[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 354
  • Last Modified:

Configuring Cisco ASA 5505

Good afternoon Experts. A company I do some contracting for has a Cisco ASA 5505 that I installed about a year ago. At that time all they wanted was a VPN and firewall so that they could access files on their one server when traveling. They have decided to host their own email (Exchange) and web page. I just don't set up routers often enough to be proficient. I need to enable FTP, email, and web. Ports 21, 25, 80, and 443.
Here is the current config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name company.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.22.xxx.xxx 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.22.xxx.xxx
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name company.com
same-security-traffic permit intra-interface
access-list company_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.22.0.0 255.255.0.0 172.23.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 172.23.0.1-172.23.0.10 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy company internal
group-policy company attributes
 dns-server value 172.22.xxx.xxx 68.94.156.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value company.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy company
username kparrott password qyrc8poHKa8jkaNE encrypted privilege 0
username kparrott attributes
 vpn-group-policy company
http server enable
http 172.22.0.0 255.255.0.0 inside
http 74.193.6.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy company
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp


  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:1f785b3eeec2a0d331dc435f6ebe6b40
: end

Your help would be appreciated
0
dw1958
Asked:
dw1958
  • 2
  • 2
1 Solution
 
batry_boyCommented:
Since you didn't mention which IP address you wanted to allow this type of traffic to on the internal network, I will use 172.22.1.5 as the server you want to allow those ports inbound to and will use 76.247.1.1 as the public IP address for which to set up the static NAT translation so that external users can get to it:

static (inside,outside) 76.247.1.1 172.22.1.5 netmask 255.255.255.255
access-list outside_access_in permit tcp any host 76.247.1.1 eq www
access-list outside_access_in permit tcp any host 76.247.1.1 eq https
access-list outside_access_in permit tcp any host 76.247.1.1 eq ftp
access-list outside_access_in permit tcp any host 76.247.1.1 eq smtp
access-group outside_access_in in interface outside

The above lines will create a static NAT for inside host 172.22.1.5 to look like 76.247.1.1 to the outside world.  Then, the four ports will be allowed inbound to that host from any external host.  Finally, the ACL is applied inbound to the outside interface to allow the traffic defined in that ACL.
0
 
dw1958Author Commented:
Thanks barty boy:
 I added the lines to the config and saved it. I tried to connect via ftp but was unable to. Here is the current config. Please let me know if you see something I screwed up on.

show running-config"



: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name k2controls.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.22.0.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.22.0.2
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name k2controls.com
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.22.0.0 255.255.0.0 172.23.0.0 255.255.0.0
access-list outside_access_in extended permit tcp any host 76.247.252.133 eq www
access-list outside_access_in extended permit tcp any host 76.247.252.133 eq https
access-list outside_access_in extended permit tcp any host 76.247.252.133 eq ftp
access-list outside_access_in extended permit tcp any host 76.247.252.133 eq smtp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 172.23.0.1-172.23.0.10 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 76.247.252.133 172.22.0.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 172.22.0.2 68.94.156.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username wpeckham password IClMlFp761.P/TM7 encrypted privilege 0
username kparrott password qyrc8poHKa8jkaNE encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 172.22.0.0 255.255.0.0 inside
http 74.193.6.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:716ad67fba3a90c8e968f3f08d455786
: end
0
 
batry_boyCommented:
Since you are using the outside interface IP address for your static translation to the inside host, you need to change the syntax of the commands that I gave to you before and you will need to implement port redirection:

no static (inside,outside) 76.247.252.133 172.22.0.2 netmask 255.255.255.255
static (inside,outside) tcp interface www 172.22.0.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 172.22.0.2 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 172.22.0.2 ftp netmask 255.255.255.255
static (inside,outside) tcp interface smtp 172.22.0.2 smtp netmask 255.255.255.255
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq smtp
no access-list outside_access_in extended permit tcp any host 76.247.252.133 eq www
no access-list outside_access_in extended permit tcp any host 76.247.252.133 eq https
no access-list outside_access_in extended permit tcp any host 76.247.252.133 eq ftp
no access-list outside_access_in extended permit tcp any host 76.247.252.133 eq smtp

Put in those commands in the order listed above and give it another shot.
0
 
dw1958Author Commented:
batry boy: Thanks for your help. That took care of it. Tested with ftp, www, and smtp.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now