Solved

Brand new to cisco firewall, i could use help in the configuration

Posted on 2008-10-09
9
248 Views
Last Modified: 2013-12-27
I'm new to the Cisco Firewall we are trying to install. I could use any help in the configuration. Attached is our config. I'd welcome any extra help.
ASA Version 7.0(8)
!
hostname ciscoasa
enable password Q7DJw0sydkgmZ/3M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 207.168.41.130 255.255.255.128
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
no failover
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 207.168.41.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:edc6cb0012a025b301331a8fa302fdc4
: end

0
Question by:stwardy
9 Comments
 
LVL 17

Expert Comment

by:Andres Perales
You can also http into that firewall: https://192.168.1.1 will get you into the ASDM, and it may help you out a bit to start.... Then you can compare your changes and learn the firewall.
Also:
http://www.networksims.com/
Good trainer / simulator.
 
0
 
LVL 33

Expert Comment

by:MikeKane
When configuring the firewall, you should establish what kind of access you want to allow in and out of the interfaces such that you adhere to company policy.

Identify Inside hosts/services you want to publish to the outside world.
Identify what traffic you would like to allow outbound.  
Identify what kind of traffic you want to allow inside, or even to a dmz.
Do you want to log?
Any VPNs?


At the moment, I see you are lacking access-lists/access-groups to allow traffic to flow.
I see you have no globals for NAT/PAT to handle the translations.

Peralesa made a good suggestion on loading the ASDM; the GUI is usually easier for beginners than the command line.
0
 

Author Comment

by:stwardy
Thank you peralesa, I am reviewing the simulator now.

Mike,

I will eventually be configuring VPN access, translations and a DMZ. But for now all I want to do is be able to access the internet from the inside interface. My router's IP is 207.168.41.129.

I have the ASDM loaded and can access the GUI. What are the minimum requirements to allow access to the internet?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
The easiest way to configure this is with the command line. If you can post your running config (you can get this by using the console cable and typing "sh run") I can give you the commands you need to get online.
I will also need:
Your ISP IP:
Your ISP subnet mask:
Your ISP default gateway:
The internal IP range you want to use:
Please post this info and I'll have you online in (seriously) 5-10 minutes.
Cheers!
0

Author Comment

by:stwardy
ISP IP: 207.168.41.130
ISP subnet mask: 255.255.255.128
ISP default gateway: 297.168.41.129
The internal IP range you want to use: 10.10.10.0 to 10.10.10.254

ASA Version 7.0(8)
!
hostname ciscoasa
enable password Q7DJw0sydkgmZ/3M encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 207.168.41.130 255.255.255.128
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu DMZ 1500
mtu Inside 1500
no failover
no asdm history enable
arp timeout 14400
route Outside 0.0.0.0 0.0.0.0 207.168.41.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:edc6cb0012a025b301331a8fa302fdc4
: end
0
 
LVL 12

Assisted Solution

by:Pugglewuggle
Pugglewuggle earned 200 total points
1st off: Upgrade your ASA software ASAP. 7.0 is almost 4 years old. The newest version is 8.0.4. You must upgrade the ASDM to version 6.1.3 to work with the new ASA software.
All your commands look good! Try pinging 4.2.2.2 from the ASA command line - if you get !!!!! as a response, that means you're online.
Do you want DHCP on your inside interface? Right now you need static IPs on the inside since you don't have the DHCP server enabled (unless you have another DHCP server you're using).
Cheers! Let me know!
0
 
LVL 5

Accepted Solution

by:devangshroff
devangshroff earned 300 total points
The nat command is missing:

nat (inside) 1 0 0
global (outside) 1 inteface

Do this and your net will start working.
0
 
LVL 33

Expert Comment

by:MikeKane
This:
global (outside) 1 inteface

should be
global (outside) 1 interface

small typo.....
0
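MikeKane's first comment notes that the posted config has no NAT/PAT globals, and the accepted answer supplies the missing nat/global pair (with the "interface" spelling corrected in the follow-up). The script below is an added example, not code from the asker or any of the experts: a small Python lint that walks an ASA 7.x-style config, pairs nat ids with global ids, flags a mistyped global pool, reports when the highest-security interface has no nat statement, and warns when two interfaces share a security level (as Outside and DMZ do here, both at 0), since the ASA drops traffic between same-security interfaces unless same-security-traffic permit inter-interface is configured. The config excerpt embedded in it is constructed from the interface and route lines posted in the question; the case-insensitive comparison of nameifs and the finding labels are the example's own assumptions.

```python
"""Lint an ASA 7.x running config for the nat/global pairing discussed in this thread."""
import re
from typing import Dict, List

# Constructed sample: the interface and route lines from the config posted in the
# question (it has no nat or global statements at all).
ORIGINAL_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 207.168.41.130 255.255.255.128
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif Inside
 security-level 100
 ip address 10.10.10.254 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 207.168.41.129 1
"""

# The same excerpt plus the pair from the accepted answer, with the spelling fix applied.
FIXED_CONFIG = ORIGINAL_CONFIG + "nat (inside) 1 0 0\nglobal (outside) 1 interface\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")          # nat (ifname) id ...
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")  # global (ifname) id pool
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level by walking the 'interface' stanzas."""
    levels: Dict[str, int] = {}
    name = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new stanza; nameif not seen yet
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def lint(config: str) -> List[str]:
    """Return labelled findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    levels = parse_interfaces(config)
    known = {n.lower() for n in levels}      # assumption: compare nameifs case-insensitively
    nat_ids: Dict[int, str] = {}
    global_ids: Dict[int, str] = {}

    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            nat_ids[int(m.group(2))] = m.group(1)
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids[int(m.group(2))] = m.group(1)
            pool = m.group(3)
            if pool != "interface" and not IPV4_RE.match(pool):
                findings.append(f"GLOBAL_POOL_TYPO: global id {m.group(2)} pool '{pool}' "
                                "is neither 'interface' nor an address")

    for ifname in list(nat_ids.values()) + list(global_ids.values()):
        if ifname.lower() not in known:
            findings.append(f"UNKNOWN_INTERFACE: '{ifname}' is not a configured nameif")

    # A nat id without a global (or the reverse) translates nothing.
    for nid in sorted(set(nat_ids) - set(global_ids)):
        findings.append(f"NAT_WITHOUT_GLOBAL: nat id {nid} has no matching global")
    for gid in sorted(set(global_ids) - set(nat_ids)):
        findings.append(f"GLOBAL_WITHOUT_NAT: global id {gid} has no matching nat")

    # The highest-security interface (Inside here) needs a nat statement to be PATed out.
    if levels:
        top = max(levels, key=levels.get)
        if top.lower() not in {n.lower() for n in nat_ids.values()}:
            findings.append(f"NO_NAT_FOR_INSIDE: no nat statement for '{top}' "
                            f"(security-level {levels[top]})")

    # Interfaces at the same security level cannot exchange traffic without
    # 'same-security-traffic permit inter-interface'.
    by_level: Dict[int, List[str]] = {}
    for n, lvl in levels.items():
        by_level.setdefault(lvl, []).append(n)
    if "same-security-traffic permit inter-interface" not in config:
        for lvl, names in sorted(by_level.items()):
            if len(names) > 1:
                findings.append(f"SAME_SECURITY_LEVEL: {', '.join(sorted(names))} "
                                f"all at security-level {lvl}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("with nat/global", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint(cfg) or ["(no findings)"]:
            print("  " + finding)
```

Run against the original excerpt it reports the missing nat for Inside and the Outside/DMZ same-level caveat; with the accepted answer's two lines added only the same-level caveat remains, and feeding it "global (outside) 1 inteface" instead produces the pool-typo finding that MikeKane's comment points out by eye.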
 
LVL 12

Expert Comment

by:Pugglewuggle
Yes, that is missing, as well as several other commands.
But as far as getting this working to the asker's specifications, I need the info I asked for in my previous post to provide everything required.
Cheers!
0
