Problem configuring Cisco ASA 5505

Hello,

I have a problem configuring a Cisco ASA 5505 device; normally we only do this on Juniper boxes, but this time the customer wants an ASA (whyyyy).

This is my first ASA configuration, but even the simplest configuration will not work as I want.
What we want to achieve:

FROM LAN: everything is permitted; at a later time we'll block some traffic.
FROM WAN: access to our mail and web server, plus some other port forwards (RDP, our monitoring, etc.).

As said earlier, this is my first ASA config, so I've created a lab environment. Let me explain the network situation:

ISP----JUNIPER SSG5-------CISCO ASA5505-----ASA LAN

The following IP addresses are applied:

JUNIPER: GW 192.168.100.253
         LAN: 192.168.100.x/24

CISCO: WAN: 192.168.100.215
       LAN: 192.168.20.x/24

We've installed a web/mail server in the ASA LAN with IP address 192.168.20.20/24.

On the ASA I've created a static route (0.0.0.0 0.0.0.0 192.168.100.253); with this route applied, all traffic from LAN to WAN is permitted, which is good, so part 1 is finished.

Now part 2, the port forwarding. From what I've understood from my research on Google, we need to apply PAT, because we have just one WAN IP.
I've created a PAT forward and also an ACL to allow traffic from OUTSIDE to INSIDE, but when I browse to http://192.168.100.215 on port 80, I get a page not found error. When I look in my ASA log I see the following line:

Routing failed to locate next hop for TCP from outside: 192.168.100.87/9380 to inside: 192.168.100.215/80

This entry tells me that the traffic to the webserver is allowed, but that the ASA cannot determine the next hop.

I personally think this is something very stupid, and I hope that someone can help me with this. Below you find my running config:


fw01(config)# sh ru
: Saved
:
ASA Version 8.0(2)
!
hostname fw01
enable password **** encrypted
names
name 192.168.20.20 Webserver
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.100.215
!
interface Vlan4
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd **** encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 195.238.2.21
dns server-group test
 name-server 192.168.100.9
dns-group test
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object icmp
 service-object tcp eq domain
object-group service RDP udp
 description RDP
 port-object eq 3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 192.168.20.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp host 192.168.100.215 host Webserver eq www
access-list outside_access_in_1 extended permit tcp 192.168.100.0 255.255.255.0 any eq www
access-list inboundtest extended permit tcp
access-list inbound extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.100.215 www netmask 255.255.255.255
access-group inboundtest in interface outside
!
router rip
 network 192.168.20.0
 network 192.168.100.0
 version 2
!
route outside 0.0.0.0 0.0.0.0 192.168.100.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Webserver 255.255.255.255 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.20.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c990c733c534be0d5c96fdc607727a3c
: end

ezjurgenAsked:

MikeKaneCommented:
Change this line:
static (inside,outside) tcp interface www 192.168.100.215 www netmask 255.255.255.255

to this:
static (inside,outside) tcp interface www 192.168.20.20 www netmask 255.255.255.0  
static (inside,outside) tcp interface smtp 192.168.20.20 smtp netmask 255.255.255.0  

That will take all 80 and 25 traffic on the interface and forward it to the internal box.  

Also, your inbound access list should look like this:
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit tcp any interface outside eq smtp
access-group outside_access_in_1 in interface outside  

Give that a shot....



decoleurCommented:
MikeKane is right.

You should not use the ACL "access-list inboundtest extended permit tcp"; it will open up a whole lot more than you want to make available.

One comment is that you are using the outside address of the ASA for PAT, which is fine if you will never need to access resources on your ASA. I often use different IP addresses to provide services for the inside hosts, so I can make sure I provide HTTPS services for inside hosts as well as SSL VPN access through the ASA.

To accommodate that, change MikeKane's recommendations as follows, using a previously unused address that is on the same network as the outside interface of the ASA:
static (inside,outside) tcp 192.168.100.216 www 192.168.20.20 www netmask 255.255.255.255
and
access-list outside_access_in_1 extended permit tcp any host 192.168.100.216 eq www
access-group outside_access_in_1 in interface outside

This lets you set up your services for internal users without impacting your services for the ASA itself.

Hope this helps,

-t
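Both answers above come down to the same two checks: the real address in a static must sit on the real (inside) interface's subnet, and the ACL bound to the outside interface must permit exactly the forwarded service rather than everything. The script below is an added example, not part of this thread and not Cisco tooling: a small linter for ASA 8.0-style config text that applies those two checks. The sample configs are constructed from the thread; the /24 mask on the outside interface and the "any any" body of the inboundtest ACL (shown truncated in the post) are assumptions.

```python
"""Added example: lint ASA 8.0-style config text for a static PAT whose real host is not
behind the real interface, and for an outside ACL that is too broad or misses the forward."""
import ipaddress
import re

STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped>\S+) (?P<mport>\S+) (?P<real>\S+) (?P<rport>\S+) netmask (?P<mask>\S+)", re.M)
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+)$", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$", re.M)
NAME_RE = re.compile(r"^name (\S+) (\S+)$", re.M)            # 'name IP LABEL'

def parse_interfaces(cfg):
    """Return {nameif: ip_interface} for each interface stanza with a static address."""
    ifaces, name, addr = {}, None, None
    for line in cfg.splitlines() + [""]:            # trailing "" flushes the last stanza
        if line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and "dhcp" not in line:
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_interface(f"{ip}/{mask}")
        elif not line.startswith(" "):               # any top-level command ends the stanza
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
    return ifaces

def parse_ace(rest):
    """Split an ACE body into (src, dst, dport); src and dst are (kind, value) tuples."""
    tokens = rest.split()
    def addr():                                      # any | host X | interface X | object-group G | ADDR MASK
        kind = tokens.pop(0)
        if kind == "any":
            return ("any", None)
        if kind in ("host", "interface", "object-group"):
            return (kind, tokens.pop(0))
        return ("net", f"{kind}/{tokens.pop(0)}")
    def port():                                      # optional 'eq PORT': drop 'eq', return PORT
        return (tokens.pop(0), tokens.pop(0))[1] if tokens[:1] == ["eq"] else None
    src, _sport, dst, dport = addr(), port(), addr(), port()
    return src, dst, dport

def parse_aces(cfg):
    """Return one dict per extended ACE with the fields lint() needs."""
    aces = []
    for m in ACE_RE.finditer(cfg):
        src, dst, dport = parse_ace(m["rest"])
        aces.append({"acl": m["acl"], "action": m["action"], "proto": m["proto"],
                     "src": src, "dst": dst, "dport": dport, "line": m.group(0)})
    return aces

def lint(cfg):
    """Return a list of findings; an empty list means both checks pass."""
    findings, ifaces, aces = [], parse_interfaces(cfg), parse_aces(cfg)
    names = {label: ip for ip, label in NAME_RE.findall(cfg)}
    statics = list(STATIC_RE.finditer(cfg))
    for s in statics:                                # check 1: real host must be behind real_if
        real = ipaddress.ip_address(names.get(s["real"], s["real"]))
        net = ifaces[s["real_if"]].network
        if real not in net:
            findings.append(f"static {s['proto']}/{s['mport']}: real host {real} is not on "
                            f"{s['real_if']} ({net}); the forward points back out of the ASA")
    for acl, iface in GROUP_RE.findall(cfg):         # check 2: bound ACL is scoped to the forwards
        bound = [a for a in aces if a["acl"] == acl]
        for a in bound:
            if a["action"] == "permit" and a["dst"][0] == "any":
                findings.append(f"{acl}: '{a['line']}' permits {a['proto']} to any destination; "
                                "restrict it to the forwarded hosts and ports")
        for s in statics:                            # every forward on this interface needs a permit
            if s["mapped_if"] != iface:
                continue
            want = ("interface", iface) if s["mapped"] == "interface" \
                else ("host", names.get(s["mapped"], s["mapped"]))
            if not any(a["action"] == "permit" and a["dst"] == want
                       and a["dport"] in (None, s["mport"]) for a in bound):
                findings.append(f"{acl}: no permit for {s['proto']}/{s['mport']} to {want[0]} {want[1]}")
    return findings

# Constructed samples; the /24 mask on the outside interface is assumed from the poster's text.
INTERFACES = """\
interface Vlan1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.100.215 255.255.255.0
name 192.168.20.20 Webserver
"""
# Modelled on the poster's config; 'any any' is assumed for the truncated inboundtest ACL.
BROKEN = INTERFACES + """\
access-list inboundtest extended permit tcp any any
static (inside,outside) tcp interface www 192.168.100.215 www netmask 255.255.255.255
access-group inboundtest in interface outside
"""
# Modelled on MikeKane's answer: 80 and 25 forwarded to the inside host, ACL scoped to them.
FIXED = INTERFACES + """\
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface www Webserver www netmask 255.255.255.255
static (inside,outside) tcp interface smtp Webserver smtp netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
"""

if __name__ == "__main__":
    print({label: lint(cfg) for label, cfg in (("broken", BROKEN), ("fixed", FIXED))})
```

Run as-is, the broken sample yields three findings (real host on the wrong subnet, an ACE permitting tcp to any destination, and no permit for the www forward), and the fixed sample yields none. decoleur's variant, a static on a spare outside address with a host-scoped permit, also passes, because the forward-to-permit match compares the mapped address rather than the interface keyword. The ACE parser only covers the address forms used in this thread (any, host, interface, object-group, address/mask with an optional eq port).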