Solved

ASA 5505 Configuration

Posted on 2007-11-28
Last Modified: 2008-03-03
I recently purchased a Cisco ASA 5505 (Version 7.2(2)) to replace our current Xserve firewall solution. I need some help to configure this thing. I need 2 VLANs, one for outside, one for inside. 209.2.2.11-26 is my IP block and here is the current setup:
Internal IP block is 192.168.150.0/24. The Exchange machine is connected to 209.2.2.21 and forwards to 192.168.150.103 (externally accessible at mail.domain.com, entourage.domain.com, exchange.domain.com). The internal users go out via 209.2.2.11.
What I need is for users to be able to come in via VPN as well as access OWA from anywhere. Users also need to access HTTP, HTTPS, SMTP. Currently our VPN solution is to use the Xserve to host the VPN connections and logins, and I would like to use the ASA 5505 to do the same thing (create user accounts for VPN login), if possible. I also see an email proxy setting on this device and was wondering if I could use that to allow users to retrieve email in Outlook from the Internet? I have tried RPC over HTTP but we have some issues that cannot be fixed right now. Please let me know if more information is needed.

Regards,

B
Question by: hyogurt
6 Comments
 
LVL 28

Expert Comment

by: batry_boy
ID: 20369436
The 2 VLANs you need should be preconfigured from the factory (VLAN 1 for inside, VLAN 2 for outside).

You should try out the VPN Wizard for creating remote access VPN connections to the ASA.  Here is a link to the ASDM User Guide with a reference to the VPN Wizard:

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/vpn_wiz.html

It will ask you a series of questions.  Just answer them and it will construct the CLI configuration for you and send it to the ASA.  It will also give you a chance to create local user accounts for VPN access.

I have not tried the e-mail proxy feature so I can't comment on that as to whether it will work for your situation.

Once you have the VPN access working, add the following commands to allow http, https and smtp inbound to your Exchange server:

static (inside,outside) 209.2.2.21 192.168.150.103 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 209.2.2.21 eq www
access-list outside_access_in permit tcp any host 209.2.2.21 eq https
access-list outside_access_in permit tcp any host 209.2.2.21 eq smtp
access-group outside_access_in in interface outside

Now, having said that, for security reasons I don't think it's a good idea to allow inbound http to your exchange server from the Internet.  SMTP, of course, is necessary, and https is encrypted so that's better than allowing regular http.  However, the most secure method is to not open up either http or https from the outside inbound and just require your remote users to always establish a VPN session first.  Then they can access OWA across the VPN session.  Just a suggestion...

Author Comment

by: hyogurt
ID: 20404139
I could not figure out how to get the VPN working on the ASA 5505 so I just used one of my servers as a RAS server with domain authentication. I was just wondering how I can apply multiple access lists to the same interface, i.e. my outside interface? I have a block of IPs that I can use and only one port is being plugged in to the modem so I'm currently port overloading for the multiple IPs. If you look below you will see the 2 different ACLs that I need applied (only thing I can think of is to group all of the ports into one ACL). One thing that I noticed is that once I do static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255, I cannot do any NAT translation such as forwarding an outside port (e.g. 9387) to an internal IP on port 3389 for RDP. Here is my current config:
!
hostname mydomain
domain-name myDOMAIN.COM
enable password uWQ9pwGxi2cxI/2z encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.2.2.10 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name myDOMAIN.COM
access-list vpn extended permit gre any host 209.2.2.12
access-list vpn extended permit tcp any host 209.2.2.12 eq pptp
access-list vpn extended permit udp any host 209.2.2.12 eq 1701
access-list vpn extended permit udp any host 209.2.2.12 eq isakmp
access-list vpn extended permit udp any host 209.2.2.12 eq 1723
access-list vpn extended permit tcp any host 209.2.2.12 eq 3389
access-list mailserver extended permit tcp any host 209.2.2.10 eq https
access-list mailserver extended permit tcp any host 209.2.2.10 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 209.2.2.12-209.2.2.15 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.150.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.2.2.12 192.168.150.2 netmask 255.255.255.255
static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
access-group vpn in interface outside
route outside 0.0.0.0 0.0.0.0 209.2.2.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.150.0 255.255.255.0 inside
http authentication-certificate inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 198.235.216.130
dhcpd auto_config outside
dhcpd update dns
!
dhcpd address 192.168.150.2-192.168.150.254 inside
dhcpd dns 198.235.216.130 interface inside
dhcpd enable inside
!
dhcpd dns 192.168.1.100 198.235.216.130 interface outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1df93c6f53470599790dfd673a39c63a
: end
LVL 28

Expert Comment

by: batry_boy
ID: 20404259
>>I was just wondering how I can apply multiple access lists to the same interface?

You can't apply multiple access lists to the same interface in the same direction.  You can apply two different access lists to the same interface as long as they're in different directions.  For example,

access-group vpn in interface outside
access-group vpn out interface outside

You could do that, but that wouldn't be a very logical thing to do.

For your situation, you need to incorporate the two access lists into a single access list.  For example,

access-list outside_access_in extended permit gre any host 209.2.2.12
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq pptp
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 1701
access-list outside_access_in extended permit udp any host 209.2.2.12 eq isakmp
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 1723
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq 3389
access-list outside_access_in extended permit tcp any host 209.2.2.10 eq https
access-list outside_access_in extended permit tcp any host 209.2.2.10 eq smtp
access-group outside_access_in in interface outside

However, I notice that you're trying to use the ASA outside interface IP itself for your mail server translation.  I wouldn't do this.  You can do the port forward thing like you were talking about, however, using that IP address.  Here's how:

no static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.150.103 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.150.103 https netmask 255.255.255.255

That will allow port forwarding for HTTPS and SMTP traffic from the outside interface IP address to the inside IP address 192.168.150.103.

I would then change the last two access list statements to look like the following:

access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq smtp

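Putting the advice in this comment together, here is the outside-interface NAT and ACL section of the posted config rebuilt along those lines. This is an added example written for this page, not batry_boy's or hyogurt's text. Addresses, names and ports are the ones from the thread; the RDP host 192.168.150.50, the outside port 9387 it is reached on (the port hyogurt mentioned) and the administrator source address 203.0.113.7 are assumptions for illustration. It also goes a little beyond the comment: it trims the outbound PAT pool so it no longer contains the default gateway 209.2.2.13 or the statically mapped 209.2.2.12, drops the udp/1723 entry (PPTP uses tcp/1723 plus GRE, not UDP), and adds the ESP and udp/4500 entries an L2TP/IPsec server behind the ASA needs.

```cisco
! Added example for this page (not the thread's own text): NAT and inbound ACL
! on the outside interface, rebuilt as batry_boy describes.
! Assumptions for illustration: RDP host 192.168.150.50 reached on outside
! port 9387, and 203.0.113.7 as the only address allowed to reach RDP.
!
! --- 1. Port forwards on the interface address (static PAT) ---------------
! A one-to-one static on 209.2.2.10 owns every port of the interface IP, which
! is why no other forward to that address could be added. Replace it with one
! static per service so the remaining ports stay free.
no static (inside,outside) 209.2.2.10 192.168.150.103 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.150.103 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.150.103 https netmask 255.255.255.255
! Outside tcp/9387 -> inside tcp/3389 (assumed host)
static (inside,outside) tcp interface 9387 192.168.150.50 3389 netmask 255.255.255.255
!
! --- 2. The RAS/VPN server keeps its own public address -------------------
static (inside,outside) 209.2.2.12 192.168.150.2 netmask 255.255.255.255
!
! --- 3. Outbound PAT pool -------------------------------------------------
! 209.2.2.12 is already taken by the static above and 209.2.2.13 is the
! default gateway (route outside 0.0.0.0 0.0.0.0 209.2.2.13), so neither can
! be handed out as a translated source address. The two nat (inside) 1 lines
! overlap; the 0.0.0.0 one already covers the whole inside network.
no global (outside) 1 209.2.2.12-209.2.2.15 netmask 255.255.255.0
global (outside) 1 209.2.2.14-209.2.2.15 netmask 255.255.255.0
global (outside) 1 interface
no nat (inside) 1 192.168.150.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
!
! --- 4. A single inbound ACL for the outside interface -------------------
! Only one access-list can be bound per interface and direction, so the
! former "vpn" and "mailserver" lists become one list. Anything not matched
! here is dropped by the implicit deny at the end of the list.
!
! PPTP: control channel tcp/1723 plus GRE (protocol 47). There is no udp/1723.
access-list outside_access_in extended permit tcp any host 209.2.2.12 eq pptp
access-list outside_access_in extended permit gre any host 209.2.2.12
! L2TP/IPsec: IKE, NAT-T and ESP. udp/1701 is only seen in the clear when
! L2TP runs without IPsec; it is kept because the posted ACL had it.
access-list outside_access_in extended permit udp any host 209.2.2.12 eq isakmp
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 4500
access-list outside_access_in extended permit esp any host 209.2.2.12
access-list outside_access_in extended permit udp any host 209.2.2.12 eq 1701
! RDP to the RAS server: limit to a known administrator address (assumed)
! instead of any, or drop this line and reach the box over the VPN.
access-list outside_access_in extended permit tcp host 203.0.113.7 host 209.2.2.12 eq 3389
! Exchange on the interface address: only SMTP and HTTPS, as recommended.
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
! The non-standard RDP port forwarded above (assumed host), same source limit
access-list outside_access_in extended permit tcp host 203.0.113.7 interface outside eq 9387
!
! Bind it inbound on outside (this replaces the existing "vpn" binding),
! then remove the two old lists.
access-group outside_access_in in interface outside
clear configure access-list vpn
clear configure access-list mailserver
```

Issue the access-group line before clearing the old lists so the interface is never left without its inbound ACL. Two things to watch afterwards: if ASDM or WebVPN is ever enabled on the outside interface it will claim tcp/443 on the interface address and collide with the HTTPS static PAT, so move ASDM to another port (http server enable 8443) in that case; and 192.168.150.2 sits inside the dhcpd address range handed out on inside, so make sure the RAS server really has a fixed address or shrink the pool.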

Author Comment

by: hyogurt
ID: 20405996
Excellent, thanks. How do I use the ASA 5505 as a DNS server? Like... I give it the IPs it needs for DNS resolution and anyone who grabs a DHCP lease will get 192.168.150.1 as the DNS server and it will do all the name resolutions. Currently I'm passing my ISP's DNS server to the clients but I would rather not do that. I want it to act similar to the cheapy Linksys routers where it does the resolution transparently.
LVL 28

Accepted Solution

by: batry_boy (earned 500 total points)
ID: 20406101
>>How do I use the ASA 5505 asa DNS server?

The ASA cannot itself be a DNS server.  The ASA can pass on the value that it itself obtains from the outside interface if you have it configured for DHCP or PPPoE, but you are not doing this since you have a static public IP address on your outside interface.

Unless you have an internal DNS server you can configure in the ASA's DHCP properties to pass on to the clients, I think you're already doing it the best way by passing on the ISP's DNS server IP address.

Author Comment

by: hyogurt
ID: 20406869
Thanks. Currently this PIX box is in testing and is only usable by a few servers before introducing it to the main network. Once I plug it in, there are 2 DNS servers internally so they will be assigned via DHCP to the clients. Thanks for all the help, I just need to figure out how to properly get the ASA 5505 to handle VPN without the Cisco VPN client.