Solved

Cisco ASA 5505 Setup

Posted on 2009-05-17
Last Modified: 2012-05-07
Hello Team,

Let me start out by saying I am a newbie. I have a Cisco ASA 5505. What I would like to do is wipe it clean and start from scratch.

What I need:
- Set up to work with a static DSL connection. (216.XXX.XXX.74, 255.255.255.0, 216.XXX.XXX.1)
- There is an SBS server handling DHCP and I would like to keep it that way. So DHCP should be disabled on the ASA.
- This ASA's IP should be 192.168.92.3
- I need the following TCP ports open (25, 443, 444, 1723, & 3389)

If anyone can help me set up a config file for it that would be sweet. Thanks.
0
Question by:jtorrrres
LVL 5

Expert Comment

by:ksims1129
ID: 24408833
This should work for you

interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

interface vlan 2
ip address 216.xxx.xxx.74 255.255.255.0
no shutdown
nameif outside
security-level 0

interface vlan 3
ip address 192.168.92.3 255.255.255.0
no shutdown
nameif inside
security-level 100

access-list NONAT permit ip 192.168.92.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list OUTSIDE_IN permit permit tcp any any eq 25
access-list OUTSIDE_IN permit permit tcp any any eq 443
access-list OUTSIDE_IN permit permit tcp any any eq 444
access-list OUTSIDE_IN permit permit tcp any any eq 1723
access-list OUTSIDE_IN permit permit tcp any any eq 3389

route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.1
global (outside) 1
nat (inside) 0 access-list NONAT
nat (inside ) 1 192.168.92.0 255.255.255.0

Hope this helps
0
 
LVL 3

Author Comment

by:jtorrrres
ID: 24408907
Thanks, I will give it a try and keep you posted.
0
 
LVL 3

Author Comment

by:jtorrrres
ID: 24409686
I gave it a try and had no success. I ended up making some changes to the config file because the console was complaining about incorrect commands. Apart from getting a few error messages, I was not able to ping anything. After making the changes below, I can now do so, but the ports are not acting like a switch. It connects to the network, allowing me to ping all devices, but I cannot get online with the TW connection, nor is the server picking up the static DSL connection. I have verified the ISP static settings.

Here is a little info. I have 2 ISP connections (dynamic cable internet & static DSL). The SBS server is using the static DSL connection, and via DHCP provided by SBS the workstations are connecting using the Time Warner connection. The Time Warner connection is on GW 192.168.92.1. This setup has worked just fine with another crappy router I have. I am just looking to implement this ASA instead of the router currently in place.

This is what I have now:

interface vlan1
ip address 192.168.92.3 255.255.255.0
no shutdown
nameif inside
security-level 100

interface vlan2
ip address 216.XXX.XXX.74 255.255.255.0
no shutdown
nameif outside
security-level 0

interface Ethernet0/0
 switchport access vlan2
 no shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

access-list NONAT permit ip 192.168.92.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any any eq 443
access-list OUTSIDE_IN permit tcp any any eq 444
access-list OUTSIDE_IN permit tcp any any eq 1723
access-list OUTSIDE_IN permit tcp any any eq 3389

route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.1
global (outside) 1
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.92.0 255.255.255.0
0
 
LVL 5

Expert Comment

by:ksims1129
ID: 24410978
Draw a diagram to demonstrate what you are trying to accomplish. It does not seem you are trying to do a straightforward configuration.
0
 
LVL 3

Author Comment

by:jtorrrres
ID: 24411937
That seemed a bit more complicated than it should have been.

Essentially, all of the other stuff I mentioned is irrelevant to the ASA. The ASA will act as a switch and host the connection to the static DSL. From the SBS I will use the ASA's gateway address to use its internet connection there. What I was mentioning before was that, via DHCP provided by the SBS, the workstations were given a gateway of 192.168.92.1 to connect using the Time Warner connection.

Update: The ASA is working now, but when I check to see if a port is open it does not work. Does it matter that we are not pointing the allowed TCP ports specifically to the SBS (192.168.92.2)? If it does, how do we add the ports to point specifically to the SBS?
0
 
LVL 5

Accepted Solution

by:
ksims1129 earned 2000 total points
ID: 24413185
You can statically open ports to the ASA using the following:

static (inside,outside) tcp 216.xxx.xxx.74 25 192.168.92.2 25 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 443 192.168.92.2 443 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 444 192.168.92.2 444 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 1723 192.168.92.2 1723 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 3389 192.168.92.2 3389 netmask 255.255.255.255
no access-list OUTSIDE_IN permit tcp any any eq 25
no access-list OUTSIDE_IN permit tcp any any eq 443
no access-list OUTSIDE_IN permit tcp any any eq 444
no access-list OUTSIDE_IN permit tcp any any eq 1723
no access-list OUTSIDE_IN permit tcp any any eq 3389
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 25
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 443
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 444
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 1723
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 3389

This will accomplish what you explained.
0
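
Added example (not part of the original thread, and not the posters' or Cisco's code): a small Python check for the problem discussed above, where ports were permitted in OUTSIDE_IN but nothing forwarded them to the SBS. It also flags an access list that no access-group or nat line references, since the configs posted in this thread show no access-group line. The audit function, its regexes and the sample config are assumptions made for illustration; the sample is adapted from the thread's pre-8.3 syntax with the address masked as posted.

```python
import re

# Constructed sample, adapted from lines in the thread (address masked as
# posted). No access-group line is present, as in the configs shown above.
SAMPLE = """\
access-list NONAT permit ip 192.168.92.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 443
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 3389
static (inside,outside) tcp 216.xxx.xxx.74 443 192.168.92.2 443 netmask 255.255.255.255
static (inside,outside) tcp 216.xxx.xxx.74 1723 192.168.92.2 1723 netmask 255.255.255.255
nat (inside) 0 access-list NONAT
"""

# Only "permit tcp any <dst> eq <port>" ACEs and static PAT lines are parsed.
ACE = re.compile(r"^access-list (\S+) permit tcp any (any|host \S+|\S+) eq (\d+)$")
PAT = re.compile(r"^static \((\w+),(\w+)\) tcp (\S+) (\d+) (\S+) (\d+)")
REF = re.compile(r"^(?:access-group (\S+) in interface \S+|nat \(\w+\) \d+ access-list (\S+))")

def audit(config):
    """Return sorted findings for a pre-8.3 ASA config given as text."""
    aces, pats, referenced, defined = [], [], set(), set()
    for line in config.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        if line.startswith("access-list "):
            defined.add(line.split()[1])
        if m := ACE.match(line):
            dst = m.group(2).removeprefix("host ")
            aces.append((m.group(1), dst, int(m.group(3))))
        elif m := PAT.match(line):
            pats.append((m.group(3), int(m.group(4)), m.group(5), int(m.group(6))))
        elif m := REF.match(line):
            referenced.add(m.group(1) or m.group(2))
    findings = []
    for name in defined - referenced:
        findings.append(f"ACL {name} is defined but never applied (no access-group/nat reference)")
    for name, dst, port in aces:
        if dst == "any":
            findings.append(f"{name}: tcp/{port} permitted to any destination")
        if not any(p[1] == port and dst in ("any", p[0]) for p in pats):
            findings.append(f"{name}: tcp/{port} permitted but no static PAT forwards it")
    for mapped, port, real, rport in pats:
        if not any(a[2] == port and a[1] in ("any", mapped) for a in aces):
            findings.append(f"static {mapped}:{port} -> {real}:{rport} has no permitting ACE")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check is a heuristic: it does not understand address/mask destinations, object groups or one-to-one static NAT, so an empty result means only that these specific mismatches were not found.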
 
LVL 3

Author Comment

by:jtorrrres
ID: 24413461
Thank you for all your help. I was able to figure out the port forwarding right before your last post.

Jorge
0

Question has a verified solution.
