9c49bab8522241ed
: end



0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Comment Utility
Ahh, sorry Bill, I'm working on so many PIX issues that I forgot your config for a moment. It doesn't differ; my command above works too, but we already have an ACL name, so we'd better go on with it and not create multiple names. So it has to be as following:

access-list outside_in extended permit tcp any host 216.64.78.12 eq 3389
access-group outside_in in interface outside

or, if you like, you may name your ACL according to your protocol:

access-list RDP_Allow extended permit tcp any host 216.64.78.12 eq 3389
access-group RDP_Allow in interface outside

ACL names do not matter, since you tag it to the interface with the access-group command. I named it "mailserver" because the rules were all related to your mailserver. You may change it as you wish.
0
 

Author Comment

by:bkana
Comment Utility
No worries, I understand how busy you must be.

When I used the "access-group outside_in in interface outside" it cleared all of my previous entries and I had to use the GUI under Security Policy to re-add the permits for SMTP and HTTPS. It's all working now though. I think I got the hang of it now. I know you prefer to use the CLI, but how do I view the various ACLs in the GUI? It's not that big of a deal. And, one more question: is "tagging it to an interface" the same as "Adding an Access Rule" on one of the interfaces under the Security Policy in the GUI?

I really appreciate all of your help on this; I only wish I could return the favor! I may ask a couple more questions in the upcoming week, but for now I think I've got it! Thanks again!
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Comment Utility
         You are welcome Bill.
               *The GUI is just some graphics for people to understand better and not have to memorize so many commands. There must be an option in Options/Tools or Preferences in the GUI that shows you first what you have done (as CLI commands) and then sends it to the PIX. So you would be able to see which commands the GUI sends to the PIX when you make a config change.
               *"access-group outside_in in interface outside" shouldn't clear previous entries. Something must have gone wrong.
                *When you add an ACL via the GUI, the GUI writes the ACL and then tags it to the interface. You won't need an extra operation. You would see that it uses the access-group command after access-list automatically, if you enable the option in the GUI that I mentioned above.

See you in upcoming questions :)
0
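An added note on the "cleared entries" exchange above, with example commands that are not from the original thread. On the ASA (7.2 included) only one access-list can be bound per interface and direction, and a new `access-group ... in interface outside` replaces the existing binding rather than adding to it. That is exactly what happened here: binding `outside_in` dropped the `mailserver` binding, so its SMTP/HTTPS permits stopped applying even though the ACL lines were still in the config. The safe way to add the RDP rule is to append it to the ACL that is already bound, or to build the replacement ACL completely before rebinding. The thread's own addresses are reused below; the trusted source network 203.0.113.0/24 is an assumption standing in for wherever the RDP sessions originate, because exposing TCP/3389 to `any` is a poor idea even behind a static.

```cisco
! Added example, not the thread's own configuration.
! Pre-8.3 ASA: the outside ACL matches the PUBLIC (mapped) address, as the
! existing mailserver rules already do.

! 1. The static for the RDP host (from the question).
static (inside,outside) 216.64.78.12 192.168.0.212 netmask 255.255.255.255

! 2a. Simplest: append to the ACL that is already bound to the outside
!     interface, so nothing else changes.
!     203.0.113.0/24 is an ASSUMED trusted source network; avoid "any" for RDP.
access-list mailserver extended permit tcp 203.0.113.0 255.255.255.0 host 216.64.78.12 eq 3389 log

! 2b. Alternative, if you prefer the name outside_in: make the new ACL
!     complete FIRST, then rebind. The access-group command below replaces
!     the mailserver binding in one step, so every rule you want must already
!     be in outside_in at that point.
access-list outside_in extended permit tcp any host 216.64.78.10 eq smtp
access-list outside_in extended permit tcp any host 216.64.78.4 eq https log
access-list outside_in extended permit tcp any host 216.64.78.4 eq www
access-list outside_in extended permit tcp 203.0.113.0 255.255.255.0 host 216.64.78.12 eq 3389 log
access-group outside_in in interface outside
! Only now is the old ACL unreferenced and safe to remove.
clear configure access-list mailserver

! 3. Verify: exactly one inbound ACL on outside, and a simulated RDP
!    connection from the trusted network is allowed while one from
!    elsewhere (198.51.100.7, assumed) is dropped.
show running-config access-group
show access-list outside_in
packet-tracer input outside tcp 203.0.113.5 40000 216.64.78.12 3389
packet-tracer input outside tcp 198.51.100.7 40000 216.64.78.12 3389
write memory
```

`show running-config access-group` is the quickest check that a rebind did what you expected: if the ACL that carries your SMTP/HTTPS rules no longer appears there, those rules are inert no matter what `show access-list` prints for them.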
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Comment Utility
          Hello Bill
              If my assistance was helpful for you, please accept one of my posts as an answer with a deserved grade.
              Thank You.
0
 

Author Comment

by:bkana
Comment Utility
Got it!

The only thing I have left to do is setup VPN. I ran through the VPN wizard to setup Remote Access, went home and loaded the Cisco VPN Client (4.6), but couldn't connect. I'm assuming the host you connect to is the outside interface of the ASA correct? Do most people use the Cisco client to connect or do they use the built-in Microsoft client? I know I have to setup a few things on the ASA first, but am unclear as how to do so.
0
 
LVL 29

Expert Comment

by:Alan Huseyin Kayahan
Comment Utility
           Hi Bill,
                Most people use Cisco client for more security and the interface differs according to your needs. Configuring VPN is a different issue, so should be asked in a new question.
                Regards.
0
 
LVL 1

Expert Comment

by:ralphcarter2008
Comment Utility
yes it is the outside interface IP that you connect to with the client.

under group authentication of the vpn client, make sure the Name: is spelled exactly as it is in your config, case sensitive.

Under password: make sure you have the exact Pre-shared Key:

Then when you connect you should be assigned an IP that you defined in your DHCP pool for VPN. Make sure your inside routers (if any) know how to get to this VPN pool subnet.

And don't try to VPN in from the inside of your network!
0
