Solved

Brand new to cisco firewall, i could use help in the configuration

Posted on 2008-10-09
Last Modified: 2013-12-27
I'm new to the Cisco firewall we are trying to install. I could use any help with the configuration. Attached is our config. I'd welcome any extra help.
ASA Version 7.0(8)
!
hostname ciscoasa
enable password Q7DJw0sydkgmZ/3M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 207.168.41.130 255.255.255.128
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
no failover
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 207.168.41.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:edc6cb0012a025b301331a8fa302fdc4
: end

Question by:stwardy
9 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22681906
You can also HTTP into that firewall at https://192.168.1.1; that will get you into the ASDM, and it may help you out a bit to start. Then you can compare your changes and learn the firewall.
Also:
http://www.networksims.com/
Good trainer / simulator.
 
LVL 33

Expert Comment

by:MikeKane
ID: 22682266
When configuring the firewall, you should establish what kind of access you want to allow in and out of the interfaces such that you adhere to company policy.

Identify Inside hosts/services you want to publish to the outside world.
Identify what traffic you would like to allow outbound.  
Identify what kind of traffic you want to allow inside, or even to a dmz.
Do you want to log?
Any VPNs?


At the moment, I see you are lacking access-lists/Access-groups to allow traffic to flow.  
I see you have no globals for NAT/PAT to handle the translations.

Peralesa made a good suggestion on loading the ASDM; the GUI is usually easier for beginners than the command line.

Author Comment

by:stwardy
ID: 22682359
Thank you peralesa, I am reviewing the simulator now.

Mike,

I will eventually be configuring VPN access, translations and a DMZ. But for now, all I want to do is be able to access the internet from the inside interface. My router's IP is 207.168.41.129.

I have the ASDM loaded and can access the GUI. What are the minimum requirements to allow access to the internet?
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22682909
The easiest way to configure this is with the command line. If you can post your running config (you can get this by using the console cable and typing "sh run"), I can give you the commands you need to get online.
I will also need:
Your ISP IP:
Your ISP subnet mask:
your ISP default gateway:
The internal IP range you want to use:
Please post this info and I'll have you online in (seriously) 5-10 minutes.
Cheers!

Author Comment

by:stwardy
ID: 22683064
ISP IP: 207.168.41.130
ISP subnet mask: 255.255.255.128
ISP default gateway: 297.168.41.129
The internal IP range you want to use: 10.10.10.0 to 10.10.10.254

ASA Version 7.0(8)
!
hostname ciscoasa
enable password Q7DJw0sydkgmZ/3M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 207.168.41.130 255.255.255.128
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
no failover
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 207.168.41.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:edc6cb0012a025b301331a8fa302fdc4
: end
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 200 total points
ID: 22683221
First off: upgrade your ASA software ASAP. 7.0 is almost 4 years old; the newest version is 8.0.4. You must upgrade the ASDM to version 6.1.3 to work with the new ASA software.
All your commands look good! Try pinging 4.2.2.2 from the ASA command line - if you get !!!!! as a response, that means you're online.
Do you want DHCP on your inside interface? Right now you need static IPs on the inside since you don't have the DHCP server enabled (unless you have another DHCP server you're using).
Cheers! Let me know!
LVL 5

Accepted Solution

by:devangshroff
devangshroff earned 300 total points
ID: 22685680
The nat command is missing:

nat (inside) 1 0 0
global (outside) 1 inteface



Do this and your net will start working.
LVL 33

Expert Comment

by:MikeKane
ID: 22686460
This:
global (outside) 1 inteface

should be
global (outside) 1 interface

small typo.....
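As an added illustration (not code from this thread or from Cisco), a small audit script that reads a pre-8.3 ASA config and reports the two problems raised above, the missing nat/global pair and the misspelled "inteface" keyword, plus same-security-level interface pairs visible in the posted config. The sample config is constructed from the asker's post; case-insensitive interface-name matching is an assumption.

```python
import re
from itertools import combinations
# Constructed sample: the asker's config cut to its nameif/security-level lines; no nat/global yet.
POSTED_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif DMZ
 security-level 0
interface Ethernet0/2
 nameif Inside
 security-level 100
"""
# The accepted answer's two lines (typo included) and the corrected version.
FIX_WITH_TYPO = "nat (inside) 1 0 0\nglobal (outside) 1 inteface\n"
FIX_CORRECTED = "nat (inside) 1 0 0\nglobal (outside) 1 interface\n"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
def audit(config):
    # Findings for a pre-8.3 ASA config (nat/global syntax). Interface names are
    # lowercased on the assumption that the ASA matches them case-insensitively.
    findings, levels, cur, nats, globs = [], {}, None, {}, {}
    for line in config.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            cur = m.group(1).lower()
        elif (m := re.match(r" security-level (\d+)", line)) and cur:
            levels[cur] = int(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nats.setdefault(m.group(2), []).append(m.group(1).lower())
        elif m := re.match(r"global \((\S+)\) (\d+) (\S+)", line):
            globs.setdefault(m.group(2), []).append((m.group(1).lower(), m.group(3)))
    refs = [(f"nat {i}", n) for i, ns in nats.items() for n in ns]
    refs += [(f"global {i}", n) for i, ps in globs.items() for n, _ in ps]
    findings += [f"{where}: unknown interface '{n}'" for where, n in refs if n not in levels]
    # The pool must be the literal keyword 'interface' or an address / address range.
    for i, pairs in globs.items():
        for _, pool in pairs:
            if pool != "interface" and not re.fullmatch(rf"{IP}(?:-{IP})?", pool):
                findings.append(f"global {i}: '{pool}' is not 'interface' or an address pool")
    if not nats:
        findings.append("no nat statement: inside hosts get no translation to the outside")
    findings += [f"nat {i} has no matching global" for i in nats.keys() - globs.keys() - {"0"}]  # nat 0 = identity
    findings += [f"global {i} has no matching nat" for i in globs.keys() - nats.keys()]
    # Same-security interfaces drop traffic between them unless same-security-traffic permit is set.
    for a, b in combinations(sorted(levels), 2):
        if levels[a] == levels[b]:
            findings.append(f"{a} and {b} share security-level {levels[a]}")
    return findings
```

Run `audit(POSTED_CONFIG + FIX_WITH_TYPO)` to see the typo flagged, and `audit(POSTED_CONFIG + FIX_CORRECTED)` to see only the DMZ/Outside same-level note remain.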
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22692757
Yes, that is missing, as well as several other commands.
But as far as getting this working to the asker's specifications, I need the info I asked for in my previous post to provide everything required.
Cheers!