sasaabir asked:
configure cisco 800 router for internet and ASA as FW

Hi, I have got knowledge on Cisco routers and fair knowledge on FWs. This is for our new office in Saudi; currently we have a DSL line, and it is connected and configured on an 800 series router only for the users to access the internet and OWA (no servers in that location). I need to implement a FW and I have got an ASA 5505. I have prepared the configuration of the router and ASA by collecting the details, so please could somebody check the configuration and confirm whether it is fine or not (configuration is attached). The connectivity is DSL connected to the Cisco 800 router, to the Cisco ASA, and to a hub. The DSL is configured on the router and the DHCP pool is configured on the ASA.
ksa111.txt
bkepford replied:
You need to do your NATing on the router as it has the public IP.
The ASA looks good except that you don't need to NAT, and I couldn't find the ACL outside_access_in that you have applied to the outside interface. Also, since you shouldn't NAT on the ASA, you need to put a static route to the inside network of the ASA onto your router.
So take this out of your ASA config

no nat (inside) 1 0.0.0.0 0.0.0.0
And add this into your router config

interface FastEthernet0
ip nat inside
!
interface Dialer1
ip nat outside
!
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
!
ip route 192.168.113.0 255.255.255.0 192.168.112.2

sasaabir (asker) replied:
What is the access list to be given, as I am getting the below error while configuring the access group:
Error: access list outside_access_in does not exist

Is the below access list o.k.? Is it secure? We need to access the internet.
access-list outside_access_in extended permit tcp any any eq www
access-group outside_access_in in interface outside
bkepford replied:

That ACL will allow unsolicited Web traffic into your network. By default, traffic flowing from a higher security level to a lower security level is allowed. Use the following, and if that doesn't work for you, post again.
access-list outside_access_in extended deny ip any any

sasaabir (asker) replied:

I have pasted that configuration but it is still not working. Do I have to add any inside access list? Please confirm.

bkepford replied:

No, leave the inside open. The reason that ACL is not taking is that it is implicit.
You may want to just take off the ACL completely and let the security-level on the interfaces do the work.

sasaabir (asker) replied:

Below is the configuration pasted on the FW and Router.

FW configuration:-

ASA Version 7.2(3)
!
hostname RMKSAASA01
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
 description ***Connected-to-DSL-Router***
 nameif outside
 security-level 0
 ip address 192.168.254.2 255.255.255.252
!
interface Vlan2
 description ***LAN-Network***
 nameif inside
 security-level 100
 ip address 192.168.120.100 255.255.255.0
!
interface Ethernet0/0
 description ***Connected-to-LAN***
 switchport access vlan 2
!
interface Ethernet0/1
 description ***Connected-to-DSL-Router***
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_out extended permit tcp any any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 150
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group outside_access_in in interface outside
access-group outside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.120.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.62.98.10 212.62.98.25
dhcpd lease 691200
dhcpd ping_timeout 10
dhcpd domain domain.local
dhcpd auto_config outside
!
dhcpd address 192.168.120.101-192.168.120.151 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8f954e6c6e7b05fd0491043a3398bfdd
: end

Router configuration:-

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Rasmala
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password **********
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 212.62.98.10
ip name-server 212.62.98.25
!
!
!
username admin password 7 *********
!
!
!
!
!
interface ATM0
 no ip address
 ip mtu 1492
 ip tcp adjust-mss 1452
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description ***Connected-to-ASA-FW***
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ******@4096.icc.net.sa
 ppp chap password 7 ************
 ppp pap sent-username ******@4096.icc.net.sa password 7 ************
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.120.0 255.255.255.0 192.168.254.2
!
ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
!
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 password 7 0519071C2C4D4208
 no modem enable
line aux 0
line vty 0 4
 password 7 0214054806070320
 transport input telnet ssh
!
scheduler max-task-time 5000
end

bkepford replied:

Looks good, except you will have problems accessing things; the problem will be in your ACLs. To fix it, paste these lines. This will let the default configuration work.
no access-group outside_access_in in interface outside
no access-group outside_access_out in interface inside
no access-list outside_access_in extended permit tcp any any eq www
no access-list outside_access_out extended permit tcp any any
The default is:
  • ALLOW all traffic coming from the INSIDE to the OUTSIDE interface (and responses are allowed back in)
  • DENY all traffic originating from the OUTSIDE
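As an added example (not part of this thread, and not Cisco's tooling), the following Python script checks a pasted ASA 7.x config for the points bkepford raised: an access-group bound to an ACL that does not exist, a permit-from-any ACE applied inbound on the security-level-0 interface, an ACL on the inside interface that replaces the default high-to-low permit and so silently drops anything it does not list, and NAT left on the ASA behind a router that already NATs. It also checks the router side from the earlier answer: that a static route for the ASA inside subnet points at the ASA outside address. The sample inputs are constructed from the configs posted above; the function and dictionary-key names are this example's own.

```python
"""Lint a Cisco ASA 7.x config for the problems raised in this thread (added example).
Sample inputs below are constructed from the ASA and router configs posted above."""
import re
from ipaddress import ip_interface, ip_network

ASA_CONFIG = """\
interface Vlan1
 nameif outside
 security-level 0
 ip address 192.168.254.2 255.255.255.252
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.120.100 255.255.255.0
!
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_out extended permit tcp any any
global (outside) 1 interface
access-group outside_access_in in interface outside
access-group outside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
"""

ROUTER_CONFIG = """\
interface Vlan1
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.120.0 255.255.255.0 192.168.254.2
ip nat inside source list 102 interface Dialer1 overload
"""


def parse_asa(text):
    """Collect interfaces (by nameif), ACL entries, access-group bindings and NAT lines."""
    cfg = {"ifaces": {}, "acls": {}, "bindings": [], "nat": []}
    cur = None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = {}
            continue
        if line.startswith(" ") and cur is not None:
            key, _, rest = line.strip().partition(" ")
            if key == "nameif":
                cfg["ifaces"][rest] = cur
            elif key == "security-level":
                cur["security"] = int(rest)
            elif key == "ip":  # rest is "address A.B.C.D M.M.M.M"
                addr, mask = rest.split()[1:3]
                cur["ip"] = ip_interface(f"{addr}/{mask}")
            continue
        cur = None  # any non-indented line ends the interface stanza
        m = re.match(r"access-list (\S+) extended (.+)", line)
        if m:
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)", line)
        if m:
            cfg["bindings"].append(m.groups())
        if line.startswith(("global ", "nat ")):
            cfg["nat"].append(line)
    return cfg


def lint_asa(cfg, upstream_router_nats=True):
    """Return human-readable findings, in binding order; an empty list means nothing flagged."""
    findings = []
    for acl, direction, ifname in cfg["bindings"]:
        aces = cfg["acls"].get(acl)
        if aces is None:  # the 'access list ... does not exist' error from the thread
            findings.append(f"access-group on {ifname} references undefined ACL {acl}")
            continue
        sec = cfg["ifaces"].get(ifname, {}).get("security")
        if direction != "in" or sec is None:
            continue
        if sec == 0:
            # Lowest-security interface: a permit whose source is 'any' admits unsolicited traffic.
            for ace in aces:
                if re.match(r"permit \S+ any\b", ace):
                    findings.append(f"{acl} on {ifname} permits unsolicited inbound traffic: {ace}")
        else:
            # Binding an ACL replaces the default high-to-low permit, and every ACL ends in an
            # implicit deny, so protocols the ACL does not list (UDP DNS, ICMP) are dropped.
            protos = sorted({a.split()[1] for a in aces if a.startswith("permit")})
            if "ip" not in protos:
                findings.append(f"{acl} on {ifname} permits only {protos}; "
                                "implicit deny drops the rest (e.g. UDP DNS)")
    if upstream_router_nats and cfg["nat"]:
        findings.append("double NAT: the router already translates to the public IP; "
                        "remove: " + "; ".join(cfg["nat"]))
    return findings


def router_routes_to_asa_inside(router_text, cfg):
    """True if the router has a static route for the ASA inside subnet via the ASA outside IP."""
    inside_net = cfg["ifaces"]["inside"]["ip"].network
    asa_outside = str(cfg["ifaces"]["outside"]["ip"].ip)
    for dst, mask, nexthop in re.findall(r"^ip route (\S+) (\S+) (\S+)", router_text, re.M):
        if dst != "0.0.0.0" and ip_network(f"{dst}/{mask}") == inside_net and nexthop == asa_outside:
            return True
    return False


if __name__ == "__main__":
    cfg = parse_asa(ASA_CONFIG)
    for finding in lint_asa(cfg):
        print("FINDING:", finding)
    print("router static route to ASA inside:", router_routes_to_asa_inside(ROUTER_CONFIG, cfg))
```

Run against the posted config it reports three findings (the inbound `permit tcp any any eq www`, the TCP-only ACL on the inside, and `global (outside) 1 interface`) and confirms the router's `ip route 192.168.120.0 255.255.255.0 192.168.254.2`. The inside-ACL finding is the one that explains "still not working" after the outside ACL was fixed: with only TCP permitted on the inside, DNS over UDP never leaves the LAN.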

sasaabir (asker) replied:

Many thanks for your support and quick response. I have done that too but still it is not working; anyway, the time is 1 in the early morning, I will get back to you with the latest configuration later.

bkepford replied:

Take this out of your ASA: "global (outside) 1 interface"

sasaabir (asker) replied:

I will try this out at the end of this weekend and let you know.
ASKER CERTIFIED SOLUTION: bkepford

This solution is only available to members.