Cisco ASA config Help

All, I have most of my config done; I need some help in a few areas. One, please take a look and see if there are any areas I should change or could improve. Two, I cannot resolve on my internal network by name, only by IP address. Also I want to be able to access my device remotely out of my office on a different port.

Thanks,
Brandon
Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
enable password  encrypted
passwd  encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list outside_access_in extended permit tcp any interface outside eq 3389 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq 587 
access-list RA_VPN_ACL extended permit ip any 172.30.30.0 255.255.255.0 
access-list RA_VPN_SplitTunnel_ACL standard permit 172.25.25.0 255.255.255.0 
access-list NoNAT_ACL extended permit ip 172.25.25.0 255.255.255.0 172.30.30.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA_VPN_POOL 172.30.30.100-172.30.30.200
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.5 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.5 https netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 587 192.168.1.5 587 netmask 255.255.255.255 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 174.54.14.72 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address RA_VPN_ACL
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 65535 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
 dns-server value 192.168.1.5
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA_VPN_SplitTunnel_ACL
 split-dns value DOMAIN.COM
username xxxxxx password xxxxxxxxx encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_VPN_POOL
 default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:99c1a6d7dce55ac6463f4afba1540164
: end

balintonAsked:
Pete Long (Technical Consultant) commented:
>>also i want to be able to access my device remotely out of my office on a different port.

What on what port? You mean 192.168.1.5 on a different port from 3389? See

http://petenetlive.com/KB/Article/0000166.htm
or
http://petenetlive.com/KB/Article/0000167.htm

0
Pete Long (Technical Consultant) commented:
>> two i cannot resolve on my internal network by name only by ip address

On the ASA or an internal client? If it's the ASA then this is normal - the ASA is not concerned with names, only IP addresses.
0
balinton (Author) commented:
Hi Pete,

I want to be able to manage my ASA from the internet, say from work to home, on port 4443 maybe? What is the best practice for doing this? Should I just VPN in and then connect via the local address 192.168.1.1 instead?

Name resolution is from my internal network, not the ASA. I have AD & DNS set up internally and my client systems cannot resolve internal DNS unless I hardcode the internal DNS server. The ASA is handing out DHCP, so I just need to figure out how to add my DNS server to the ASA.
0
vreinaldo commented:
Hi there:

You can't change the default management port for telnet or ssh...

1) If you're comfortable using the CLI to manage your ASA firewall, you should use ssh; it is one of the best options. You can also increase the security by making a VPN and then just accessing the internal IP address (some extra config needed) using one of the management options (ASDM, ssh, telnet).


2) For the name resolution, that's an easy one:

Just add the following line to your config:

dhcpd dns <the local dns servers address, up to two!>
example:
dhcpd dns 192.168.10.10 192.168.10.11


Here are some links that can put you in the right direction:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml


http://ciscogeek.org/activate-asdm-as-gui-interface-for-cisco-asapix-firewall/



And for the DHCP, here's a good one.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806c1cd5.shtml
0
Pete Long (Technical Consultant) commented:
>>I want to be able to manage my asa from the internet say from work to home on port 4443 maybe?  

No problem see

http://petenetlive.com/KB/Article/0000068.htm

that details how to change the port for http management.

As pointed out, SSH is tied to TCP 22, but you can manage from outside on SSH as well. http://petenetlive.com/KB/Article/0000075.htm

Even if you're an UberGeek, from your phone: http://petenetlive.com/KB/Article/0000158.htm (note this is VERY insecure!!)

Pete
0
balinton (Author) commented:
reinaldo thanks for the DHCP info i will try that later tonight.

Pete, I did try your write-up for managing the ASA from the internet, but I lost all connectivity to it and had to reset so I could access it again. I will follow this again tonight when I have more time; maybe I was impatient.
0
Pete Long (Technical Consultant) commented:
No Probs - Let me know how you get on :)
0
balinton (Author) commented:
DHCP is working now, thanks reinaldo.
Remote access doesn't seem to be working externally, but I will double check from work tomorrow just to be sure. The port is now on 4443 and I can access via 192.168.1.1.

Thanks for your time.
0
vreinaldo commented:
Hmmm....


Can you post your config after the changes...

but just to be clear, be sure that you have the following commands:

http server enable 4443   (configures your device to listen for connections on port 4443 for ASDM access)
http 0.0.0.0 0.0.0.0 outside

for testing:

From a browser on another computer, outside your company or using another internet connection, do:

https://<outside-ip-or-name>:4443

and it should work..!


Good luck!

0
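The two configuration changes vreinaldo gives above (handing a DNS server to DHCP clients with `dhcpd dns`, and moving ASDM/HTTPS management to port 4443 with `http server enable 4443` plus an `http ... outside` entry) can be checked offline before they go onto the box. The script below is an added example written for this thread; it is not code from the thread, from Cisco, or from the ASA itself. It parses three constructed excerpts built from lines in the posted config (the original state, the state after the suggested commands, and a variant that keeps the source restriction the original config already had) and reports what each one exposes. The `parse`, `findings` and `severities` functions and the severity labels are this example's own.

```python
"""Checker for the two ASA items this thread discusses: whether DHCP clients
are handed a DNS server (dhcpd dns) and how widely HTTPS/ASDM management on
the outside interface is exposed. Added example, not the thread's or Cisco's
code; it reads plain config text offline and never talks to a device.
The three excerpts are constructed from the lines in the thread."""

import ipaddress
import re

# Constructed: the relevant lines of the posted running-config as asked.
CONFIG_BEFORE = """\
http server enable
http 192.168.1.0 255.255.255.0 inside
http 174.54.14.72 255.255.255.255 outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
"""

# Constructed: the same lines with the changes suggested in the thread
# (custom port plus 'http 0.0.0.0 0.0.0.0 outside', and 'dhcpd dns').
CONFIG_AFTER = """\
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
dhcpd dns 192.168.1.5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
"""

# Constructed: custom port, but outside management kept to the single
# source address the original config already trusted.
CONFIG_HARDENED = """\
http server enable 4443
http 192.168.1.0 255.255.255.0 inside
http 174.54.14.72 255.255.255.255 outside
dhcpd dns 192.168.1.5
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
"""

SERVER_RE = re.compile(r"^http server enable(?: (\d+))?$")
ALLOW_RE = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse(config):
    """Pull the management port, the 'http <net> <mask> <iface>' entries
    and the DHCP settings out of config text. Returns a plain dict."""
    info = {"http_port": None, "http_allow": [], "dhcpd_dns": [],
            "dhcpd_enabled": False}
    for raw in config.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            # 'http server enable' with no port means the default HTTPS port 443
            info["http_port"] = int(m.group(1) or 443)
            continue
        m = ALLOW_RE.match(line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            info["http_allow"].append((net, m.group(3)))
            continue
        if line.startswith("dhcpd dns "):
            info["dhcpd_dns"].extend(line.split()[2:])
        elif line.startswith("dhcpd enable "):
            info["dhcpd_enabled"] = True
    return info


def findings(config):
    """Return (severity, message) tuples for the checks the thread raised."""
    info = parse(config)
    out = []
    if info["dhcpd_enabled"] and not info["dhcpd_dns"]:
        out.append(("warn", "dhcpd enabled without 'dhcpd dns': clients get no "
                            "DNS server and cannot resolve internal names"))
    for net, iface in info["http_allow"]:
        if iface != "outside":
            continue
        if net.prefixlen == 0:
            out.append(("high", f"HTTPS/ASDM management on port {info['http_port']} "
                                f"is reachable from any source on outside"))
        else:
            out.append(("info", f"HTTPS/ASDM management on port {info['http_port']} "
                                f"limited to {net} on outside"))
    return out


def severities(config):
    """Just the severity labels, in config order, for quick comparison."""
    return [sev for sev, _ in findings(config)]


if __name__ == "__main__":
    for name, cfg in [("before", CONFIG_BEFORE), ("after", CONFIG_AFTER),
                      ("hardened", CONFIG_HARDENED)]:
        print(f"== {name} ==")
        for sev, msg in findings(cfg):
            print(f"  [{sev}] {msg}")
```

Run as-is it prints one block per excerpt. The point of the third excerpt is the caveat a practitioner would raise about `http 0.0.0.0 0.0.0.0 outside`: it lets any address on the internet reach the ASDM login page, whereas the posted config already limited outside management to 174.54.14.72/32, and keeping that entry while changing only the port keeps the exposure where it was. The thread's other option, VPN in and manage 192.168.1.1 on the inside interface, avoids exposing the management service on the outside at all. Note also that the posted config forwards outside port 443 (https) to 192.168.1.5 with a static, which is one reason the management port has to be something other than 443.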
balinton (Author) commented:
All is working well now, thank you both for your time. On to the next hurdle.. :)
0
Pete Long (Technical Consultant) commented:
:) ThanQ
0