Solved

Need help with Cisco ASA5505 setup (upgrading Linksys RV042 to Cisco ASA5505 50-user)

Posted on 2008-10-17
49 Comments, 1,469 Views
Last Modified: 2010-07-27
Hello,

I should replace a Linksys RV042 router with a Cisco ASA5505 (50-user license). The office where the RV042 is right now is about 30 miles away, the Cisco ASA is on my desk at home, I do have a remote desktop to the server and the RV042, and I should do the exchange on Monday so I have 2 days to do the setup.
Right now the network in the office where new ASA should go consists of Siemens T1 router, RV042 is hooked up to Siemens and to 48-port switch, 3 Windows 2000 servers (domain controller + 2 applications/database) and about 40 Windows PCs, and two remote users connected via VPN.

This is my first Cisco device so I do not have any experience with CLI. Initially I've tried to use ASDM to configure it but got stuck on the first step: device IP address, which should be 192.168.0.1. Once I hit "Apply" the connection to the device is lost and nothing changes. So I learned how to use CLI at least to reset the device to factory settings :-).

I also tried to obtain some guidance from the Cisco Web site but it looks like it is oriented to experienced users and there are no guides for entry-level users that have just stepped up in this technology.


Below are some details about the existing config I should have in the end on the ASA:

DHCP server is running on RV042 router, IP range 192.168.0.10~199

Router IP: 192.168.0.1
AD server IP:  192.168.0.5

WAN IP: 63.xxx.xxx.3
WAN GW: 63.xxx.xxx.1

DNS1: 216.xxx.28.33
DNS2: 216.xxx.28.0

Port 3001 TCP/UDP forwarded to 192.168.0.202.

There are probably some routes applied on Windows Server directly using command line which I may need to add on ASA as well.

ASA should be programmed and prepared so once I am in the office on Monday morning all I will have to do is to swap devices so the downtime is expected to be less than 5-10 minutes. It is production environment with users using database, shared folders and Internet to connect to hosted Exchange server via RPC.
I will need your help setting up this ASA using the settings above. Let's start first with the device IP address change. If we use CLI, please provide the necessary commands I have to type. If you need any information about the current config, let me know how I can list it on the screen.
ASDM version: 5.2(3)
ASA version: 7.2(3)

Thank you in advance.

P.S. Is there any way I can test and verify the result without being in the office where it will reside?
Question by: MACROLEVEL

49 Comments

Expert Comment by: DMTechGrooup (LVL 24)
So we will assume you know how to get to enable mode...

go to enable.. type the following and post up the output..

show run


Author Comment by: MACROLEVEL
Nice to see you helping me with this issue also, DMTechGrooup. I'll post it just in a minute...
Author Comment by: MACROLEVEL
Here it is:

ciscoasa# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:22c9384fdc121b50a346a16d48f48f77
: end
Accepted Solution by: DMTechGrooup (LVL 24, earned 200 total points)

Paste this into the command line after you enable..

config t
no dhcpd enable inside
no dhcpd address 192.168.1.2-192.168.1.254 inside
interface vlan1
ip address 192.168.0.1 255.255.255.0
exit
interface vlan2
ip address 63.xxx.xxx.3 255.255.255.0
exit
route outside 0.0.0.0 0.0.0.0 63.x.x.x 1
dhcpd address 192.168.1.10-192.168.1.199 inside
dhcpd enable inside
access-list inbound permit tcp any interface outside eq 3001
access-group inbound in interface outside
static (inside,outside) tcp interface 3001 10.0.1.1 3001 netmask 255.255.255.255
no http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 management
wr mem

See how that goes

Expert Comment by: DMTechGrooup (LVL 24)
Oh and set the 63.x.x.x areas with the IP address and on the route the gateway address.
Author Comment by: MACROLEVEL
Can we please start first by changing the device's IP address? I want to monitor all the changes later using ASDM...

Let me guess using your previous answer:

config t
no dhcpd enable inside
no dhcpd address 192.168.1.2-192.168.1.254 inside
interface vlan1
ip address 192.168.0.1 255.255.255.0
exit
dhcpd address 192.168.0.10-192.168.0.199 inside
dhcpd enable inside
no http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 management
wr mem



Also, please check your answer as I believe the DHCP address is wrong...
Expert Comment by: DMTechGrooup (LVL 24)
Looks right to me.. why do you think it is wrong?
Author Comment by: MACROLEVEL
this one is yours:
dhcpd address 192.168.1.10-192.168.1.199 inside

I think it should be:
dhcpd address 192.168.0.10-192.168.0.199 inside

What about my code - is it right just to change the IP address and enable DHCP? Is any command missing? Should I restart the ASA or anything else? I read before about different images stored in the memory...
Expert Comment by: DMTechGrooup (LVL 24)
Yes, you can change the DHCP to 0.10-0.199.

When you do the wr mem it writes it to memory, so when you reboot it uses these changes.. if you do not use wr mem then it will use these changes until you reboot and then go back to the old config.
Author Comment by: MACROLEVEL
I'm getting an error: % Invalid Input detected at "^" marker
http 192.168.0.0 255.255.255.0 management

                               ^

Expert Comment by: DMTechGrooup (LVL 24)
Change it from management to inside.
Author Comment by: MACROLEVEL
2 DMTechGrooup:

OK, with "inside" it works. Now I have the new IP changed and I was able to use ASDM and went online using DHCP (I will use DHCP for the outside interface for now because I can use the internet to answer you on the same computer).

OK, next step is to forward port TCP/UDP to 192.168.0.202.

Here is what I got from you:

config t
access-list inbound permit tcp any interface outside eq 3001
access-group inbound in interface outside
static (inside,outside) tcp interface 3001 10.0.1.1 3001 netmask 255.255.255.255
wr mem

I can't see where the address I need it forwarded to is, and I believe the netmask is different also.
Expert Comment by: DMTechGrooup (LVL 24)
Change 10.0.1.1 to the address you want it forwarded to:

static (inside,outside) tcp interface 3001 10.0.1.1 3001 netmask 255.255.255.255
Author Comment by: MACROLEVEL

ciscoasa(config)# static (inside, outside) tcp interface 3001 192.168.0.202 30$
 

static (inside, outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.2               ^55.255
 

ERROR: % Invalid input detected at '^' marker.

ciscoasa(config)#

Expert Comment by: DMTechGrooup (LVL 24)
Looks like the subnet got separated.. make sure it is all together..

static (inside, outside) tcp interface 3001 192.168.0.202 3001 255.255.255.255
Author Comment by: MACROLEVEL
When I type or copy the command above it replaces it with

ciscoasa(config)# $p interface 3001 192.168.0.202 3001 255.255.255.255


and after this it generates the message I already posted
Expert Comment by: DMTechGrooup (LVL 24)
static (inside, outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255
Author Comment by: MACROLEVEL
Yes, I did try this:

static (inside, outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255

and when I copy it from the clipboard or type it, it replaces it on the screen with

ciscoasa(config)# $p interface 3001 192.168.0.202 3001 255.255.255.255

so I can't see the beginning of the command I just typed... Is there any limitation on length or so? Can we split this command?
Expert Comment by: DMTechGrooup (LVL 24)
No, even though you don't see it you can scroll back, so don't let that bug you.
Author Comment by: MACROLEVEL
I see... OK, the error message is posted above at 6:10PM.
Assisted Solution by: DMTechGrooup (LVL 24, earned 200 total points)
It should work

static (inside,outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255
Author Comment by: MACROLEVEL
Thanks, finally applied port forwarding. Found that there was a space in (inside, outside) in your previous post. And now I can see the rule in ASDM as well.

OK, what's next?
Expert Comment by: DMTechGrooup (LVL 24)
From what you asked for that is it.
Assisted Solution by: leonjs (LVL 3, earned 300 total points)
config t

dns name-server x.x.x.x

where x.x.x.x indicates the DNS1 IP
Author Comment by: MACROLEVEL
Thank you for all your help so far.


I do have 2 DNS servers. How do I add both of them? I see the example above, but just for one DNS server...



I need to verify some other things before I'll be positive that I can swap the devices.

As I told you, that's my first Cisco device. I don't know whether all the ports are blocked by default or not, whether the firewall is enabled and what it will filter. It is a production environment with some specific applications/databases. On the old RV042 the firewall is on and the only port forwarded is 3001, and everything works just fine. I must be sure that everything will work once I swap the devices and I will have the same or greater level of protection.

pcAnywhere is used to manage applications servers remotely. Will it pass through FW?

Also, what about VPN setup? Right now with the RV042 users connect to it using the Windows built-in client. Is this possible with the ASA, what commands should I apply, and what VPN client should users use if the built-in one is not good for some reason?

How will I access ASA remotely to manage it?

Thank you in advance.
Assisted Solution by: leonjs (LVL 3, earned 300 total points)
For the name servers, using the command I referenced above, you can just do the command twice using different IPs; they won't interfere with each other.

Only using "no" before the command negates it.

The most secure way to access your asa is through ssh.

SSH requires a username and password, so you will need to create one and then specify aaa authentication local, unless you're using a TACACS server or RADIUS, which you aren't.
You will also need to create an RSA key and specify which IPs can access the ASA and on what interface via SSH.
Here are the commands; you can just copy and paste after modifying:

1 fw#(config t) username USERNAMEHERE password PASSWORDHERE
2 fw#(config t) aaa authentication ssh console LOCAL
3 fw#(config t) crypto key generate rsa modulus 1024
4 fw#(config t) ssh 192.168.1.1 255.255.255.255 inside
5 fw#(config t) ssh 172.16.1.1 255.255.255.255 outside
6 fw#(config t) ssh version 1
7 fw#(config t) ssh timeout 30

In step 4 substitute 192.168.1.1 for whatever IP address you want on the INSIDE network to be able to ssh into the firewall. If you want any host to be able to, substitute the IP address and netmask to fw#(config t) ssh 0.0.0.0 0.0.0.0 inside

In step 5 substitute 172.16.1.1 for whatever IP address you want on the OUTSIDE, meaning what IP/networks/remote location network should be able to ssh into the firewall. If you want anyone in the world, provided they know the password, to be able to, substitute the IP address and netmask to fw#(config t) ssh 0.0.0.0 0.0.0.0 outside

The link below provides more details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml

Expert Comment by: leonjs (LVL 3)
Cisco ASA doesn't filter traffic; it either permits or denies it. On that note, by default you start with 2 networks, INSIDE and OUTSIDE, where outside leads to the internet and inside is the protected network. The INSIDE network has a security level of 100 whereas the outside has a security level of 0.

Cisco says that a higher security level can automatically go to a lower one, so anyone in the inside network can access anything in the outside network but not vice versa. This is a result of a default rule on the inside network (ip any any): any host on the inside network with any netmask can access anything in the outside network; the indication of IP means all ports.
It's the exact opposite for the outside network. If you want someone in the world to access something on the inside network you will have to establish an access-list (outside_in).

You might wonder how return traffic from the inside makes it back in from the outside. Well, the ASA is a stateful firewall and the inside network uses reflexive NATs for those connections.
0
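The permit/deny logic leonjs describes (security levels, the inbound access-list, the static translation, and stateful return traffic) as an added toy model in Python; this is not code from the thread or from Cisco, and it also replays the ping and tracert cases that come up later in the thread. The outside address 63.0.0.3 is a constructed stand-in for the thread's masked 63.xxx.xxx.3, and the other public addresses are constructed test values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ECHO, ECHO_REPLY, REDIRECT, TIME_EXCEEDED = 8, 0, 5, 11   # ICMP message types


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # destination port; for icmp, the message type
    sport: int = 0   # source port (tcp/udp only)


# The access-list the thread ends with: tcp 3001 plus the four icmp lines
THREAD_FINAL_ACL = [("tcp", 3001), ("icmp", TIME_EXCEEDED), ("icmp", ECHO_REPLY),
                    ("icmp", ECHO), ("icmp", REDIRECT)]


class ToyAsa:
    """Toy forwarding decision: security levels, inbound ACL, static PAT, state table."""

    def __init__(self, inbound_acl=(("tcp", 3001),), inspect_icmp=True):
        self.levels = {"inside": 100, "outside": 0}
        self.inside_net = ip_network("192.168.0.0/24")
        self.outside_ip = "63.0.0.3"   # constructed stand-in for the masked 63.xxx.xxx.3
        # static (inside,outside) tcp interface 3001 192.168.0.202 3001
        self.static_pat = {("tcp", 3001): ("192.168.0.202", 3001)}
        # access-list inbound ... applied 'in' on outside: (proto, port or icmp type)
        self.inbound_acl = set(inbound_acl)
        self.inspect_icmp = inspect_icmp     # 'inspect icmp' in global_policy
        self.established = set()             # replies the state table will accept

    def iface(self, addr):
        return "inside" if ip_address(addr) in self.inside_net else "outside"

    def forward(self, pkt):
        """Return (allowed, reason) for one packet arriving at the ASA."""
        if (pkt.src, pkt.dst, pkt.proto, pkt.dport) in self.established:
            return True, "reply to an existing connection (stateful)"
        if self.iface(pkt.src) == "inside":
            # Higher (100) to lower (0) security level is permitted implicitly.
            # Outbound traffic is PAT'd to the outside address, so the reply will be
            # addressed to that address; pre-approve it in the state table.
            if pkt.proto != "icmp":
                self.established.add((pkt.dst, self.outside_ip, pkt.proto, pkt.sport))
            elif pkt.dport == ECHO and self.inspect_icmp:
                self.established.add((pkt.dst, self.outside_ip, "icmp", ECHO_REPLY))
            return True, "inside (100) to outside (0): permitted by security level"
        # Lower to higher: only what the inbound ACL names, addressed to the PAT address.
        if pkt.dst != self.outside_ip:
            return False, "not addressed to the outside interface"
        if (pkt.proto, pkt.dport) not in self.inbound_acl:
            return False, "outside (0) to inside (100): implicit deny, no ACL match"
        target = self.static_pat.get((pkt.proto, pkt.dport))
        if pkt.proto != "icmp" and target is None:
            return False, "permitted by ACL but no static translation for that port"
        return True, "permitted by access-list inbound" + (
            f", translated to {target[0]}:{target[1]}" if target else "")


def thread_scenarios(asa):
    """Replay the situations from this thread against one ToyAsa; returns {name: allowed}."""
    out = asa.outside_ip
    cases = [
        # a user browses out; the web server's reply comes back to the PAT address
        ("inside_http_out", Packet("192.168.0.10", "198.51.100.7", "tcp", 80, 40000)),
        ("http_reply_in", Packet("198.51.100.7", out, "tcp", 40000)),
        # an unsolicited connection attempt from the Internet
        ("unsolicited_rdp", Packet("203.0.113.9", out, "tcp", 3389)),
        # the one port the thread forwards
        ("forwarded_3001", Packet("203.0.113.9", out, "tcp", 3001)),
        # ping: echo out, echo-reply back (this is what 'inspect icmp' fixed)
        ("ping_out", Packet("192.168.0.10", "157.166.226.26", "icmp", ECHO)),
        ("ping_reply", Packet("157.166.226.26", out, "icmp", ECHO_REPLY)),
        # tracert: time-exceeded comes from an intermediate router, not the target,
        # so it matches no state entry; the ACL line is what let it through
        ("tracert_hop_reply", Packet("203.0.113.1", out, "icmp", TIME_EXCEEDED)),
    ]
    return {name: asa.forward(pkt)[0] for name, pkt in cases}


if __name__ == "__main__":
    for name, allowed in thread_scenarios(ToyAsa(THREAD_FINAL_ACL)).items():
        print(f"{name:18} {'permit' if allowed else 'deny'}")
```

The `icmp permit ... outside` lines from the thread are deliberately not modelled: they govern ICMP addressed to the ASA's own interface, which is why they changed nothing for traffic passing through it.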
 
Expert Comment by: leonjs (LVL 3)
I can help you set up VPN but I just ask that that be the last project that you undertake. Better to get the ASA set up the way you want and understand the configuration, otherwise things get messy. End users can use the Cisco VPN Client or the native Windows VPN client; it doesn't matter.

For pcAnywhere, if the connection is first established from a remote location to your network you will need to configure an access-list and apply it to the outside interface in. If this is something that runs on PCs in the company and people access those PCs remotely, most likely it will work as a result of reflexive NAT.

If the network is an AD domain you might consider having end users connect via RA and remote desktop into their PC.
Author Comment by: MACROLEVEL
2 leonjs:

Thank you for all this info. Can you please tell me what IP should be set in Step 5? The WAN IP address which actually is the IP I'm getting from the T1 router or the IP address from which I will be accessing ASA?
Expert Comment by: leonjs (LVL 3)
On my ASA's for step five I have indicated
5 fw#(config t) ssh 0.0.0.0 0.0.0.0 outside


An example of what you might put in there would be a branch office external IP to allow them ssh access to the firewall. Other than that, just omit it for now.
Chances are you will only ssh from the inside network, and if you're home you will VPN, remote desktop or pcAnywhere to your work PC and then ssh in, so you can leave step 5 out if you want.
Author Comment by: MACROLEVEL
I need to access the ASA, say, from home if I need to do some changes - I can't drive 30 miles every time I have to do something. With the RV042 I can have HTTPS or simply can use pcAnywhere to use the remote screen and access it using a web browser. Although I can use remote desktop to access a remote computer and launch ASDM on it, probably the best way will be SSH to the ASA. My IP at home is dynamic so I can't be sure that it will be the same tomorrow. What should I do in this case? What is the best practice for small offices without full-time IT staff and consultants fixing issues remotely?
Expert Comment by: leonjs (LVL 3)
In this case just use 0.0.0.0 0.0.0.0; it doesn't really matter. I've never been in a company without full-time staff so I couldn't answer, but other than the remote access tools, any any is the only way.
Author Comment by: MACROLEVEL
Just noticed something important... I can't ping or tracert any public IP outside ASA. What is missing?
Expert Comment by: leonjs (LVL 3)
Copy and paste the running config into here
Author Comment by: MACROLEVEL

ciscoasa# show run

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list inbound extended permit tcp any interface outside eq 3001

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.10-192.168.0.199 inside

dhcpd enable inside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:93a6cfcaf7caf88dad8d76b0842d2dc7

: end

Assisted Solution by: leonjs (LVL 3, earned 300 total points)
config t
fw#(config t) policy-map global_policy
fw#(config-pmap)class inspection_default
fw#(config-pmap-c)inspect icmp
Author Comment by: MACROLEVEL
2 leonjs:

Now I can ping but still can't tracert:

Tracing route to cnn.com [157.166.226.26]

over a maximum of 30 hops:
 

  1     *        *        *     Request timed out.

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

  4     *        *        *     Request timed out.

  5  ^C

Assisted Solution by: leonjs (LVL 3, earned 300 total points)
fw#(config t) icmp permit any echo outside
fw#(config t) icmp permit any echo-reply outside
fw#(config t) icmp permit any redirect outside
fw#(config t) icmp permit any time-exceed outside

Author Comment by: MACROLEVEL
The same... can ping only.
ciscoasa# show run

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list inbound extended permit tcp any interface outside eq 3001

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any redirect outside

icmp permit any time-exceeded outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.10-192.168.0.199 inside

dhcpd enable inside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:24be54f2a6377d1100883e9841800797

: end

Assisted Solution by: leonjs (LVL 3, earned 300 total points)
Keep those in there and try this


fw#(config t) access-list inbound permit icmp any any time-exceeded
fw#(config t) access-list inbound permit icmp any any echo-reply
fw#(config t) access-list inbound permit icmp any any echo
fw#(config t) access-list inbound permit icmp any any redirect
Author Comment by: MACROLEVEL
Now it's fine.

Please take a look at the current config and let me know if we need to perform some housekeeping... if it is OK, I'm going to set a static address for outside and tomorrow morning will swap devices.
ciscoasa# show run

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

 domain-name default.domain.invalid

access-list inbound extended permit tcp any interface outside eq 3001

access-list inbound extended permit icmp any any time-exceeded

access-list inbound extended permit icmp any any echo-reply

access-list inbound extended permit icmp any any echo

access-list inbound extended permit icmp any any redirect

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any redirect outside

icmp permit any time-exceeded outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255

access-group inbound in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.10-192.168.0.199 inside

dhcpd enable inside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:fe2a090d8001fb6e0b2c2be26f64de95

: end

Expert Comment by: leonjs (LVL 3)
You're running version 7.2(3) of ASA. The latest version is 8.0(4). I would upgrade; not critical, but there are some enhancements and you also get to use the later version of ASDM, which has a lot of improvements if you're a GUI person. You will need a valid SmartNet contract or CCO login to access the updates.

Otherwise looks good the way it is.
0
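A config check for the housekeeping the thread settles on, as an added Python example that is not code from the thread or from Cisco: it parses `show run` text and flags the items discussed above (the DHCP pool and its DNS option, the 3001 translation versus its ACL line, SSH exposure and version, and ICMP inspection). The sample config is constructed from the thread's final one, with 203.0.113.x standing in for the masked 63.xxx.xxx.x addresses and the SSH lines taken from the steps proposed earlier in the thread.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample, condensed from the thread's final 'show run'.
SAMPLE_CONFIG = """\
: Saved
ASA Version 7.2(3)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.128
access-list inbound extended permit tcp any interface outside eq 3001
access-list inbound extended permit icmp any any time-exceeded
static (inside,outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255
access-group inbound in interface outside
http 192.168.0.0 255.255.255.0 inside
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh version 1
dhcpd address 192.168.0.10-192.168.0.199 inside
dhcpd enable inside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""


def parse_config(text):
    """Split 'show run' text into top-level lines and {header: [indented sub-lines]}."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("!", ":")):
            continue                      # separators, ': Saved', ': end'
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            top.append(line)
            current = line
            sections[current] = []
    return top, sections


def inside_interface(sections):
    """Return the ip_interface of the interface whose nameif is 'inside', or None."""
    for header, body in sections.items():
        if header.startswith("interface ") and "nameif inside" in body:
            for sub in body:
                m = re.match(r"ip address (\S+) (\S+)$", sub)
                if m:
                    return ip_interface(f"{m[1]}/{m[2]}")
    return None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top, sections = parse_config(text)
    inside = inside_interface(sections)
    if inside is None:
        return ["no inside interface with a static ip address"]
    net, findings = inside.network, []

    # DHCP: the pool must lie in the inside subnet and clients need a resolver
    # (the laptop in the thread got an address but no DNS until 'dhcpd dns' was added)
    for line in top:
        m = re.match(r"dhcpd address (\S+)-(\S+) inside$", line)
        if m and not all(ip_address(a) in net for a in m.groups()):
            findings.append(f"dhcp pool {m[1]}-{m[2]} is not inside {net}")
    if any(l.startswith("dhcpd enable inside") for l in top) \
            and not any(l.startswith("dhcpd dns ") for l in top):
        findings.append("dhcpd enabled on inside but no 'dhcpd dns': clients get no resolver")

    # Port forwards: each static PAT needs a permit in the ACL bound inbound on outside
    bound = {m[1] for l in top for m in [re.match(r"access-group (\S+) in interface outside$", l)] if m}
    permitted = set()
    for line in top:
        m = re.match(r"access-list (\S+) (?:extended )?permit tcp any interface outside eq (\d+)$", line)
        if m and m[1] in bound:
            permitted.add(int(m[2]))
    for line in top:
        m = re.match(r"static \(inside,outside\) tcp interface (\d+) (\S+) (\d+)", line)
        if m:
            port, host = int(m[1]), ip_address(m[2])
            if host not in net:
                findings.append(f"port {port} is forwarded to {host}, which is not on {net}")
            if port not in permitted:
                findings.append(f"port {port} is translated but no bound ACL permits it")

    # Management plane: no cleartext telnet, no world-reachable ssh, ssh version 2
    for line in top:
        m = re.match(r"(ssh|telnet) (\S+) (\S+) (\S+)$", line)
        if m and m[1] == "telnet":
            findings.append(f"telnet (cleartext) allowed from {m[2]} on {m[4]}")
        elif m and m[4] == "outside" and m[2] == "0.0.0.0":
            findings.append("ssh reachable from any Internet address; restrict to known sources")
    if "ssh version 1" in top:
        findings.append("ssh version 1 configured; use 'ssh version 2'")

    # ICMP inspection, which is what made ping work in the thread
    if "inspect icmp" not in sections.get("policy-map global_policy", []):
        findings.append("no 'inspect icmp' in global_policy: echo replies will be dropped")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(" -", finding)
```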
 

Author Comment by: MACROLEVEL
I will try to learn CLI in the future, but for now I guess I may use ASDM combined with CLI.

As for the version, if the new version is not buggy, why not? I have a second ASA5505 SEC+ which I purchased to learn IOS and ASDM at home. I got SmartNet for it as well. Do both devices use the same IOS? If so, then I guess I can try to upgrade it (will need some directions, though). I will need to upgrade ASDM as well, right? Right now I have version 5.2.

Btw, can I have the console cable connected all the time to the server and the ASA so if I need to do changes I can remote desktop to the server and do the changes?
Expert Comment by: leonjs (LVL 3)
Yeah, well, every version has bugs; nothing you can do about that. However, the benefits of upgrading outweigh them. Both devices use the same IOS. It's mandatory to upgrade the ASDM as well; 5.2 isn't compatible with the newer version. The latest version of ASDM is 6.3.

You can keep the blue rollover cable connected as long as you want, so you can do your changes. If you want, see my profile; I have my contact info in it, so contact me directly, otherwise this post might go on for a while.
Author Comment by: MACROLEVEL
Hi again,

Just tested the ASA on location and it seems something is wrong with the DNS setup. My laptop is connected to the ASA directly, Skype is online but I cannot open any web page. Please take a look at the config and ipconfig log at the bottom... looks like it is not getting DNS server information from the ASA.

Also, is this the correct syntax:

route outside 0.0.0.0 0.0.0.0 63.xxx.xxx.1 1


ciscoasa# show run

: Saved

:

ASA Version 7.2(3)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.0.1 255.255.255.0

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 63.xxx.xxx.3 255.255.255.128

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

 name-server 216.xxx.28.33

 name-server 216.xxx.28.0

 domain-name default.domain.invalid

access-list inbound extended permit tcp any interface outside eq 3001

access-list inbound extended permit icmp any any time-exceeded

access-list inbound extended permit icmp any any echo-reply

access-list inbound extended permit icmp any any echo

access-list inbound extended permit icmp any any redirect

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any echo outside

icmp permit any echo-reply outside

icmp permit any redirect outside

icmp permit any time-exceeded outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3001 192.168.0.202 3001 netmask 255.255.255.255

access-group inbound in interface outside

route outside 0.0.0.0 0.0.0.0 63.xxx.xxx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.0.10-192.168.0.199 inside

dhcpd enable inside

!
 

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

 parameters

  message-length maximum 512

policy-map global_policy

 class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:8fc4c5f4bcc1b90a18b62933d42f8bf4

: end

ciscoasa#
 
 
 
 
 
 

~~~~~~~~~~~~~
 
 

Ethernet adapter Local Area Connection:
 

        Connection-specific DNS Suffix  . :

        Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection

        Physical Address. . . . . . . . . : 00-13-A9-F9-FD-5B

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.0.10

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.0.1

        DHCP Server . . . . . . . . . . . : 192.168.0.1

        Lease Obtained. . . . . . . . . . : Monday, October 20, 2008 10:48:50 AM

        Lease Expires . . . . . . . . . . : Monday, October 20, 2008 11:48:50 AM

Assisted Solution by: leonjs (LVL 3, earned 300 total points)
You need this command:
fw#(config t) dhcpd dns X.X.X.X

where x.x.x.x is the DNS server you want the client to use.

If you're not sure what IP address to put there or it doesn't work, try 4.2.2.2, a global DNS server useful in testing.
Expert Comment by: leonjs (LVL 3)
route outside 0.0.0.0 0.0.0.0 63.xxx.xxx.1 1 is correct.

To double confirm you can try fw#show route

and verify the gateway of last resort is 63.xxx.xxx.1 to network 0.0.0.0.

Also, that trailing extra 1 you see is an indication of the route having a metric of 1, which is normal.
Author Comment by: MACROLEVEL
I'm online!

Swapped devices, all users are connected to internet (had to restart the server). Will test applications and other servers now and let you know if there is a problem. Thank you for all your help!
Author Closing Comment by: MACROLEVEL
Please double check your answers, especially command syntax... Just one space can cause an error, and a wrong IP address can mislead. Thank you for your help, I finally got this device up and running. Now I have to deal with a Cisco AP and advanced setup so I'll post my questions soon.