hyogurt asked:

ASA 5505 Configuration
I recently purchased a Cisco ASA 5505 (Version 7.2(2)) to replace our current Xserve firewall solution.  I need some help to configure this thing.  I need 2 VLANs, one for outside, one for inside.  209.2.2.11-26 is my IP block and here is the current setup:
Internal IP block is 192.168.150.0/24.  The Exchange machine is connected to 209.2.2.21 and forwards to 192.168.150.103 (externally accessible at mail.domain.com, entourage.domain.com, exchange.domain.com).  The internal users go out via 209.2.2.11.
What I need is for users to be able to come in via VPN as well as access OWA from anywhere.  Users also need to access http, https, smtp.  Currently our VPN solution is to use the Xserve to host the VPN connections and logins, and I would like to use the ASA 5505 to do the same thing (create user accounts for VPN login), if possible.  I also see an email proxy setting on this device and was wondering if I could use that to allow users to retrieve email in Outlook from the Internet?  I have tried RPC over HTTP but we have some issues that cannot be fixed right now.  Please let me know if more information is needed.

Regards,

B
batry_boy

The 2 VLANs you need should be preconfigured from the factory (VLAN 1 for inside, VLAN 2 for outside).

You should try out the VPN Wizard for creating remote access VPN connections to the ASA.  Here is a link to the ASDM User Guide with a reference to the VPN Wizard:

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/vpn_wiz.html

It will ask you a series of questions.  Just answer them and it will construct the CLI configuration for you and send it to the ASA.  It will also give you a chance to create local user accounts for VPN access.

I have not tried the e-mail proxy feature so I can't comment on that as to whether it will work for your situation.

Once you have the VPN access working, add the following commands to allow http, https and smtp inbound to your Exchange server:

static (inside,outside) 209.2.2.21 192.168.150.103 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 209.2.2.21 eq www
access-list outside_access_in permit tcp any host 209.2.2.21 eq https
access-list outside_access_in permit tcp any host 209.2.2.21 eq smtp
access-group outside_access_in in interface outside

Now, having said that, for security reasons I don't think it's a good idea to allow inbound http to your exchange server from the Internet.  SMTP, of course, is necessary, and https is encrypted so that's better than allowing regular http.  However, the most secure method is to not open up either http or https from the outside inbound and just require your remote users to always establish a VPN session first.  Then they can access OWA across the VPN session.  Just a suggestion...
hyogurt (asker)

I could not figure out how to get the VPN working on the ASA 5505 so I just used one of my servers as a RAS server with domain authentication.  I was just wondering how I can apply multiple access lists to the same interface? i.e. my outside interface.  I have a block of IPs that I can use and only one port is being plugged in to the modem so I'm currently port overloading for the multiple IPs.  If you look below you will see the 2 different ACLs that I need applied (the only thing I can think of is to group all of the ports into one ACL).  One thing that I noticed is that once I do static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255, I cannot do any NAT translation such as forwarding an outside port (e.g. 9387) to an internal IP on port 3389 for RDP.  Here is my current config:
!
hostname mydomain
domain-name myDOMAIN.COM
enable password uWQ9pwGxi2cxI/2z encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.2.2.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name myDOMAIN.COM
access-list vpn extended permit gre any host 209.2.2.12
access-list vpn extended permit tcp any host 209.2.2.12 eq pptp
access-list vpn extended permit udp any host 209.2.2.12 eq 1701
access-list vpn extended permit udp any host 209.2.2.12 eq isakmp
access-list vpn extended permit udp any host 209.2.2.12 eq 1723
access-list vpn extended permit tcp any host 209.2.2.12 eq 3389
access-list mailserver extended permit tcp any host 209.2.2.10 eq https
access-list mailserver extended permit tcp any host 209.2.2.10 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 209.2.2.12-209.2.2.15 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.150.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.2.2.12 192.168.150.2 netmask 255.255.255.255
static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
access-group vpn in interface outside
route outside 0.0.0.0 0.0.0.0 209.2.2.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.150.0 255.255.255.0 inside
http authentication-certificate inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 198.235.216.130
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address 192.168.150.2-192.168.150.254 inside
dhcpd dns 198.235.216.130 interface inside
dhcpd enable inside
!
dhcpd dns 192.168.1.100 198.235.216.130 interface outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1df93c6f53470599790dfd673a39c63a
: end
batry_boy

>> I was just wondering how I can apply multiple access lists to the same interface?

You can't apply multiple access lists to the same interface in the same direction.  You can apply two different access lists to the same interface as long as they're in different directions.  For example,

access-group vpn in interface outside
access-group vpn out interface outside

You could do that, but that wouldn't be a very logical thing to do.

For your situation, you need to incorporate the two access lists into a single access list.  For example,

access-list outside_access_in extended permit gre any host 209.2.2.12
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq pptp
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 1701
access-list outside_access_in extended permit udp any host 209.2.2.12 eq isakmp
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 1723
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq 3389
access-list outside_access_in extended permit tcp any host 209.2.2.10 eq https
access-list outside_access_in extended permit tcp any host 209.2.2.10 eq smtp
access-group outside_access_in in interface outside

However, I notice that you're trying to use the ASA outside interface IP itself for your mail server translation.  I wouldn't do this.  You can do the port forward thing like you were talking about, however, using that IP address.  Here's how:

no static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.150.103 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.150.103 https netmask 255.255.255.255

That will allow port forwarding for HTTPS and SMTP traffic from the outside interface IP address to the inside IP address 192.168.150.103.

I would then change the last two access list statements to look like the following:

access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp
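As an added example (not code from this thread, and not a Cisco tool), here is a small Python checker that parses the relevant lines of an ASA 7.x configuration and flags the mistakes this reply points out: an access-list that is defined but never bound with access-group (its rules are silently inert), more than one access-group on the same interface and direction (only one ACL can be bound there), and a one-to-one static that maps the outside interface's own address instead of using per-port static PAT. It also emits the merged ACL and its binding. The sample configuration is constructed from the asker's posted lines; the function names parse_config, audit and merge_acls are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the interface, access-list, static and access-group lines
# from the asker's posted config (trimmed). The "mailserver" ACL is never bound,
# and the second static maps the outside interface's own address (209.2.2.10).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.2.2.10 255.255.255.0
!
access-list vpn extended permit gre any host 209.2.2.12
access-list vpn extended permit tcp any host 209.2.2.12 eq pptp
access-list mailserver extended permit tcp any host 209.2.2.10 eq https
access-list mailserver extended permit tcp any host 209.2.2.10 eq smtp
static (inside,outside) 209.2.2.12 192.168.150.2 netmask 255.255.255.255
static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
access-group vpn in interface outside
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(.+)$")


def parse_config(text):
    """Collect ACL rules, access-group bindings, statics and interface addresses."""
    acls = defaultdict(list)   # ACL name -> rule text following the name
    bindings = []              # (acl_name, direction, interface)
    statics = []               # (real_if, mapped_if, remaining tokens)
    if_ip = {}                 # nameif -> configured IP address
    cur = {}                   # fields of the interface block being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface ") or line == "!":
            if "nameif" in cur and "ip" in cur:
                if_ip[cur["nameif"]] = cur["ip"]
            cur = {}
            continue
        s = line.strip()
        if s.startswith("nameif "):
            cur["nameif"] = s.split()[1]
        elif s.startswith("ip address "):
            cur["ip"] = s.split()[2]
        elif (m := ACL_RE.match(s)):
            acls[m.group(1)].append(m.group(2))
        elif (m := GROUP_RE.match(s)):
            bindings.append((m.group(1), m.group(2), m.group(3)))
        elif (m := STATIC_RE.match(s)):
            statics.append((m.group(1), m.group(2), m.group(3).split()))
    if "nameif" in cur and "ip" in cur:
        if_ip[cur["nameif"]] = cur["ip"]
    return acls, bindings, statics, if_ip


def audit(text):
    """Return findings for the ACL-binding and static-mapping mistakes from the thread."""
    acls, bindings, statics, if_ip = parse_config(text)
    findings = []
    bound = {name for name, _, _ in bindings}
    for name in acls:
        if name not in bound:
            findings.append(f"ACL '{name}' is defined but never applied with access-group")
    seen = {}
    for name, direction, iface in bindings:
        if name not in acls:
            findings.append(f"access-group references undefined ACL '{name}'")
        key = (iface, direction)
        if key in seen and seen[key] != name:
            findings.append(f"{iface}/{direction}: '{name}' replaces '{seen[key]}'; "
                            "only one ACL per interface and direction, merge them")
        seen[key] = name
    for real_if, mapped_if, rest in statics:
        if rest[0] in ("tcp", "udp"):
            continue  # static PAT (per-port forward), not a whole-address mapping
        if rest[0] == if_ip.get(mapped_if):
            findings.append(f"static maps the {mapped_if} interface address {rest[0]} "
                            f"one-to-one to {rest[1]}; use per-port static PAT instead")
    return findings


def merge_acls(text, names, new_name, iface="outside", direction="in"):
    """Rewrite the rules of the given ACLs, in order, under one name and bind it."""
    acls, _, _, _ = parse_config(text)
    lines = [f"access-list {new_name} {rule}" for n in names for rule in acls[n]]
    lines.append(f"access-group {new_name} {direction} interface {iface}")
    return lines


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
    print("\n".join(merge_acls(SAMPLE_CONFIG, ["vpn", "mailserver"], "outside_access_in")))
```

Run it against a saved `show running-config`; on the sample it reports the unbound mailserver ACL and the interface-address static, then prints the combined outside_access_in ACL with its single access-group line.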

hyogurt (asker)

Excellent, thanks.  How do I use the ASA 5505 as a DNS server? Like... I give it the IPs it needs for DNS resolution and anyone who grabs a DHCP lease will get 192.168.150.1 as the DNS server and it will do all the name resolutions.  Currently I'm passing my ISP's DNS server to the clients but I would rather not do that.  I want it to act similar to the cheap Linksys routers where it does the resolution transparently.
batry_boy (asker-certified solution)

This solution is only available to Experts Exchange members.

hyogurt (asker)

Thanks.  Currently this PIX box is in testing and is only usable by a few servers before introducing it to the main network.  Once I plug it in, there are 2 DNS servers internally so they will be assigned via DHCP to the clients.  Thanks for all the help, I just need to figure out how to properly get the ASA 5505 to handle VPN without the Cisco VPN client.