Cisco ASA 5510 configuration questions

I recently purchased a Cisco ASA 5510. I have not worked with Cisco products since 2001 and have a few questions. First I will give you my current setup:

1 Domain Controller - DNS, file server; standard 192.168.1.1 network, .254 being the gateway or the router, .1 being the PDC.

I need all outgoing traffic enabled
I only need to allow port 3389 for one external user

I will also be setting up VPN with a few 5505s in the next couple of weeks, but for now, I really need to make sure the initial setup is correct on the 5510. I am using the ASDM because my command line is very rusty.

Any help is greatly appreciated. Thanks in advance.
neves7 asked:

mabutterfield commented:
What version of the ASA software are you using?

Plug a laptop into the management port of the asa and browse to https://192.168.1.1 (it is the default address, and has DHCP).

Download and install (or run Java) ASDM.

You can run through the startup wizard to configure the interfaces.  Sounds like you'll only need one access list, with one line allowing 3389/tcp in on the external interface.

Once you have your interfaces set up, configure a different IP range for the management interface, or just unplug it.  Make sure you can access ASDM from your internal range.  (Device Management, Management Access.)

Let me know what step you're at, and where you need more help.
neves7 (author) commented:
thanks for the quick response

On the 5510 I have ASA Version 7.0(8) and ASDM Version 5.0(8). I have done a few configurations through the ASDM... here is what I have so far:

Interface       Name      Enabled   Security Level   IP              Subnet           Management only   MTU
Ethernet0/0     WAN0/0    Yes       0                x.x.x.121       x.x.x.248        no                1500
Ethernet0/1     LAN0/1    Yes       100              192.168.1.254   255.255.255.0    no                1500
Ethernet0/2     (disabled)
Management0/0             Yes       100              192.168.20.1    255.255.255.0    Yes               1500


I also set up PAT to point outgoing traffic to the WAN IP. I am also attaching a Word document showing the two security policies set up, one by PAT and one by adding 3389.
Doc2.docx
mabutterfield commented:
It doesn't look quite right, but that ASDM is quite old, and I don't have access to one to see what it should look like.  

Can you paste the running config?  You should be able to do File, show running config in new window, or download running config.  

I'd also recommend upgrading to either 7.2(4) and ASDM 5.24 or ASA 8.0(4) and ASDM 6.2.1.  
neves7 (author) commented:
asdm image disk0:/asdm-508.bin
asdm location 192.168.1.70 255.255.255.255 LAN0/1
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname CiscoASA5510
domain-name xx.xxxxx.xxx
enable password ms0PCaGLH60KGsxp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif WAN0/0
 security-level 0
 ip address x.x.x.121 255.255.255.248
!
interface Ethernet0/1
 nameif LAN0/1
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.20.1 255.255.255.0
 management-only
!
ftp mode passive
object-group service RemoteDesktop tcp
 port-object range 3389 3389
access-list WAN0/0_access_in extended permit tcp interface WAN0/0 object-group RemoteDesktop host 192.168.1.70 object-group RemoteDesktop
pager lines 24
logging asdm informational
mtu WAN0/0 1500
mtu LAN0/1 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (WAN0/0) 10 interface
nat (management) 10 0.0.0.0 0.0.0.0
access-group WAN0/0_access_in in interface WAN0/0
route WAN0/0 0.0.0.0 0.0.0.0 x.x.x.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxxxx password xxxxxxx encrypted privilege 15
http server enable
http 192.168.1.0 255.255.255.255 LAN0/1
http 192.168.20.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access LAN0/1
dhcpd address 192.168.1.100-192.168.1.200 LAN0/1
dhcpd address 192.168.20.2-192.168.20.254 management
dhcpd dns 192.168.1.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config LAN0/1
dhcpd enable LAN0/1
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:2db3a62d45276bc2ffa1ad258063c713
: end

Here is the running config; I only x'd out the username, password and WAN IP. Also, I downloaded the ASDM 6.2.1 bin file. How do I upload that to the 5510?

Also, I can only log in to the ASDM through the management port, i cannot login through the LAN0/1.
mabutterfield commented:
To upgrade, you need to copy both the new ASA OS file and the ASDM file.  (Each OS has a corresponding ASDM; you need BOTH or you won't be able to log into ASDM.)  You should be able to upload them through the Tools menu, Upgrade Software, or File Management.   You can also copy them logged into the command line with "copy tftp flash" and answer the prompts.  This requires that you have the files stored in a TFTP server directory on a local machine.  SolarWinds offers a free TFTP server.  (Like FTP, but no authentication, etc.)


To log into the ASDM from your internal network, you need to add http access. In ASDM, look for 'device access' and 'https/asdm'.  You need to specify an IP allowed to connect, and an Interface. (internal IP address 192.168.1.0 / 255.255.255.0 LAN0/1)
 
You currently have:  'http 192.168.1.0 255.255.255.255 LAN0/1'
It should be:        'http 192.168.1.0 255.255.255.0 LAN0/1'
This will allow ASDM access from the internal network.  (Or you can specify a single IP with 255.255.255.255.)
1 IP:                'http 192.168.1.10 255.255.255.255 LAN0/1'



your access is: access-list WAN0/0_access_in extended permit tcp interface WAN0/0 object-group RemoteDesktop host 192.168.1.70

it should look something like this:
access-list WAN0/0_access_in extended permit tcp {external host IP} object-group RemoteDesktop host {terminal server Public IP}
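For reference, here is what the pieces discussed in this thread look like when pasted into the ASA 7.0(8) CLI. This is an added example, not configuration from the original posts. It keeps the names from the posted running config (WAN0/0, LAN0/1, the RemoteDesktop object-group and the 192.168.1.70 host); 203.0.113.10 is a placeholder for the one external user's address, since the real address is not in the thread. Three points go beyond the replies above: on pre-8.3 ASA software an inbound rule can only reach 192.168.1.70 once a static translation exists for it, the inbound ACL must not match on source port because the RDP client connects from an ephemeral port, and the posted config only has a nat statement for the management interface, so LAN0/1 needs its own before outbound PAT works.

```cisco
! Added example for ASA 7.0(8); names taken from the posted config, 203.0.113.10 is a placeholder.
!
! Outbound PAT for the LAN. The posted config pairs global 10 only with the
! management interface, so LAN0/1 traffic has no translation yet.
global (WAN0/0) 10 interface
nat (LAN0/1) 10 0.0.0.0 0.0.0.0
no nat (management) 10 0.0.0.0 0.0.0.0
!
! Publish RDP: static port translation from the WAN interface address
! (TCP 3389) to the terminal server. Required before the ACL below can match.
static (LAN0/1,WAN0/0) tcp interface 3389 192.168.1.70 3389 netmask 255.255.255.255
!
! Inbound rule: exactly one external host, any source port, destination is the
! mapped (public) address on WAN0/0. No implicit permit exists, so everything
! else from the outside is dropped.
no access-list WAN0/0_access_in extended permit tcp interface WAN0/0 object-group RemoteDesktop host 192.168.1.70 object-group RemoteDesktop
access-list WAN0/0_access_in extended permit tcp host 203.0.113.10 interface WAN0/0 object-group RemoteDesktop
access-group WAN0/0_access_in in interface WAN0/0
!
! ASDM/HTTPS from the whole internal subnet. The posted line used a /32 mask
! on a network address, which matches no host.
no http 192.168.1.0 255.255.255.255 LAN0/1
http 192.168.1.0 255.255.255.0 LAN0/1
!
! The management-only interface keeps its own ASDM access and stays off the LAN.
http 192.168.20.0 255.255.255.0 management
```

After entering the NAT changes, run `clear xlate` so existing translations are rebuilt, then `write memory`. `show xlate` should list the static entry for 192.168.1.70, and `show access-list WAN0/0_access_in` shows a hit count climbing only when the permitted external host connects; a test from any other address should add nothing, which confirms the rule is as narrow as the question asked for.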
neves7 (author) commented:
Sorry there hasn't been an update. The flash ended up being bad and I had to RMA the unit. As soon as the new one comes in, I will reconfigure it and post the running config.