We help IT Professionals succeed at work.

Cisco ASA 5505 Config help

parlay_user
parlay_user asked
on
2,715 Views
Last Modified: 2012-06-21
Hi, I just purchased a Cisco ASA 5505 and built a config I thought would work but I'm running into some issues.  I think the nating may be wrong but i'm not sure.  It may be the Access rules as well.  Basically I have 3 servers behind this firewall that are being hosted at a Co-lo.  I have an internal network of 192.168.10.0 and each server has a 1 to 1 nat with the external addresses I was provided. 72.14.x.x/29.  Right now, I want the servers to be able to access anything, and I want the servers to be accessible on port 80, 22, and a few others. Right now with my current config, I can ssh in to all of them, access 2 of them on 80 but thats about it. I built the config with the ASDM but I will paste the running config here:

: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parlaygroup.com
object-group network Blink_Servers_int
 network-object host oracle_db_int
 network-object host webserver_int
 network-object host appserver_int
 network-object host Lotto_Site-int
object-group network My_Sql
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group network SSH
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service MySql tcp
 port-object eq 3306
object-group service Parlay_Chat tcp
 port-object eq 2156
object-group service Tomcat tcp
 port-object eq 8080
object-group service Parlay_Services tcp
 group-object Parlay_Chat
 group-object Tomcat
 port-object eq www
 port-object eq https
object-group network Blink_Servers_ext
 network-object host oracle_db-ext
 network-object host webserver-ext
 network-object host appserver-ext
 network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
static (outside,inside) webserver_int webserver-ext netmask 255.255.255.255
static (outside,inside) oracle_db_int oracle_db-ext netmask 255.255.255.255
static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Parlay_Network 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ddc6c2ffba808905bf682f242fa129a7
: end
asdm image disk0:/asdm-602.bin
no asdm history enable



Comment
Watch Question

Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Remove the outside,inside statics
 no static (outside,inside) webserver_int webserver-ext netmask 255.255.255.255
 no static (outside,inside) oracle_db_int oracle_db-ext netmask 255.255.255.255
 no static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
 clear xlate

>access-list outside_access_in extended permit ip any any
With this entry, you should have full access to any server on any port.
I would remove that line, and let the ones below it allow only specified ports.

>access-list outside_access_in extended permit object-group TCPUDP any object-group Blink_Servers_ext eq www
The object group TCPUDP is incorrectly used.
This entry should read simply:
 access-list outside_access_in extended permit tcp any object-group Blink_Servers_ext eq www

SSH works, because your SSH object group includes hosts, not protocols.

Author

Commented:
Thanks for the response, I can't try it out right now but as soon as I do I will update on progress.

Ian

Author

Commented:
With regards to Access list rules, should all rules be using the internal addresses since I have the NAT in place or do I have to use the external address still? Meaning should this rule look like this:
access-list outside_access_in extended permit tcp any object-group Blink_Servers_EXT eq www

or

access-list outside_access_in extended permit tcp any object-group Blink_Servers_INT eq www
Sr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Ok I am still having major problems.  Like I said, I can ssh into all the servers just fine, however I cannot hit them on Port 80.  And none of the servers can get out on any port!  Please help.

: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parlaygroup.com
object-group network Blink_Servers_int
 network-object host oracle_db_int
 network-object host webserver_int
 network-object host appserver_int
 network-object host Lotto_Site-int
object-group network My_Sql
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group network SSH
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service MySql tcp
 port-object eq 3306
object-group service Parlay_Chat tcp
 port-object eq 2156
object-group service Tomcat tcp
 port-object eq 8080
object-group service Parlay_Services tcp
 group-object Parlay_Chat
 group-object Tomcat
 port-object eq www
 port-object eq https
object-group network Blink_Servers_ext
 network-object host oracle_db-ext
 network-object host webserver-ext
 network-object host appserver-ext
 network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit tcp any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
http Parlay_Network 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:69611d70bb92ee251609bdd9ac744ec9
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
>access-group inside_access_in in interface inside
Start by removing the acl from the inside interface. Later we can lock down outbound traffic is you desire.
  no access-group inside_access_in in interface inside

Also, try adding this:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect http

Check the default gateway on all servers. Make sure it points to the inside interface of this ASA..
What are these servers using for DNS? An external DNS server?

Author

Commented:
ok, really sorry about the last post.  actually was a problem with my own firewall going out.  I'm basically good to go now except some internal stuff which I will have to figure out.
I do have a question about port forwarding however.  Is it possible to make a rule that states, anything coming in on port 80 hitting appserver-ext, be forwarded to port 2156 on webserver_int ?
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Only if you use port xlates. Example:

no static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) tcp webserver-ext 80 webserver_int 2156 netmask 255.255.255.255

Author

Commented:
so would that be the exact cmd I use?
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
Yes, copy and paste even if you want

Author

Commented:
Thanks, that helped.

For some reson, each server cannot hit each other from there external ip?  so if I try and telnet to each other on the ext ip on 80 it doesnt work?

Author

Commented:
Here is 1 of the error msg's:

6      Oct 05 2007      12:33:45      302014      appserver-ext      oracle_db_int       Teardown TCP connection 3014 for outside:appserver-ext/80 to inside:oracle_db_int/51541 duration 0:00:30 bytes 0 SYN Timeout
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
No way. You cannot ever get to the external IP from another internal host.

Author

Commented:
Ok understood, but I should be able to get from External to Internal correct?  Here is the sequence of problems I'm having.  I'm trying to hit an app for my network which succeeds
6      Oct 05 2007      13:06:40      302013      Parlay_Network      appserver_int       Built inbound TCP connection 3151 for outside:Parlay_Network/33111 (Parlay_Network/33111) to inside:appserver_int/80 (appserver-ext/80)

Then when I try to login it timesout

6      Oct 05 2007      13:06:44      302013      appserver-ext      appserver_int       Built outbound TCP connection 3152 for outside:appserver-ext/80 (appserver-ext/80) to inside:appserver_int/47961 (appserver-ext/47961)

6      Oct 05 2007      13:07:14      302014      appserver-ext      appserver_int       Teardown TCP connection 3152 for outside:appserver-ext/80 to inside:appserver_int/47961 duration 0:00:30 bytes 0 SYN Timeout
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
>302013      appserver-ext    =>  appserver_int       Built outbound TCP connection
From itself, to itself? This will definately break down.

Author

Commented:
Normally I would say yes but all this worked fine with my other Firewall Astaro 120.  And I was able to connect from server to server using external ip's.  I need this to work.

With the old firewall i could run a wget server ext ip and get
Connecting to server ext ip... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8132 (7.9K) [text/html]
Saving to: `index.html.1'

100%[=======================================>] 8,132       --.-K/s   in 0s

14:28:28 (447 MB/s) - `index.html.1' saved [8132/8132]
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
The Astaro firewall did not run the Adaptive Security Algorithm that the ASA uses in place of basic stateful inspection.
You can try this, but I can't guarantee it will work: add these entries back in that we took out earlier:

static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255

Author

Commented:
Now I just get:
3 Oct 05 200715:49:05 305005 appserver-ext No translation group found for tcp src inside:appserver_int/33095 dst outside:appserver-ext/80

Anything else I could try?  I would think there must be away to do this?
Les MooreSr. Systems Engineer
CERTIFIED EXPERT
Top Expert 2008

Commented:
I don't know what to tell you. The ASA is not meant to do what you are trying to do and this is a design "feature" of the firewall.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.