Create an access rule on an ASA 5505 firewall

Hi guys,

I have a vendor that needs access to my network. He provided me with a static IP address and an internal IP address. Can I get a step-by-step on how to create this access rule, please? I am new to firewalls.

Thanks in advance.
vmaganAsked:

SuperTacoCommented:
Is he trying to create a site-to-site VPN? If not, just use the ASDM if you're not comfortable with the CLI yet. Select a new access rule, and allow the public IP of the vendor to access the inside IP of the device on your network. Then create a NAT rule.

This is a good example using the ASDM.

http://www.gregledet.net/?p=537

This should give you some insight into the CLI:

http://serverfault.com/questions/39354/create-nat-rule-and-security-policies-for-port-443-80-on-a-cisco-asa-5510

Let me know if you need any help getting ASDM up and running. It should be at https://<IP of firewall>. If not, I can give you the commands to enable it.
0
vmaganAuthor Commented:
I do use ASDM and they have other devices that already access our network. Now he has another device and he needs that IP address to be allowed access to our network via TCP port 2000.
0
vmaganAuthor Commented:
Can I just have port 2000 forwarded to that IP address for a specific source?
0

SuperTacoCommented:
Yup, that's what the examples are showing you.
0
vmaganAuthor Commented:
Yeah, I tried it and it's still not working.

10.156.72.130 is the IP address of the machine
255.255.255.0 is the subnet
10.156.72.254 is the gateway
10.156.72.141 is the DNS
Only TCP port 2000 is required.

I set up a network object with the IP address 10.156.72.130 and mask 255.255.255.255,

although he wanted me to put a mask of 255.255.255.0 and it doesn't let me.

Then I created an access rule for inside that says source "any" and destination of the new "network object" which has the information of 10.156.72.130.

I am trying to access my internal network to view cameras via a webpage.
0
vmaganAuthor Commented:
Anyone else able to help out there?
0
vmaganAuthor Commented:
The issue I might be having is that I need to get that mask changed to 255.255.255.0.
0
lruiz52Commented:
10.156.72.130 is in the private range, so if the vendor wants to access your network with that subnet you have to set up a site-to-site VPN. You could ask him to give you an external IP and set up an access rule such as outside_access_in.
0
vmaganAuthor Commented:
All that is already set up. They have a camera system installed and need to access the camera from a web page. There already are network objects, NATs, and access rules on the firewall for this camera system. I just can't get it so that I can access that page from the outside.
0
lruiz52Commented:
Post your config. If the site-to-site VPN is set up and the rules are in place, the vendor should be able to access it.
0
vmaganAuthor Commented:
: Saved
:
ASA Version 8.2(1)
!
hostname testingASA
enable password IODISN12433mfRw9ughLKLn encrypted
passwd IODISN12433mfRw9ughLKLn encrypted
names
name 10.226.72.141 TestServer description Server
name 14.99.137.803 TestMail
name 10.34.95.0 2ndsite
name 192.168.144.4 IntegratedSolar_Cam
name 192.168.144.2 IntegratedSolar_Meter
name 24.89.137.204 IntegratedSolar_MeterPublic
name 24.89.137.205 IntegratedSolar_CamPublic
name 209.124.57.141 IntegratedSolar_Public
name 10.226.73.0 VPN_Pool
name 10.226.72.194 Reynolds1
name 208.67.222.222 OpenDNS1
name 208.67.220.220 OpenDNS2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.226.72.140 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.89.137.202 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group service IntSolar tcp
 port-object eq 9999
object-group network OpenDNS_Servers
 network-object host OpenDNS2
 network-object host OpenDNS1
access-list inside_access_in extended permit 53 10.226.72.0 255.255.255.0 object-group OpenDNS_Servers
access-list inside_access_in extended deny 53 10.226.72.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.226.72.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host PublicMail eq smtp
access-list outside_access_in extended permit tcp any host PublicMail eq https
access-list outside_access_in extended permit ip host IntegratedSolar_Public host IntegratedSolar_MeterPublic
access-list outside_access_in extended permit ip any host IntegratedSolar_CamPublic
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list inside_access_out extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.226.72.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit ip host Reynolds1 10.226.73.12 255.255.255.252
access-list 3000client_splitTunnelAcl standard permit 10.226.72.0 255.255.255.0
access-list 3000client_splitTunnelAcl_1 standard permit 10.226.72.0 255.255.255.0
access-list 4000client_splitTunnelAcl standard permit 10.226.72.0 255.255.255.0
access-list 5000client_splitTunnelAcl standard permit host Reynolds1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ip_pool 10.226.73.106-10.226.73.120
ip local pool pool 10.226.73.121-10.226.73.124
ip local pool test 192.168.0.1-192.168.0.2
ip local pool Vendor 10.226.73.12-10.226.73.15
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.226.72.0 255.255.255.0
static (inside,outside) IntegratedSolar_CamPublic IntegratedSolar_Cam netmask 255.255.255.255
static (inside,outside) PublicMail Hummer1 netmask 255.255.255.255
static (inside,outside) IntegratedSolar_MeterPublic IntegratedSolar_Meter netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.89.137.201 1
route inside 2ndsite 255.255.255.0 10.226.72.254 1
route inside 192.168.10.0 255.255.255.248 10.226.72.254 1
route inside 192.168.144.0 255.255.255.240 10.226.72.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN protocol radius
aaa-server VPN (inside) host Hummer1
 timeout 5
 key Main5treet
http server enable
http 10.226.72.0 255.255.255.0 inside
http VPN_Pool 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.226.72.0 255.255.255.0 inside
telnet VPN_Pool 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns OpenDNS1 OpenDNS2
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy 3000client internal
group-policy 3000client attributes
 wins-server value 10.226.72.141
 dns-server value 10.226.72.141
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 3000client_splitTunnelAcl_1
 default-domain value local.hummerofmahwah.com
group-policy 4000client internal
group-policy 4000client attributes
 wins-server value 10.226.72.141
 dns-server value 10.226.72.141
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 4000client_splitTunnelAcl
 default-domain value local.hummerofmahwah.com
group-policy 5000client internal
group-policy 5000client attributes
 wins-server value 10.226.72.141
 dns-server value 10.226.72.141
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 5000client_splitTunnelAcl
 default-domain value local.hummerofmahwah.com
username test password OfCuqCU3M7LdNRMg encrypted
username test password k0Y4DjhyuiksfefdafeasrsMOJuHWOxM5x encrypted privilege 0
username test attributes
 vpn-group-policy 5000client
tunnel-group 3000client type remote-access
tunnel-group 3000client general-attributes
 address-pool ip_pool
 default-group-policy 3000client
tunnel-group 3000client ipsec-attributes
 pre-shared-key *
tunnel-group 4000client type remote-access
tunnel-group 4000client general-attributes
 address-pool pool
 authentication-server-group VPN
 default-group-policy 4000client
tunnel-group 4000client ipsec-attributes
 pre-shared-key *
tunnel-group 5000client type remote-access
tunnel-group 5000client general-attributes
 address-pool Vendor
 default-group-policy 5000client
tunnel-group 5000client ipsec-attributes
 pre-shared-key *
!
class-map TCP-BYPASS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
policy-map TCP-BYPASS
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ce6b1744d5260cfbc917fae7e4dbc5ca
: end
asdm location TestServer 255.255.255.255 inside
asdm location TestMail 255.255.255.255 inside
asdm location 2ndsite 255.255.255.0 inside
asdm location VPN_Pool 255.255.255.0 inside
asdm location Reynolds1 255.255.255.255 inside
asdm location OpenDNS2 255.255.255.255 inside
asdm location OpenDNS1 255.255.255.255 inside
no asdm history enable
0
vmaganAuthor Commented:
10.226.72.130 is the address that we are trying to reach from the outside on port 2080. It was port 2000 before, but we changed it to 2080.
0
lruiz52Commented:
So if you want to access 10.226.72.30 from the outside you need to create a static NAT for this:
static (inside,outside) 24.89.137.xx 10.226.72.30 netmask 255.255.255.255

Then you create an access rule (the host keyword takes no netmask, and the port must be the one you are publishing):
access-list outside_access_in extended permit tcp any host 24.89.137.xx eq 2080

Or you can port forward your external address:
static (inside,outside) tcp interface 2080 10.226.72.30 2080 netmask 255.255.255.255 0 0
access-list outside_access_in extended permit tcp any host 24.89.137.202 eq 2080
0
vmaganAuthor Commented:
Can you walk me through doing it with the GUI?
0
SuperTacoCommented:
Use the links I sent you earlier for the ASDM.  You will have to do it from the Firewall section.  Create a NAT rule and an access rule.  The public IP will be attached to your outside interface, private to the inside.  If it's a newer 5505, there should be a wizard you can use.  
0
vmaganAuthor Commented:
I tried many times with no luck.
0
lruiz52Commented:
Here you go, try this.

1. Open ASDM and connect to your ASA.
2. At the top of the screen, click on the "Configuration" button.
3. At the bottom left of the screen click on "Firewall".
4. On the top left of the screen click on "NAT Rules".
5. Click on Add, select Network Object.
6. Type the following:
      Name:      CAMServer
      Type:      Host
      IP:      10.226.72.30
      Desc:      Camera Server
7. Check the "Add Automatic Address Translation Rule" box:
      Type:      Static
      Translation Addr:      Outside
8. Click the "Advanced" button:
      Source interface:      inside
      Destination interface:      outside
      Protocol:      tcp
      Real port:      2080
      Mapped port:      2080
9. Click OK, then OK again.

10. On the top left of the screen click on "Access Rules".
11. Click on Add, select "Add Access Rule":
      Interface:      outside
      Action:      any
      Destination:      CAMServer
      Service:      tcp/2080
      Description:      CAM Access
12. Click OK, then Send.

That should be it; let me know if it works for you.
0
vmaganAuthor Commented:
OK, I'll try as soon as I get back home and give you an update.
0
vmaganAuthor Commented:
Once I click on NAT Rules I don't have Network Objects; I can add a dynamic or static rule, if that is what you mean. I already have a network object for the device which has this information: name: Cam, IP: 10.226.72.130 with a mask of 255.255.255.255.

I already set up the access rule but am a little confused about the NAT rule. [screenshot attached: ASA NAT Rule]
0
SuperTacoCommented:
Simply create another object for the CAM IP public and give it the public IP of the camera. Original is usually outside.
0
vmaganAuthor Commented:
OK, so Original:
interface: outside, and source: public IP of the cam.

Translated:
interface: outside
Use IP address or use interface IP address? If I choose "use IP address", what do I select for the IP? The cam's internal IP?

Do I have to enable PAT?
0
lruiz52Commented:
Yes, enable PAT and enter the port you want to translate (2080).
0
vmaganAuthor Commented:
I did put 2080 and it's still no good.
0
lruiz52Commented:
Did you create the access rule? Step 10.
0
vmaganAuthor Commented:
Yes I did; I will double-check it now.
0
vmaganAuthor Commented:
Here is what I have done. Please tell me what I am doing wrong.

[screenshots attached: access rule, Network Object, NAT Rule]
0
vmaganAuthor Commented:
I made some changes. [screenshots attached: NAT rule, network object, network object 2]
0
vmaganAuthor Commented:
Let me know if the NAT rule is correct. Did I use the correct external IP address?

Thanks in advance.
0
vmaganAuthor Commented:
Anyone?
0
vmaganAuthor Commented:
How can I create the port forwarding?

lruiz52 wrote:
Or you can port forward your external address:
static (inside,outside) tcp interface 2080 10.226.72.30 2080 netmask 255.255.255.255 0 0
access-list outside_access_in extended permit tcp any host 24.89.137.202 eq 2080

Can I get some clarification on this? Also, do I do this port forwarding instead of the access rule?
0
shareditCommented:
Do you know how to get into the command line interface?  Can you telnet to the ASA?

These are the commands you need to use:

#enable
#Config T
#access-list outside_access_in extended permit tcp ((This should be "Any," or a specific source IP)) host ((use the public IP you want to use, or its name)) eq 2080
#static (inside,outside) tcp 24.89.137.202 2080 10.156.72.130 2080 netmask 255.255.255.255

Examples:
access-list outside_access_in extended permit tcp any host PublicMail eq 2080
access-list outside_access_in extended permit tcp host 1.1.1.1 host PublicMail eq 2080
access-list outside_access_in extended permit tcp any host 24.89.137.202 eq 2080
access-list outside_access_in extended permit tcp host 1.1.1.1 host 24.89.137.202 eq 2080

static (inside,outside) tcp 24.89.137.202 2080 10.156.72.130 2080 netmask 255.255.255.255
static (inside,outside) tcp publicMail 2080 10.156.72.130 2080 netmask 255.255.255.255

I notice you have more than one public IP address; make sure your public IPs match in your ACL and static statements.

So you are really only adding two lines. Does this make sense? Using the command line is much quicker.
0
vmaganAuthor Commented:
I will try that when I get home. What if it's a DDNS name instead of an external IP?
0
shareditCommented:
If what is a DDNS?

I don't think you can reference a DNS name in the ASA. I think you may be able to in the most recent IOS, using a network object.
0
vmaganAuthor Commented:
The device that they are adding I believe is pointing to a DynDNS address. I do have the option to add a network object on the ASA.
0
vmaganAuthor Commented:
When I put in the static address information I got an error message that reads "invalid host name".

I used 24.89.137.202

for both the access rule and the static.
0
shareditCommented:
Show me the commands you used. My initial guess would be that you mistyped it.
0
vmaganAuthor Commented:
Yeah, I must have typed something wrong. Now, when I know I typed it right, I get an error that says:

ASA(config)# static (inside,outside) tcp 24.89.137.202 2080 10.226.72.135 2080 netmask 255.255.255.255
ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address

10.226.72.135 is the IP address of the device I am trying to reach from the outside.
0
shareditCommented:
Use interface instead of the IP address.
0
vmaganAuthor Commented:
Here is the running config.


ASA Version 8.2(1)
!
hostname ASA
enable password ******** encrypted
passwd ******** encrypted
names
name 10.226.72.141 server1 description Server
name 24.89.137.203 PublicMail
name 10.34.95.0 Buick
name 192.168.144.4 IntegratedSolar_Cam
name 192.168.144.2 IntegratedSolar_Meter
name 24.89.137.204 IntegratedSolar_MeterPublic
name 24.89.137.205 IntegratedSolar_CamPublic
name 209.124.57.141 IntegratedSolar_Public
name 10.226.73.0 VPN_Pool
name 10.226.72.194 Reynolds1
name 208.67.222.222 OpenDNS1
name 208.67.220.220 OpenDNS2
name 10.226.72.130 Security_DVR
name 24.89.137.202 Outside_Interface
name 173.225.179.141 IntegratedSolar_Public_New
name 10.226.72.135 New_Camera_System description New_Camera_System
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.226.72.140 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address Outside_Interface 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group service IntSolar tcp
 port-object eq 9999
object-group network OpenDNS_Servers
 network-object host OpenDNS2
 network-object host OpenDNS1
object-group service Security_DVR tcp
 description Security_DVR
 port-object eq 2080
access-list inside_access_in extended permit 53 10.226.72.0 255.255.255.0 object-group OpenDNS_Servers
access-list inside_access_in extended deny 53 10.226.72.0 255.255.255.0 any
access-list inside_access_in extended permit ip 10.226.72.0 255.255.255.0 any
access-list outside_access_in extended permit tcp any host PublicMail eq smtp
access-list outside_access_in extended permit tcp any host PublicMail eq https
access-list outside_access_in extended permit ip host IntegratedSolar_Public host IntegratedSolar_MeterPublic
access-list outside_access_in extended permit ip any host IntegratedSolar_CamPublic
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit ip host IntegratedSolar_Public_New host IntegratedSolar_MeterPublic
access-list outside_access_in extended permit tcp any host Outside_Interface eq 2080
access-list inside_access_out extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.226.72.0 255.255.255.0 VPN_Pool 255.255.255.0
access-list inside_nat0_outbound extended permit ip host Reynolds1 10.226.73.12 255.255.255.252
access-list 3000client_splitTunnelAcl standard permit 10.226.72.0 255.255.255.0
access-list 3000client_splitTunnelAcl_1 standard permit 10.226.72.0 255.255.255.0
access-list 4000client_splitTunnelAcl standard permit 10.226.72.0 255.255.255.0
access-list 5000client_splitTunnelAcl standard permit host Reynolds1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ip_pool 10.226.73.106-10.226.73.120
ip local pool pool 10.226.73.121-10.226.73.124
ip local pool test 192.168.0.1-192.168.0.2
ip local pool Vendor 10.226.73.12-10.226.73.15
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.226.72.0 255.255.255.0
static (inside,outside) IntegratedSolar_CamPublic IntegratedSolar_Cam netmask 255.255.255.255
static (inside,outside) PublicMail Hummer1 netmask 255.255.255.255
static (inside,outside) IntegratedSolar_MeterPublic IntegratedSolar_Meter netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.89.137.201 1
route inside Buick 255.255.255.0 10.226.72.254 1
route inside 192.168.10.0 255.255.255.248 10.226.72.254 1
route inside 192.168.144.0 255.255.255.240 10.226.72.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN protocol radius
aaa-server VPN (inside) host Server1
 timeout 5
 key
http server enable
http 10.226.72.0 255.255.255.0 inside
http VPN_Pool 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.226.72.0 255.255.255.0 inside
telnet VPN_Pool 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns OpenDNS1 OpenDNS2
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy 3000client internal
group-policy 3000client attributes
 wins-server value 10.226.72.141
 dns-server value 10.226.72.141
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 3000client_splitTunnelAcl_1
 default-domain value local.server.com
group-policy 4000client internal
group-policy 4000client attributes
 wins-server value 10.226.72.141
 dns-server value 10.226.72.141
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 4000client_splitTunnelAcl
 default-domain value local.hummerofmahwah.com
group-policy 5000client internal
group-policy 5000client attributes
 wins-server value 10.226.72.141
 dns-server value 10.226.72.141
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 5000client_splitTunnelAcl
 default-domain value local.server.com
username test password ****** encrypted privilege 15
username *** password *** encrypted
username *** password *** encrypted privilege 0
username *** attributes
 vpn-group-policy 5000client
username *** password ***** encrypted privilege 15
tunnel-group 3000client type remote-access
tunnel-group 3000client general-attributes
 address-pool ip_pool
 default-group-policy 3000client
tunnel-group 3000client ipsec-attributes
 pre-shared-key *
tunnel-group 4000client type remote-access
tunnel-group 4000client general-attributes
 address-pool pool
 authentication-server-group VPN
 default-group-policy 4000client
tunnel-group 4000client ipsec-attributes
 pre-shared-key *
tunnel-group 5000client type remote-access
tunnel-group 5000client general-attributes
 address-pool Vendor
 default-group-policy 5000client
tunnel-group 5000client ipsec-attributes
 pre-shared-key *
!
class-map TCP-BYPASS
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map TCP-BYPASS
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:******
: end
ASA(config)#

0
vmaganAuthor Commented:
What would be the interface? I'm sorry for the dumb questions; firewalls are not my strong point.
0
shareditCommented:
instead of:

static (inside,outside) tcp 24.89.137.202 2080 10.226.72.135 2080 netmask 255.255.255.255

try:

static (inside,outside) tcp interface 2080 10.226.72.135 2080 netmask 255.255.255.255

It looks like it may want you to use the word interface, because the .202 IP is actually assigned to the outside interface.

0
vmaganAuthor Commented:
I think we are good. Just waiting for confirmation. I am new to this, so I apologize. Quick question for you while I wait for confirmation: what exactly is this rule saying? static (inside,outside) tcp interface 2080 10.226.72.135 2080 netmask 255.255.255.255

It's easy to type what I'm given, but I don't know exactly what it's saying.

Thanks
0
shareditCommented:
It's saying: map port 2080 on the outside interface to port 2080 of IP 10.226.72.135.

(inside,outside) = destination inside, from source outside.
0
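Two points in sharedit's posts can be turned into a mechanical check rather than an eyeball one: the public IP and port in the outside_access_in entry must agree with those in the static statement, and a static PAT line of the form "static (inside,outside) tcp interface 2080 ... 2080" has a fixed reading. The script below is an added example written for this page; it is not code from the thread, from Cisco or from ASDM. It parses a saved ASA 8.2-style config (the SAMPLE_CONFIG is a constructed cut-down of the one posted above, with one ACL/static pair deliberately disagreeing on the port), pairs every outside_access_in host entry with a static NAT or PAT, reports entries with no matching translation (the poster's situation before the static was added) and translations no rule admits, and renders a static line in plain words. The function names, the Static and AclEntry records and the small port-name table are my own assumptions.

```python
"""Audit an ASA 8.2-style config: does every outside_access_in entry have a matching
static NAT/PAT, and does every static have an ACL entry that admits it?"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, cut down from the config posted in the thread. The last ACL line
# and the last static deliberately disagree on the port (80 vs 2080) so the audit has
# something to report.
SAMPLE_CONFIG = """\
name 24.89.137.203 PublicMail
name 24.89.137.202 Outside_Interface
name 10.226.72.130 Security_DVR
name 10.226.72.135 New_Camera_System description New_Camera_System
interface Vlan1
 nameif inside
 ip address 10.226.72.140 255.255.255.0
interface Vlan2
 nameif outside
 ip address Outside_Interface 255.255.255.248
access-list outside_access_in extended permit tcp any host PublicMail eq smtp
access-list outside_access_in extended permit tcp any host PublicMail eq https
access-list outside_access_in extended permit tcp any host Outside_Interface eq 2080
access-list outside_access_in extended permit tcp any host 24.89.137.205 eq http
static (inside,outside) PublicMail Hummer1 netmask 255.255.255.255
static (inside,outside) tcp interface 2080 New_Camera_System 2080 netmask 255.255.255.255
static (inside,outside) tcp 24.89.137.205 2080 Security_DVR 2080 netmask 255.255.255.255
"""

# ASA accepts service names in ACLs; normalise the few this example needs (assumed table).
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "smtp": "25", "ssh": "22"}

def norm_port(p: Optional[str]) -> Optional[str]:
    return None if p is None else PORT_NAMES.get(p, p)

@dataclass
class Static:
    proto: Optional[str]        # None = 1:1 IP static; "tcp"/"udp" = static PAT
    mapped: str                 # public address, with names and "interface" resolved
    mapped_port: Optional[str]
    real: str                   # inside host
    real_port: Optional[str]
    uses_interface: bool

@dataclass
class AclEntry:
    proto: str
    dst: str                    # destination host, names resolved
    port: Optional[str]

ACL_RE = re.compile(r"^access-list outside_access_in extended permit (\S+) .+? host (\S+)(?: eq (\S+))?$")

def parse_static(line: str, names: Dict[str, str], outside_ip: str) -> Static:
    t = line.split()[2:]        # drop "static (inside,outside)"
    if t[0] in ("tcp", "udp"):  # static PAT: proto mapped mport real rport
        proto, mapped, mport, real, rport = t[0], t[1], t[2], t[3], t[4]
    else:                       # 1:1 static: mapped real
        proto, mapped, mport, real, rport = None, t[0], None, t[1], None
    uses_if = mapped == "interface"
    mapped_ip = outside_ip if uses_if else names.get(mapped, mapped)
    return Static(proto, mapped_ip, norm_port(mport), names.get(real, real), norm_port(rport), uses_if)

def parse_config(text: str) -> Tuple[Dict[str, str], str, List[AclEntry], List[Static]]:
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    names = {t[2]: t[1] for t in (l.split() for l in lines) if t[0] == "name" and len(t) >= 3}
    outside_ip, cur = "", ""    # nameif precedes ip address inside an interface block
    for l in lines:
        t = l.split()
        if t[0] == "nameif":
            cur = t[1]
        elif t[:2] == ["ip", "address"] and cur == "outside":
            outside_ip = names.get(t[2], t[2])
    acl, statics = [], []
    for l in lines:
        m = ACL_RE.match(l)
        if m:
            acl.append(AclEntry(m.group(1), names.get(m.group(2), m.group(2)), norm_port(m.group(3))))
        elif l.startswith("static (inside,outside)"):
            statics.append(parse_static(l, names, outside_ip))
    return names, outside_ip, acl, statics

def covers(e: AclEntry, s: Static) -> bool:
    """True if ACL entry e admits the traffic that static s translates."""
    if e.dst != s.mapped:
        return False
    if s.proto is not None and e.proto not in ("ip", s.proto):
        return False
    if e.port is not None and s.proto is not None and e.port != s.mapped_port:
        return False                # PAT on one port, ACL on another: nothing gets through
    return True

def audit(text: str) -> List[str]:
    _, _, acl, statics = parse_config(text)
    findings = []
    for e in acl:
        if not any(covers(e, s) for s in statics):
            port = f" port {e.port}" if e.port else ""
            findings.append(f"ACL permits {e.proto} to {e.dst}{port} but no static NAT/PAT maps it")
    for s in statics:
        if not any(covers(e, s) for e in acl):
            port = f" port {s.mapped_port}" if s.mapped_port else ""
            findings.append(f"static maps {s.mapped}{port} -> {s.real} but outside_access_in never permits it")
    return findings

def explain_static(line: str, names: Optional[Dict[str, str]] = None, outside_ip: str = "<outside-if-ip>") -> str:
    """Render one static line in plain words (the reading sharedit gives above)."""
    s = parse_static(line, names or {}, outside_ip)
    if s.proto is None:
        return f"1:1 static NAT: public {s.mapped} <-> inside host {s.real}, all ports"
    where = " (the outside interface address)" if s.uses_interface else ""
    return (f"static PAT: {s.proto.upper()} port {s.mapped_port} on public {s.mapped}{where} "
            f"forwards to inside host {s.real} port {s.real_port}")

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
    print(explain_static("static (inside,outside) tcp interface 2080 10.226.72.135 2080 netmask 255.255.255.255",
                         outside_ip="24.89.137.202"))
```

Run against the sample, the audit reports exactly the mismatched pair (an ACL permitting port 80 to 24.89.137.205 while the static for that address only forwards 2080, and that static therefore being unreachable); the three consistent entries produce nothing. Feed it a full "show running-config" paste and it will stop at the first line it cannot parse only if that line begins with "static (inside,outside)" in an unexpected shape, since ACL lines are matched by regex and other lines are ignored.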
vmaganAuthor Commented:
Thank you soooooo much. This saved me.
0