Cisco ASA 5505 Setup

Hello Team,

Let me start out by saying I am a newbie. I have a Cisco ASA 5505. What I would like to do is wipe it clean and start from scratch.

What I need:
- Setup to work with a static dsl connection. (216.XXX.XXX.74, 255.255.255.0, 216.XXX.XXX.1)
- There is an SBS server handling DHCP and I would like to keep it that way. So DHCP should be disabled on the ASA.
- This ASA's ip should be 192.168.92.3
- I need the following TCP ports open (25, 443, 444, 1723, and 3389).

If anyone can help me set up a config file for it that would be sweet. thanks
jtorrrresAsked:
ksims1129Commented:
You can statically open ports to the ASA using the following:

static (inside,outside) tcp 216.xxx.xxx.74 25 192.168.92.2 25 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 443 192.168.92.2 443 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 444 192.168.92.2 444 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 1723 192.168.92.2 1723 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 3389 192.168.92.2 3389 netmask 255.255.255.255
no access-list OUTSIDE_IN permit tcp any any eq 25
no access-list OUTSIDE_IN permit tcp any any eq 443
no access-list OUTSIDE_IN permit tcp any any eq 444
no access-list OUTSIDE_IN permit tcp any any eq 1723
no access-list OUTSIDE_IN permit tcp any any eq 3389
access-list OUTSIDE_IN permit tcp any 216.xxx.xxx.74 eq 25
access-list OUTSIDE_IN permit tcp any 216.xxx.xxx.74 eq 443
access-list OUTSIDE_IN permit tcp any 216.xxx.xxx.74 eq 444
access-list OUTSIDE_IN permit tcp any 216.xxx.xxx.74 eq 1723
access-list OUTSIDE_IN permit tcp any 216.xxx.xxx.74 eq 3389

This will accomplish what you explained.
 
ksims1129Commented:
This should work for you

interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

interface vlan 2
ip address 216.xxx.xxx.74 255.255.255.0
no shutdown
nameif outside
security-level 0

interface vlan 3
ip address 192.168.92.3 255.255.255.0
no shutdown
nameif inside
security-level 100

access-list NONAT permit ip 192.168.92.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any any eq 443
access-list OUTSIDE_IN permit tcp any any eq 444
access-list OUTSIDE_IN permit tcp any any eq 1723
access-list OUTSIDE_IN permit tcp any any eq 3389

route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.1
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.92.0 255.255.255.0

Hope this helps
 
jtorrrresAuthor Commented:
thanks, I will give it a try and keep you posted.
 
jtorrrresAuthor Commented:
I gave it a try and had no success. I ended up making some changes to the config file because the console was complaining about incorrect commands. Apart from getting a few error messages, I was not able to ping anything. After making the changes below, I can now do so, but the ports are not acting like a switch. It connects to the network, allowing me to ping all devices, but I cannot get online with the TW connection, nor is the server picking up the static DSL connection. I have verified the ISP static settings.

Here is a little info. I have two ISP connections (dynamic cable internet and static DSL). The SBS server is using the static DSL connection, and via DHCP provided by SBS the workstations are connecting using the Time Warner connection. The Time Warner connection is on GW 192.168.92.1. This setup has worked just fine with another crappy router I have. I am just looking to implement this ASA instead of the router currently in place.

This is what I have now..

interface vlan1
ip address 192.168.92.3 255.255.255.0
no shutdown
nameif inside
security-level 100

interface vlan2
ip address 216.XXX.XXX.74 255.255.255.0
no shutdown
nameif outside
security-level 0

interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

access-list NONAT permit ip 192.168.92.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any any eq 443
access-list OUTSIDE_IN permit tcp any any eq 444
access-list OUTSIDE_IN permit tcp any any eq 1723
access-list OUTSIDE_IN permit tcp any any eq 3389

route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.1
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.92.0 255.255.255.0
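A complete configuration in the 8.2-era syntax the thread uses, combining the port forwards from the accepted answer, the base interface and NAT setup from the second answer, and the VLAN 1/VLAN 2 layout the asker settled on. It also supplies what none of the posts include: the access-group that actually binds OUTSIDE_IN to the outside interface (without it the implicit deny drops every inbound connection, which matches the "port is not open" symptom), the interface keyword on the global line, and LAN-only management. This is an added example, not code from the thread or from Cisco; the hostname, domain name, management rules and the 203.0.113.10 test source are assumptions, and 216.xxx.xxx.* are the redacted ISP addresses from the original post.

```cisco
! Added example in ASA 8.2-era syntax. 216.xxx.xxx.* are the redacted ISP
! addresses from the thread; hostname, domain-name and the management rules
! are assumptions. Set enable/console passwords before putting this on the wire.
hostname asa5505
domain-name example.local
!
! Ethernet0/0 faces the DSL modem. 0/1-0/7 stay in VLAN 1 (the factory
! default), so they behave as inside switch ports.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
! repeat "no shutdown" for Ethernet0/2 through Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.92.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.xxx.xxx.74 255.255.255.0
!
! SBS stays the DHCP server, so the ASA runs none (this line only matters
! if the factory-default dhcpd configuration was loaded).
no dhcpd enable inside
!
route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.1 1
!
! Outbound PAT for the LAN. "global (outside) 1" with no address, as posted,
! is rejected by the parser; "interface" makes it PAT on the outside IP.
! The NONAT exemption from the thread is dropped: with a single inside
! interface there is no inside-to-inside traffic to exempt.
global (outside) 1 interface
nat (inside) 1 192.168.92.0 255.255.255.0
!
! Inbound forwards to the SBS box. In 8.2 the static performs the
! translation and the outside ACL is matched against the PUBLIC address,
! because the interface ACL is evaluated before NAT.
static (inside,outside) tcp 216.xxx.xxx.74 25 192.168.92.2 25 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 443 192.168.92.2 443 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 444 192.168.92.2 444 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 1723 192.168.92.2 1723 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 3389 192.168.92.2 3389 netmask 255.255.255.255
!
! "any" is what the poster asked for; narrowing the source for 3389 and
! 1723 to known admin/remote-site addresses cuts brute-force exposure.
access-list OUTSIDE_IN extended permit tcp any host 216.xxx.xxx.74 eq 25
access-list OUTSIDE_IN extended permit tcp any host 216.xxx.xxx.74 eq 443
access-list OUTSIDE_IN extended permit tcp any host 216.xxx.xxx.74 eq 444
access-list OUTSIDE_IN extended permit tcp any host 216.xxx.xxx.74 eq 1723
access-list OUTSIDE_IN extended permit tcp any host 216.xxx.xxx.74 eq 3389
! Nothing in the thread applies the ACL; without this line every inbound
! connection hits the implicit deny on the outside interface.
access-group OUTSIDE_IN in interface outside
!
! PPTP caveat: TCP 1723 is only the control channel; the tunnel itself is
! GRE (IP protocol 47). With PAT on a single public IP the ASA needs PPTP
! inspection ("inspect pptp" under the default global_policy) to open the
! GRE pinhole for the forwarded server.
!
! Management from the LAN only. ssh needs an RSA key:
! "crypto key generate rsa modulus 2048" in configuration mode.
http server enable
http 192.168.92.0 255.255.255.0 inside
ssh 192.168.92.0 255.255.255.0 inside
ssh version 2
!
! Verify from enable mode (203.0.113.10 is a made-up test source):
!   show xlate
!   show access-list OUTSIDE_IN
!   packet-tracer input outside tcp 203.0.113.10 40000 216.xxx.xxx.74 443
```

The packet-tracer line is the quickest way to tell which of the three pieces is missing: it reports whether the packet was dropped by the ACL (no access-group or wrong address), by NAT (no matching static), or forwarded to the inside host.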
 
ksims1129Commented:
Draw a diagram to demonstrate what you are trying to accomplish. It does not seem you are trying to do a straightforward configuration.
 
jtorrrresAuthor Commented:
That seemed a bit more complicated than it should have been.

Essentially, all of the other stuff I mentioned is irrelevant to the ASA. The ASA will act as a switch and host the connection to the static DSL. From the SBS I will use the ASA's gateway address to use its internet connection there. What I was mentioning before was that, via DHCP provided by the SBS, the workstations were given a gateway of 192.168.92.1 to connect using the Time Warner connection.

Update: The ASA is working now, but when I check to see if a port is open it does not work. Does it matter that we are not pointing the TCP ports allowed specifically to the SBS (192.168.92.2)? If it does, how do we add the ports to point specifically to the SBS?
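The question above is exactly the gap the accepted answer closes for 8.2: a permit for "any any eq 25" lets the packet through the ACL, but with no static there is no translation to 192.168.92.2 and the ASA has nowhere to send it. The same mapping looks different on ASA 8.3 and later, which any 5505 upgraded past 8.2 will run, because NAT moved into network objects and interface ACLs began matching the real inside address instead of the public one. This is an added example of that later syntax, not code from the thread; it assumes 8.3+ software, keeps the thread's addresses, and the object names and the 203.0.113.10 test source are my own.

```cisco
! Added example, ASA 8.3+ syntax; object names are assumptions. Interfaces
! and the default route are unchanged from the 8.2 configuration; only NAT
! and the access list differ.
!
! One network object, and one nat line, per forwarded port. "interface"
! maps the port on whatever the outside IP is, so the config survives an
! ISP address change. Port order is: real port, then mapped port.
object network SBS_SMTP
 host 192.168.92.2
 nat (inside,outside) static interface service tcp 25 25
object network SBS_HTTPS
 host 192.168.92.2
 nat (inside,outside) static interface service tcp 443 443
object network SBS_TCP444
 host 192.168.92.2
 nat (inside,outside) static interface service tcp 444 444
object network SBS_PPTP
 host 192.168.92.2
 nat (inside,outside) static interface service tcp 1723 1723
object network SBS_RDP
 host 192.168.92.2
 nat (inside,outside) static interface service tcp 3389 3389
!
! Outbound PAT for the LAN replaces the 8.2 "global (outside) 1" and
! "nat (inside) 1" pair.
object network INSIDE_NET
 subnet 192.168.92.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! From 8.3 the outside ACL is evaluated against the REAL (inside) address,
! the opposite of 8.2, so these rules name 192.168.92.2, not 216.xxx.xxx.74.
! A rule written for the public IP silently matches nothing after an upgrade.
access-list OUTSIDE_IN extended permit tcp any host 192.168.92.2 eq 25
access-list OUTSIDE_IN extended permit tcp any host 192.168.92.2 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.92.2 eq 444
access-list OUTSIDE_IN extended permit tcp any host 192.168.92.2 eq 1723
access-list OUTSIDE_IN extended permit tcp any host 192.168.92.2 eq 3389
access-group OUTSIDE_IN in interface outside
!
! Confirm the translation the ASA built and trace one inbound connection
! (203.0.113.10 is a made-up test source):
!   show nat detail
!   packet-tracer input outside tcp 203.0.113.10 40000 216.xxx.xxx.74 3389
```

The GRE caveat for PPTP from the 8.2 configuration applies unchanged here: TCP 1723 alone only carries the control session, and the data tunnel needs "inspect pptp" in the global policy to be passed through PAT.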
 
jtorrrresAuthor Commented:
Thank you for all your help. I was able to figure out the port forwarding right before your last post.

Jorge
Question has a verified solution.
