Cisco ASA config Help

All, I have most of my config done; I need some help in a few areas. One, please take a look and see if there are any areas I should change or could improve. Two, I cannot resolve on my internal network by name, only by IP address. Also, I want to be able to access my device remotely out of my office on a different port.

Result of the command: "show running-config"

: Saved
ASA Version 8.2(2) 
hostname ciscoasa
enable password  encrypted
passwd  encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 587 
access-list RA_VPN_ACL extended permit ip any 
access-list RA_VPN_SplitTunnel_ACL standard permit 
access-list NoNAT_ACL extended permit ip 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1
static (inside,outside) tcp interface smtp smtp netmask 
static (inside,outside) tcp interface https https netmask 
static (inside,outside) tcp interface 3389 3389 netmask 
static (inside,outside) tcp interface 587 587 netmask 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value DOMAIN.COM
username xxxxxx password xxxxxxxxx encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
service-policy global_policy global
prompt hostname context 
 profile CiscoTAC-1
  no active
  destination address http
  destination address email
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
: end


Pete LongTechnical ConsultantCommented:
>>also i want to be able to access my device remotely out of my office on a different port.

What, on what port? You mean on a different port from 3389? See

Pete LongTechnical ConsultantCommented:
>> two i cannot resolve on my internal network by name only by ip address

On the ASA or an internal client? If it's the ASA, then this is normal - the ASA is not concerned with names, only IP addresses.
balintonAuthor Commented:
Hi Pete,

I want to be able to manage my ASA from the internet, say from work to home, on port 4443 maybe? What is the best practice for doing this? Should I just VPN in and then connect via local address instead?

Name resolution is from my internal network, not the ASA. I have AD & DNS set up internally and my client systems cannot resolve internal DNS unless I hardcode the internal DNS server. The ASA is handing out DHCP, so I just need to figure out how to add my DNS server to the ASA.
Hi there:

You can't change the default port for management (telnet, ssh) for management purposes...

1) If you're comfortable using the CLI to manage your ASA firewall, you should use SSH; it is one of the best options. Also you can increase the security by making a VPN and then just accessing the internal IP address (some extra config needed) using some of the management options: (ASDM, SSH, telnet).

2) For the name resolution, that's an easy one:

Just add the following line to your config:

dhcpd dns <the local dns servers address, up to two!>
dhcpd dns

Here are some links that can put you in the right direction:

And for the DHCP, here's a good one.
Pete LongTechnical ConsultantCommented:
>>I want to be able to manage my ASA from the internet, say from work to home, on port 4443 maybe?

No problem, see

that details how to change the port for HTTP management.

As pointed out, SSH is tied to TCP 22, but you can manage from outside on SSH as well.

Even if you're an UberGeek, from your phone (note this is VERY insecure!!)


balintonAuthor Commented:
Reinaldo, thanks for the DHCP info; I will try that later tonight.

Pete, I did try your write-up for managing the ASA from the internet, but I lost all connectivity to it and had to reset so I could access it again. I will follow this again tonight when I have more time; maybe I was impatient.
Pete LongTechnical ConsultantCommented:
No Probs - Let me know how you get on :)
balintonAuthor Commented:
DHCP is working now, thanks Reinaldo.
Remote access doesn't seem to be working externally, but I will double check from work tomorrow just to be sure. The port is now on 4443 and I can access via

Thanks for your time.

Can you post your config after the changes...

But just to be clear, be sure that you have the following commands:

http server enable 4443 <Configure your device to listen to connections on port 4443 for asdm access.
http outside

For testing:

From a browser on another computer, out of your company or using another internet connection, do:


and it should work..!

Good luck!
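The config review the original poster asked for, as an added example that is not part of this thread: a small Python audit run over a constructed config in the same pre-8.3 ASA syntax (addresses are RFC 5737 placeholders, not the poster's redacted values). It flags the items the answers above discuss: DHCP served without `dhcpd dns`, ASDM/SSH/telnet management on the outside interface open to any source, inbound permits from any to management-type ports, and ASDM left on its default port 443 while a `static` interface PAT also uses 443 on the outside, which is one reason management on the default port fails and a port such as 4443 is used instead.

```python
import re

# Constructed sample in the pre-8.3 ASA syntax used in this thread; the
# addresses the poster redacted are replaced with RFC 5737 documentation values.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq 3389
static (inside,outside) tcp interface https https netmask 255.255.255.255
http server enable
http 192.0.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
dhcpd address 192.0.2.100-192.0.2.200 inside
dhcpd enable inside
"""

# Ports that should not be reachable from any internet source without a VPN.
MGMT_PORTS = {"22", "ssh", "23", "telnet", "3389"}


def audit_asa_config(text):
    """Return (check, detail) findings for the items discussed in the thread."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    findings = []

    # 1. DHCP served without 'dhcpd dns': clients get no resolver for the AD domain.
    if any(l.startswith("dhcpd enable ") for l in lines) and \
       not any(l.startswith("dhcpd dns ") for l in lines):
        findings.append(("dhcpd-no-dns", "dhcpd enable without dhcpd dns"))

    # 2. ASDM/SSH/telnet management on the outside interface open to any source.
    for l in lines:
        if re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside$", l):
            findings.append(("mgmt-open-outside", l))

    # 3. Inbound ACL on the outside permitting management-type ports from any.
    for l in lines:
        m = re.match(r"access-list \S+ extended permit tcp any interface outside eq (\S+)$", l)
        if m and m.group(1) in MGMT_PORTS:
            findings.append(("inbound-mgmt-port-any", l))

    # 4. ASDM on default port 443 while a static interface PAT also claims 443 outside.
    m = next((re.match(r"http server enable(?: (\d+))?$", l) for l in lines
              if l.startswith("http server enable")), None)
    asdm_port = (m.group(1) or "443") if m else None
    for l in lines:
        p = re.match(r"static \(inside,outside\) tcp interface (\S+) ", l)
        if p and asdm_port and {p.group(1), asdm_port} <= {"https", "443"}:
            findings.append(("asdm-port-collision", l))
    return findings
```

Running `audit_asa_config(SAMPLE_CONFIG)` yields five findings; adding `dhcpd dns`, moving ASDM to 4443 and restricting `http ... outside` to one source host clears all but the open SSH and the inbound 3389 permit.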

balintonAuthor Commented:
All is working well now, thank you both for your time; on to the next hurdle.. :)
Pete LongTechnical ConsultantCommented:
:) ThanQ