Cisco ASA config
I need to be able to setup the following for work and I'm very limited in the Cisco 5505 environment. I need to accomplish the following:
dns/web server: internal IP 192.168.x.x external IP 209.120.x.x -- all Class C
SMTP: internal IP 192.168.y.y external IP 209.120.y.y -- all Class C
FTP: internal IP 192.168.z.z external IP 209.120.z.z -- all Class C
There will be one pc on the "inside" network and one pc on the "outside" network for testing purposes.
The FTP should be during business hours only which are weekdays from 8:00am to 6:00pm and Saturdays from 9am to 6pm.
The inside PC needs to use DNS resolution for IP address 192.168.x.x with domain name mynetwork. The outside PC needs to use 209.120.x.x with domain name theircompany.com
Only the internal PC/network should be able to access the ASA via ASDM. We also need to allow telnet access from the outside in as well. Both internal and outside PC's should be able to access DNS/WEB, SMTP, and FTP. SSH should be allowed from the outside.
dns/web server: internal IP 192.168.x.x external IP 209.120.x.x -- all Class C
SMTP: internal IP 192.168.y.y external IP 209.120.y.y -- all Class C
FTP: internal IP 192.168.z.z external IP 209.120.z.z -- all Class C
There will be one pc on the "inside" network and one pc on the "outside" network for testing purposes.
The FTP should be during business hours only which are weekdays from 8:00am to 6:00pm and Saturdays from 9am to 6pm.
The inside PC needs to use DNS resolution for IP address 192.168.x.x with domain name mynetwork. The outside PC needs to use 209.120.x.x with domain name theircompany.com
Only the internal PC/network should be able to access the ASA via ASDM. We also need to allow telnet access from the outside in as well. Both internal and outside PC's should be able to access DNS/WEB, SMTP, and FTP. SSH should be allowed from the outside.
Last Comment
ASKER
I don't really have much, I'm completely new to the ASA environment. 825.bin file and ASDM 645.bin
ASKER
Here's my config:
! This is the cleartext configuration of ASA using an ASA5505
ASA Version 8.2(5)
!
hostname ASA5505
enable password cisco
passwd cisco
names
!
interface Ethernet0/0
switchport access vlan 2
no shutdown
!
interface Ethernet0/1
no shutdown
!
interface Ethernet0/2
no shutdown
!
interface Ethernet0/3
no shutdown
!
interface Ethernet0/4
no shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.202.1 255.255.255.0
!
!
time-range BUSINESSHOURS
periodic weekdays 8:00 to 17:00
periodic Saturday 8:00 to 12:00
!
time-range CONTRACTORFTPACCESS
absolute start 08:00 01 March 2012 end 17:00 31 March 2012
!
ftp mode passive
object-group protocol TCP_UDP
description Grouping TCP and UDP protocols
protocol-object tcp
protocol-object udp
object-group protocol IP_PROT
description nested object group TCP and UDP, plus GRE
protocol-object gre
group-object TCP_UDP
object-group network LOCAL_NET
description Grouping of Local Networks
network-object 192.168.1.0 255.255.255.0
network-object host 192.168.2.10
object-group service SERVERACCESS tcp
description object group for SMTP, WWW, HTTPS services
port-object eq smtp
port-object eq www
port-object eq https
object-group icmp-type echo
description object group to allow ICMP echo and echo-reply
icmp-object echo
icmp-object echo-reply
access-list OUT_IN extended permit tcp any interface outside object-group SERVERACCESS
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range CONTRACTORFTPACCESS
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range BUSINESSHOURS
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.12 8888 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.14 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.14 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.14 ftp netmask 255.255.255.255
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.202.10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
! This is the cleartext configuration of ASA using an ASA5505
ASA Version 8.2(5)
!
hostname ASA5505
enable password cisco
passwd cisco
names
!
interface Ethernet0/0
switchport access vlan 2
no shutdown
!
interface Ethernet0/1
no shutdown
!
interface Ethernet0/2
no shutdown
!
interface Ethernet0/3
no shutdown
!
interface Ethernet0/4
no shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.202.1 255.255.255.0
!
!
time-range BUSINESSHOURS
periodic weekdays 8:00 to 17:00
periodic Saturday 8:00 to 12:00
!
time-range CONTRACTORFTPACCESS
absolute start 08:00 01 March 2012 end 17:00 31 March 2012
!
ftp mode passive
object-group protocol TCP_UDP
description Grouping TCP and UDP protocols
protocol-object tcp
protocol-object udp
object-group protocol IP_PROT
description nested object group TCP and UDP, plus GRE
protocol-object gre
group-object TCP_UDP
object-group network LOCAL_NET
description Grouping of Local Networks
network-object 192.168.1.0 255.255.255.0
network-object host 192.168.2.10
object-group service SERVERACCESS tcp
description object group for SMTP, WWW, HTTPS services
port-object eq smtp
port-object eq www
port-object eq https
object-group icmp-type echo
description object group to allow ICMP echo and echo-reply
icmp-object echo
icmp-object echo-reply
access-list OUT_IN extended permit tcp any interface outside object-group SERVERACCESS
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range CONTRACTORFTPACCESS
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range BUSINESSHOURS
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.1.12 8888 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.14 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.14 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.14 ftp netmask 255.255.255.255
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 209.165.202.10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
I would start by using one of the millions of How-To's and Tutorials available on the internet. Try to get the basics done, and if you need help, come back to this thread and let us know.
http://www.routerfreak.com/basic-configuration-tutorial-for-the-cisco-asa-5505-firewall/
http://www.firewall.cx/forum/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html
http://www.routerfreak.com/basic-configuration-tutorial-for-the-cisco-asa-5505-firewall/
http://www.firewall.cx/forum/10-firewall-filtering-idsips-a-security/32041-howto-basic-asa-5505-configuration.html
ASKER
Final question:
I wanted to be able to ping the from inside pc over to the smtp,ftp, and dns, but I can't. Can someone help me out here. Here is my final config:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name company.lcl
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.120.22.1 255.255.255.0
!
!
time-range FTP-access
periodic weekdays 9:00 to 17:00
periodic Saturday 10:00 to 14:00
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.10.10
domain-name company.lcl
dns server-group company.com
timeout 10
name-server 209.120.22.10
domain-name company.com
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range FTP-access
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range FTP-access
access-list outside_nat_static extended permit ip 209.120.22.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 209.120.22.2 /logs cisco *****
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.10.0 access-list outside_nat_static
static (inside,outside) 209.120.22.10 192.168.10.10 netmask 255.255.255.255
static (inside,outside) 209.120.22.11 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 209.120.22.12 192.168.10.12 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 209.220.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.10.100 255.255.255.255 inside
http 209.120.22.2 255.255.255.255 outside
http authentication-certificate
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh 209.120.22.0 255.255.255.0 inside
ssh 209.120.22.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns perset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f0
: end
ciscoasa#
I wanted to be able to ping the from inside pc over to the smtp,ftp, and dns, but I can't. Can someone help me out here. Here is my final config:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name company.lcl
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.120.22.1 255.255.255.0
!
!
time-range FTP-access
periodic weekdays 9:00 to 17:00
periodic Saturday 10:00 to 14:00
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.10.10
domain-name company.lcl
dns server-group company.com
timeout 10
name-server 209.120.22.10
domain-name company.com
access-list OUT_IN extended permit tcp any interface outside eq ftp time-range FTP-access
access-list OUT_IN extended permit tcp any interface outside eq 8080 time-range FTP-access
access-list outside_nat_static extended permit ip 209.120.22.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 209.120.22.2 /logs cisco *****
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.10.0 access-list outside_nat_static
static (inside,outside) 209.120.22.10 192.168.10.10 netmask 255.255.255.255
static (inside,outside) 209.120.22.11 192.168.10.11 netmask 255.255.255.255
static (inside,outside) 209.120.22.12 192.168.10.12 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 209.220.22.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.10.100 255.255.255.255 inside
http 209.120.22.2 255.255.255.255 outside
http authentication-certificate
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 15
ssh 209.120.22.0 255.255.255.0 inside
ssh 209.120.22.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns perset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f0
: end
ciscoasa#
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Routers
A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.
49K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
What config do you have so far? can you paste your scrubbed running config?
What model of ASA do you have, and what versions of ASA/ASDM software installed?