Cisco ASA 5510 passing traffic

Posted on 2009-12-30
Last Modified: 2013-11-16

I really feel like I should not be configuring this ;(
I really know nothing about it. This is a really simple config, but it looks like I am not even able to access the internet in my test.
Just want to configure:
Internet access for 192.168.111.0/24
Only 1 external IP
NAT access for 69.199.189.2 ==> 192.168.111.3 for
HTTP, HTTPS, SMTP
I assume once I get the internet and 1 server working I can do the rest. Tried setting up 3389 to test RDP and see if that works.

This is either 1 simple thing missing or totally wrong ;). Thought it was just my static route, since I could not get on the internet.


I am using the GUI to configure.

Thanks


asdm image disk0:/asdm-508.bin
asdm location DC_EXC-01 255.255.255.255 Inside
asdm location GIP-DC-01 255.255.255.255 Inside
asdm location GIP-FIL-01 255.255.255.255 Inside
asdm location Phone_System 255.255.255.255 Inside
asdm location Mgmt 255.255.255.0 Outside
asdm location 192.168.2.0 255.255.255.0 Outside
asdm location PPTP_VPN 255.255.255.0 Outside
asdm location 200.9.49.66 255.255.255.255 Outside
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password OUbDbUuYyAxeu8ym encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.111.6 GIP-DC-01
name 192.168.111.3 DC_EXC-01
name 192.168.111.248 Phone_System
name 192.168.111.9 GIP-FIL-01
name 192.168.101.0 PPTP_VPN
name 192.168.1.0 Mgmt
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 69.199.189.2 255.255.255.252
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.111.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
object-group service RDP tcp
 port-object eq 3389
object-group service 59101 udp
 port-object eq 59101
object-group service 3389 tcp
 port-object eq 3389
access-list Outside_access_in extended permit tcp any object-group 3389 host DC_EXC-01 object-group 3389
access-list Outside_access_in extended permit tcp any eq smtp host DC_EXC-01 eq smtp
access-list Outside_access_in extended permit tcp any eq www host DC_EXC-01 eq www
access-list Outside_access_in extended permit tcp any eq https host DC_EXC-01 eq https
access-list Outside_access_in extended permit tcp any eq pptp host DC_EXC-01 eq pptp
access-list Outside_access_in extended permit udp any host DC_EXC-01
access-list Inside_access_in extended permit tcp any any
access-list Inside_nat0_outbound extended permit ip any 192.168.111.192 255.255.255.224
access-list Outside_access_out extended permit tcp any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool IP 192.168.111.205-192.168.111.210 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 69.199.189.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Outside internal
group-policy Outside attributes
 wins-server value 192.168.111.5
 dns-server value 192.168.111.5
 webvpn
group-policy GIPLaw internal
group-policy GIPLaw attributes
 dns-server value 192.168.111.3
 default-domain value giplaw.com
 webvpn
username test2 password k83iXWPan0Gg1s04 encrypted privilege 0
username test2 attributes
 vpn-group-policy GIPLaw
 webvpn
username test password RP.IjiaLaIUd5xjg encrypted privilege 0
username test attributes
 vpn-group-policy Outside
 webvpn
http server enable
http 207.155.221.0 255.255.255.240 Outside
http 68.33.234.224 255.255.255.255 Outside
http 69.199.189.1 255.255.255.255 Outside
http 192.168.111.0 255.255.255.0 Inside
http Mgmt 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group Outside type ipsec-ra
tunnel-group Outside general-attributes
 address-pool IP
 default-group-policy Outside
tunnel-group Outside ipsec-attributes
 pre-shared-key *
tunnel-group GIPLaw type ipsec-ra
tunnel-group GIPLaw general-attributes
 address-pool IP
 default-group-policy GIPLaw
tunnel-group GIPLaw ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:6c66aa3bb148a279c01492808d8ad94d
: end

Question by:zebulun10305
Expert Comment

by:Anglo
ID: 26144966
static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255 does not look right. You need to name 69.199.189.2 DC_EXC_01_ext and map that in the NAT to DC_EXC-01.  You also need to use this name in the access-in ACLs

Author Comment

by:zebulun10305
ID: 26145698
69.199.189.2 is the external interface. I can't name it anything like I did on the inside, that I can see. I can start from scratch also. Are ACLs in the Security Policy or NAT? I also don't see Access Control List anywhere listed.
I am using ASDM 5.0 for ASA.
I can put in screenshots of what I have or just start over.
Expert Comment

by:Anglo
ID: 26152865
Add a static NAT rule: original is your inside interface, source DC_EXC_01. Translated is your outside interface; use Interface IP address. Yes, the ACLs I refer to are your security policies. The outside_in rules need to have the external IP as the destination. Happy New Year.

Author Comment

by:zebulun10305
ID: 26167085
Trying that today. I'll let you know if it all works.
Accepted Solution

by:decoleur
ID: 26170621
z-

Your NAT is incorrect, and the ACLs that are allowing access are incorrect as well.

You need to NAT the interesting traffic for the outside interface to DC_EXC-01 and then allow ACLs for the interesting traffic to that public address.

Here is what will do that for the ACLs. Notice you are only restricting the traffic destined to your services, not sourced from the services, i.e. permit tcp any host eq www
and not permit any eq www host eq www.

access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq 3389
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq smtp
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq www
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq https
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq pptp

For your NAT statements you need one for each service:
static (Inside,Outside) tcp interface 3389 DC_EXC-01 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp DC_EXC-01 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface www DC_EXC-01 www netmask 255.255.255.255
static (Inside,Outside) tcp interface https DC_EXC-01 https netmask 255.255.255.255
static (Inside,Outside) tcp interface pptp DC_EXC-01 pptp netmask 255.255.255.255

Get rid of the other outside ACL and the other NAT statement.

hope this helps,

-t
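The two mistakes decoleur calls out (ACEs that restrict the source port, and ACEs and statics that name the private host where the public address belongs) are mechanical enough to lint for. The script below is an added example, not code from the thread or from Cisco. It parses the relevant lines from the original post and from the accepted answer, embedded here as constructed samples, using the pre-8.3 rules that apply to this 7.0(8) box: an ACL applied inbound on Outside is matched against the translated (public) address, and a static whose mapped address is still private publishes nothing. The ACL name `Outside_access_in` and the `name` label come from the post; support for `range`, `gt/lt/neq` and `object-group` port clauses is an assumption about what else such a config may contain.

```python
"""Lint an ASA 7.x/8.2-style config fragment for the mistakes discussed in the
thread (added example, not from the original post). Returns one finding per
problem so the caller can see exactly which line is wrong and why."""
import ipaddress
import re

PORT_OPS = {"eq", "gt", "lt", "neq"}


def _names(lines):
    """Resolve 'name <ip> <label>' entries so labels can be checked as IPs."""
    out = {}
    for ln in lines:
        m = re.match(r"name\s+(\S+)\s+(\S+)$", ln)
        if m:
            out[m.group(2)] = m.group(1)
    return out


def _service_groups(lines):
    """Names of 'object-group service' groups, so they parse as port clauses."""
    svc = set()
    for ln in lines:
        m = re.match(r"object-group service\s+(\S+)", ln)
        if m:
            svc.add(m.group(1))
    return svc


def _addr(toks, i, names):
    """Parse one address clause; return (address string, next token index)."""
    t = toks[i]
    if t == "any":
        return "any", i + 1
    if t == "host":
        return names.get(toks[i + 1], toks[i + 1]), i + 2
    if t == "object-group":
        return "group:" + toks[i + 1], i + 2
    return names.get(t, t) + "/" + toks[i + 1], i + 2  # network + mask


def _port(toks, i, svc):
    """Parse an optional port clause; return (clause or None, next index)."""
    if i >= len(toks):
        return None, i
    t = toks[i]
    if t in PORT_OPS:
        return " ".join(toks[i:i + 2]), i + 2
    if t == "range":
        return " ".join(toks[i:i + 3]), i + 3
    if t == "object-group" and toks[i + 1] in svc:
        return "group:" + toks[i + 1], i + 2
    return None, i


def _is_private(addr):
    try:  # 'any', 'group:...' and 'interface' are not addresses
        return ipaddress.ip_address(addr.split("/")[0]).is_private
    except ValueError:
        return False


def lint(config, inbound_acl="Outside_access_in"):
    """Return [(offending line, reason), ...]; an empty list means clean."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    names, svc = _names(lines), _service_groups(lines)
    findings = []
    for ln in lines:
        toks = ln.split()
        if (toks[:4] == ["access-list", inbound_acl, "extended", "permit"]
                and toks[4] in ("tcp", "udp")):
            _src, i = _addr(toks, 5, names)
            sport, i = _port(toks, i, svc)
            dst, i = _addr(toks, i, names)
            dport, i = _port(toks, i, svc)
            if sport:  # clients pick ephemeral source ports; this never matches
                findings.append((ln, f"source port restricted ({sport})"))
            if _is_private(dst):  # pre-8.3: inbound ACE must name the mapped IP
                findings.append((ln, f"destination {dst} is private; use the public address"))
            if dport is None:
                findings.append((ln, "no port clause; every port on the host is exposed"))
        elif toks[:1] == ["static"]:
            # static (real_ifc,mapped_ifc) [tcp|udp] <mapped> ... ; 'interface' is fine
            mapped = toks[3] if toks[2] in ("tcp", "udp") else toks[2]
            mapped = names.get(mapped, mapped)
            if _is_private(mapped):
                findings.append((ln, f"mapped address {mapped} is private; nothing is published on Outside"))
    return findings


# Constructed samples: the relevant lines from the original post ...
POSTED = """
name 192.168.111.3 DC_EXC-01
object-group service 3389 tcp
 port-object eq 3389
access-list Outside_access_in extended permit tcp any object-group 3389 host DC_EXC-01 object-group 3389
access-list Outside_access_in extended permit tcp any eq smtp host DC_EXC-01 eq smtp
access-list Outside_access_in extended permit tcp any eq www host DC_EXC-01 eq www
access-list Outside_access_in extended permit udp any host DC_EXC-01
static (Inside,Outside) DC_EXC-01 DC_EXC-01 netmask 255.255.255.255
"""
# ... and from the accepted answer.
FIXED = """
name 192.168.111.3 DC_EXC-01
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq smtp
access-list Outside_access_in extended permit tcp any host 69.199.189.2 eq www
static (Inside,Outside) tcp interface smtp DC_EXC-01 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface www DC_EXC-01 www netmask 255.255.255.255
"""

if __name__ == "__main__":
    for line, why in lint(POSTED):
        print(f"{why}\n    {line}")
    print("fixed config findings:", lint(FIXED))
```

On the firewall itself, after applying the accepted answer, `show xlate` should list one static PAT entry per published port and `show access-list Outside_access_in` should show the hit counts on the public-address ACEs climbing when a connection is made from outside; if the counts stay at zero, the ACE is still not matching the translated address.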

Author Comment

by:zebulun10305
ID: 26196738
I'll try that tomorrow. That I can follow, hopefully.
