Solved

Cisco ASA 5505 Setup

Posted on 2009-05-17
Last Modified: 2012-05-07
Hello Team,

Let me start out by saying I am a newbie. I have a Cisco ASA 5505. What I would like to do is wipe it clean and start from scratch.

What I need:
- Setup to work with a static dsl connection. (216.XXX.XXX.74, 255.255.255.0, 216.XXX.XXX.1)
- There is an SBS server handling DHCP and I would like to keep it that way. So DHCP should be disabled on the ASA.
- This ASA's ip should be 192.168.92.3
- I need the following tcp ports open (25, 443, 444, 1723, & 3389)

If anyone can help me set up a config file for it that would be sweet. thanks
Question by:jtorrrres
7 Comments
 
LVL 5

Expert Comment

by:ksims1129
ID: 24408833
This should work for you

interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 3
 no shutdown
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

interface vlan 2
ip address 216.xxx.xxx.74 255.255.255.0
no shutdown
nameif outside
security-level 0

interface vlan 3
ip address 192.168.92.3 255.255.255.0
no shutdown
nameif inside
security-level 100

access-list NONAT permit ip 192.168.92.0 255.255.255.0 192.168.92.0 255.255.255.0
! Inbound permits for the published TCP ports
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any any eq 443
access-list OUTSIDE_IN permit tcp any any eq 444
access-list OUTSIDE_IN permit tcp any any eq 1723
access-list OUTSIDE_IN permit tcp any any eq 3389
! An access list has no effect until it is bound to an interface
access-group OUTSIDE_IN in interface outside

route outside 0.0.0.0 0.0.0.0 216.xxx.xxx.1
! PAT inside hosts to the outside interface address
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.92.0 255.255.255.0

Hope this helps
0
 
LVL 3

Author Comment

by:jtorrrres
ID: 24408907
thanks, I will give it a try and keep you posted.
0
 
LVL 3

Author Comment

by:jtorrrres
ID: 24409686
I gave it a try and had no success. I ended up making some changes to the config file because the console was complaining about incorrect commands. Apart from getting a few error messages, I was not able to ping anything. After making the changes below, I can now do so, but the ports are not acting like a switch. It connects to the network allowing me to ping all devices, but I can not get online with the TW connection nor is the server picking up the static dsl connection. I have verified the isp static settings.

Here is a little info. I have 2 isp connections. (Dynamic cable internet & static dsl). The SBS server is using the static dsl connection and via dhcp provided by SBS the workstations are connecting using the timewarner connections. The timewarner connection is on GW 192.168.92.1. This setup has worked just fine with another crappy router I have. I am just looking to implement this ASA instead of the router currently in place.

This is what I have now..

interface vlan1
ip address 192.168.92.3 255.255.255.0
no shutdown
nameif inside
security-level 100

interface vlan2
ip address 216.XXX.XXX.74 255.255.255.0
no shutdown
nameif outside
security-level 0

interface Ethernet0/0
 switchport access vlan2
 no shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7

access-list NONAT permit ip 192.168.92.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any any eq 443
access-list OUTSIDE_IN permit tcp any any eq 444
access-list OUTSIDE_IN permit tcp any any eq 1723
access-list OUTSIDE_IN permit tcp any any eq 3389

route outside 0.0.0.0 0.0.0.0 216.XXX.XXX.1
global (outside) 1
nat (inside) 0 access-list NONAT
nat (inside) 1 192.168.92.0 255.255.255.0
0
 
LVL 5

Expert Comment

by:ksims1129
ID: 24410978
Draw a diagram to demonstrate what you are trying to accomplish. It does not seem you are trying to do a straightforward configuration.
0
 
LVL 3

Author Comment

by:jtorrrres
ID: 24411937
That seemed a bit more complicated than it should have been.

Essentially, all of the other stuff I mentioned is irrelevant to the ASA. The ASA will act as a switch and host the connection to the static DSL. From the SBS I will use the ASA's gateway address to use its internet connection there. What I was mentioning before was that, via DHCP provided by the SBS, the workstations were given a gateway of 192.168.92.1 to connect using the Timewarner connection.

Update: The ASA is working now, but when I check to see if a port is open it does not work. Does it matter that we are not pointing the allowed TCP ports specifically to the SBS (192.168.92.2)? If it does, how do we add the ports to point specifically to the SBS?
0
 
LVL 5

Accepted Solution

by:
ksims1129 earned 500 total points
ID: 24413185
you can statically open ports to the asa using the following

! The mapped address is the outside interface's own IP, so static PAT takes the interface keyword
static (inside,outside) tcp interface 25 192.168.92.2 25 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.92.2 443 netmask 255.255.255.255
static (inside,outside) tcp interface 444 192.168.92.2 444 netmask 255.255.255.255
static (inside,outside) tcp interface 1723 192.168.92.2 1723 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.92.2 3389 netmask 255.255.255.255
! Remove the permits that allowed these ports to any destination
no access-list OUTSIDE_IN permit tcp any any eq 25
no access-list OUTSIDE_IN permit tcp any any eq 443
no access-list OUTSIDE_IN permit tcp any any eq 444
no access-list OUTSIDE_IN permit tcp any any eq 1723
no access-list OUTSIDE_IN permit tcp any any eq 3389
! A single destination address needs the host keyword (or an explicit mask)
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 25
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 443
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 444
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 1723
access-list OUTSIDE_IN permit tcp any host 216.xxx.xxx.74 eq 3389
! Bind the access list to the outside interface if it is not bound already
access-group OUTSIDE_IN in interface outside

this will accomplish what you explained
0
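A consistency check for the static-plus-access-list pattern in the accepted answer, added here as an example and not part of the original thread: it reads a pre-8.3 ASA config and reports published ports whose `static`, `access-list` and `access-group` lines do not line up. The function names, the finding labels, the sample config and the choice of 3389 as a port worth flagging when open to any source are assumptions of this example.

```python
import re
# Constructed sample in the pre-8.3 syntax used in this thread; 203.0.113.74
# is a documentation address standing in for the masked outside IP.
SAMPLE = """\
static (inside,outside) tcp interface 25 192.168.92.2 25 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.92.2 443 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.92.2 3389 netmask 255.255.255.255
access-list OUTSIDE_IN permit tcp any any eq 25
access-list OUTSIDE_IN permit tcp any host 203.0.113.74 eq 1723
access-list OUTSIDE_IN permit tcp any interface outside eq 3389
access-group OUTSIDE_IN in interface outside
"""
STATIC_RE = re.compile(r"^static \(\w+,(\w+)\) tcp \S+ (\d+) \S+ \d+")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit tcp (.+) eq (\d+)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def split_addrs(spec):
    """Split 'SRC DST'; each is 'any', 'host A', 'interface N' or 'A MASK'."""
    tok, out = spec.split(), []
    while tok:
        n = 1 if tok[0] == "any" else 2
        out.append(" ".join(tok[:n]))
        tok = tok[n:]
    return out

def audit(config, outside="outside", sensitive=(3389,)):
    """Return sorted findings for inbound TCP forwards on the outside interface."""
    statics, acls, bound = set(), [], set()
    for line in map(str.strip, config.splitlines()):
        if (m := STATIC_RE.match(line)) and m.group(1) == outside:
            statics.add(int(m.group(2)))          # mapped (outside) port
        elif m := ACL_RE.match(line):
            src, dst = split_addrs(m.group(2))
            acls.append((m.group(1), src, dst, int(m.group(3))))
        elif (m := GROUP_RE.match(line)) and m.group(2) == outside:
            bound.add(m.group(1))                 # ACLs applied inbound on outside
    found = set()
    for name, src, dst, port in acls:
        if name not in bound:
            found.add(f"{name}: not bound to {outside}")
        if dst == "any":
            found.add(f"tcp/{port}: destination any")
        if port not in statics:
            found.add(f"tcp/{port}: permit without static")
        if src == "any" and port in sensitive:
            found.add(f"tcp/{port}: open to any source")
    permitted = {port for name, _, _, port in acls if name in bound}
    found.update(f"tcp/{p}: static without permit" for p in statics - permitted)
    return sorted(found)
```

A "permit without static" finding is the situation described in the question above the accepted answer: the port is allowed through the access list but nothing translates it to the server.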
 
LVL 3

Author Comment

by:jtorrrres
ID: 24413461
thank you for all your help. I was able to figure out the port forwarding right before your last post.

Jorge
0
