• Status: Solved
  • Priority: Medium
  • Security: Public

Cisco ASA 5505 Configuration

Hello,

I just installed a Cisco ASA 5505 and we now cannot access the following URL from inside the private network:
https://74.92.127.249:444/default.aspx

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password te33L/h.Ec.i2D8/ encrypted
names
!
interface Vlan1
 nameif inside
 security-level 99
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.92.127.249 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd /0/HIjF2.wDfVoEk encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in remark HTTP
access-list outside_access_in extended permit tcp any any eq 81
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq 444
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in remark LMS
access-list outside_access_in extended permit tcp any any eq 4545
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ssh
access-list pdg_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.224
access-list pdgroup_splitTunnelAcl standard permit any
access-list pdg_splitTunnelAcl_1 standard permit any
access-list pdgroup_splitTunnelAcl_1 standard permit any
access-list pdgroup_splitTunnelAcl_2 standard permit any
access-list pdgroup_splitTunnelAcl_3 standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPSEC 10.1.1.1-10.1.1.25 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 81 192.168.1.2 81 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.1.2 444 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 4545 192.168.1.3 4545 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.2 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.2 ftp-data netmask 255.255.255.255
static (inside,inside) tcp 10.1.1.0 https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.2 ssh netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.92.127.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server IPSECVPNs protocol radius
aaa-server IPSECVPNs host 192.168.1.2
 timeout 5
 key
http server enable
http 192.168.1.0 255.255.255.0 inside
http 66.7.190.124 255.255.255.255 outside
http redirect inside 444
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set  
crypto ipsec transform-set
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.255 inside
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh 66.7.190.124 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
!
webvpn
 port 44343
group-policy _1 internal
group-policy _1 attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl_3
 default-domain value
group-policy  internal
group-policy  attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl_2
 default-domain value

username admin password
tunnel-group xxx type ipsec-ra
tunnel-group xxxxx general-attributes
 address-pool IPSEC
 authentication-server-group IPSECVPNs
 default-group-policy _1
tunnel-group  ipsec-attributes
 pre-shared-key *
prompt hostname context

: end
Asked: aromeo409
1 Solution
 
batry_boyCommented:
What exactly are you trying to do here?  Since you are using the outside ASA interface IP in your URL, I assume you are trying to access the ASDM on the ASA for management of the firewall...is this correct?  If so, you should use the inside interface IP from the inside instead of the outside interface IP.  For example,

https://192.168.1.1

If this is not what you are trying to do, please elaborate...
aromeo409Author Commented:
We have a Small Business Server and this is the address to the company portal from the Internet. Our users have some hard-coded URL links to the https://74.92.127.249:444/default.aspx address. When they are in the office they cannot access these URLs.
batry_boyCommented:
Add the following command and see if this helps...

same-security-traffic permit intra-interface

I don't think it will, but you can give it a try...I've never tried it for allowing traffic to enter an interface that it just exited, but I know that command is specifically for allowing traffic that just entered an interface to exit back out that same interface.  I just don't know if it will allow that in reverse.

See the following URL for more info on that command:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167
aromeo409Author Commented:
I tried and it still does not work.

Thanks for your help.
batry_boyCommented:
I don't think you're going to be able to do what you're wanting to do.  I think you need to have your users use a separate shortcut that points to the inside private address when they're in the office.
aromeo409Author Commented:
I'm just going to update DNS and have them use the FQDN. Thanks for all of your help.
batry_boyCommented:
That's the best way to do it...
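The mapping the thread talks around, as an added example that is not part of the original post or of any Cisco tooling: a small parser that reads the static PAT and outside ACL lines from the running-config quoted above, works out where https://74.92.127.249:444/default.aspx actually lands (the inside shortcut batry_boy recommends, which is the target a split-horizon DNS record for the FQDN would point at), and lists which remote-administration ports that config forwards from any Internet source. ASA_CONFIG is a constructed subset of the posted config; the port-name table, the "admin port" list and all function names are my own assumptions for the example.

```python
"""Parse ASA 7.2 static PAT and ACL lines to answer: where does a public
URL land on the inside, and what is forwarded from 'any' on the outside?
Added example; it is not the thread's code and not a Cisco tool."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of the running-config posted in the question (verbatim lines).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 99
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.92.127.249 255.255.255.248
access-list outside_access_in extended permit tcp any any eq imap4
access-list outside_access_in remark HTTP
access-list outside_access_in extended permit tcp any any eq 81
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq 444
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 4545
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit tcp any any
static (inside,outside) tcp interface 81 192.168.1.2 81 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.1.2 444 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 4545 192.168.1.3 4545 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface imap4 192.168.1.2 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.1.2 ftp-data netmask 255.255.255.255
static (inside,inside) tcp 10.1.1.0 https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface ssh 192.168.1.2 ssh netmask 255.255.255.255
"""

# ASA prints well-known TCP ports by name; only the names in this config are listed (assumption).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "www": 80, "imap4": 143, "https": 443}
# Ports I treat as remote administration for the exposure report (my own list).
ADMIN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 3389: "rdp"}

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) netmask")
# Only the simple 'permit tcp <src> <dst> eq <port>' form used in this config is parsed.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit tcp (?P<src>\S+) (?P<dst>\S+) eq (?P<port>\S+)$")


def port_number(tok):
    """Normalise an ASA port token ('www', '444') to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def interface_ips(cfg):
    """nameif -> address, read from the ' nameif X' / ' ip address A M' interface lines."""
    ips, current = {}, None
    for line in cfg.splitlines():
        parts = line.split()
        if line.startswith(" nameif ") and len(parts) == 2:
            current = parts[1]
        elif line.startswith(" ip address ") and current:
            ips[current] = parts[2]
    return ips


def static_pats(cfg):
    """(mapped_if, mapped_ip, mapped_port) -> (real_ip, real_port).
    ASA syntax: static (real_if,mapped_if) tcp mapped_ip mapped_port real_ip real_port;
    'interface' as mapped_ip means the mapped interface's own address."""
    ips, table = interface_ips(cfg), {}
    for line in cfg.splitlines():
        m = STATIC_RE.match(line)
        if not m:
            continue
        mapped_ip = ips.get(m["mapped_if"]) if m["mapped_ip"] == "interface" else m["mapped_ip"]
        table[(m["mapped_if"], mapped_ip, port_number(m["mapped_port"]))] = (
            m["real_ip"], port_number(m["real_port"]))
    return table


def permitted_from_any(cfg, acl="outside_access_in"):
    """TCP ports the named ACL permits from source 'any'."""
    return {port_number(m["port"]) for m in map(ACL_RE.match, cfg.splitlines())
            if m and m["name"] == acl and m["src"] == "any"}


def inside_target(cfg, url):
    """For a URL aimed at the outside address, return (inside_ip, inside_port,
    permitted_by_outside_acl), or None if no static PAT maps that host:port.
    This is the translation applied to connections arriving on the outside
    interface; a LAN client never arrives there, so the hard-coded link fails."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    hit = static_pats(cfg).get(("outside", u.hostname, port))
    if hit is None:
        return None
    real_ip, real_port = hit
    return real_ip, real_port, port in permitted_from_any(cfg)


def inside_url(cfg, url):
    """Rewrite the public URL to the inside host it really lands on, i.e. the
    'separate shortcut' (or split-DNS answer) for users in the office."""
    hit = inside_target(cfg, url)
    if hit is None:
        return None
    u = urlsplit(url)
    return urlunsplit((u.scheme, f"{hit[0]}:{hit[1]}", u.path, u.query, u.fragment))


def admin_services_exposed(cfg):
    """Remote-admin ports both permitted from 'any' on the outside ACL and
    forwarded by a static PAT to an inside host: sorted (port, name, inside_ip)."""
    open_ports = permitted_from_any(cfg)
    return sorted((port, ADMIN_PORTS[port], real_ip)
                  for (mapped_if, _ip, port), (real_ip, _rp) in static_pats(cfg).items()
                  if mapped_if == "outside" and port in open_ports and port in ADMIN_PORTS)


if __name__ == "__main__":
    public = "https://74.92.127.249:444/default.aspx"
    print(public, "->", inside_url(ASA_CONFIG, public))
    for port, name, host in admin_services_exposed(ASA_CONFIG):
        print(f"{name}/{port} on {host} is reachable from any Internet source")
```

The second report is the check a practitioner would run on this config regardless of the hairpin question: RDP, SSH and FTP on 192.168.1.2 are permitted from `any` on the outside interface, so they should be restricted to known source addresses (as the `ssh` and `http` management lines already do for 66.7.190.124) or moved behind the IPsec remote-access VPN the config already defines.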