balinton
asked on
Cisco ASA config Help
All, I have most of my config done; I need some help in a few areas. One, please take a look and see if there are any areas I should change or could improve. Two, I cannot resolve on my internal network by name, only by IP address. Also, I want to be able to access my device remotely out of my office on a different port.
Thanks,
Brandon
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq 587
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 174.54.14.72 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
dns-server value 192.168.1.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
split-dns value DOMAIN.COM
username xxxxxx password xxxxxxxxx encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool RA_VPN_POOL
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:99c1a6d7dce55ac6463f4afba1540164
: end
>> two i cannot resolve on my internal network by name only by ip address
On the ASA or an internal client? If it's the ASA then this is normal; the ASA is not concerned with names, only IP addresses.
ASKER
Hi Pete,
I want to be able to manage my ASA from the internet, say from work to home, on port 4443 maybe? What is the best practice for doing this? Should I just VPN in and then connect via the local address 192.168.1.1 instead?
Name resolution is from my internal network, not the ASA. I have AD and DNS set up internally, and my client systems cannot resolve internal DNS unless I hardcode the internal DNS server. The ASA is handing out DHCP, so I just need to figure out how to add my DNS server to the ASA.
Hi there:
You can't change the default port for management (telnet, ssh)...
1) If you're comfortable using the CLI to manage your ASA firewall, you should use SSH; it is one of the best options. You can also increase the security by making a VPN and then just accessing the internal IP address (some extra config needed) using one of the management options (ASDM, SSH, telnet).
2) For the name resolution, that's an easy one:
Just add the following line to your config:
dhcpd dns <the local dns servers address, up to two!>
example:
dhcpd dns 192.168.10.10 192.168.10.11
Here are some links that can put you in the right direction:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
http://ciscogeek.org/activate-asdm-as-gui-interface-for-cisco-asapix-firewall/
And for the DHCP, here's a good one:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806c1cd5.shtml
ASKER
Reinaldo, thanks for the DHCP info; I will try that later tonight.
Pete, I did try your write-up for managing the ASA from the internet, but I lost all connectivity to it and had to reset so I could access it again. I will follow this again tonight when I have more time; maybe I was impatient.
No Probs - Let me know how you get on :)
ASKER
DHCP is working now, thanks Reinaldo.
Remote access doesn't seem to be working externally, but I will double check from work tomorrow just to be sure. The port is now on 4443 and I can access it via 192.168.1.1.
Thanks for your time.
ASKER
All is working well now. Thank you both for your time. On to the next hurdle.. :)
:) ThanQ
What, on what port? You mean 192.168.1.5 on a different port from 3389? See
http://petenetlive.com/KB/Article/0000166.htm
or
http://petenetlive.com/KB/Article/0000167.htm
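Both practical questions in this thread (why DHCP clients cannot resolve names, and how to reach the ASA's management interface from outside on a different port) come down to specific lines in the posted running-config. As an added example that is not part of the thread and is not Cisco tooling, the Python script below parses a constructed excerpt of that config and reports the points a reviewer would raise: the missing `dhcpd dns` line, remote-administration ports opened to any source on the outside ACL, a static PAT that claims the same outside port as the ASA's own http/ASDM server, and management hosts permitted from a whole range. The excerpt, the check list, and every helper name are my own assumptions.

```python
"""Review an ASA 8.2-style running-config for the points raised in this thread.

Added example; not from the thread and not Cisco code. The checks, the
constructed config excerpt and the helper names are the author's assumptions.
"""
from dataclasses import dataclass, field

# Constructed excerpt modelled on the posted running-config (not the full dump).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq smtp
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 174.54.14.72 255.255.255.255 outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
"""

# Service keywords used in the posted config, mapped to port numbers.
SERVICE_PORTS = {"https": 443, "smtp": 25, "ssh": 22, "telnet": 23}
# Ports this reviewer treats as remote-administration services (assumption).
ADMIN_PORTS = {22, 23, 3389}


def port_number(token):
    """Turn an ASA port keyword or number into an int (unknown keywords raise)."""
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def _take_addr(tokens, i):
    """Consume one address spec (any | host X | interface X | net mask) at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


@dataclass
class AsaConfig:
    acl: dict = field(default_factory=dict)            # name -> list of entries
    access_groups: dict = field(default_factory=dict)  # interface -> acl name
    statics: list = field(default_factory=list)        # (outside port, inside host, inside port)
    http_hosts: list = field(default_factory=list)     # (ip, mask, interface)
    http_port: int = 443                               # 'http server enable [port]'
    dhcp_interfaces: set = field(default_factory=set)
    dhcp_dns: list = field(default_factory=list)


def parse_asa_config(text):
    """Pull out the handful of statement types the review needs; ignore the rest."""
    cfg = AsaConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith(("!", ":")):
            continue
        if t[0] == "access-list" and len(t) > 5 and t[2] == "extended":
            src, i = _take_addr(t, 5)
            dst, i = _take_addr(t, i)
            port = port_number(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
            cfg.acl.setdefault(t[1], []).append(
                {"action": t[3], "proto": t[4], "src": src, "dst": dst, "port": port})
        elif t[0] == "access-group":                 # access-group NAME in interface IFACE
            cfg.access_groups[t[4]] = t[1]
        elif t[0] == "static" and t[2] == "tcp" and t[3] == "interface":
            cfg.statics.append((port_number(t[4]), t[5], port_number(t[6])))
        elif t[0] == "http" and t[1] == "server":    # http server enable [port]
            if len(t) > 3:
                cfg.http_port = int(t[3])
        elif t[0] == "http":                         # http IP MASK IFACE
            cfg.http_hosts.append((t[1], t[2], t[3]))
        elif t[0] == "dhcpd" and t[1] == "enable":
            cfg.dhcp_interfaces.add(t[2])
        elif t[0] == "dhcpd" and t[1] == "dns":
            cfg.dhcp_dns = t[2:]
    return cfg


def review(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # 1. The asker's symptom: DHCP clients get no DNS server without 'dhcpd dns'.
    if cfg.dhcp_interfaces and not cfg.dhcp_dns:
        findings.append("dhcpd enabled on %s but no 'dhcpd dns' line: clients receive no DNS "
                        "server" % ", ".join(sorted(cfg.dhcp_interfaces)))
    # 2. Remote-administration ports reachable from any source through the outside ACL.
    outside_acl = cfg.access_groups.get("outside")
    for e in cfg.acl.get(outside_acl, []):
        if e["action"] == "permit" and e["src"] == "any" and e["port"] in ADMIN_PORTS:
            findings.append(f"outside ACL {outside_acl} permits any source to port {e['port']}; "
                            "restrict the source or reach it over the VPN instead")
    # 3. A static PAT and the ASA's own http/ASDM listener claiming the same outside port.
    if any(iface == "outside" for _, _, iface in cfg.http_hosts):
        for out_port, host, in_port in cfg.statics:
            if out_port == cfg.http_port:
                findings.append(f"port {out_port} on outside is both forwarded to {host}:{in_port} "
                                "and used by the http/ASDM server; move the server, e.g. "
                                "'http server enable 4443'")
    # 4. Management access from outside should be limited to single hosts.
    for ip, mask, iface in cfg.http_hosts:
        if iface == "outside" and mask != "255.255.255.255":
            findings.append(f"http {ip} {mask} outside allows management from a whole range")
    return findings


if __name__ == "__main__":
    for finding in review(parse_asa_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run against the excerpt it reports three findings: the missing `dhcpd dns`, RDP (3389) open to any source, and the 443 collision between the `static ... https` forward and the default http server port. Appending `dhcpd dns 192.168.1.5` and `http server enable 4443` (the state the asker ended up in) clears the first and third, which is a quick way to confirm a change before pushing it to a device you can only reach remotely.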