Solved

Brand new to Cisco firewall, I could use help in the configuration

Posted on 2008-10-09
Last Modified: 2013-12-27
I'm new to the Cisco firewall we are trying to install. I could use any help with the configuration. Attached is our code. I'd welcome any extra help.
ASA Version 7.0(8)
!
hostname ciscoasa
enable password Q7DJw0sydkgmZ/3M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 207.168.41.130 255.255.255.128
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
no failover
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 207.168.41.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:edc6cb0012a025b301331a8fa302fdc4
: end

Question by:stwardy
9 Comments
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22681906
You can also HTTP into that firewall: https://192.168.1.1 will get you into the ASDM, and it may help you out a bit to start.... Then you can compare your changes and learn the firewall.
Also:
http://www.networksims.com/
Good trainer / simulator.
 
 
LVL 33

Expert Comment

by:MikeKane
ID: 22682266
When configuring the firewall, you should establish what kind of access you want to allow in and out of the interfaces such that you adhere to company policy.

Identify Inside hosts/services you want to publish to the outside world.
Identify what traffic you would like to allow outbound.  
Identify what kind of traffic you want to allow inside, or even to a dmz.
Do you want to log?
Any VPNs?


At the moment, I see you are lacking access-lists/access-groups to allow traffic to flow.
I see you have no globals for NAT/PAT to handle the translations.

Peralesa made a good suggestion on loading the ASDM; the GUI is usually easier for beginners than the command line.
 

Author Comment

by:stwardy
ID: 22682359
Thank you peralesa, I am reviewing the simulator now.

Mike,

I will eventually be configuring VPN access, translations and a DMZ. But for now all I want to do is be able to access the internet from the inside interface. My router's IP is 207.168.41.129.

I have the ASDM loaded and can access the GUI. What are the minimum requirements to allow access to the internet?
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22682909
The easiest way to configure this is with the command line. If you can post your running config (you can get this by using the console cable and typing "sh run"), I can give you the commands you need to get online.
I will also need:
Your ISP IP:
Your ISP subnet mask:
Your ISP default gateway:
The internal IP range you want to use:
Please post this info and I'll have you online in (seriously) 5-10 minutes.
Cheers!
 

Author Comment

by:stwardy
ID: 22683064
ISP IP: 207.168.41.130
ISP subnet mask: 255.255.255.128
ISP default gateway: 297.168.41.129
The internal IP range you want to use: 10.10.10.0 to 10.10.10.254

ASA Version 7.0(8)
!
hostname ciscoasa
enable password Q7DJw0sydkgmZ/3M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 207.168.41.130 255.255.255.128
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
no failover
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 207.168.41.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:edc6cb0012a025b301331a8fa302fdc4
: end
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 600 total points
ID: 22683221
1st off: Upgrade your ASA software ASAP - 7.0 is almost 4 years old. The newest version is 8.0.4. You must upgrade the ASDM to version 6.1.3 to work with the new ASA software.
All your commands look good! Try pinging 4.2.2.2 from the ASA command line - if you get !!!!! as a response, that means you're online.
Do you want DHCP on your inside interface? Right now you need static IPs on the inside since you don't have the DHCP server enabled (unless you have another DHCP server you're using).
Cheers! Let me know!
0
 
LVL 5

Accepted Solution

by:devangshroff
devangshroff earned 900 total points
ID: 22685680
The nat command is missing:

nat (inside) 1 0 0
global (outside) 1 inteface

Do this and your net will start working.
 
LVL 33

Expert Comment

by:MikeKane
ID: 22686460
This:
global (outside) 1 inteface

should be
global (outside) 1 interface

small typo.....
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22692757
Yes, that is missing, as well as several other commands.
But as far as getting this working to the asker's specifications, I need the info I asked for in my previous post to provide everything required.
Cheers!
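Added example, not from the thread or from Cisco: a small Python lint that reads the posted pre-8.3 ASA config (a constructed, trimmed copy with the accepted answer's two lines is embedded) and reports the gap the accepted answer fixes, a missing or malformed nat/global pair, plus one check the thread does not make: the DMZ sits at security-level 0, the same as Outside, so the ASA will not pass traffic between them without same-security-traffic, and the DMZ is trusted no more than the internet. The regexes, the name normalisation and the suggested fix lines are the lint's own assumptions, not output from an ASA.

```python
import re

# Constructed excerpt of the asker's config (pre-8.3 NAT syntax) plus the accepted
# answer's two lines, "inteface" typo included, so the lint has something to catch.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif DMZ
 security-level 0
interface Ethernet0/2
 nameif Inside
 security-level 100
nat (inside) 1 0 0
global (outside) 1 inteface
"""
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) ", re.M)
# A well-formed global pool is the interface address (PAT) or an IP address/range.
GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (interface|\d+\.\d+\.\d+\.\d+\S*)\s*$", re.M)


def parse_levels(cfg):
    """Map each nameif (lower-cased so 'inside' in a nat line matches nameif 'Inside') to its security-level."""
    levels, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)$", line):
            name = m.group(1).lower()
        elif (m := re.match(r"\s*security-level (\d+)$", line)) and name:
            levels[name] = int(m.group(1))
    return levels


def lint(cfg):
    """Return (check, message) findings: the thread's missing NAT plus a segmentation check."""
    findings, levels = [], parse_levels(cfg)
    # 1. A level-100 interface reaches the internet only through a nat entry whose pool id has a matching, well-formed global.
    for raw in re.findall(r"^global .*$", cfg, re.M):
        if not GLOBAL_RE.match(raw):
            findings.append(("nat", f"malformed global line: {raw!r}"))
    pool_ids = {n for _, n, _ in GLOBAL_RE.findall(cfg)}
    for iface, lvl in levels.items():
        nat_ids = {n for i, n in NAT_RE.findall(cfg) if i.lower() == iface}
        if lvl == 100 and iface != "management" and not nat_ids & pool_ids:
            findings.append(("nat", f"no nat/global pair for {iface}: add 'nat ({iface}) 1 0 0' and 'global (outside) 1 interface'"))
    # 2. Same-level interfaces cannot exchange traffic without same-security-traffic; a DMZ at 0 is as untrusted as the internet.
    if "same-security-traffic permit inter-interface" not in cfg:
        shared = {l: [i for i in levels if levels[i] == l and i != "management"] for l in set(levels.values())}
        for lvl, names in shared.items():
            if len(names) > 1:
                findings.append(("segmentation", f"{' and '.join(names)} share security-level {lvl}"))
    return findings
```

Run against the sample it reports the mistyped global, the consequently missing nat/global pair for inside, and the shared level 0; fixing the typo clears the first two, and giving the DMZ its own level (say 50) clears the third.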