zebulun10305

asked on

Cisco ASA 5510 passing traffic


I really feel like I should not be configuring this ;(
I really know nothing about it. This is a really simple config but it looks like I am not even able to access the internet in my test.
Just want to configure:
Internet access for 192.168.111.0/24
Only 1 external IP
NAT Access for 69.199.189.2 ==> 192.168.111.3 for
HTTP, HTTPS, SMTP
I assume once I get the internet and 1 server working I can do the rest. Tried setting up 3389 to test RDP and see if that works.

This is either 1 simple thing missing or totally wrong ;). Thought it was just my static route since I could not get on the internet.


I am using the GUI to configure.

Thanks


asdm image disk0:/asdm-508.bin
asdm location DC_EXC-01 255.255.255.255 Inside
asdm location GIP-DC-01 255.255.255.255 Inside
asdm location GIP-FIL-01 255.255.255.255 Inside
asdm location Phone_System 255.255.255.255 Inside
asdm location Mgmt 255.255.255.0 Outside
asdm location 192.168.2.0 255.255.255.0 Outside
asdm location PPTP_VPN 255.255.255.0 Outside
asdm location 200.9.49.66 255.255.255.255 Outside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password OUbDbUuYyAxeu8ym encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.111.6 GIP-DC-01
name 192.168.111.3 DC_EXC-01
name 192.168.111.248 Phone_System
name 192.168.111.9 GIP-FIL-01
name 192.168.101.0 PPTP_VPN
name 192.168.1.0 Mgmt
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 69.199.189.2 255.255.255.252
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
object-group service RDP tcp
 port-object eq 3389
object-group service 59101 udp
 port-object eq 59101
object-group service 3389 tcp
 port-object eq 3389
access-list Outside_access_in extended permit tcp any object-group 3389 host DC_EXC-01 object-group 3389
access-list Outside_access_in extended permit tcp any eq smtp host DC_EXC-01 eq smtp
access-list Outside_access_in extended permit tcp any eq www host DC_EXC-01 eq www
access-list Outside_access_in extended permit tcp any eq https host DC_EXC-01 eq https
access-list Outside_access_in extended permit tcp any eq pptp host DC_EXC-01 eq pptp
access-list Outside_access_in extended permit udp any host DC_EXC-01
access-list Inside_access_in extended permit tcp any any
access-list Inside_nat0_outbound extended permit ip any 192.168.111.192 255.255.255.224
access-list Outside_access_out extended permit tcp any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool IP 192.168.111.205-192.168.111.210 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 69.199.189.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Outside internal
group-policy Outside attributes
 wins-server value 192.168.111.5
 dns-server value 192.168.111.5
 webvpn
group-policy GIPLaw internal
group-policy GIPLaw attributes
 dns-server value 192.168.111.3
 default-domain value giplaw.com
 webvpn
username test2 password k83iXWPan0Gg1s04 encrypted privilege 0
username test2 attributes
 vpn-group-policy GIPLaw
 webvpn
username test password RP.IjiaLaIUd5xjg encrypted privilege 0
username test attributes
 vpn-group-policy Outside
 webvpn
http server enable
http 207.155.221.0 255.255.255.240 Outside
http 68.33.234.224 255.255.255.255 Outside
http 69.199.189.1 255.255.255.255 Outside
http 192.168.111.0 255.255.255.0 Inside
http Mgmt 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Outside type ipsec-ra
tunnel-group Outside general-attributes
 address-pool IP
 default-group-policy Outside
tunnel-group Outside ipsec-attributes
 pre-shared-key *
tunnel-group GIPLaw type ipsec-ra
tunnel-group GIPLaw general-attributes
 address-pool IP
 default-group-policy GIPLaw
tunnel-group GIPLaw ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:6c66aa3bb148a279c01492808d8ad94d
: end

Anglo

static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255 does not look right. You need to name 69.199.189.2 DC_EXC_01_ext and map that in the NAT to DC_EXC-01.  You also need to use this name in the access-in ACLs
zebulun10305

ASKER

69.199.189.2 is the external interface. I can't name it anything like I did on the inside that I can see. I can start from scratch also. Are ACLs in the Security Policy or NAT? I also don't see Access Control List anywhere listed.
I am using ASDM 5.0 for ASA
I can put in screen shots of what I have or just start over.
Add a static NAT rule, original is your inside interface - source DC_EXC_01. Translated is your outside interface - use Interface IP address. Yes, the ACLs I refer to are your security policies. The outside_in rules need to have the external IP as the destination. Happy New Year.
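The procedure above, written out in pre-8.3 CLI for the ASA 7.0(8) config posted in the question. This is an added example, not part of the thread and not from any of the posters; it reuses the interface names, hostnames and addresses from the posted config (Outside 69.199.189.2/30, Inside 192.168.111.0/24, DC_EXC-01 = 192.168.111.3). The RDP source address 203.0.113.10 is a placeholder standing in for whatever trusted address the test is run from. Three things in the posted config that this fragment changes, beyond the self-mapping static Anglo flagged: the Outside ACL matches on the source port as well as the destination port ("any eq smtp"), which a real client never satisfies; its destination is the inside address instead of the public one, although before 8.3 the Outside ACL is evaluated against the mapped (public) address; and both Inside_access_in and Outside_access_out permit only TCP, so DNS over UDP/53 from the LAN is dropped, which by itself looks like "no Internet".

```cisco
! Added example (not from the thread). ASA 7.0(8), pre-8.3 NAT syntax.
! Assumes the names, interfaces and addresses of the posted config.
!
! 1. Remove the self-mapping static. Statics take precedence over nat/global,
!    so this one pins DC_EXC-01 to its own RFC1918 address on the Outside side:
!    the server never gets PAT'd to the public IP and nothing can reach it.
no static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255
!
! 2. Outbound Internet for the LAN: PAT to the Outside interface address.
!    (Already in the posted config; repeated here so the fragment is complete.)
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
!
! 3. Port forwards on the single public IP: static PAT, one line per service.
!    "interface" = use the Outside interface address as the mapped address.
static (Inside,Outside) tcp interface www   DC_EXC-01 www   netmask 255.255.255.255
static (Inside,Outside) tcp interface https DC_EXC-01 https netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp  DC_EXC-01 smtp  netmask 255.255.255.255
!
! 4. Inbound policy. Destination is the PUBLIC address (pre-8.3 the ACL on
!    Outside sees the mapped address), and only the destination port is given.
!    The "permit udp any host DC_EXC-01" line from the posted config is dropped:
!    it exposed every UDP port on the server.
clear configure access-list Outside_access_in
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq www
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq https
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq smtp
access-group Outside_access_in in interface Outside
!
! 5. RDP for the connectivity test only, from one trusted source
!    (203.0.113.10 is a placeholder). Remove both lines once the test is done;
!    RDP on a domain controller / Exchange box should not face the Internet.
static (Inside,Outside) tcp interface 3389 DC_EXC-01 3389 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp host 203.0.113.10 host 69.199.189.2 eq 3389
!
! 6. Outbound policy. The posted Inside_access_in and Outside_access_out both
!    permit TCP only, so UDP/53 DNS and ICMP from the LAN never leave the box.
!    Drop the redundant outbound ACL on Outside and allow what the LAN needs
!    on the Inside ACL (add further UDP services, e.g. NTP, as required).
no access-group Outside_access_out out interface Outside
clear configure access-list Outside_access_out
clear configure access-list Inside_access_in
access-list Inside_access_in extended permit tcp 192.168.111.0 255.255.255.0 any
access-list Inside_access_in extended permit udp 192.168.111.0 255.255.255.0 any eq domain
access-list Inside_access_in extended permit icmp 192.168.111.0 255.255.255.0 any echo
access-group Inside_access_in in interface Inside
!
! Verify:
!   show xlate                          -> one static entry per forwarded port
!   show access-list Outside_access_in  -> hitcnt increments when a client connects
!   show nat                            -> dynamic PAT line for 192.168.111.0/24
```

In ASDM 5.0 the same result is the "Static" NAT rule Anglo describes (Original: Inside / DC_EXC-01, Translated: Outside / "Use Interface IP Address", with the "Enable Port Address Translation (PAT)" box ticked and the TCP port filled in), plus one Security Policy rule per service whose destination is the outside interface address. The `clear configure access-list` lines wipe each ACL before it is rebuilt; on a box already in production, add the new entries first and delete the old ones afterwards instead.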
Trying that today. I'll let you know if all works
ASKER CERTIFIED SOLUTION
decoleur

This solution is only available to members.
I'll try that tomorrow. That I can follow hopefully.