Configuring ASA 5505 Firewall

Question reposted with higher point value

I recently purchased a ASA 5505 and need some assistance in the initial setup. I only need 2 VLANS, business and outside. I used the ASDM Sart up wizard to configure the device in hopes that I would, at least, be able to connect to the internet. I am using the 192.168.0.1-255 address scheme for all inside hosts and have Public address range of 216.64.x.x consisting of 15 addresses. Using my old firewall settings I used 192.168.1.1 (default on the 5505) for the inside interface and 216.64.x.2 for the outside. Would someone be able to work with me in setting up the firewall? I have a very basic network infrastructure with only a few needs for NAT, ie: SMTP, HTTP, HTTPS.

Below is the running config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password xxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f815428ef39f2bd2773d754d076546f9
: end


bkanaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lrmooreCommented:
>global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.255
Change this to:
 global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240
 global (outside) 1 interface  <== this gives you 'overload' capability

Otherwise, the basics look fine for normal use by internal clients.

\\-- email server and www server statics (example only)
static (inside,outside) 216.64.78.13 192.168.1.13 netmask 255.255.255.255
static (inside,outside) 216.64.78.14 192.168.1.14 netmask 255.255.255.255

\\-- access-list for www/email
access-list outside_in permit tcp any host 216.64.78.13 eq smtp
access-list outside_in permit tcp any host 216.64.78.14 eq www
access-list outside_in permit tcp any host 216.64.78.14 eq https

0
bkanaAuthor Commented:
Thank you lrmoore:

Excuse my ignorance, but is what you posted the CLI way of doing it? I think I can do it in ASDM, but wanted learn how to in CLI as well. Is the bottome portion of your answer the actuall command to use in CLI?  And what do you mean by global (outside) 1 interface?
0
lrmooreCommented:
Yes, those are all actual CLI entries.
global (outside) 1 interface
 This command will use the ip address assigned to the outside interface as an overload address. Since you only have 10 addresses in your global pool, you need another one for overload or else only 10 inside hosts can get out at any one time.
0
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

bkanaAuthor Commented:
Thank you.
I tried the command to add the global entry but it says one already exists. What is the command to remove/delete the old global entry and add a new one?
0
lrmooreCommented:
Post the new show config - just the global lines. It may be there and this message is informational..
0
bkanaAuthor Commented:
I was able to change it, but is till won't work. Something else that I found interesting:

After I unplugged the ASA 5505 to test it on my network and then plugged in the old firewall  - I could not access the net for about 10 min, I had to reset the IAD and everything was ok.

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password ulzaQiFnKVzDwUmW encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 216.64.78.0 255.255.255.0 216.64.78.1 1
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e0a014cbb4ffc245596f4e47f79b763
: end
0
lrmooreCommented:
> I could not access the net for about 10 min, I had to reset the IAD and everything was ok.
This is expected due to ARP cache on the IAD.

>route inside 216.64.78.0 255.255.255.0 216.64.78.1 1
This is part of the problem. Remove this route statement
  no route inside 216.64.78.0 255.255.255.0 216.64.78.1 1

0
bkanaAuthor Commented:
I have removed the route, but can't test it until later.
0
lrmooreCommented:
Remember to power cycle the IAD after connecting the new ASA to flush the arp cache and you should be OK.
0
bkanaAuthor Commented:
Still didn't work and cycled the power to the IAD after connecting the ASA. I can't even ping any of the addresses either - or is that due to the firewall?
0
lrmooreCommented:
Can you ping the next hop gateway IP from the ASA itself?

You will never be able to ping from a PC to anything outside the firewall without adding an explicit icmp inspect. Add this:

policy-map global_policy
 class inspection_default
  inspect icmp

Now you should be able to ping the next hop gateway from a client, but you can't ping the ASA's own outside interface from a PC.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.