Solved

Configuring ASA 5505 Firewall

Posted on 2007-03-27
11
282 Views
Last Modified: 2010-04-09
Question reposted with higher point value

I recently purchased a ASA 5505 and need some assistance in the initial setup. I only need 2 VLANS, business and outside. I used the ASDM Sart up wizard to configure the device in hopes that I would, at least, be able to connect to the internet. I am using the 192.168.0.1-255 address scheme for all inside hosts and have Public address range of 216.64.x.x consisting of 15 addresses. Using my old firewall settings I used 192.168.1.1 (default on the 5505) for the inside interface and 216.64.x.2 for the outside. Would someone be able to work with me in setting up the firewall? I have a very basic network infrastructure with only a few needs for NAT, ie: SMTP, HTTP, HTTPS.

Below is the running config:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password xxxxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f815428ef39f2bd2773d754d076546f9
: end


0
Comment
Question by:bkana
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 18800045
>global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.255
Change this to:
 global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240
 global (outside) 1 interface  <== this gives you 'overload' capability

Otherwise, the basics look fine for normal use by internal clients.

\\-- email server and www server statics (example only)
static (inside,outside) 216.64.78.13 192.168.1.13 netmask 255.255.255.255
static (inside,outside) 216.64.78.14 192.168.1.14 netmask 255.255.255.255

\\-- access-list for www/email
access-list outside_in permit tcp any host 216.64.78.13 eq smtp
access-list outside_in permit tcp any host 216.64.78.14 eq www
access-list outside_in permit tcp any host 216.64.78.14 eq https

0
 

Author Comment

by:bkana
ID: 18800176
Thank you lrmoore:

Excuse my ignorance, but is what you posted the CLI way of doing it? I think I can do it in ASDM, but wanted learn how to in CLI as well. Is the bottome portion of your answer the actuall command to use in CLI?  And what do you mean by global (outside) 1 interface?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18800232
Yes, those are all actual CLI entries.
global (outside) 1 interface
 This command will use the ip address assigned to the outside interface as an overload address. Since you only have 10 addresses in your global pool, you need another one for overload or else only 10 inside hosts can get out at any one time.
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 

Author Comment

by:bkana
ID: 18800514
Thank you.
I tried the command to add the global entry but it says one already exists. What is the command to remove/delete the old global entry and add a new one?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18801134
Post the new show config - just the global lines. It may be there and this message is informational..
0
 

Author Comment

by:bkana
ID: 18801886
I was able to change it, but is till won't work. Something else that I found interesting:

After I unplugged the ASA 5505 to test it on my network and then plugged in the old firewall  - I could not access the net for about 10 min, I had to reset the IAD and everything was ok.

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password ulzaQiFnKVzDwUmW encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.78.2 255.255.255.240
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.78.3-216.64.78.12 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 216.64.78.0 255.255.255.0 216.64.78.1 1
route outside 0.0.0.0 0.0.0.0 216.64.78.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e0a014cbb4ffc245596f4e47f79b763
: end
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18802012
> I could not access the net for about 10 min, I had to reset the IAD and everything was ok.
This is expected due to ARP cache on the IAD.

>route inside 216.64.78.0 255.255.255.0 216.64.78.1 1
This is part of the problem. Remove this route statement
  no route inside 216.64.78.0 255.255.255.0 216.64.78.1 1

0
 

Author Comment

by:bkana
ID: 18802086
I have removed the route, but can't test it until later.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18802240
Remember to power cycle the IAD after connecting the new ASA to flush the arp cache and you should be OK.
0
 

Author Comment

by:bkana
ID: 18803715
Still didn't work and cycled the power to the IAD after connecting the ASA. I can't even ping any of the addresses either - or is that due to the firewall?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 18804224
Can you ping the next hop gateway IP from the ASA itself?

You will never be able to ping from a PC to anything outside the firewall without adding an explicit icmp inspect. Add this:

policy-map global_policy
 class inspection_default
  inspect icmp

Now you should be able to ping the next hop gateway from a client, but you can't ping the ASA's own outside interface from a PC.
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question