sasaabir
asked on
Configure Cisco 800 router for internet and ASA as FW
Hi, I have knowledge of Cisco routers and fair knowledge of firewalls. This is for our new office in Saudi. Currently we have a DSL line, and it is connected and configured on an 800 series router only for the users to access the internet and OWA (no servers in that location). I need to implement a FW, and I have got an ASA 5505. I have prepared the configuration of the router and ASA by collecting the details, so could somebody please check the configuration and confirm whether it is fine or not (configuration is attached)? The connectivity is DSL connected to the Cisco 800 router, to the Cisco ASA, and to a hub. The DSL is configured on the router and the DHCP pool is configured on the ASA.
ksa111.txt
ASKER
What access list should be given? I am getting the below error while configuring the access group:
Error: access list outside_access_in does not exist
Is the below access list OK, and is it secure? We need to access the internet.
access-list outside_access_in extended permit tcp any any eq www
access-group outside_access_in in interface outside
That ACL will allow unsolicited web traffic into your network. By default, traffic flowing from a higher security level to a lower security level is allowed. Use the following, and if that doesn't work for you, post again.
access-list outside_access_in extended deny ip any any
ASKER
I have pasted that configuration, but it is still not working. Do I have to add any inside access list? Please confirm.
No, leave the inside open. The reason that ACL is not taking is that it is implicit.
You may want to just take off the ACL completely and let the security level on the interfaces do the work.
ASKER
Below is the configuration pasted on the FW and router:
FW configuration:-
ASA Version 7.2(3)
!
hostname RMKSAASA01
domain-name default.domain.invalid
enable password
names
!
interface Vlan1
description ***Connected-to-DSL-Router ***
nameif outside
security-level 0
ip address 192.168.254.2 255.255.255.252
!
interface Vlan2
description ***LAN-Network***
nameif inside
security-level 100
ip address 192.168.120.100 255.255.255.0
!
interface Ethernet0/0
description ***Connected-to-LAN***
switchport access vlan 2
!
interface Ethernet0/1
description ***Connected-to-DSL-Router ***
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_out extended permit tcp any any
pager lines 24
logging enable
logging trap debugging
logging asdm informational
logging queue 150
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group outside_access_in in interface outside
access-group outside_access_out in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.254.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.120.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.120.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.62.98.10 212.62.98.25
dhcpd lease 691200
dhcpd ping_timeout 10
dhcpd domain domain.local
dhcpd auto_config outside
!
dhcpd address 192.168.120.101-192.168.120.151 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8f954e6c6e7b05fd0491043a3398bfdd
: end
Router configuration:-
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Rasmala
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password **********
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 212.62.98.10
ip name-server 212.62.98.25
!
!
!
username admin password 7 *********
!
!
!
!
!
interface ATM0
no ip address
ip mtu 1492
ip tcp adjust-mss 1452
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description ***Connected-to-ASA-FW***
ip address 192.168.254.1 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ******@4096.icc.net.sa
ppp chap password 7 ************
ppp pap sent-username ******@4096.icc.net.sa password 7 ************
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.120.0 255.255.255.0 192.168.254.2
!
ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
!
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
password 7 0519071C2C4D4208
no modem enable
line aux 0
line vty 0 4
password 7 0214054806070320
transport input telnet ssh
!
scheduler max-task-time 5000
end
Looks good, except you will have problems accessing things; the problem will be in your ACLs. To fix it, paste these lines. This will let the default configuration work.
no access-group outside_access_in in interface outside
no access-group outside_access_out in interface inside
no access-list outside_access_in extended permit tcp any any eq www
no access-list outside_access_out extended permit tcp any any
The default is
- ALLOW all traffic coming from the INSIDE to the OUTSIDE interface (and responses are allowed back in)
- DENY all traffic originating from the OUTSIDE
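As an added example (not from this thread, and not Cisco tooling), a small Python audit over the ASA lines quoted above that reproduces the ACL points raised here: an access-group that names a missing ACL (the "does not exist" error), an inbound permit from any source on the security-level 0 interface (unsolicited traffic), and an any/any permit on the inside interface that the higher-to-lower security-level default already allows. The config excerpt is constructed from the one posted; the parser only understands the handful of ASA commands it needs.

```python
import re
# Constructed excerpt of the ASA lines posted in this thread (not the full config).
ASA_CONFIG = """
 nameif outside
 security-level 0
 nameif inside
 security-level 100
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_out extended permit tcp any any
access-group outside_access_in in interface outside
access-group outside_access_out in interface inside
"""

def parse_asa(config):
    """Collect interface security levels, ACL entries and ACL-to-interface bindings."""
    levels, acls, groups, nameif = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            levels[nameif] = int(line.split()[1])
        elif line.startswith("access-list "):
            parts = line.split()
            acls.setdefault(parts[1], []).append(parts[2:])
        else:
            m = re.match(r"access-group (\S+) in interface (\S+)", line)
            if m:
                groups.append((m.group(1), m.group(2)))
    return levels, acls, groups

def audit(config):
    """Flag missing ACLs, any-source inbound permits on the lowest-security
    interface, and any/any permits the security-level default already allows."""
    levels, acls, groups = parse_asa(config)
    lowest = min(levels, key=levels.get)  # security-level 0, i.e. outside
    findings = []
    for acl, iface in groups:
        if acl not in acls:  # access-group applied before its ACL exists
            findings.append(f"{acl}: ACL does not exist")
            continue
        for ace in acls[acl]:
            if ace[:2] != ["extended", "permit"] or len(ace) < 5:
                continue
            rule = " ".join(ace[2:])
            if iface == lowest and ace[3] == "any":
                findings.append(f"{acl} on {iface}: permits unsolicited '{rule}'")
            elif iface != lowest and ace[3:5] == ["any", "any"]:
                findings.append(f"{acl} on {iface}: '{rule}' is allowed by default")
    return findings
```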
ASKER
Many thanks for your support and quick response. I have done that too, but still it is not working. Anyway, the time is 1 in the early morning; I will get back to you with the latest configuration later.
Take this out of your ASA: "global (outside) 1 interface"
ASKER
I will try this out at the end of this weekend and let you know.
ASKER CERTIFIED SOLUTION
The ASA looks good, except that you don't need to NAT, and I couldn't find the ACL outside_access_in that you have applied to the outside interface. Also, since you shouldn't NAT on the ASA, you need to put a static route on your router to get to the inside network of the ASA.
So take this out of your ASA config:
no nat (inside) 1 0.0.0.0 0.0.0.0
And add this into your router config:
interface FastEthernet0
ip nat inside
!
interface Dialer1
ip nat outside
!
ip nat inside source list 100 interface Dialer1 overload
!
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
!
ip route 192.168.113.0 255.255.255.0 192.168.112.2