?
Solved

Cisco ASA 5505 Config help

Posted on 2007-10-03
19
Medium Priority
?
2,697 Views
Last Modified: 2012-06-21
Hi, I just purchased a Cisco ASA 5505 and built a config I thought would work but I'm running into some issues.  I think the nating may be wrong but i'm not sure.  It may be the Access rules as well.  Basically I have 3 servers behind this firewall that are being hosted at a Co-lo.  I have an internal network of 192.168.10.0 and each server has a 1 to 1 nat with the external addresses I was provided. 72.14.x.x/29.  Right now, I want the servers to be able to access anything, and I want the servers to be accessible on port 80, 22, and a few others. Right now with my current config, I can ssh in to all of them, access 2 of them on 80 but thats about it. I built the config with the ASDM but I will paste the running config here:

: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parlaygroup.com
object-group network Blink_Servers_int
 network-object host oracle_db_int
 network-object host webserver_int
 network-object host appserver_int
 network-object host Lotto_Site-int
object-group network My_Sql
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group network SSH
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service MySql tcp
 port-object eq 3306
object-group service Parlay_Chat tcp
 port-object eq 2156
object-group service Tomcat tcp
 port-object eq 8080
object-group service Parlay_Services tcp
 group-object Parlay_Chat
 group-object Tomcat
 port-object eq www
 port-object eq https
object-group network Blink_Servers_ext
 network-object host oracle_db-ext
 network-object host webserver-ext
 network-object host appserver-ext
 network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
static (outside,inside) webserver_int webserver-ext netmask 255.255.255.255
static (outside,inside) oracle_db_int oracle_db-ext netmask 255.255.255.255
static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Parlay_Network 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ddc6c2ffba808905bf682f242fa129a7
: end
asdm image disk0:/asdm-602.bin
no asdm history enable



0
Comment
Question by:parlay_user
  • 10
  • 9
19 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 20009510
Remove the outside,inside statics
 no static (outside,inside) webserver_int webserver-ext netmask 255.255.255.255
 no static (outside,inside) oracle_db_int oracle_db-ext netmask 255.255.255.255
 no static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255
 clear xlate

>access-list outside_access_in extended permit ip any any
With this entry, you should have full access to any server on any port.
I would remove that line, and let the ones below it allow only specified ports.

>access-list outside_access_in extended permit object-group TCPUDP any object-group Blink_Servers_ext eq www
The object group TCPUDP is incorrectly used.
This entry should read simply:
 access-list outside_access_in extended permit tcp any object-group Blink_Servers_ext eq www

SSH works, because your SSH object group includes hosts, not protocols.
0
 

Author Comment

by:parlay_user
ID: 20009585
Thanks for the response, I can't try it out right now but as soon as I do I will update on progress.

Ian
0
 

Author Comment

by:parlay_user
ID: 20009943
With regards to Access list rules, should all rules be using the internal addresses since I have the NAT in place or do I have to use the external address still? Meaning should this rule look like this:
access-list outside_access_in extended permit tcp any object-group Blink_Servers_EXT eq www

or

access-list outside_access_in extended permit tcp any object-group Blink_Servers_INT eq www
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 20010887
outside_access_in acl should always reference the EXTernal addresses, never the INTernal addresses.

inside_access_in acl should always reference the INTernal addresses
0
 

Author Comment

by:parlay_user
ID: 20017338
Ok I am still having major problems.  Like I said, I can ssh into all the servers just fine, however I cannot hit them on Port 80.  And none of the servers can get out on any port!  Please help.

: Saved
:
ASA Version 8.0(2)
!
hostname blink-fw
domain-name parlaygroup.com
enable password HDuCyYUaf0COvX1Y encrypted
names
name 72.14.x.x appserver-ext description External Add
name 192.168.10.5 appserver_int description Parlay Games
name 72.14.x.x oracle_db-ext description External Add
name 192.168.10.3 oracle_db_int description Oracle / MySql
name 72.14.x.x webserver-ext description External Add
name 192.168.10.4 webserver_int description Apache / PHP
name 24.141.18.88 Trent_Sschwartz description Trent Home IP
name 72.14.x.x Lotto_Site-ext
name 192.168.10.6 Lotto_Site-int
!
interface Vlan1
 nameif inside
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.14.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name parlaygroup.com
object-group network Blink_Servers_int
 network-object host oracle_db_int
 network-object host webserver_int
 network-object host appserver_int
 network-object host Lotto_Site-int
object-group network My_Sql
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group network SSH
 network-object host Parlay_Network
 network-object host Trent_Sschwartz
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service MySql tcp
 port-object eq 3306
object-group service Parlay_Chat tcp
 port-object eq 2156
object-group service Tomcat tcp
 port-object eq 8080
object-group service Parlay_Services tcp
 group-object Parlay_Chat
 group-object Tomcat
 port-object eq www
 port-object eq https
object-group network Blink_Servers_ext
 network-object host oracle_db-ext
 network-object host webserver-ext
 network-object host appserver-ext
 network-object host Lotto_Site-ext
access-list inside_access_in extended permit ip object-group Blink_Servers_int any
access-list outside_access_in extended permit tcp any object-group Blink_Servers_ext eq www
access-list outside_access_in extended permit tcp object-group SSH object-group Blink_Servers_ext eq ssh
access-list outside_access_in extended permit tcp object-group My_Sql host oracle_db-ext object-group MySql
access-list outside_access_in extended permit tcp any host appserver-ext object-group Parlay_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
static (inside,outside) oracle_db-ext oracle_db_int netmask 255.255.255.255
static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) appserver-ext appserver_int netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.14.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 inside
http Parlay_Network 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:69611d70bb92ee251609bdd9ac744ec9
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20017427
>access-group inside_access_in in interface inside
Start by removing the acl from the inside interface. Later we can lock down outbound traffic is you desire.
  no access-group inside_access_in in interface inside

Also, try adding this:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect http

Check the default gateway on all servers. Make sure it points to the inside interface of this ASA..
What are these servers using for DNS? An external DNS server?
0
 

Author Comment

by:parlay_user
ID: 20017656
ok, really sorry about the last post.  actually was a problem with my own firewall going out.  I'm basically good to go now except some internal stuff which I will have to figure out.
I do have a question about port forwarding however.  Is it possible to make a rule that states, anything coming in on port 80 hitting appserver-ext, be forwarded to port 2156 on webserver_int ?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20018026
Only if you use port xlates. Example:

no static (inside,outside) webserver-ext webserver_int netmask 255.255.255.255
static (inside,outside) tcp webserver-ext 80 webserver_int 2156 netmask 255.255.255.255
0
 

Author Comment

by:parlay_user
ID: 20018869
so would that be the exact cmd I use?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20019395
Yes, copy and paste even if you want
0
 

Author Comment

by:parlay_user
ID: 20023066
Thanks, that helped.

For some reson, each server cannot hit each other from there external ip?  so if I try and telnet to each other on the ext ip on 80 it doesnt work?
0
 

Author Comment

by:parlay_user
ID: 20023226
Here is 1 of the error msg's:

6      Oct 05 2007      12:33:45      302014      appserver-ext      oracle_db_int       Teardown TCP connection 3014 for outside:appserver-ext/80 to inside:oracle_db_int/51541 duration 0:00:30 bytes 0 SYN Timeout
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20023362
No way. You cannot ever get to the external IP from another internal host.
0
 

Author Comment

by:parlay_user
ID: 20023682
Ok understood, but I should be able to get from External to Internal correct?  Here is the sequence of problems I'm having.  I'm trying to hit an app for my network which succeeds
6      Oct 05 2007      13:06:40      302013      Parlay_Network      appserver_int       Built inbound TCP connection 3151 for outside:Parlay_Network/33111 (Parlay_Network/33111) to inside:appserver_int/80 (appserver-ext/80)

Then when I try to login it timesout

6      Oct 05 2007      13:06:44      302013      appserver-ext      appserver_int       Built outbound TCP connection 3152 for outside:appserver-ext/80 (appserver-ext/80) to inside:appserver_int/47961 (appserver-ext/47961)

6      Oct 05 2007      13:07:14      302014      appserver-ext      appserver_int       Teardown TCP connection 3152 for outside:appserver-ext/80 to inside:appserver_int/47961 duration 0:00:30 bytes 0 SYN Timeout
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20024145
>302013      appserver-ext    =>  appserver_int       Built outbound TCP connection
From itself, to itself? This will definately break down.
0
 

Author Comment

by:parlay_user
ID: 20024420
Normally I would say yes but all this worked fine with my other Firewall Astaro 120.  And I was able to connect from server to server using external ip's.  I need this to work.

With the old firewall i could run a wget server ext ip and get
Connecting to server ext ip... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8132 (7.9K) [text/html]
Saving to: `index.html.1'

100%[=======================================>] 8,132       --.-K/s   in 0s

14:28:28 (447 MB/s) - `index.html.1' saved [8132/8132]
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20024970
The Astaro firewall did not run the Adaptive Security Algorithm that the ASA uses in place of basic stateful inspection.
You can try this, but I can't guarantee it will work: add these entries back in that we took out earlier:

static (outside,inside) appserver_int appserver-ext netmask 255.255.255.255

0
 

Author Comment

by:parlay_user
ID: 20025016
Now I just get:
3 Oct 05 200715:49:05 305005 appserver-ext No translation group found for tcp src inside:appserver_int/33095 dst outside:appserver-ext/80

Anything else I could try?  I would think there must be away to do this?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 20025696
I don't know what to tell you. The ASA is not meant to do what you are trying to do and this is a design "feature" of the firewall.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Let’s face it: one of the reasons your organization chose a SaaS solution (whether Microsoft Dynamics 365, Netsuite or SAP) is that it is subscription-based. The upkeep is done. Or so you think.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month13 days, 22 hours left to enroll

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question