Cisco ASA config

vulture71
I need to be able to set up the following for work, and I'm very limited in the Cisco 5505 environment. I need to accomplish the following:

dns/web server: internal IP 192.168.x.x  external IP 209.120.x.x -- all Class C
SMTP:           internal IP 192.168.y.y  external IP 209.120.y.y -- all Class C
FTP:            internal IP 192.168.z.z  external IP 209.120.z.z -- all Class C

There will be one pc on the "inside" network and one pc on the "outside" network for testing purposes.

FTP should be available during business hours only, which are weekdays from 8:00am to 6:00pm and Saturdays from 9am to 6pm.

The inside PC needs to use DNS resolution for IP address 192.168.x.x with domain name mynetwork. The outside PC needs to use 209.120.x.x with domain name theircompany.com.

Only the internal PC/network should be able to access the ASA via ASDM. We also need to allow telnet access from the outside in as well. Both internal and outside PCs should be able to access DNS/WEB, SMTP, and FTP. SSH should be allowed from the outside.
Wow, you want someone to configure your entire ASA device?
What config do you have so far? Can you paste your scrubbed running config?
What model of ASA do you have, and what versions of ASA/ASDM software installed?

Author

Commented:
I don't really have much, I'm completely new to the ASA environment.  825.bin file and ASDM 645.bin

Author

Commented:
Here's my config:

!  This is the cleartext configuration of ASA using an ASA5505


ASA Version 8.2(5)
!
hostname ASA5505
enable password cisco
passwd cisco
names
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/3
 no shutdown
!
interface Ethernet0/4
 no shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.202.1 255.255.255.0
!
!
time-range BUSINESSHOURS
 periodic weekdays 8:00 to 17:00
 periodic Saturday 8:00 to 12:00
!
time-range CONTRACTORFTPACCESS
 absolute start 08:00 01 March 2012 end 17:00 31 March 2012
!
ftp mode passive
object-group protocol TCP_UDP
 description Grouping TCP and UDP protocols
 protocol-object tcp
 protocol-object udp
object-group protocol IP_PROT
 description nested object group TCP and UDP, plus GRE
 protocol-object gre
 group-object TCP_UDP
object-group network LOCAL_NET
 description Grouping of Local Networks
 network-object 192.168.1.0 255.255.255.0
 network-object host 192.168.2.10
object-group service SERVERACCESS tcp
 description object group for SMTP, WWW, HTTPS services
 port-object eq smtp
 port-object eq www
 port-object eq https
object-group icmp-type echo
 description object group to allow ICMP echo and echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list OUT_IN extended permit tcp any interface outside object-group SERVERACCESS
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range CONTRACTORFTPACCESS
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range BUSINESSHOURS
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.12 8888 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.14 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.14 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.14 ftp netmask 255.255.255.255
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.202.10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2

I would start by using one of the millions of how-tos and tutorials available on the internet. Try to get the basics done, and if you need help, come back to this thread and let us know.

http://www.routerfreak.com/basic-configuration-tutorial-for-the-cisco-asa-5505-firewall/

http://www.firewall.cx/forum/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html

Author

Commented:
Final question:

I wanted to be able to ping from the inside PC over to the SMTP, FTP, and DNS servers, but I can't. Can someone help me out here? Here is my final config:

ASA Version 8.2(5)
!
hostname ciscoasa
domain-name company.lcl
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.120.22.1 255.255.255.0
!
!
time-range FTP-access
 periodic weekdays 9:00 to 17:00
 periodic Saturday 10:00 to 14:00
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.10.10
 domain-name company.lcl
dns server-group company.com
 timeout 10
 name-server 209.120.22.10
 domain-name company.com
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range FTP-access
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range FTP-access
access-list outside_nat_static extended permit ip 209.120.22.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 209.120.22.2 /logs cisco *****
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.10.0  access-list outside_nat_static
static (inside,outside) 209.120.22.10 192.168.10.10 netmask 255.255.255.255
static (inside,outside) 209.120.22.11 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 209.120.22.12 192.168.10.12 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 209.220.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.10.100 255.255.255.255 inside
http 209.120.22.2 255.255.255.255 outside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh 209.120.22.0 255.255.255.0 inside
ssh 209.120.22.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns perset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#
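As an added illustration (not part of the thread, and not an ASA feature), the following Python script audits two points of the config just posted against the requirements stated in the question: whether time-range FTP-access actually covers the requested hours (weekdays 8:00 to 18:00, Saturday 9:00 to 18:00), and which management protocols (http for ASDM, ssh, telnet) are reachable from which interface. The config excerpt is constructed from the lines above; the helper names, the anchor week used for sampling and the 30-minute sampling step are assumptions of the example.

```python
"""Audit helpers for a Cisco ASA 8.2 configuration excerpt: does a
time-range cover the hours that were asked for, and which management
protocols are reachable from which interface?  Hypothetical helper code,
not an ASA feature."""
import re
from datetime import datetime, timedelta

# Constructed excerpt: the relevant lines of the final config posted above.
ASA_CONFIG = """\
time-range FTP-access
 periodic weekdays 9:00 to 17:00
 periodic Saturday 10:00 to 14:00
!
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.10.100 255.255.255.255 inside
http 209.120.22.2 255.255.255.255 outside
telnet 192.168.10.0 255.255.255.0 inside
ssh 209.120.22.0 255.255.255.0 inside
ssh 209.120.22.0 255.255.255.0 outside
"""

# Monday == 0 ... Sunday == 6, the same numbering datetime.weekday() uses.
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
TIME_RE = re.compile(r"^(\d{1,2}):(\d{2})$")

# Hours requested in the question: weekdays 08:00-18:00, Saturday 09:00-18:00.
REQUIRED_FTP_HOURS = [(DAY_GROUPS["weekdays"], "8:00", "18:00"), ({5}, "9:00", "18:00")]


def _minutes(hhmm):
    hours, mins = TIME_RE.match(hhmm).groups()
    return int(hours) * 60 + int(mins)


def parse_time_ranges(config):
    """Return {name: [(weekdays, start_minute, end_minute), ...]} for the
    'periodic <days> HH:MM to HH:MM' form used in the config above."""
    ranges, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("time-range "):
            current = line.split()[1]
            ranges[current] = []
        elif line.startswith("periodic ") and current:
            tokens = line.split()[1:]
            days = set()
            while tokens and not TIME_RE.match(tokens[0]):
                word = tokens.pop(0).lower()
                days |= DAY_GROUPS.get(word, {DAY_NAMES.index(word)} if word in DAY_NAMES else set())
            start, _to, end = tokens[:3]
            ranges[current].append((days, _minutes(start), _minutes(end)))
        elif not raw.startswith(" "):
            current = None  # any top-level command ends the time-range block
    return ranges


def in_time_range(ranges, name, when):
    """True if `when` falls inside any periodic window of time-range `name`."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in ranges.get(name, []))


def ftp_allowed(when_iso, config=ASA_CONFIG):
    """Convenience wrapper: is FTP-access active at an ISO 8601 timestamp?"""
    return in_time_range(parse_time_ranges(config), "FTP-access", datetime.fromisoformat(when_iso))


def uncovered_samples(ranges, name, required, step=30):
    """Sample the requested windows every `step` minutes and list the samples
    the configured time-range leaves out.  `required` holds
    (weekdays, 'HH:MM', 'HH:MM') triples; any Monday serves as the anchor week."""
    monday = datetime(2012, 3, 5)
    missing = []
    for days, start, end in required:
        for day in sorted(days):
            t = monday + timedelta(days=day, minutes=_minutes(start))
            stop = monday + timedelta(days=day, minutes=_minutes(end))
            while t < stop:
                if not in_time_range(ranges, name, t):
                    missing.append(t.strftime("%A %H:%M"))
                t += timedelta(minutes=step)
    return missing


MGMT_RE = re.compile(r"^(http|ssh|telnet)\s+(\S+)\s+(\S+)\s+(inside|outside)$")


def management_findings(config):
    """List management-plane lines that contradict the stated requirement
    (ASDM only from inside) or rely on a cleartext protocol."""
    findings = []
    for raw in config.splitlines():
        m = MGMT_RE.match(raw.strip())
        if not m:
            continue
        proto, net, mask, iface = m.groups()
        if iface == "outside":
            findings.append(f"{proto} reachable from {net}/{mask} on outside")
        if proto == "telnet":
            findings.append(f"telnet (cleartext) permitted from {net}/{mask} on {iface}")
    return findings


if __name__ == "__main__":
    ranges = parse_time_ranges(ASA_CONFIG)
    for sample in uncovered_samples(ranges, "FTP-access", REQUIRED_FTP_HOURS):
        print("requested but not covered:", sample)
    for finding in management_findings(ASA_CONFIG):
        print("management:", finding)
```

Run against the excerpt, the script reports that FTP-access leaves out 8:00 to 9:00 and 17:00 to 18:00 on weekdays and 9:00 to 10:00 plus 14:00 to 18:00 on Saturday, and that http (ASDM) is reachable from 209.120.22.2 on the outside interface even though the question asks for ASDM from the inside network only. Checking the intended hours this way before attaching the time-range to an access-list entry is cheaper than discovering the gap when a contractor cannot log in.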
I'm going to make some assumptions here, because according to your ASA config, you only have one subnet (network) behind your ASA; and that's the 192.168.10.x subnet.

You ask how to ping from an inside PC over to: "smtp,ftp, and dns". You're not hosting SMTP or DNS behind your ASA firewall, so are you wanting to ping from inside the ASA - out to different servers on the internet?

If so, let's open up the PING pathways:
access-list OUT_IN line 1 extended permit icmp any any echo-reply
access-list OUT_IN line 2 extended permit icmp any any source-quench
access-list OUT_IN line 3 extended permit icmp any any unreachable
access-list OUT_IN line 4 extended permit icmp any any time-exceeded



...this will allow pings (and ping replies) to go from inside the ASA out to the internet and return. You don't have to use the syntax "line 1", "line 2", etc.; I did that to keep things neat and tidy, and it puts your ping groups at the top of your access-lists.
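To make the first-match behaviour concrete, here is an added Python model (example code written for this page, not from the answer above and not an ASA feature) of how the OUT_IN access-list is evaluated against the echo-reply that comes back from an internet host when ICMP is not being inspected. It parses the two OUT_IN lines from the posted config plus the four suggested lines, honours the `line N` insert position the answer mentions, and evaluates constructed packets with the implicit deny at the end. The outside interface address 209.120.22.1 is taken from Vlan2 in the posted config; the packet addresses (198.51.100.7 is a documentation address) and the helper names are assumptions.

```python
"""First-match evaluation of a Cisco ASA interface ACL, used to show why
the replies to an outbound ping need explicit permit entries on the
outside ACL when ICMP is not inspected.  Hypothetical helper code, not
an ASA feature."""
import ipaddress
import re

# Constructed: the OUT_IN entries from the final config posted in this thread.
ACL_BEFORE = """\
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range FTP-access
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range FTP-access
"""

# Constructed: the same ACL after the four suggested lines are entered.
ACL_AFTER = ACL_BEFORE + """\
access-list OUT_IN line 1 extended permit icmp any any echo-reply
access-list OUT_IN line 2 extended permit icmp any any source-quench
access-list OUT_IN line 3 extended permit icmp any any unreachable
access-list OUT_IN line 4 extended permit icmp any any time-exceeded
"""

ACL_RE = re.compile(r"^access-list (\S+)(?: line (\d+))? extended (permit|deny) (\S+) (.+)$")
# 'interface outside' means the outside interface address; value taken from Vlan2 above.
INTERFACE_ADDRS = {"outside": "209.120.22.1"}


def _parse_addr(tokens):
    """Consume one ASA address spec: any | host A | interface NAME | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "interface":
        return ipaddress.ip_network(INTERFACE_ADDRS[tokens.pop(0)] + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(text):
    """Return {name: [entry, ...]}; 'line N' inserts at position N, as on the ASA."""
    acls = {}
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, pos, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _parse_addr(tokens)
        dst = _parse_addr(tokens)
        entry = {"action": action, "proto": proto, "src": src, "dst": dst,
                 "port": None, "icmp_type": None, "time_range": None}
        while tokens:
            tok = tokens.pop(0)
            if tok == "eq":
                entry["port"] = tokens.pop(0)
            elif tok == "time-range":
                entry["time_range"] = tokens.pop(0)
            elif proto == "icmp":
                entry["icmp_type"] = tok
        entries = acls.setdefault(name, [])
        if pos:
            entries.insert(int(pos) - 1, entry)
        else:
            entries.append(entry)
    return acls


def evaluate(entries, packet, active_time_ranges=()):
    """First match wins; the ASA appends an implicit deny.  Returns (action, index)."""
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    for i, e in enumerate(entries):
        if e["proto"] not in ("ip", packet["proto"]):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["port"] and e["port"] != packet.get("dport"):
            continue
        if e["icmp_type"] and e["icmp_type"] != packet.get("icmp_type"):
            continue
        if e["time_range"] and e["time_range"] not in active_time_ranges:
            continue
        return e["action"], i
    return "deny", None


# Constructed: an echo-reply coming back from an internet host to the outside
# interface, i.e. the return half of a ping started by the inside PC.
ECHO_REPLY = {"proto": "icmp", "src": "198.51.100.7", "dst": "209.120.22.1",
              "icmp_type": "echo-reply"}


def ping_reply_allowed(acl_text):
    """Without ICMP inspection the reply is checked against OUT_IN like any new packet."""
    return evaluate(parse_acl(acl_text)["OUT_IN"], ECHO_REPLY)[0] == "permit"


if __name__ == "__main__":
    print("echo-reply before:", ping_reply_allowed(ACL_BEFORE))  # False
    print("echo-reply after: ", ping_reply_allowed(ACL_AFTER))   # True
```

The model shows the reason for the four permit lines: the outbound echo created no connection entry, so the reply arrives as a new inbound packet, matches nothing in OUT_IN and hits the implicit deny. The alternative on the ASA is `inspect icmp` under the global service policy, which makes the firewall track echo and echo-reply as a connection so the reply is allowed without any outside ACL entry; that is the narrower choice, since `permit icmp any any echo-reply` accepts replies from anywhere regardless of whether a matching echo ever left the network. Note that an inbound `echo` aimed at the outside interface is still denied by the entries above, so the firewall does not become pingable from the internet.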
