vulture71

Cisco ASA config

I need to be able to set up the following for work and I'm very limited in the Cisco 5505 environment.  I need to accomplish the following:

dns/web server: internal IP 192.168.x.x  external IP 209.120.x.x -- all Class C
SMTP:           internal IP 192.168.y.y  external IP 209.120.y.y -- all Class C
FTP:            internal IP 192.168.z.z  external IP 209.120.z.z -- all Class C

There will be one pc on the "inside" network and one pc on the "outside" network for testing purposes.

FTP should be available during business hours only, which are weekdays from 8:00am to 6:00pm and Saturdays from 9am to 6pm.

The inside PC needs to use DNS resolution for IP address 192.168.x.x with domain name mynetwork.  The outside PC needs to use 209.120.x.x with domain name theircompany.com

Only the internal PC/network should be able to access the ASA via ASDM.  We also need to allow telnet access from the outside in as well.  Both internal and outside PCs should be able to access DNS/WEB, SMTP, and FTP.  SSH should be allowed from the outside.

8/22/2022 - Mon
neilpage99

Wow, you want someone to configure your entire ASA device?
What config do you have so far?  Can you paste your scrubbed running config?
What model of ASA do you have, and what versions of ASA/ASDM software installed?
vulture71

ASKER
I don't really have much; I'm completely new to the ASA environment.  825.bin file and ASDM 645.bin
vulture71

ASKER
Here's my config:

!  This is the cleartext configuration of ASA using an ASA5505


ASA Version 8.2(5)
!
hostname ASA5505
enable password cisco
passwd cisco
names
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
 no shutdown
!
interface Ethernet0/3
 no shutdown
!
interface Ethernet0/4
 no shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.165.202.1 255.255.255.0
!
!
time-range BUSINESSHOURS
 periodic weekdays 8:00 to 17:00
 periodic Saturday 8:00 to 12:00
!
time-range CONTRACTORFTPACCESS
 absolute start 08:00 01 March 2012 end 17:00 31 March 2012
!
ftp mode passive
object-group protocol TCP_UDP
 description Grouping TCP and UDP protocols
 protocol-object tcp
 protocol-object udp
object-group protocol IP_PROT
 description nested object group TCP and UDP, plus GRE
 protocol-object gre
 group-object TCP_UDP
object-group network LOCAL_NET
 description Grouping of Local Networks
 network-object 192.168.1.0 255.255.255.0
 network-object host 192.168.2.10
object-group service SERVERACCESS tcp
 description object group for SMTP, WWW, HTTPS services
 port-object eq smtp
 port-object eq www
 port-object eq https
object-group icmp-type echo
 description object group to allow ICMP echo and echo-reply
 icmp-object echo
 icmp-object echo-reply
access-list OUT_IN extended permit tcp any interface outside object-group SERVERACCESS
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range CONTRACTORFTPACCESS
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range BUSINESSHOURS
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.12 8888 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.14 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.14 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.14 ftp netmask 255.255.255.255
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.202.10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
neilpage99

I would start by using one of the millions of How-To's and Tutorials available on the internet. Try to get the basics done, and if you need help, come back to this thread and let us know.

http://www.routerfreak.com/basic-configuration-tutorial-for-the-cisco-asa-5505-firewall/

http://www.firewall.cx/forum/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html
vulture71

ASKER
Final question:

I wanted to be able to ping from the inside PC over to the SMTP, FTP, and DNS servers, but I can't.  Can someone help me out here?  Here is my final config:

ASA Version 8.2(5)
!
hostname ciscoasa
domain-name company.lcl
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 209.120.22.1 255.255.255.0
!
!
time-range FTP-access
 periodic weekdays 9:00 to 17:00
 periodic Saturday 10:00 to 14:00
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.10.10
 domain-name company.lcl
dns server-group company.com
 timeout 10
 name-server 209.120.22.10
 domain-name company.com
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range FTP-access
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range FTP-access
access-list outside_nat_static extended permit ip 209.120.22.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 209.120.22.2 /logs cisco *****
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.10.0  access-list outside_nat_static
static (inside,outside) 209.120.22.10 192.168.10.10 netmask 255.255.255.255
static (inside,outside) 209.120.22.11 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 209.120.22.12 192.168.10.12 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 209.220.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.10.100 255.255.255.255 inside
http 209.120.22.2 255.255.255.255 outside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh 209.120.22.0 255.255.255.0 inside
ssh 209.120.22.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect dns perset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#
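The fragment below is an added example written for this page; it is not the accepted answer, not code from the thread, and not a complete running config. It serves both the requirements in the original question (published DNS/web, SMTP and FTP hosts, FTP limited to the stated business hours, ASDM from inside only, SSH from outside) and the defects in the "final config" posted above that keep ping and inbound access from working: OUT_IN is defined but never applied with access-group, nat (inside) 1 has no matching global (outside) 1, the default route points at 209.220.22.1 (a typo for the 209.120.22.0/24 subnet, and 209.120.22.1 is the ASA's own outside address anyway), the inbound ACL still references "interface outside" although the statics now use dedicated global addresses (on 8.2, inbound ACLs match the mapped address), and global_policy has no inspect icmp, so echo-replies coming back from the outside are dropped. Assumptions, because the question only gives x/y/z: 209.120.22.10/192.168.10.10 is DNS/web, .11 is SMTP, .12 is FTP, and 209.120.22.254 stands in for the upstream router. Syntax targets ASA 8.2(5); the same NAT would be written differently on 8.3 and later.

```cisco
! Added example for ASA 8.2(5); not the thread's own config.
! Assumed address plan (the question only gives x/y/z):
!   209.120.22.10 -> 192.168.10.10  DNS/web
!   209.120.22.11 -> 192.168.10.11  SMTP
!   209.120.22.12 -> 192.168.10.12  FTP
!   209.120.22.254 = upstream router (assumed)
!
! Business hours exactly as stated in the question
time-range BUSINESSHOURS
 periodic weekdays 8:00 to 18:00
 periodic Saturday 9:00 to 18:00
!
! Outbound PAT: "nat (inside) 1" does nothing without a matching global
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
! Published servers, one-to-one statics
static (inside,outside) 209.120.22.10 192.168.10.10 netmask 255.255.255.255
static (inside,outside) 209.120.22.11 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 209.120.22.12 192.168.10.12 netmask 255.255.255.255
! The (outside,inside) policy static maps outside sources onto the inside
! subnet itself; it is not needed for the published services. Remove it.
no static (outside,inside) 192.168.10.0 access-list outside_nat_static
!
! Pre-8.3: an inbound ACL matches the MAPPED address, so use the global
! host addresses rather than "interface outside".
access-list OUT_IN extended permit udp any host 209.120.22.10 eq domain
access-list OUT_IN extended permit tcp any host 209.120.22.10 eq domain
access-list OUT_IN extended permit tcp any host 209.120.22.10 eq www
access-list OUT_IN extended permit tcp any host 209.120.22.11 eq smtp
access-list OUT_IN extended permit tcp any host 209.120.22.12 eq ftp time-range BUSINESSHOURS
! Let the outside test PC ping the published hosts
access-list OUT_IN extended permit icmp any 209.120.22.0 255.255.255.0 echo
! The posted config never applied the ACL; without this nothing is permitted in
access-group OUT_IN in interface outside
!
! Default route toward the (assumed) upstream router, not the ASA itself
route outside 0.0.0.0 0.0.0.0 209.120.22.254 1
!
! Only needed if the inside PC pings the servers' PUBLIC addresses: U-turn
! the traffic on the inside interface. Pings to 192.168.10.x never cross
! the ASA at all, so a failure there is a host firewall, not the ASA.
same-security-traffic permit intra-interface
static (inside,inside) 209.120.22.10 192.168.10.10 netmask 255.255.255.255
static (inside,inside) 209.120.22.11 192.168.10.11 netmask 255.255.255.255
static (inside,inside) 209.120.22.12 192.168.10.12 netmask 255.255.255.255
!
! Management: ASDM from inside only; SSH from inside and outside
http server enable
http 192.168.10.0 255.255.255.0 inside
no http 209.120.22.2 255.255.255.255 outside
no http authentication-certificate outside
crypto key generate rsa modulus 2048
ssh version 2
no ssh 209.120.22.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh 209.120.22.0 255.255.255.0 outside
aaa authentication ssh console LOCAL
! The ASA refuses Telnet on its lowest-security interface unless the
! session arrives inside a VPN tunnel, so "telnet from outside" cannot be
! granted on the outside interface; use SSH there and keep Telnet inside.
telnet 192.168.10.0 255.255.255.0 inside
!
! Echo-replies are dropped unless ICMP is inspected (or explicitly
! permitted inbound); inspection is what makes ping from inside work.
policy-map global_policy
 class inspection_default
  inspect icmp
! Drop the misspelled, unused duplicate policy-map
no policy-map type inspect dns perset_dns_map
```

Three things the fragment cannot fix for you. The dns server-group lines in the posted config only set the ASA's own resolver (and only DefaultDNS is consulted for that); the inside and outside test PCs must point their own DNS settings at 192.168.10.10 and 209.120.22.10 respectively, and the server at .10 has to hold the mynetwork and theircompany.com zones. Time-range enforcement is only as good as the ASA clock, so add an ntp server line for a reachable time source once you know one. Finally, logging ftp-server sends the buffered log with a cleartext FTP password to a host on the outside interface; if that stays, treat the account as disposable. The existing inspect ftp line is what opens the passive data connections, so no extra ACL entries are needed for them.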
ASKER CERTIFIED SOLUTION
neilpage99