Solved

Cisco ASA 5505 firewall windows 2008 Web server Configuration

Posted on 2010-08-26
704 Views
Last Modified: 2012-05-10
I just got a Windows 2008 dedicated server from godaddy with plesk control panel and an ASA 5505 Cisco Firewall and I have no clue what I am doing when it comes to the ASA 5505. I am looking for some expert advice on how to set this up to allow web traffic to get to my webpages and allow FTP traffic from me to be able to manage my sites. So what is the most secure way to obtain this goal? Do I need to setup a DMZ and more importantly how do I implement it? Can anyone offer step by step instructions?
: Saved
:
ASA Version 8.0(4)
!
terminal width 511
hostname asa5505
domain-name MyWebServer.secureserver.net
enable password wvik82LJVAqZxScq encrypted
passwd wvik82LJVAqZxScq encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.40.187 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name MyWebServer.secureserver.net
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq 42
access-list outside_access_in extended permit udp any any eq nameserver
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 465
access-list outside_access_in extended permit tcp any any eq 587
access-list outside_access_in extended permit tcp any any eq 995
access-list outside_access_in extended permit tcp any any eq 993
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 8443
access-list outside_access_in extended permit tcp any any eq 2006
access-list outside_access_in extended permit tcp any any eq 8447
access-list outside_access_in extended permit tcp any any eq 9999
access-list outside_access_in extended permit tcp any any eq 2086
access-list outside_access_in extended permit tcp any any eq 2087
access-list outside_access_in extended permit tcp any any eq 2082
access-list outside_access_in extended permit tcp any any eq 2083
access-list outside_access_in extended permit tcp any any eq 2096
access-list outside_access_in extended permit tcp any any eq 2095
access-list outside_access_in extended deny tcp any any eq telnet
access-list outside_access_in extended permit tcp any any eq smtp
access-list outside_access_in extended deny tcp any any eq imap4
access-list outside_access_in extended deny tcp any any eq 1433
access-list outside_access_in extended deny tcp any any eq 3306
access-list outside_access_in extended deny tcp any any eq 9080
access-list outside_access_in extended deny tcp any any eq 9090
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any any
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255
static (inside,outside) xxx.xxx.42.90 10.0.0.1 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.40.254 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.42.254 1
route outside 0.0.0.0 255.255.255.0 xxx.xxx.40.254 1
route outside 0.0.0.0 255.255.255.0 xxx.xxx.42.254 1
route outside 192.168.101.3 255.255.255.255 xxx.xxx.40.254 1
route outside 192.168.101.3 255.255.255.255 xxx.xxx.42.254 1
route outside 192.168.105.3 255.255.255.255 xxx.xxx.40.254 1
route outside 192.168.105.3 255.255.255.255 xxx.xxx.42.254 1
route outside 192.168.109.3 255.255.255.255 xxx.xxx.40.254 1
route outside 192.168.109.3 255.255.255.255 xxx.xxx.42.254 1
route outside 208.109.96.4 255.255.255.255 xxx.xxx.42.254 1
route outside 208.109.188.4 255.255.255.255 xxx.xxx.42.254 1
route outside 216.69.160.4 255.255.255.255 xxx.xxx.42.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xjx7n1f password Sh2RQ/0T/2KNw4aE encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:75a021e5cdc7dee9170de07fccaa93a8
: end
asdm image disk0:/asdm-613.bin
asdm history enable

Question by:jonesy_33
7 Comments

LVL 4

Accepted Solution

by:mpickreign earned 500 total points
ID: 33535614
Based on the topography you have described there is no need for a DMZ. A DMZ is typically only used as a medium security zone when there is also a high security zone in play. Such as an office that wants to offer public email and web services (medium security in the DMZ), and then also has internal domain and file servers that they do not want external access to.  However, in the scenario you have laid out a DMZ would offer no additional security.

Currently there is nothing in this firewall that needs to be changed to accomplish what you are asking. I might however suggest removing access to any ports that are not needed. The "access-list outside_access_in" lines show you what ports are currently open to external access. They can be removed by entering config mode and prefixing the no command to the given access-list command.
Example: To remove the first access-list line allowing ftp-data

asa5505# configure terminal
asa5505(config)# no access-list outside_access_in extended permit tcp any any eq ftp-data
asa5505(config)# exit

To save your changes you need to write the configuration to memory.
Example:
asa5505# write memory

I would also remove the following line as it is redundant and malformed (this can again be done by entering config mode and prefixing the statement with the no command).
static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255
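To audit the ACL the way the answer above suggests (find every permit rule open to 'any', generate the 'no access-list' removal commands, and leave only the web ports public), here is an added Python example that is not from this thread or from Cisco. The public-service set, the admin-only port set, the host-scoped replacement rules and the 198.51.100.7 admin address are assumptions.

```python
import re

# Constructed sample: a few of the outside_access_in lines from the posted config,
# plus one host-scoped line to show that scoped rules are left alone.
SAMPLE_ACL = """\
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq pop3
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 8443
access-list outside_access_in extended deny tcp any any eq telnet
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp host 198.51.100.7 any eq ssh
"""

# ASA 8.0 extended ACL line: src/dst are 'any', 'host A.B.C.D' or 'A.B.C.D MASK';
# an optional 'eq PORT' names the destination port.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|\S+ \S+)(?: eq (?P<port>\S+))?"
)
PUBLIC_OK = {"www", "https"}  # assumption: only the web site must be reachable by anyone
MGMT = {"ftp", "ftp-data", "ssh", "3389", "8443", "8447"}  # assumption: admin-only services

def parse(text):
    """Return one dict per ACL line that matches the pattern above."""
    return [m.groupdict() for m in (ACL_RE.match(ln.strip()) for ln in text.splitlines()) if m]

def audit(text, admin_host):
    """Return (removal_cmds, replacement_cmds, findings): each 'permit ... any any' rule
    that is not a public web service gets a 'no' command (the answer's method), and
    admin-only ports also get a replacement rule scoped to admin_host (an assumption)."""
    removals, replacements, findings = [], [], []
    for r in parse(text):
        if r["action"] != "permit" or r["src"] != "any" or r["proto"] == "icmp":
            continue  # deny lines, already-scoped sources and the ICMP reply rules stay
        port, base = r["port"], f"access-list {r['name']} extended permit {r['proto']}"
        if port is None:  # e.g. 'permit ip any any': every port is open
            removals.append(f"no {base} any any")
            findings.append(f"{r['proto']} is open to any on every port")
        elif port not in PUBLIC_OK:
            removals.append(f"no {base} any any eq {port}")
            if port in MGMT:
                findings.append(f"management port {port} is open to any")
                replacements.append(f"{base} host {admin_host} any eq {port}")
    return removals, replacements, findings

if __name__ == "__main__":
    rem, rep, fnd = audit(SAMPLE_ACL, "198.51.100.7")
    print("\n".join(["configure terminal", *rem, *rep, "exit", "write memory"] + fnd))
```

Feed it the access-list lines from a pasted show running-config and review the generated commands before pasting them back, since a line the control panel depends on (8443 for Plesk here) will stop working for everyone but the admin host.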

Author Comment

by:jonesy_33
ID: 33536196
mpickreign,

Thanks for the quick response. So if I understand what you are saying, then I should not have a problem connecting using my ftp client, right? But I cannot. Do you have any ideas why this might be?

To remove access lists, should I use the command line interface and then just take any of the access-list lines that I want to restrict and add no to them?

Regarding the redundant line static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255, should I use the command line interface for this too? And would I just enter "no static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255"?
LVL 4

Expert Comment

by:mpickreign
ID: 33536430
With the ftp issue I would start by removing the redundant static line. Use the client and enter the command just as you typed it.

no static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255

I would also remove all but the first "route outside" statement using the same syntax. All but the first are either incorrect or redundant and can only cause problems. The only one to keep is
"route outside 0.0.0.0 0.0.0.0 xxx.xxx.40.254 1"

Save the config, then for good measure reboot the firewall by issuing the reload command. If you still have ftp issues after that, make sure your ftp is turned on on the server and that the Windows internal firewall is not blocking the port.

"To remove access lists should I use the command line interface then just take any of the acccess-list that I want to restrict and add no to it?"

Yes, this will remove the access-list from the config and effectively block access to that given port.
LVL 4

Expert Comment

by:mpickreign
ID: 33536489
One more thing I just noticed.

Your outside interface is xxx.xxx.40.187/24.

xxx.xxx.42.90 is mapped to your internal 10.0.0.1 (Which I am assuming is your 2008 server.)


Is xxx.xxx.42.90 assigned to you by the hosting vendor?  If so is it routed to the xxx.xxx.40.187/24 address?

Author Comment

by:jonesy_33
ID: 33549624
Yes, xxx.xxx.42.90 is the outside address of my 2008 server. I am not sure what the xxx.xxx.40.187/24 is or why xxx.xxx.42.90 is mapped to it. What line in the config are you referring to?
LVL 4

Expert Comment

by:mpickreign
ID: 33566610
Sorry for the delay.  Let me know if you have already solved your problem.

xxx.xxx.40.187/24 is the outside address of the ASA as shown on line 21.

Is xxx.xxx.42.90 actually physically assigned to the ethernet card in the 2008 server, or do you want the ASA to NAT it? Right now it appears that the ASA is doing NAT and the actual physical address of the 2008 server is 10.0.0.1. This is a totally acceptable configuration; it's just that the config has elements of both NATting and not NATting, so I want to make sure what the intent is so that I'm not steering you in the wrong direction.

Author Closing Comment

by:jonesy_33
ID: 33566771

Thank you for all of your responses. Everything is up and working fine. I think the biggest was me and my lack of knowledge with the ASA 5505 and IIS 7.