Solved

ASA 5505 Configuration

Posted on 2007-11-28
5,765 Views
Last Modified: 2008-03-03
I recently purchased a Cisco ASA 5505 (Version 7.2(2)) to replace our current Xserve firewall solution.  I need some help to configure this thing.  I need 2 VLANs, one for outside, one for inside.  209.2.2.11-26 is my IP block and here is the current setup:
Internal IP block is 192.168.150.0/24.  The Exchange machine is connected to 209.2.2.21 and forwards to 192.168.150.103 (externally accessible at mail.domain.com, entourage.domain.com, exchange.domain.com).  The internal users go out via 209.2.2.11.
What I need is for users to be able to come in via VPN as well as access OWA from anywhere.  Users also need to access HTTP, HTTPS, SMTP.  Currently our VPN solution is to use the Xserve to host the VPN connections and logins, and I would like to use the ASA 5505 to do the same thing (create user accounts for VPN login), if possible.  I also see an email proxy setting on this device and was wondering if I could use that to allow users to retrieve email in Outlook from the Internet?  I have tried RPC over HTTP but we have some issues that cannot be fixed right now.  Please let me know if more information is needed.

Regards,

B
Question by:hyogurt
6 Comments
 

Expert Comment

by:batry_boy
The 2 VLANs you need should be preconfigured from the factory (VLAN 1 for inside, VLAN 2 for outside).

You should try out the VPN Wizard for creating remote access VPN connections to the ASA.  Here is a link to the ASDM User Guide with a reference to the VPN Wizard:

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/vpn_wiz.html

It will ask you a series of questions.  Just answer them and it will construct the CLI configuration for you and send it to the ASA.  It will also give you a chance to create local user accounts for VPN access.

I have not tried the e-mail proxy feature so I can't comment on that as to whether it will work for your situation.

Once you have the VPN access working, add the following commands to allow http, https and smtp inbound to your Exchange server:

static (inside,outside) 209.2.2.21 192.168.150.103 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 209.2.2.21 eq www
access-list outside_access_in permit tcp any host 209.2.2.21 eq https
access-list outside_access_in permit tcp any host 209.2.2.21 eq smtp
access-group outside_access_in in interface outside

Now, having said that, for security reasons I don't think it's a good idea to allow inbound http to your exchange server from the Internet.  SMTP, of course, is necessary, and https is encrypted so that's better than allowing regular http.  However, the most secure method is to not open up either http or https from the outside inbound and just require your remote users to always establish a VPN session first.  Then they can access OWA across the VPN session.  Just a suggestion...
Author Comment

by:hyogurt
I could not figure out how to get the VPN working on the ASA 5505 so I just used one of my servers as a RAS server with domain authentication.  I was just wondering how I can apply multiple access lists to the same interface? i.e. my outside interface.  I have a block of IPs that I can use and only one port is being plugged in to the modem so I'm currently port overloading for the multiple IPs.  If you look below you will see the 2 different ACLs that I need applied (the only thing I can think of is to group all of the ports into one ACL).  One thing that I noticed is that once I do static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255, I cannot do any NAT translation such as forwarding an outside port (e.g. 9387) to an internal IP on port 3389 for RDP.  Here is my current config:
!
hostname mydomain
domain-name myDOMAIN.COM
enable password uWQ9pwGxi2cxI/2z encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.2.2.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name myDOMAIN.COM
access-list vpn extended permit gre any host 209.2.2.12
access-list vpn extended permit tcp any host 209.2.2.12 eq pptp
access-list vpn extended permit udp any host 209.2.2.12 eq 1701
access-list vpn extended permit udp any host 209.2.2.12 eq isakmp
access-list vpn extended permit udp any host 209.2.2.12 eq 1723
access-list vpn extended permit tcp any host 209.2.2.12 eq 3389
access-list mailserver extended permit tcp any host 209.2.2.10 eq https
access-list mailserver extended permit tcp any host 209.2.2.10 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 209.2.2.12-209.2.2.15 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.150.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.2.2.12 192.168.150.2 netmask 255.255.255.255
static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
access-group vpn in interface outside
route outside 0.0.0.0 0.0.0.0 209.2.2.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.150.0 255.255.255.0 inside
http authentication-certificate inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 198.235.216.130
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address 192.168.150.2-192.168.150.254 inside
dhcpd dns 198.235.216.130 interface inside
dhcpd enable inside
!
dhcpd dns 192.168.1.100 198.235.216.130 interface outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1df93c6f53470599790dfd673a39c63a
: end

Expert Comment

by:batry_boy
>>I was just wondering how I can apply multiple access lists to the same interface?

You can't apply multiple access lists to the same interface in the same direction.  You can apply two different access lists to the same interface as long as they're in different directions.  For example,

access-group vpn in interface outside
access-group vpn out interface outside

You could do that, but that wouldn't be a very logical thing to do.

For your situation, you need to incorporate the two access lists into a single access list.  For example,

access-list outside_access_in extended permit gre any host 209.2.2.12
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq pptp
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 1701
access-list outside_access_in extended permit udp any host 209.2.2.12 eq isakmp
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 1723
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq 3389
access-list outside_access_in extended permit tcp any host 209.2.2.10 eq https
access-list outside_access_in extended permit tcp any host 209.2.2.10 eq smtp
access-group outside_access_in in interface outside

However, I notice that you're trying to use the ASA outside interface IP itself for your mail server translation.  I wouldn't do this.  You can do the port forward thing like you were talking about, however, using that IP address.  Here's how:

no static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.150.103 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.150.103 https netmask 255.255.255.255

That will allow port forwarding for HTTPS and SMTP traffic from the outside interface IP address to the inside IP address 192.168.150.103.

I would then change the last two access list statements to look like the following:

access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp

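The two points made in the replies above (an access-list that is defined but never bound with access-group does nothing, and a one-to-one static on the outside interface's own address gets in the way of port forwarding) are easy to miss when reading a long running config by eye. The checker below is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the posted configuration (constructed here, with only the command forms that appear in the thread) and reports both problems, then runs again over a version rewritten the way the reply recommends and reports nothing. The finding codes, the `parse` and `audit` functions and the `FIXED_CONFIG` text are all assumptions of this example.

```python
"""Audit an ASA 7.x-style config for two pitfalls from the thread: an access-list
defined but never bound with access-group, and a static NAT that claims the
firewall's own outside interface IP.  Added example with a small hand-written
parser; not Cisco tooling."""
import re
from collections import defaultdict

# Constructed sample adapted from the poster's running config, trimmed to the
# lines the checks look at.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 209.2.2.10 255.255.255.0
!
access-list vpn extended permit tcp any host 209.2.2.12 eq pptp
access-list mailserver extended permit tcp any host 209.2.2.10 eq https
access-list mailserver extended permit tcp any host 209.2.2.10 eq smtp
global (outside) 1 interface
nat (inside) 1 192.168.150.0 255.255.255.0
static (inside,outside) 209.2.2.12 192.168.150.2 netmask 255.255.255.255
static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
access-group vpn in interface outside
"""

# The same policy as the reply recommends: one merged list bound inbound on
# outside, and per-port statics on the interface address (constructed).
FIXED_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 209.2.2.10 255.255.255.0
!
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq pptp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) 209.2.2.12 192.168.150.2 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.150.103 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.150.103 https netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) ({IPV4}) ({IPV4})")  # one-to-one statics only
IFACE_RE = re.compile(r"^interface \S+")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IPADDR_RE = re.compile(rf"^\s+ip address ({IPV4}) ")


def parse(text):
    """Collect ACL names, access-group bindings, one-to-one statics and interface IPs."""
    acls, groups, statics, iface_ips = defaultdict(int), [], [], {}
    cur_name = cur_ip = None  # state while inside an "interface" block
    for line in text.splitlines():
        if IFACE_RE.match(line):
            cur_name = cur_ip = None
        elif line.startswith(" "):  # sub-command of the open interface block
            m = NAMEIF_RE.match(line)
            cur_name = m.group(1) if m else cur_name
            m = IPADDR_RE.match(line)
            cur_ip = m.group(1) if m else cur_ip
            if cur_name and cur_ip:
                iface_ips[cur_name] = cur_ip
        elif ACL_RE.match(line):
            acls[ACL_RE.match(line).group(1)] += 1  # count ACEs per list
        elif GROUP_RE.match(line):
            groups.append(GROUP_RE.match(line).groups())
        elif STATIC_RE.match(line):
            statics.append(STATIC_RE.match(line).groups())
    return {"acls": dict(acls), "groups": groups, "statics": statics, "iface_ips": iface_ips}


def audit(text):
    """Return a list of (finding_code, detail) tuples; an empty list means clean."""
    cfg = parse(text)
    findings = []
    bound = {acl for acl, _, _ in cfg["groups"]}
    for name in cfg["acls"]:
        if name not in bound:  # rules exist but filter nothing
            findings.append(("UNBOUND_ACL", name))
    seen = {}
    for acl, direction, iface in cfg["groups"]:
        key = (iface, direction)
        if key in seen and seen[key] != acl:  # only one list per interface and direction
            findings.append(("SECOND_ACL_SAME_DIRECTION", f"{iface}/{direction}"))
        seen[key] = acl
    for _, mapped_if, mapped_ip, _ in cfg["statics"]:
        if cfg["iface_ips"].get(mapped_if) == mapped_ip:  # static claims the interface IP
            findings.append(("STATIC_ON_INTERFACE_IP", mapped_ip))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("as recommended", FIXED_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

The port-forward form `static (inside,outside) tcp interface smtp ...` deliberately does not match `STATIC_RE`, so the rewritten config produces no finding: forwarding single ports on the interface address is exactly what the reply suggests in place of the one-to-one static.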
Author Comment

by:hyogurt
Excellent, thanks.  How do I use the ASA 5505 as a DNS server? Like... I give it the IPs it needs for DNS resolution and anyone who grabs a DHCP lease will get 192.168.150.1 as the DNS server and it will do all the name resolutions.  Currently I'm passing my ISP's DNS server to the clients but I would rather not do that.  I want it to act similar to the cheapy Linksys routers where it does the resolution transparently.
Accepted Solution

by:batry_boy (earned 500 total points)
>>How do I use the ASA 5505 as a DNS server?

The ASA cannot itself be a DNS server.  The ASA can pass on the value that it itself obtains from the outside interface if you have it configured for DHCP or PPPoE, but you are not doing this since you have a static public IP address on your outside interface.

Unless you have an internal DNS server you can configure in the ASA's DHCP properties to pass on to the clients, I think you're already doing it the best way by passing on the ISP's DNS server IP address.
Author Comment

by:hyogurt
Thanks.  Currently this PIX box is in testing and is only usable by a few servers before introducing it to the main network.  Once I plug it in, there are 2 DNS servers internally so they will be assigned via DHCP to the clients.  Thanks for all the help, I just need to figure out how to properly get the ASA 5505 to handle VPN without the Cisco VPN client.