Solved

Help me sort this configuration out, please.

Posted on 2011-09-08
314 Views
Last Modified: 2012-05-12
Hi Experts,

I need help on cleaning up (if any) this configuration, and then configure it so that I can ping the gateway at 192.168.135.1 and hopefully anything beyond the gateway.

@erniebeek and fmarshall - I cleaned this up a little, just to see if I can hit the gateway of that subnet first, and then do the site-to-site VPN configuration later.  If you have time, please take a look, and let me know if you have any questions.  Thanks.

ASA Version 8.2(1)18
!
interface Vlan1
 shutdown
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.135.254 255.255.255.0
!
interface Vlan12
 description EDF Network
 nameif EDF
 security-level 100
 ip address 10.47.253.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-18-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any host 192.168.135.59 eq 5450
pager lines 24
logging enable
logging list All level informational
logging trap All
logging asdm informational
logging host outside 192.168.135.222
logging host outside 192.168.135.220
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu EDF 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
static (EDF,outside) 192.168.135.59 10.47.253.3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.135.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
prompt hostname context
: end

Question by:swgit
8 Comments
LVL 25

Expert Comment

by:Fred Marshall
ID: 36507354
Well, I'm not going to do a good job of interpreting a config file.  You might boil it down and put it in English, diagrams, etc.

But, that said, if you want to ping 192.168.135.1 then it looks like you have to be on VLAN2 in the first place.  That would work.
And, if I understand it, then this is a firewall with LAN or trust side on the 192.168.1.0 subnet.
And, if that's right, then you want to be able to see through this box from VLAN2 to VLAN1.  Is that right?

Sheesh!! that's a heck of a complicated way to describe a simple NATting router ... if that's what this is.

If this is a router/firewall and you're comfortable setting it up then I'd do this:

Go back to factory defaults.
Confirm the LAN subnet is 192.168.1.0/24.
Change the other side subnet from the default or blank to 192.168.135.0/24.
Turn on NAT/Gateway mode if you must.
Turn on Router/No NAT mode if you must ... whichever one you need.
Then you may need connection policies between the two.

But at least a simple, functioning router/firewall should be easy to set up for just the basics.
I'm not too up on devices that use the term "VLAN" for the Internet/WAN/Untrust side of the box.  Maybe it's used but it seems weird to me and maybe dangerous.
In my mind a VLAN is a separated LAN (emphasis on L=LOCAL) and that's all.  Which is not to say that it's an internet connection or anything like that.  But maybe your device is different.
LVL 15

Expert Comment

by:The_Warlock
ID: 36507396
Is there a device that is between this ASA and the Internet? Your outside interface is 131.254, yet your outside default route shows 135.1 with no static route to it? What gives?
Also, as a side note, you have two or more interfaces with the same security level and yet no same-security traffic permit statement in place to allow even trusted traffic flow? Please, let us know.
LVL 15

Expert Comment

by:The_Warlock
ID: 36507402
Correction, typo from above: * 135.254
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36508767
First of all I'm missing:
nat (EDF) 1 10.47.253.1 255.255.255.0

Second, let's permit icmp through:
access-list outside_access_in extended permit icmp any any

Third, let's add some inspection:

class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect icmp
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

This is the inspection map that should be there by default.
Let's see where that gets us.

And remember, as long as you don't commit the changes to memory (write mem) you can easily roll back by doing a reload.
LVL 1

Author Comment

by:swgit
ID: 36513097
@fmarshall - Thank you.  I wish I had the luxury to redo it from scratch.  I come from a sys admin background, and only know the very basics on the network side when it comes to routers/firewalls.  However, I'm tasked to get this to work, so I just have to do it.

@The_Warlock - Yes, this ASA is inside an MPLS, and I eventually want to have VPN traffic go through it to a WAN link on 10.1.2.1, then 10.1.1.1, and then go outside to the Internet.  As to what is there on each interface, I will need help on how they can be secured, and such.  I'm still finding out and reading about those.

@erniebeek - Thanks much for your help.  That did the trick.  I do have a question though, related to your post.  What does the first line "nat (EDF) 1 10.47.253.1 255.255.255.0" do?  The second suggestion is to allow ping from any hosts to any destinations?  And the third part, I'll read into it.  I appreciate your help, and letting me know what that first line is for.  Thanks.
LVL 35

Expert Comment

by:Ernie Beek
ID: 36513694
To do NAT, there are two commands in place:
nat (interface) x range: this defines where you do the NAT from, i.e. from what interface and from what range on that interface.
global (interface) x range/ip: this defines where you NAT to, i.e. to what interface and to which ip/range (or the ip on the interface).

The second is to allow icmp back in to the outside interface (this could be locked down a bit more), where it goes depends on what is allowed in the rest of the config.

For the third, happy reading :)
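An added example, not from anyone in this thread, that checks an ASA 8.2-style configuration for the conditions discussed above: nat-control enabled while an interface has no nat statement (the cause of the original problem), a nat id with no matching global, and the broad management and icmp permits the answers mention as candidates for tightening. The sample config is condensed from the one posted in the question plus the icmp line from the accepted answer; the function name is my own.

```python
import re

# Constructed sample: condensed from the posted config, plus the suggested icmp rule.
ASA_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
interface Vlan12
 nameif EDF
 security-level 100
access-list outside_access_in extended permit icmp any any
nat-control
global (outside) 1 interface
static (EDF,outside) 192.168.135.59 10.47.253.3 netmask 255.255.255.255
http 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
"""

def audit_asa82(config):
    """Return a list of human-readable findings for an ASA 8.2-style config."""
    names, current, findings = [], None, []
    nats, global_ids, global_ifaces, nat_control = {}, set(), set(), False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.startswith("nameif ") and current:
            names.append(line.split()[1])          # logical interface name
        elif line == "nat-control":
            nat_control = True
        elif m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nats.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            global_ifaces.add(m.group(1)); global_ids.add(int(m.group(2)))
        elif m := re.match(r"(http|telnet|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            findings.append(f"{m.group(1)} management open to any source on {m.group(2)}")
        elif re.match(r"access-list \S+ extended permit icmp any any$", line):
            findings.append("icmp permitted from any to any; restrict source and icmp type")
    natted = set().union(*nats.values()) if nats else set()
    if nat_control:
        # With nat-control, untranslated traffic from an interface is dropped.
        for ifname in names:
            if ifname not in global_ifaces and ifname not in natted:
                findings.append(f"nat-control on but no 'nat ({ifname}) <id> ...' statement; "
                                f"traffic from {ifname} will be dropped")
    for nat_id in sorted(nats):
        if nat_id not in global_ids:
            findings.append(f"nat id {nat_id} has no matching global")
    return findings
```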
LVL 1

Author Closing Comment

by:swgit
ID: 36513809
Thanks. :)
LVL 35

Expert Comment

by:Ernie Beek
ID: 36513913
My pleasure :)
Thx for the points.