ezjurgen
asked on
Problem configuring Cisco ASA 5505
Hello,
I have a problem configuring a Cisco ASA 5505 device; normally we only do this on Juniper boxes, but this time the customer wants an ASA (whyyyy).
This is my first ASA configuration, but the most simple configuration will not work as I want.
What we'll achieve:
FROM LAN: everything is permitted; at a later time we'll block some traffic.
FROM WAN: access to our mail and web server, and some other port forwards (RDP, our monitoring, etc.).
As said earlier, this is my first ASA config, so I've created a lab environment; let me explain the network situation:
ISP----JUNIPER SSG5-------CISCO ASA5505-----ASA LAN
The following IP addresses are applied:
JUNIPER: GW 192.168.100.253
LAN: 192.168.100.x /24
CISCO: WAN: 192.168.100.215
LAN: 192.168.20.x /24
We've installed a web/mail server in the ASA LAN with IP address 192.168.20.20 /24.
On the ASA I've created a static route (0.0.0.0 0.0.0.0 192.168.100.253); with this route applied, all traffic from LAN to WAN is permitted, which is good, so part 1 is finished.
Now part 2, the port forwarding: from what I understand from my research on Google, we need to apply PAT, because we have just 1 WAN IP.
I've created a PAT forward and also an ACL to allow traffic from OUTSIDE to INSIDE, but when I browse to http://192.168.100.215 on port 80, I get a page not found error. When I look in my ASA log I see the following line:
Routing failed to locate next hop for TCP from outside: 192.168.100.87/9380 to inside: 192.168.100.215/80
This entry tells me that the traffic to the webserver is allowed, but that the ASA cannot find the next hop.
I personally think that this is something very stupid, and I hope that someone can help me with this. Below you find my running config:
fw01(config)# sh ru
: Saved
:
ASA Version 8.0(2)
!
hostname fw01
enable password **** encrypted
names
name 192.168.20.20 Webserver
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.100.215
!
interface Vlan4
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd **** encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 195.238.2.21
dns server-group test
name-server 192.168.100.9
dns-group test
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object tcp eq domain
object-group service RDP udp
description RDP
port-object eq 3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.20.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp host 192.168.100.215 host Webserver eq www
access-list outside_access_in_1 extended permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list inboundtest extended permit tcp
access-list inbound extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.100.215 www netmask 255.255.255.255
access-group inboundtest in interface outside
!
router rip
network 192.168.20.0
network 192.168.100.0
version 2
!
route outside 0.0.0.0 0.0.0.0 192.168.100.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Webserver 255.255.255.255 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c990c733c534be0d5c96fdc607727a3c
: end
You should not use the ACL "access-list inboundtest extended permit tcp"; it will open up a whole lot more than you want to make available.
One comment is that you are using the outside address of the ASA for PAT, which is fine if you will never need to access resources on your ASA. I often use different IP addresses to provide services for the inside hosts so I can make sure I provide https services for inside hosts as well as SSL VPN access through the ASA.
To accommodate that, change MikeKane's recommendations as such, using a previously unused address that is on the same network as the outside interface of the ASA:
static (inside,outside) tcp 192.168.100.216 www 192.168.20.20 www netmask 255.255.255.255
and
access-list outside_access_in_1 extended permit tcp any host 192.168.100.216 eq www
access-group outside_access_in_1 in interface outside
This lets you set up your services for internal users without impacting your services for the ASA itself.
hope this helps,
-t
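As an added illustration (not the asker's config or the answerer's own code), a small Python checker that parses the relevant lines of an ASA 8.x config and flags the two mistakes discussed in this thread: a static whose real address is not on the inside subnet (which produces the "failed to locate next hop" log seen above), and an applied ACL entry with no source or destination. The config fragments are constructed from the thread; the outside interface mask 255.255.255.0 is assumed, since the posted config omits it.

```python
import ipaddress
import re

# Constructed fragments modelled on the thread's config; the outside mask is assumed.
COMMON = """interface Vlan1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.100.215 255.255.255.0
"""
BROKEN = COMMON + """access-list inboundtest extended permit tcp
static (inside,outside) tcp interface www 192.168.100.215 www netmask 255.255.255.255
access-group inboundtest in interface outside
"""
FIXED = COMMON + """access-list outside_access_in_1 extended permit tcp any host 192.168.100.216 eq www
static (inside,outside) tcp 192.168.100.216 www 192.168.20.20 www netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
"""

def parse(cfg):
    # Collect interface subnets, ACEs per ACL, ACLs applied per interface and TCP statics.
    ifaces, acls, groups, statics, cur = {}, {}, {}, [], None
    for line in (l.strip() for l in cfg.splitlines()):
        t = line.split()
        if line.startswith("nameif "):
            cur = ifaces.setdefault(t[1], {})
        elif line.startswith("ip address ") and cur is not None and len(t) == 4:
            cur["net"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
        elif line.startswith("access-list "):
            acls.setdefault(t[1], []).append(t[4:])  # tokens after "extended permit"
        elif line.startswith("static (") and (m := re.match(r"static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+)", line)):
            statics.append({"real_if": m[1], "real": m[5]})  # real interface and real address
        elif line.startswith("access-group ") and len(t) == 5:
            groups[t[4]] = t[1]  # interface -> ACL name
    return ifaces, acls, groups, statics

def audit(cfg):
    # Flag the two mistakes discussed in the thread and return them as findings.
    ifaces, acls, groups, statics = parse(cfg)
    out = []
    for s in statics:  # the real address must live on the static's real (inside) interface
        net = ifaces[s["real_if"]]["net"]
        if ipaddress.ip_address(s["real"]) not in net:
            out.append(f"static: real address {s['real']} is not on {s['real_if']} ({net})")
    for iface, name in groups.items():  # an applied ACE needs a source and a destination
        for ace in acls.get(name, []):
            if len(ace) < 3:
                out.append(f"ACL {name} on {iface}: 'permit {' '.join(ace)}' has no source/destination")
    return out
```

Running `audit(BROKEN)` reports both problems, while `audit(FIXED)` returns no findings for the corrected static and ACL above.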