ssittig

Need help with basic ASA5505 Config

I'm trying to set up an ASA5505 to replace my Linksys router on my network. It doesn't have to do much:

1) Have a static outside IP of 74.94.67.57, subnet .252 Gateway 74.94.67.58 and DNS servers of 68.87.69.146 & 68.87.85.98

2) Have the ASA be the DHCP server for the inside addresses 192.168.1.x range- this seems to be working

3) Let inside addresses access the internet on the outside interface

4) Let outside traffic on ports 9100, 80, 443 through to the inside address of 192.168.1.40

5) Allow administration from the inside and outside address range 74.93.110.x

Attached is my configuration. When I use this, I can't get internet access from inside. I'm not sure where the config is screwed up. Any ideas?

Thanks,

S
: Saved
:
ASA Version 7.2(3) 
!
hostname st21asa5505
domain-name default.domain.invalid
enable password xxxxxx encrypted
names
name 74.94.67.57 ST21PublicIP description Station 21 Public Comcast IP
name 192.168.1.40 ST21VCPrinter description Station 21 Station Printer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ST21PublicIP 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxx encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.87.69.146
 name-server 68.87.85.98
 domain-name default.domain.invalid
object-group service VCPrintSrv tcp
 description ValleyCom Printer Services (9100 & http(s))
 port-object range 9100 9100
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit tcp any host ST21PublicIP object-group VCPrintSrv 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp ST21PublicIP 9100 ST21VCPrinter 9100 netmask 255.255.255.255 
static (inside,outside) tcp ST21PublicIP www ST21VCPrinter www netmask 255.255.255.255 
static (inside,outside) tcp ST21PublicIP https ST21VCPrinter https netmask 255.255.255.255 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 74.93.110.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.87.69.146 68.87.85.98 interface inside
dhcpd enable inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
username admin password UnM/EQO7A3zN3QrZ encrypted
username cisco password VH0vXSJ0gQYkWJcR encrypted
smtp-server 192.168.1.10
prompt hostname context 
Cryptochecksum:4aef2797afbc04956eda7be61adbd946
: end
asdm image disk0:/asdm-523.bin
no asdm history enable


Pete Long

>>2) Have the ASA be the DHCP server for the inside addresses 192.168.1.x range- this seems to be working

Yup, should be...

dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 68.87.69.146 68.87.85.98 interface inside
dhcpd enable inside


>>3) Let inside addresses access the internet on the outside interface
>>1) Have a static outside IP of 74.94.67.57, subnet .252 Gateway 74.94.67.58 and DNS servers of 68.87.69.146 & 68.87.85.98

You want all traffic outbound - yes, it will do that by default.

get rid of this lot

no name 74.94.67.57 ST21PublicIP description Station 21 Public Comcast IP
no name 192.168.1.40 ST21VCPrinter description Station 21 Station Printer
int vlan 2
ip address 74.94.67.57 255.255.255.252
no shut
exit
route outside 0.0.0.0 0.0.0.0 74.94.67.58 1
write mem


Then sort your NAT and PAT out to let traffic flow outwards:

global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

That will let all traffic flow outbound :) Not sure why you want to do anything with those DNS settings? They are already being leased by DHCP, so you should not need to do anything else.


>>4) Let outside traffic on ports 9100, 80, 443 through to the inside address of 192.168.1.40

access-list inbound permit tcp any interface outside eq 9100
access-list inbound permit tcp any interface outside eq www
access-list inbound permit tcp any interface outside eq https
static (inside,outside) tcp interface www 192.168.1.40 www dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.40 https dns netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 9100 192.168.1.40 9100 dns netmask 255.255.255.255 0 0
access-group inbound in interface outside
write mem


>>5) Allow administration from the inside and outside address range 74.93.110.x


You don't say if you want SSH, Telnet or HTTP administration, but see my website here and pick which one you want:
http://www.petenetlive.com/Tech/Firewalls/Cisco/connect2.htm

Think that covers everything :)

Pete

ssittig

ASKER

Thanks for the input. I'll try that out tomorrow and see how it plays.

-S
No Probs :)
ssittig

ASKER

This is my first Cisco device I'm programming and it's definitely more complicated than what I've done before. Maybe I'm just a tad slow here, but I still can't get any inbound traffic. Here is my revised config based on what you sent above. I think I'm just missing one or two commands. Can you tell me what I'm missing or have set up wrong?

Thanks,
S
: Saved
:
ASA Version 7.2(3) 
!
hostname st21asa5505
domain-name default.domain.invalid
enable password XXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.94.67.57 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXX encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.87.69.146
 name-server 68.87.85.98
 domain-name default.domain.invalid
access-list inside_access_in extended permit ip any any 
access-list inbound extended permit tcp any interface outside eq 9100 
access-list inbound extended permit tcp any interface outside eq www 
access-list inbound extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any eq 9100 host 192.168.1.40 eq 9100 
access-list outside_access_in extended permit tcp any eq www host 192.168.1.40 eq www 
access-list outside_access_in extended permit tcp any eq https host 192.168.1.40 eq https 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.1.40 www netmask 255.255.255.255  dns 
static (inside,outside) tcp interface https 192.168.1.40 https netmask 255.255.255.255  dns 
static (inside,outside) tcp interface 9100 192.168.1.40 9100 netmask 255.255.255.255  dns 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.94.67.58 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 74.93.110.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 68.87.69.146 68.87.85.98
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
username admin password XXXXXX encrypted
username cisco password XXXXXX encrypted
smtp-server 192.168.1.10
prompt hostname context 
Cryptochecksum:XXXXXX
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

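The two failure modes in this thread (the first config has no default route, so nothing leaves the box; the revised config applies an outside ACL that names the printer's private 192.168.1.40 address and pins the client source port, while the correctly written `inbound` ACL from Pete's answer is never applied) are the kind of thing a small config linter catches before the cutover. The script below is an added example, not something from the thread or from Cisco: it parses the relevant lines of a pre-8.3 ASA config (ASA 7.2 matches an outside ACL against the translated public address, not the real inside address) and reports those four checks. The config excerpts are constructed from the asker's two posts with the `name` aliases expanded; the finding codes and the `lint_asa` function are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed excerpts modelled on the two configs posted in this thread (ASA 7.2,
# i.e. pre-8.3 NAT: an ACL on the outside interface sees the translated public address).
# The asker's "name" aliases are expanded to the literal IPs they stood for.
CONFIG_FIRST = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.94.67.57 255.255.255.252
!
access-list outside_access_in extended permit tcp any host 74.94.67.57 eq 9100
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 74.94.67.57 9100 192.168.1.40 9100 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

CONFIG_REVISED = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.94.67.57 255.255.255.252
!
access-list inside_access_in extended permit ip any any
access-list inbound extended permit tcp any interface outside eq 9100
access-list outside_access_in extended permit tcp any eq 9100 host 192.168.1.40 eq 9100
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 9100 192.168.1.40 9100 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.94.67.58 1
"""


def _is_private(ip):
    """True for RFC1918-style addresses; False for public IPs or unexpanded aliases."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return ((kind, value), next_index)."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] in ("host", "interface"):
        return (tok[i], tok[i + 1]), i + 2
    return ("net", tok[i] + "/" + tok[i + 1]), i + 2  # "NETWORK MASK" form


def _port(tok, i):
    """Consume an optional port operator at tok[i]; return (spec or None, next_index)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return (tok[i], tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", tok[i + 1], tok[i + 2]), i + 3
    return None, i


def parse_ace(tok):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC [port] DST [port]' tokens."""
    name, i = tok[1], 2
    if tok[i] == "extended":
        i += 1
    action, proto, i = tok[i], tok[i + 1], i + 2
    src, i = _addr(tok, i)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    return name, {"action": action, "proto": proto, "src": src, "sport": sport,
                  "dst": dst, "dport": dport}


def parse_config(text):
    """Extract interfaces, ACLs, access-groups, default route and NAT/PAT presence."""
    cfg = {"acl": defaultdict(list), "access_group": {}, "default_route": None,
           "global": False, "nat": False, "ifaces": {}}
    iface = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            iface = None
            continue
        if tok[0] == "interface":
            iface = tok[1]
            cfg["ifaces"][iface] = {}
        elif iface and tok[0] == "nameif":
            cfg["ifaces"][iface]["nameif"] = tok[1]
        elif iface and tok[:2] == ["ip", "address"]:
            cfg["ifaces"][iface]["ip"] = tok[2]
        elif tok[0] == "access-list" and tok[2] != "remark":
            name, ace = parse_ace(tok)
            cfg["acl"][name].append(ace)
        elif tok[0] == "access-group":          # access-group NAME in interface IFNAME
            cfg["access_group"][tok[4]] = tok[1]
        elif tok[0] == "route" and tok[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg["default_route"] = (tok[1], tok[4])
        elif tok[0] == "global":
            cfg["global"] = True
        elif tok[0] == "nat":
            cfg["nat"] = True
    return cfg


def lint_asa(text):
    """Return (code, message) findings for the failure modes discussed in the thread."""
    cfg = parse_config(text)
    findings = []
    if cfg["default_route"] is None:
        findings.append(("NO_DEFAULT_ROUTE", "no default route, so inside hosts cannot reach "
                         "the internet; add 'route outside 0.0.0.0 0.0.0.0 <gateway> 1'"))
    if not (cfg["global"] and cfg["nat"]):
        findings.append(("NO_OUTBOUND_PAT", "no 'global (outside)' + 'nat (inside)' pair"))
    outside_acl = cfg["access_group"].get("outside")
    for ace in cfg["acl"].get(outside_acl, []):
        kind, value = ace["dst"]
        if kind in ("host", "net") and _is_private(value.split("/")[0]):
            findings.append(("ACL_REAL_ADDRESS", f"{outside_acl} permits to {value}; pre-8.3 "
                             "ASA matches the translated address, use 'interface outside' or the public IP"))
        if ace["sport"] is not None:
            findings.append(("ACL_SOURCE_PORT", f"{outside_acl} restricts the client source port "
                             f"{ace['sport']}; clients use ephemeral ports, drop the source port"))
    for name in cfg["acl"]:
        if name not in cfg["access_group"].values():
            findings.append(("ACL_UNAPPLIED", f"access-list {name} is defined but no access-group applies it"))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("first config", CONFIG_FIRST), ("revised config", CONFIG_REVISED)):
        print(f"== {label} ==")
        for code, msg in lint_asa(cfg_text) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it as-is and the first excerpt reports only the missing default route (the reason the asker had no internet), while the revised excerpt reports the private destination and source-port restriction in `outside_access_in` plus the unapplied `inbound` list. The parser handles only the `any`, `host`, `interface` and `NETWORK MASK` address forms and `eq`/`range` ports; `object-group` references are left alone.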

ASKER CERTIFIED SOLUTION
Pete Long
This solution is only available to members.
ssittig

ASKER

PeteLong: First rate solution and thank you so much for the fast help! The firewall is up and behaving properly. Now I'm going to try tackling the ASA5510 we got for a different location and then connect them together with the EasyVPN part. So stay tuned! LOL. Thanks again!
ThanQ if in doubt - for the VPNs use the Wizards - there are walkthroughs on my website.

ssittig

ASKER

I'll check it out and give it a try. BTW you have a great site. Nice work.