
Cisco ASA 5505 firewall windows 2008 Web server Configuration

Posted on 2010-08-26
Last Modified: 2012-05-10
I just got a Windows 2008 dedicated server from GoDaddy with the Plesk control panel and an ASA 5505 Cisco firewall, and I have no clue what I am doing when it comes to the ASA 5505. I am looking for some expert advice on how to set this up to allow web traffic to get to my web pages and allow FTP traffic from me so I can manage my sites. So what is the most secure way to achieve this goal? Do I need to set up a DMZ and, more importantly, how do I implement it? Can anyone offer step-by-step instructions?
: Saved
:
ASA Version 8.0(4) 
!
terminal width 511
hostname asa5505
domain-name MyWebServer.secureserver.net
enable password wvik82LJVAqZxScq encrypted
passwd wvik82LJVAqZxScq encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.40.187 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name MyWebServer.secureserver.net
access-list outside_access_in extended permit tcp any any eq ftp-data 
access-list outside_access_in extended permit tcp any any eq ftp 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_access_in extended permit tcp any any eq 42 
access-list outside_access_in extended permit udp any any eq nameserver 
access-list outside_access_in extended permit tcp any any eq domain 
access-list outside_access_in extended permit udp any any eq domain 
access-list outside_access_in extended permit tcp any any eq www 
access-list outside_access_in extended permit tcp any any eq pop3 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 465 
access-list outside_access_in extended permit tcp any any eq 587 
access-list outside_access_in extended permit tcp any any eq 995 
access-list outside_access_in extended permit tcp any any eq 993 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list outside_access_in extended permit tcp any any eq 8443 
access-list outside_access_in extended permit tcp any any eq 2006 
access-list outside_access_in extended permit tcp any any eq 8447 
access-list outside_access_in extended permit tcp any any eq 9999 
access-list outside_access_in extended permit tcp any any eq 2086 
access-list outside_access_in extended permit tcp any any eq 2087 
access-list outside_access_in extended permit tcp any any eq 2082 
access-list outside_access_in extended permit tcp any any eq 2083 
access-list outside_access_in extended permit tcp any any eq 2096 
access-list outside_access_in extended permit tcp any any eq 2095 
access-list outside_access_in extended deny tcp any any eq telnet 
access-list outside_access_in extended permit tcp any any eq smtp 
access-list outside_access_in extended deny tcp any any eq imap4 
access-list outside_access_in extended deny tcp any any eq 1433 
access-list outside_access_in extended deny tcp any any eq 3306 
access-list outside_access_in extended deny tcp any any eq 9080 
access-list outside_access_in extended deny tcp any any eq 9090 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any source-quench 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
access-list inside_access_in extended permit ip any any 
no pager
logging enable
logging timestamp
logging buffered warnings
logging history warnings
logging asdm notifications
logging queue 500
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255 
static (inside,outside) xxx.xxx.42.90 10.0.0.1 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.40.254 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.42.254 1
route outside 0.0.0.0 255.255.255.0 xxx.xxx.40.254 1
route outside 0.0.0.0 255.255.255.0 xxx.xxx.42.254 1
route outside 192.168.101.3 255.255.255.255 xxx.xxx.40.254 1
route outside 192.168.101.3 255.255.255.255 xxx.xxx.42.254 1
route outside 192.168.105.3 255.255.255.255 xxx.xxx.40.254 1
route outside 192.168.105.3 255.255.255.255 xxx.xxx.42.254 1
route outside 192.168.109.3 255.255.255.255 xxx.xxx.40.254 1
route outside 192.168.109.3 255.255.255.255 xxx.xxx.42.254 1
route outside 208.109.96.4 255.255.255.255 xxx.xxx.42.254 1
route outside 208.109.188.4 255.255.255.255 xxx.xxx.42.254 1
route outside 216.69.160.4 255.255.255.255 xxx.xxx.42.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL 
http server enable
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xjx7n1f password Sh2RQ/0T/2KNw4aE encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:75a021e5cdc7dee9170de07fccaa93a8
: end
asdm image disk0:/asdm-613.bin
asdm history enable


Question by:jonesy_33
7 Comments
 
LVL 4

Accepted Solution

by:
mpickreign earned 500 total points
ID: 33535614
Based on the topology you have described, there is no need for a DMZ. A DMZ is typically only used as a medium-security zone when there is also a high-security zone in play, such as an office that wants to offer public email and web services (medium security in the DMZ) and also has internal domain and file servers that it does not want external access to. However, in the scenario you have laid out, a DMZ would offer no additional security.

Currently there is nothing in this firewall that needs to be changed to accomplish what you are asking. I might, however, suggest removing access to any ports that are not needed. The "access-list outside_access_in" lines show you which ports are currently open to external access. They can be removed by entering config mode and prefixing the given access-list command with the no command.
Example: To remove the first access-list line, the one allowing ftp-data:

asa5505# configure terminal
asa5505(config)# no access-list outside_access_in extended permit tcp any any eq ftp-data
asa5505(config)# exit

To save your changes you need to write the configuration to memory.
Example:
asa5505# write memory

I would also remove the following line, as it is redundant and malformed (this can again be done by entering config mode and prefixing the statement with the no command):
static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255
 

Author Comment

by:jonesy_33
ID: 33536196
mpickreign,

Thanks for the quick response. So if I understand what you are saying, I should not have a problem connecting using my FTP client, right? But I cannot. Do you have any ideas why this might be?

To remove access lists, should I use the command line interface and then just take any of the access-list lines that I want to restrict and add no to them?

Regarding the redundant line static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255, should I use the command line interface for this too? And would I just enter "no static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255"?
 
LVL 4

Expert Comment

by:mpickreign
ID: 33536430
With the FTP issue, I would start by removing the redundant static line. Use the client and enter the command just as you typed it:

no static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255

I would also remove all but the first "route outside" statement using the same syntax. All but the first are either incorrect or redundant and can only cause problems. The only one to keep is
"route outside 0.0.0.0 0.0.0.0 xxx.xxx.40.254 1"

Save the config, then for good measure reboot the firewall by issuing the reload command. If you still have FTP issues after that, make sure FTP is running on the server and that the Windows internal firewall is not blocking the port.

"To remove access lists, should I use the command line interface and then just take any of the access-list lines that I want to restrict and add no to them?"

Yes, this will remove the access-list from the config and effectively block access to that given port.
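Added example (not code from the thread or from either participant): a small Python script that parses the kind of running-config pasted in the question and generates the "no ..." commands the accepted answer and the follow-up describe, i.e. pruning outside_access_in permits for ports you do not need, dropping every "route outside" line after the first, and flagging the "static (outside,inside)" line. It also reports two weak settings the thread does not call out but a reviewer of this config would: management (ssh/http) allowed from 0.0.0.0 0.0.0.0 on the outside interface, and the default SNMP community. The config excerpt embedded in the script is a constructed subset of the posted config, and the function names and the keep_ports set are assumptions of mine, not ASA conventions.

```python
import re

# Constructed excerpt of the running-config pasted in the question; only the
# lines the checks below look at are kept, and the xxx.xxx address prefixes
# are the redactions exactly as they appear in the post.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.40.187 255.255.255.0
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended deny tcp any any eq telnet
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
static (outside,inside) 10.0.0.1 xxx.xxx.42.90 netmask 255.255.255.255
static (inside,outside) xxx.xxx.42.90 10.0.0.1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xxx.xxx.40.254 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.42.254 1
route outside 0.0.0.0 255.255.255.0 xxx.xxx.40.254 1
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
snmp-server community public
"""

# One "any any" ACE per line; ICMP entries carry the type without "eq".
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) "
    r"(?P<proto>tcp|udp|icmp) any any (?:eq )?(?P<port>\S+)\s*$",
    re.MULTILINE,
)
ROUTE_RE = re.compile(r"^route outside .*$", re.MULTILINE)

# Weak settings worth flagging in a config like this one (code, pattern).
MGMT_CHECKS = [
    ("mgmt-open-outside", re.compile(r"^(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 outside$", re.M)),
    ("snmp-default-community", re.compile(r"^snmp-server community (public|private)$", re.M)),
    # The thread calls this line redundant and malformed; surface it for removal.
    ("static-outside-inside", re.compile(r"^static \(outside,inside\) .*$", re.M)),
]


def parse_acl(config, name):
    """Return (action, proto, port) for every 'any any' entry of the named ACL."""
    return [(m["action"], m["proto"], m["port"])
            for m in ACL_RE.finditer(config) if m["name"] == name]


def acl_removals(config, name, keep_ports):
    """'no access-list ...' commands for tcp/udp permits whose port is not in keep_ports.

    Mirrors the accepted answer: the exact ACE prefixed with 'no' in config mode.
    Deny and ICMP entries are left alone; the ACL's implicit deny already blocks
    anything that is not explicitly permitted.
    """
    return [f"no access-list {name} extended permit {proto} any any eq {port}"
            for action, proto, port in parse_acl(config, name)
            if action == "permit" and proto in ("tcp", "udp") and port not in keep_ports]


def route_removals(config):
    """'no route ...' for every 'route outside' line except the first (the default route)."""
    lines = [m.group(0).rstrip() for m in ROUTE_RE.finditer(config)]
    return [f"no {line}" for line in lines[1:]]


def audit(config):
    """(code, offending line) pairs for the weak settings listed in MGMT_CHECKS."""
    return [(code, m.group(0).rstrip())
            for code, rx in MGMT_CHECKS for m in rx.finditer(config)]


if __name__ == "__main__":
    # Assumed intent from the question: only web and FTP reachable from outside.
    keep = {"ftp", "ftp-data", "www", "https"}
    print("! commands to paste in 'configure terminal', then 'write memory'")
    for cmd in acl_removals(SAMPLE_CONFIG, "outside_access_in", keep):
        print(cmd)
    for cmd in route_removals(SAMPLE_CONFIG):
        print(cmd)
    for code, line in audit(SAMPLE_CONFIG):
        print(f"! {code}: {line}")
```

Run it against a real "show running-config" capture in place of SAMPLE_CONFIG and review the generated commands before pasting them; the script only reconstructs the exact lines it matched, so anything it did not recognise (object groups, non-"any" sources) is left for a human to look at.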
 
LVL 4

Expert Comment

by:mpickreign
ID: 33536489
One more thing I just noticed.

Your outside interface is xxx.xxx.40.187/24.

xxx.xxx.42.90 is mapped to your internal 10.0.0.1 (Which I am assuming is your 2008 server.)


Is xxx.xxx.42.90 assigned to you by the hosting vendor?  If so is it routed to the xxx.xxx.40.187/24 address?
 

Author Comment

by:jonesy_33
ID: 33549624
Yes, xxx.xxx.42.90 is the outside address of my 2008 server. I am not sure what the xxx.xxx.40.187/24 is or why xxx.xxx.42.90 is mapped to it. What line in the config are you referring to?
 
LVL 4

Expert Comment

by:mpickreign
ID: 33566610
Sorry for the delay.  Let me know if you have already solved your problem.

xxx.xxx.40.187/24 is the outside address of the ASA, as shown on line 21.

Is xxx.xxx.42.90 actually physically assigned to the Ethernet card in the 2008 server, or do you want the ASA to NAT it? Right now it appears that the ASA is doing NAT and the actual physical address of the 2008 server is 10.0.0.1. This is a totally acceptable configuration; it's just that the config has elements of both NATing and not NATing, so I want to make sure what the intent is so that I'm not steering you in the wrong direction.
 

Author Closing Comment

by:jonesy_33
ID: 33566771

Thank you for all of your responses. Everything is up and working fine. I think the biggest problem was me and my lack of knowledge of the ASA 5505 and IIS 7.
