zebulun10305
Cisco ASA 5510 passing traffic
I really feel like I should not be configuring this ;(
I really know nothing about it. This is a really simple config but it looks like I am not even able to access the internet in my test.
Just want to configure:
Internet access for 192.168.111.0/24
Only 1 external IP
NAT Access for 69.199.189.2 ==> 192.168.111.3 for HTTP, HTTPS, SMTP
I assume once I get the internet and 1 server working I can do the rest. Tried setting up 3389 to test rdp and see if that works.
This is either 1 simple thing missing or totally wrong ;). Thought it was just my static route since I could not get on the internet.
I am using the GUI to configure.
Thanks
asdm image disk0:/asdm-508.bin
asdm location DC_EXC-01 255.255.255.255 Inside
asdm location GIP-DC-01 255.255.255.255 Inside
asdm location GIP-FIL-01 255.255.255.255 Inside
asdm location Phone_System 255.255.255.255 Inside
asdm location Mgmt 255.255.255.0 Outside
asdm location 192.168.2.0 255.255.255.0 Outside
asdm location PPTP_VPN 255.255.255.0 Outside
asdm location 200.9.49.66 255.255.255.255 Outside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password OUbDbUuYyAxeu8ym encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.111.6 GIP-DC-01
name 192.168.111.3 DC_EXC-01
name 192.168.111.248 Phone_System
name 192.168.111.9 GIP-FIL-01
name 192.168.101.0 PPTP_VPN
name 192.168.1.0 Mgmt
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 69.199.189.2 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.111.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
object-group service RDP tcp
port-object eq 3389
object-group service 59101 udp
port-object eq 59101
object-group service 3389 tcp
port-object eq 3389
access-list Outside_access_in extended permit tcp any object-group 3389 host DC_EXC-01 object-group 3389
access-list Outside_access_in extended permit tcp any eq smtp host DC_EXC-01 eq smtp
access-list Outside_access_in extended permit tcp any eq www host DC_EXC-01 eq www
access-list Outside_access_in extended permit tcp any eq https host DC_EXC-01 eq https
access-list Outside_access_in extended permit tcp any eq pptp host DC_EXC-01 eq pptp
access-list Outside_access_in extended permit udp any host DC_EXC-01
access-list Inside_access_in extended permit tcp any any
access-list Inside_nat0_outbound extended permit ip any 192.168.111.192 255.255.255.224
access-list Outside_access_out extended permit tcp any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool IP 192.168.111.205-192.168.11
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 69.199.189.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Outside internal
group-policy Outside attributes
wins-server value 192.168.111.5
dns-server value 192.168.111.5
webvpn
group-policy GIPLaw internal
group-policy GIPLaw attributes
dns-server value 192.168.111.3
default-domain value giplaw.com
webvpn
username test2 password k83iXWPan0Gg1s04 encrypted privilege 0
username test2 attributes
vpn-group-policy GIPLaw
webvpn
username test password RP.IjiaLaIUd5xjg encrypted privilege 0
username test attributes
vpn-group-policy Outside
webvpn
http server enable
http 207.155.221.0 255.255.255.240 Outside
http 68.33.234.224 255.255.255.255 Outside
http 69.199.189.1 255.255.255.255 Outside
http 192.168.111.0 255.255.255.0 Inside
http Mgmt 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Outside type ipsec-ra
tunnel-group Outside general-attributes
address-pool IP
default-group-policy Outside
tunnel-group Outside ipsec-attributes
pre-shared-key *
tunnel-group GIPLaw type ipsec-ra
tunnel-group GIPLaw general-attributes
address-pool IP
default-group-policy GIPLaw
tunnel-group GIPLaw ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:6c66aa3bb14
: end
static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255 does not look right. You need to name 69.199.189.2 DC_EXC_01_ext and map that in the NAT to DC_EXC-01. You also need to use this name in the access-in ACLs
ASKER
69.199.189.2 is the external interface. I can't name it anything like I did on the inside that I can see. I can start from scratch also. Are ACLs in the Security Policy or NAT? I also don't see Access Control List anywhere listed.
I am using ASDM 5.0 for ASA
I can put in screen shots of what I have or just start over.
Add a static NAT rule, original is your inside interface - source DC_EXC_01. Translated is your outside interface - use Interface IP address. Yes, the ACL I refer to are your security policies. The outside_in rules need to have the external IP as the destination. Happy New Year
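A small check for the two points raised in the answer above, as an added example that is not part of the original thread and not Cisco's code: it parses the pre-8.3 ASA `static` and `access-list ... extended permit` syntax used in the posted 7.0(8) config, flags a static that maps a host to itself, and flags inbound entries on the Outside ACL whose destination is the inside (real) address rather than the translated one. It also flags entries that pin the source port (the posted `any eq www` form), a point the thread does not raise. Both sample configs are constructed for this example; the corrected one follows the answer's shape (per-port `static` to the interface IP, ACL destination 69.199.189.2), with names resolved to the addresses from the posted config.

```python
"""Lint classic (pre-8.3) ASA static/ACL pairs for the mistakes in this thread.

Added example, not from the original post or from Cisco.  Assumptions:
the config uses ASA 7.x syntax, the outside interface is named 'Outside',
and the sample configs below are constructed (not the asker's full config).
"""
import re

# Constructed sample shaped like the asker's config, names resolved to IPs.
BROKEN = """
static (Inside,Outside) 192.168.111.3 192.168.111.3 netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any eq www host 192.168.111.3 eq www
access-list Outside_access_in extended permit tcp any eq https host 192.168.111.3 eq https
access-list Outside_access_in extended permit tcp any eq smtp host 192.168.111.3 eq smtp
access-group Outside_access_in in interface Outside
"""

# Constructed sample following the answer: per-port static to the outside
# interface address, and inbound ACL entries that name that public address.
FIXED = """
static (Inside,Outside) tcp interface www 192.168.111.3 www netmask 255.255.255.255
static (Inside,Outside) tcp interface https 192.168.111.3 https netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 192.168.111.3 smtp netmask 255.255.255.255
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq www
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq https
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq smtp
access-group Outside_access_in in interface Outside
"""

# static (real_ifc,mapped_ifc) {tcp|udp} mapped_ip mapped_port real_ip real_port netmask ...
STATIC_PORT = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
STATIC_PLAIN = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
ACL = re.compile(r"^access-list (\S+) extended permit (\w+) (.+)$")
ACCESS_GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")


def _take_addr(tokens, i):
    """Consume one address spec (any | host X | interface X | net mask)."""
    t = tokens[i]
    if t == "any":
        return "any", i + 1
    if t in ("host", "interface"):
        return tokens[i + 1], i + 2
    return f"{t}/{tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Consume an optional port spec (eq P | range A B | object-group G)."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    if i < len(tokens) and tokens[i] == "range":
        return f"{tokens[i + 1]}-{tokens[i + 2]}", i + 3
    if i < len(tokens) and tokens[i] == "object-group":
        return tokens[i + 1], i + 2
    return None, i


def parse_acl(rest):
    """Split 'src [sport] dst [dport]' into a dict; sport is None when absent."""
    tokens = rest.split()
    src, i = _take_addr(tokens, 0)
    sport, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dport, i = _take_port(tokens, i)
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


def lint(config, outside_ifc="Outside"):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, statics, acls, inbound = [], [], {}, {}
    for line in config.strip().splitlines():
        if m := STATIC_PORT.match(line):
            statics.append((m.group(2), m.group(4), m.group(6)))
        elif m := STATIC_PLAIN.match(line):
            statics.append((m.group(2), m.group(3), m.group(4)))
        elif m := ACL.match(line):
            acls.setdefault(m.group(1), []).append(parse_acl(m.group(3)))
        elif m := ACCESS_GROUP.match(line):
            inbound[m.group(2)] = m.group(1)
    real_hosts = set()
    for _ifc, mapped, real in statics:
        real_hosts.add(real)
        if mapped == real:
            findings.append(f"static maps {real} to itself: no translation, the public address never reaches it")
    # On pre-8.3 code the ACL on the outside interface sees the mapped address.
    for entry in acls.get(inbound.get(outside_ifc, ""), []):
        if entry["dst"] in real_hosts:
            findings.append(f"inbound ACL on {outside_ifc} names real address {entry['dst']}; use the mapped (outside) address")
        if entry["sport"]:
            findings.append(f"entry pins source port {entry['sport']}; clients use ephemeral source ports, so it rarely matches")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or ["ok"])
```

Run it against an exported config (`show running-config`) after resolving `name` entries to addresses; any `static` that maps a host to itself, or an Outside ACL whose destination is an inside address, is a rule that will never pass traffic from the internet.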
ASKER
Trying that today. I'll let you know if all works
ASKER CERTIFIED SOLUTION
ASKER
I'll try that tomorrow. That I can follow hopefully.