ASA 5510 HELP NEEDED PLS.....

Hello Experts, I need your help. After 2 days of changing the config trying to get this to work, I have decided to ask for help. I am sure that this is so simple for you Cisco experts, but I am honestly not one...as you will probably see lol !!!

Ok, I have a BT ADSL connection which goes into a BT Router (192.168.0.30, 255.255.255.224). This is then plugged into my 5510 in socket 0 (BTOutside). I then have my inside network (192.168.1.24 255.255.255.224) going from socket 0/1 on the ASA to a switch which hosts my PCs, servers and AP.

All I want to be able to do is have the traffic flow through so I can connect my clients to the wireless AP. I also want to be able to RDP into the servers via my dyndns account.

Could someone post the config please to achieve the above? I have included screenshots of ASDM too.

So then I will have a split network, a clean and a dirty side! Config below.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname Network1
domain-name
enable password atnRH8XWA15pl7BQ encrypted
passwd atnRH8XWA15pl7BQ encrypted
names
name 192.168.0.30 natpublicip
name 86.174.211.205 A description outbound
name 192.168.1.56 Windows7
name 192.168.1.41 EsxiServer
name 192.168.1.46 Server2012
name 192.168.1.47 ResServer
ddns update method dns
 ddns both
 interval maximum 2 0 0 0
!
!
interface Ethernet0/0
 description Connection to Netgear
 nameif Outside-BT
 security-level 0
 ip address natpublicip 255.255.255.224
!
interface Ethernet0/1
 description Connection to Switch
 nameif Inside
 security-level 100
 ddns update dns
 dhcp client update dns
 ip address 192.168.1.33 255.255.255.224
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside-BT
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 62.6.40.178
 name-server 62.6.40.162
 name-server 194.72.9.34
 name-server EsxiServer
 domain-name
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
object-group service https tcp
 port-object eq https
object-group service test
 service-object tcp
object-group service tt
 service-object tcp eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list Inside_access_in extended permit ip interface Inside any
access-list Inside_access_in extended permit ip any 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static remark udp vpn
access-list Outside-BT_nat_static extended permit udp host 192.168.0.1 eq isakmp 192.168.1.32 255.255.255.224
access-list Outside-BT_nat_static_1 extended permit udp host 192.168.0.1 eq isakmp 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static_2 extended permit udp host 192.168.0.1 eq isakmp any
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in remark spiceworks
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside-BT 1500
mtu Inside 1500
ip local pool Pool 10.0.0.1-10.0.0.2 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
nat (Inside) 101 0.0.0.0 0.0.0.0 dns
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
route Outside-BT 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside-BT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-BT_map interface Outside-BT
crypto isakmp enable Outside-BT
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd update dns interface Inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source Outside-BT prefer
webvpn
 enable Outside-BT
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CiscoRemote internal
group-policy CiscoRemote attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec svc webvpn
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec webvpn
username *** password GFDFvLOsuuGuTQnt encrypted privilege 0
username *** attributes
 vpn-group-policy CiscoVPN
tunnel-group CiscoVPN type remote-access
tunnel-group HometestVPN type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:748c51b6d177ee23c52c93df77bc32b9
: end
1 Solution
 
Don Johnston (Instructor) commented:
Am I correct in understanding that what you want is two separate internal networks? Or do you just want an inside and outside network?

Is the BT router performing NAT?

And please use the code feature when posting configs.
0
 
Jon345 (Author) commented:
Two internals. The BT hub is port forwarding 3389 to 192.168.0.30; that range is the guest network, the one behind the ASA is the private, but the private accesses the guest for Internet access.
0
 
Don Johnston (Instructor) commented:
Is the BT router performing NAT?
0
 
Jon345 (Author) commented:
No
0
 
Don Johnston (Instructor) commented:
Then why is the BT (is it a hub or a router) "port forwarding"?
0
 
Jon345 (Author) commented:
For rdp connection on port 3389
0
 
Jon345 (Author) commented:
To access the servers behind firewall
0
 
Jon345 (Author) commented:
It's a BT home hub 3
0
 
Don Johnston (Instructor) commented:
If the BT is not performing NAT, then there is no need to forward traffic.  Forwarding only needs to be done on devices that have NAT enabled.

But whatever. To create a second internal network on the ASA, define one of the other interfaces on the ASA and give it a security level higher than 0 (You can make it the same as the existing inside interface).

For example:
interface Ethernet0/2
 nameif newnet
 security-level 90
 ip address 192.168.2.1 255.255.255.0


Then add an entry (or modify the existing one) to allow the new network access.
0
 
Jon345 (Author) commented:
Thanks, one to try. However the ASA was doing NATing; this was working last week. My colleague changed one of the rules and all I get now is denies. Have you looked at the screenshots of ASDM?
0
 
Don Johnston (Instructor) commented:
No. I don't use ASDM. I do everything from the CLI.

What was changed?
0
 
Jon345 (Author) commented:
I think the NAT rule on screen grab 2.
0
 
Don Johnston (Instructor) commented:
The second rule (dynamic) needs a translated interface. Click on the interface column and make it "outside".
0
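The point Don is making is the classic ASA 8.2 pairing rule: a dynamic `nat (ifc) id` entry only translates if a `global (other-ifc) id` with the same id exists on another interface, which the first posted config lacks for id 101. The following is an added example (not Cisco tooling and not from anyone in this thread) that lints a constructed excerpt of that first config for exactly this, and also reports ACLs that are defined but never applied by an `access-group`, including the `outside-bt_access_in` entry whose name differs only in case from the applied one.

```python
import re
from collections import defaultdict

# Constructed excerpt of the first "sh run" posted above, limited to the
# NAT and ACL lines the checks below look at so the script runs offline.
FIRST_CONFIG = """\
access-list Inside_access_in extended permit ip interface Inside any
access-list Inside_access_in extended permit ip any 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static remark udp vpn
access-list Outside-BT_nat_static extended permit udp host 192.168.0.1 eq isakmp 192.168.1.32 255.255.255.224
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
nat (Inside) 101 0.0.0.0 0.0.0.0 dns
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ACL_RE = re.compile(r"^access-list (\S+) ")
AG_RE = re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)")

def check_config(text):
    """Return human-readable findings for a pre-8.3 (nat/global style) ASA config."""
    nats, globals_, acls, applied = [], defaultdict(set), set(), {}
    for line in text.splitlines():
        if m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))].add(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := AG_RE.match(line):
            applied[m.group(1)] = m.group(2)
    findings = []
    for ifc, nat_id in nats:
        if nat_id == 0:  # nat 0 is identity/exempt NAT and needs no global
            continue
        if not (globals_[nat_id] - {ifc}):  # global must be on a different interface
            findings.append(f"nat ({ifc}) {nat_id} has no matching 'global' on another "
                            "interface: dynamic translation will fail")
    for name in sorted(acls - set(applied)):
        findings.append(f"access-list {name} is defined but not applied by any access-group")
    for name, ifc in applied.items():
        if name not in acls:
            findings.append(f"access-group on {ifc} references undefined access-list {name}")
    # An unapplied ACL whose name matches an applied one except for case is usually a typo
    lower_applied = {n.lower(): n for n in applied}
    for name in acls - set(applied):
        twin = lower_applied.get(name.lower())
        if twin and twin != name:
            findings.append(f"access-list {name} differs only in case from applied ACL {twin}")
    return findings

if __name__ == "__main__":
    for finding in check_config(FIRST_CONFIG):
        print(finding)
```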
 
Jon345 (Author) commented:
OK, I have done that, see attached file. Getting errors, attached too. Not working yet....
0
 
Don Johnston (Instructor) commented:
Please post your current config.
0
 
Jon345 (Author) commented:
:
ASA Version 8.2(5)
!
hostname Home-Net
domain-name main
enable password atnRH8XWA15pl7BQ encrypted
passwd atnRH8XWA15pl7BQ encrypted
names
name 192.168.0.30 natpublicip
name 86.174.211.205 A description outbound
name 192.168.1.56 Windows7
name 192.168.1.41 EsxiServer
name 192.168.1.46 Server2012
name 192.168.1.47 ResServer
ddns update method dns
 ddns both
 interval maximum 2 0 0 0
!
!
interface Ethernet0/0
 description Connection to Netgear
 nameif Outside-BT
 security-level 0
 ip address natpublicip 255.255.255.224
!
interface Ethernet0/1
 description Connection to Switch
 nameif Inside
 security-level 100
 ddns update dns
 dhcp client update dns
 ip address 192.168.1.33 255.255.255.224
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside-BT
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 62.6.40.178
 name-server 62.6.40.162
 name-server 194.72.9.34
 name-server EsxiServer
 domain-name Main
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
object-group service https tcp
 port-object eq https
object-group service test
 service-object tcp
object-group service tt
 service-object tcp eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list Inside_access_in extended permit ip interface Inside any
access-list Inside_access_in extended permit ip any 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static remark udp vpn
access-list Outside-BT_nat_static extended permit udp host 192.168.0.1 eq isakmp 192.168.1.32 255.255.255.224
access-list Outside-BT_nat_static_1 extended permit udp host 192.168.0.1 eq isakmp 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static_2 extended permit udp host 192.168.0.1 eq isakmp any
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside-BT 1500
mtu Inside 1500
ip local pool Pool 10.0.0.1-10.0.0.2 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (Outside-BT) 1 interface
global (Inside) 1 192.168.1.34-192.168.1.55 netmask 255.0.0.0
global (Inside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
route Outside-BT 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside-BT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-BT_map interface Outside-BT
crypto isakmp enable Outside-BT
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd address 192.168.1.45-192.168.1.55 Inside
dhcpd dns 213.120.234.46 194.72.0.114 interface Inside
dhcpd lease 30000 interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source Outside-BT prefer
webvpn
 enable Outside-BT
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CiscoRemote internal
group-policy CiscoRemote attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec svc webvpn
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec webvpn
username **** password GFDFvLOsuuGuTQnt encrypted privilege 0
username **** attributes
 vpn-group-policy CiscoVPN
tunnel-group CiscoVPN type remote-access
tunnel-group HomenetVPN type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b1583d8d969b3692192a27ba7637c447
: end
0
 
Jon345 (Author) commented:
Thanks "Don" your help is really appreciated....
0
 
Don Johnston (Instructor) commented:
Remove the Inside_access_in ACL from the inside interface.

no access-group Inside_access_in in interface Inside
0
 
Jon345 (Author) commented:
"Don", still not working.
0
 
Feroz Ahmed (Senior Network Engineer) commented:
Hi,

All you have to do is try configuring the policy on the ASA as below:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Once the above configuration is done, try this command on the ASA:

ASA# debug icmp trace

It will give a continuous ping to the destination.
0
 
Jon345 (Author) commented:
Superb Assistance!!
0