ksbrett
asked on
ASA 5505 initial configuration
I am replacing an existing PIX 501 with an ASA 5505. I have configured the ASA 5505 to the best of my knowledge but I cannot connect to the internet . The PIX works fine so the problem is not hardware or wiring. I'm not sure what I am missing. I am only using 2 interfaces. Please Help.
ASA Version 7.2(3)
!
hostname quailsgate
domain-name quailsgate.com
enable password .hkyoydsUIKDLYjd encrypted
names
name 192.168.0.7 citrix
name 192.168.0.6 win-dns
name 192.168.0.5 nov-dns
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.71.224.123 255.255.252.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd .hkyoydsUIKDLYjd encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name quailsgate.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list qyyvpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.128
access-list out-in extended permit tcp any interface outside eq citrix-ica
access-list out-in extended permit tcp any interface outside eq 1677
access-list out-in extended permit tcp any interface outside eq 6504
access-list out-in extended permit tcp any interface outside eq 6505
access-list out-in extended permit tcp any interface outside eq ftp
access-list out-in extended permit tcp any interface outside eq 4500
access-list out-in extended permit tcp any interface outside eq 500
access-list out-in extended permit tcp any interface outside eq 52080
access-list out-in extended permit tcp any interface outside eq 47493
access-list out-in extended permit tcp any interface outside eq 47513
access-list out-in extended permit tcp any interface outside eq 52443
access-list out-in extended permit tcp any interface outside eq 51443
access-list out-in extended permit tcp any interface outside eq 51080
access-list out-in extended permit tcp any interface outside eq https
access-list out-in extended permit tcp any interface outside eq ldaps
access-list out-in extended permit tcp any interface outside eq 7205
access-list out-in extended permit tcp any interface outside eq 631
access-list out-in extended permit tcp any interface outside eq 2620
access-list out-in extended permit tcp any interface outside eq pop3
access-list out-in extended permit tcp any interface outside eq 47808
access-list out-in extended permit udp any interface outside eq 47808
access-list out-in extended permit tcp any interface outside eq 3389
access-list out-in extended permit tcp any interface outside eq ldap
access-list out-in extended permit tcp any interface outside eq www
access-list out-in extended permit tcp any interface outside eq 2368
access-list out-in extended permit tcp any interface outside eq 6320
access-list out-in extended permit tcp any interface outside eq 6323
access-list out-in extended permit tcp any interface outside eq 61031
access-list out-in extended permit tcp host 12.129.20.19 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.199.61 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.155 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.156 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.157 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.158 interface outside eq smtp
access-list out-in extended permit tcp host 62.209.45.166 interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.19 interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.10 interface outside eq smtp
access-list out-in extended permit tcp host 206.16.57.70 interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.74 interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.10 interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.10 interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.74 interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.10 interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.10 interface outside eq smtp
access-list out-in extended permit tcp host 216.200.206.10 interface outside eq smtp
access-list out-in extended permit tcp host 216.117.146.230 interface outside eq smtp
access-list out-in extended permit tcp any interface outside eq 41794
access-list out-in extended permit tcp any interface outside eq 41795
access-list out-in extended permit tcp any interface outside eq 41792
access-list out-in extended permit tcp any interface outside eq 41793
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool qyvpool 192.168.20.1-192.168.20.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 47808 192.168.0.30 47808 netmask 255.255.255.255
static (inside,outside) udp interface 47808 192.168.0.30 47808 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica citrix citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 3389 citrix 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp nov-dns smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 nov-dns pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 nov-dns 1677 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps nov-dns ldaps netmask 255.255.255.255
static (inside,outside) tcp interface https nov-dns https netmask 255.255.255.255
static (inside,outside) tcp interface www nov-dns www netmask 255.255.255.255
static (inside,outside) tcp interface ldap nov-dns ldap netmask 255.255.255.255
static (inside,outside) tcp interface 631 nov-dns 631 netmask 255.255.255.255
static (inside,outside) tcp interface 6320 192.168.0.80 6320 netmask 255.255.255.255
static (inside,outside) tcp interface 2368 192.168.0.80 2368 netmask 255.255.255.255
static (inside,outside) tcp interface 6323 192.168.0.80 6323 netmask 255.255.255.255
static (inside,outside) tcp interface 61031 192.168.0.80 61031 netmask 255.255.255.255
static (inside,outside) tcp interface 41794 192.168.0.70 41794 netmask 255.255.255.255
static (inside,outside) tcp interface 41792 192.168.0.70 41792 netmask 255.255.255.255
static (inside,outside) tcp interface 41793 192.168.0.70 41793 netmask 255.255.255.255
static (inside,outside) tcp interface 41795 192.168.0.70 41795 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 24.71.224.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 64.59.168.13 64.59.168.15
dhcpd update dns
!
dhcpd address 192.168.0.100-192.168.0.15
dhcpd update dns interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy qyyvpn internal
group-policy qyyvpn attributes
dns-server value 192.168.0.6 192.168.0.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value qyyvpn_splitTunnelAcl
default-domain value quailsgate.com
username Brian password 9KJNgOtRfmePUHpn encrypted privilege 15
username Brian attributes
vpn-group-policy qyyvpn
username brian password 1D4bQqBicrlmu8ov encrypted privilege 15
username brian attributes
vpn-group-policy qyyvpn
username scott password z78JDdv9bP1muE/v encrypted privilege 15
username scott attributes
vpn-group-policy qyyvpn
username kimco password w8CBFP7sYPe6XNUG encrypted privilege 15
username kimco attributes
vpn-group-policy qyyvpn
username ksbrett password dVc8gF9zGhM84iDc encrypted privilege 15
username ksbrett attributes
vpn-group-policy qyyvpn
tunnel-group qyyvpn type ipsec-ra
tunnel-group qyyvpn general-attributes
address-pool qyvpool
default-group-policy qyyvpn
tunnel-group qyyvpn ipsec-attributes
pre-shared-key *
prompt context hostname
Cryptochecksum:8959525a9fb
: end
ASA Version 7.2(3)
!
hostname quailsgate
domain-name quailsgate.com
enable password .hkyoydsUIKDLYjd encrypted
names
name 192.168.0.7 citrix
name 192.168.0.6 win-dns
name 192.168.0.5 nov-dns
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.71.224.123 255.255.252.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd .hkyoydsUIKDLYjd encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name quailsgate.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list qyyvpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.20.0 255.255.255.128
access-list out-in extended permit tcp any interface outside eq citrix-ica
access-list out-in extended permit tcp any interface outside eq 1677
access-list out-in extended permit tcp any interface outside eq 6504
access-list out-in extended permit tcp any interface outside eq 6505
access-list out-in extended permit tcp any interface outside eq ftp
access-list out-in extended permit tcp any interface outside eq 4500
access-list out-in extended permit tcp any interface outside eq 500
access-list out-in extended permit tcp any interface outside eq 52080
access-list out-in extended permit tcp any interface outside eq 47493
access-list out-in extended permit tcp any interface outside eq 47513
access-list out-in extended permit tcp any interface outside eq 52443
access-list out-in extended permit tcp any interface outside eq 51443
access-list out-in extended permit tcp any interface outside eq 51080
access-list out-in extended permit tcp any interface outside eq https
access-list out-in extended permit tcp any interface outside eq ldaps
access-list out-in extended permit tcp any interface outside eq 7205
access-list out-in extended permit tcp any interface outside eq 631
access-list out-in extended permit tcp any interface outside eq 2620
access-list out-in extended permit tcp any interface outside eq pop3
access-list out-in extended permit tcp any interface outside eq 47808
access-list out-in extended permit udp any interface outside eq 47808
access-list out-in extended permit tcp any interface outside eq 3389
access-list out-in extended permit tcp any interface outside eq ldap
access-list out-in extended permit tcp any interface outside eq www
access-list out-in extended permit tcp any interface outside eq 2368
access-list out-in extended permit tcp any interface outside eq 6320
access-list out-in extended permit tcp any interface outside eq 6323
access-list out-in extended permit tcp any interface outside eq 61031
access-list out-in extended permit tcp host 12.129.20.19 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.199.61 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.155 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.156 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.157 interface outside eq smtp
access-list out-in extended permit tcp host 12.129.219.158 interface outside eq smtp
access-list out-in extended permit tcp host 62.209.45.166 interface outside eq smtp
access-list out-in extended permit tcp host 63.241.222.19 interface outside eq smtp
access-list out-in extended permit tcp host 65.55.251.10 interface outside eq smtp
access-list out-in extended permit tcp host 206.16.57.70 interface outside eq smtp
access-list out-in extended permit tcp host 207.46.51.74 interface outside eq smtp
access-list out-in extended permit tcp host 207.46.163.10 interface outside eq smtp
access-list out-in extended permit tcp host 213.199.154.10 interface outside eq smtp
access-list out-in extended permit tcp host 213.244.175.74 interface outside eq smtp
access-list out-in extended permit tcp host 216.32.180.10 interface outside eq smtp
access-list out-in extended permit tcp host 216.32.181.10 interface outside eq smtp
access-list out-in extended permit tcp host 216.200.206.10 interface outside eq smtp
access-list out-in extended permit tcp host 216.117.146.230 interface outside eq smtp
access-list out-in extended permit tcp any interface outside eq 41794
access-list out-in extended permit tcp any interface outside eq 41795
access-list out-in extended permit tcp any interface outside eq 41792
access-list out-in extended permit tcp any interface outside eq 41793
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool qyvpool 192.168.20.1-192.168.20.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 47808 192.168.0.30 47808 netmask 255.255.255.255
static (inside,outside) udp interface 47808 192.168.0.30 47808 netmask 255.255.255.255
static (inside,outside) tcp interface citrix-ica citrix citrix-ica netmask 255.255.255.255
static (inside,outside) tcp interface 3389 citrix 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp nov-dns smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 nov-dns pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 1677 nov-dns 1677 netmask 255.255.255.255
static (inside,outside) tcp interface ldaps nov-dns ldaps netmask 255.255.255.255
static (inside,outside) tcp interface https nov-dns https netmask 255.255.255.255
static (inside,outside) tcp interface www nov-dns www netmask 255.255.255.255
static (inside,outside) tcp interface ldap nov-dns ldap netmask 255.255.255.255
static (inside,outside) tcp interface 631 nov-dns 631 netmask 255.255.255.255
static (inside,outside) tcp interface 6320 192.168.0.80 6320 netmask 255.255.255.255
static (inside,outside) tcp interface 2368 192.168.0.80 2368 netmask 255.255.255.255
static (inside,outside) tcp interface 6323 192.168.0.80 6323 netmask 255.255.255.255
static (inside,outside) tcp interface 61031 192.168.0.80 61031 netmask 255.255.255.255
static (inside,outside) tcp interface 41794 192.168.0.70 41794 netmask 255.255.255.255
static (inside,outside) tcp interface 41792 192.168.0.70 41792 netmask 255.255.255.255
static (inside,outside) tcp interface 41793 192.168.0.70 41793 netmask 255.255.255.255
static (inside,outside) tcp interface 41795 192.168.0.70 41795 netmask 255.255.255.255
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 24.71.224.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 64.59.168.13 64.59.168.15
dhcpd update dns
!
dhcpd address 192.168.0.100-192.168.0.15
dhcpd update dns interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy qyyvpn internal
group-policy qyyvpn attributes
dns-server value 192.168.0.6 192.168.0.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value qyyvpn_splitTunnelAcl
default-domain value quailsgate.com
username Brian password 9KJNgOtRfmePUHpn encrypted privilege 15
username Brian attributes
vpn-group-policy qyyvpn
username brian password 1D4bQqBicrlmu8ov encrypted privilege 15
username brian attributes
vpn-group-policy qyyvpn
username scott password z78JDdv9bP1muE/v encrypted privilege 15
username scott attributes
vpn-group-policy qyyvpn
username kimco password w8CBFP7sYPe6XNUG encrypted privilege 15
username kimco attributes
vpn-group-policy qyyvpn
username ksbrett password dVc8gF9zGhM84iDc encrypted privilege 15
username ksbrett attributes
vpn-group-policy qyyvpn
tunnel-group qyyvpn type ipsec-ra
tunnel-group qyyvpn general-attributes
address-pool qyvpool
default-group-policy qyyvpn
tunnel-group qyyvpn ipsec-attributes
pre-shared-key *
prompt context hostname
Cryptochecksum:8959525a9fb
: end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.