Solved

ASA 5510 HELP NEEDED PLS.....

Posted on 2014-01-19
699 Views
Last Modified: 2014-01-23
Hello Experts, I need your help. After 2 days of changing the config trying to get this to work, I have decided to ask for help. I am sure that this is so simple for you Cisco experts, but I am honestly not one...as you will probably see lol !!!

Ok... I have a BT ADSL connection which goes in a BT Router (192.168.0.30, 255.255.255.224). This is then plugged in to my 5510 in socket 0 (BTOutside). I then have my inside network (192.168.1.24 255.255.255.224) going from socket 0/1 on the ASA to a switch which hosts my PCs, servers and AP.

All I want to be able to do is have the traffic flow through so I can connect my clients to the wireless AP. I also want to be able to RDP into the servers via my dyndns account.

Could someone post the config please to achieve the above? I have included screenshots of ASDM too.

So then I will have a split network, a clean and dirty side! Config below:
Result of the command: "sh run"

: Saved
:
ASA Version 8.2(5)
!
hostname Network1
domain-name
enable password atnRH8XWA15pl7BQ encrypted
passwd atnRH8XWA15pl7BQ encrypted
names
name 192.168.0.30 natpublicip
name 86.174.211.205 A description outbound
name 192.168.1.56 Windows7
name 192.168.1.41 EsxiServer
name 192.168.1.46 Server2012
name 192.168.1.47 ResServer
ddns update method dns
 ddns both
 interval maximum 2 0 0 0
!
!
interface Ethernet0/0
 description Connection to Netgear
 nameif Outside-BT
 security-level 0
 ip address natpublicip 255.255.255.224
!
interface Ethernet0/1
 description Connection to Switch
 nameif Inside
 security-level 100
 ddns update dns
 dhcp client update dns
 ip address 192.168.1.33 255.255.255.224
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside-BT
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 62.6.40.178
 name-server 62.6.40.162
 name-server 194.72.9.34
 name-server EsxiServer
 domain-name
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
object-group service https tcp
 port-object eq https
object-group service test
 service-object tcp
object-group service tt
 service-object tcp eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list Inside_access_in extended permit ip interface Inside any
access-list Inside_access_in extended permit ip any 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static remark udp vpn
access-list Outside-BT_nat_static extended permit udp host 192.168.0.1 eq isakmp 192.168.1.32 255.255.255.224
access-list Outside-BT_nat_static_1 extended permit udp host 192.168.0.1 eq isakmp 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static_2 extended permit udp host 192.168.0.1 eq isakmp any
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in remark spiceworks
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside-BT 1500
mtu Inside 1500
ip local pool Pool 10.0.0.1-10.0.0.2 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
nat (Inside) 101 0.0.0.0 0.0.0.0 dns
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
route Outside-BT 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside-BT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-BT_map interface Outside-BT
crypto isakmp enable Outside-BT
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd update dns interface Inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source Outside-BT prefer
webvpn
 enable Outside-BT
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CiscoRemote internal
group-policy CiscoRemote attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec svc webvpn
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec webvpn
username *** password GFDFvLOsuuGuTQnt encrypted privilege 0
username *** attributes
 vpn-group-policy CiscoVPN
tunnel-group CiscoVPN type remote-access
tunnel-group HometestVPN type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:748c51b6d177ee23c52c93df77bc32b9
: end
image1.jpg
image2.jpg
Question by:Jon345
21 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39792104
Am I correct in understanding that what you want is two separate internal networks? Or do you just want an inside and outside network?

Is the BT router performing NAT?

And please use the code feature when posting configs.
0
 

Author Comment

by:Jon345
ID: 39792119
Two internals. The BT hub is port forwarding 3389 to 192.168.0.30. That range is the guest network; the one behind the ASA is the private, but the private accesses the guest for Internet access.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39792122
Is the BT router performing NAT?
0
 

Author Comment

by:Jon345
ID: 39792127
No
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39792136
Then why is the BT (is it a hub or a router) "port forwarding"?
0
 

Author Comment

by:Jon345
ID: 39792140
For RDP connection on port 3389.
0
 

Author Comment

by:Jon345
ID: 39792142
To access the servers behind the firewall.
0
 

Author Comment

by:Jon345
ID: 39792158
It's a BT Home Hub 3.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39792168
If the BT is not performing NAT, then there is no need to forward traffic. Forwarding only needs to be done on devices that have NAT enabled.

But whatever. To create a second internal network on the ASA, define one of the other interfaces on the ASA and give it a security level higher than 0 (You can make it the same as the existing inside interface).

For example:
interface Ethernet0/2
 nameif newnet
 security-level 90
 ip address 192.168.2.1 255.255.255.0

Then add an entry (or modify the existing one) to allow the new network access.
0
 

Author Comment

by:Jon345
ID: 39792179
Thanks, one to try. However the ASA was doing NATing; this was working last week. My colleague changed one of the rules and all I get now is denys. Have you looked at the screenshots of ASDM?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39792188
No. I don't use ASDM. I do everything from the CLI.

What was changed?
0
 

Author Comment

by:Jon345
ID: 39792193
I think the NAT rule on screen grab 2.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39792217
The second rule (dynamic) needs a translated interface. Click on the interface column and make it "outside".
0
 

Author Comment

by:Jon345
ID: 39792341
OK, I have done that, see attached file. Getting errors, attached too. Not working yet....
Capture.JPG
Capture1.JPG
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39793243
Please post your current config.
0
 

Author Comment

by:Jon345
ID: 39793450
:
ASA Version 8.2(5)
!
hostname Home-Net
domain-name main
enable password atnRH8XWA15pl7BQ encrypted
passwd atnRH8XWA15pl7BQ encrypted
names
name 192.168.0.30 natpublicip
name 86.174.211.205 A description outbound
name 192.168.1.56 Windows7
name 192.168.1.41 EsxiServer
name 192.168.1.46 Server2012
name 192.168.1.47 ResServer
ddns update method dns
 ddns both
 interval maximum 2 0 0 0
!
!
interface Ethernet0/0
 description Connection to Netgear
 nameif Outside-BT
 security-level 0
 ip address natpublicip 255.255.255.224
!
interface Ethernet0/1
 description Connection to Switch
 nameif Inside
 security-level 100
 ddns update dns
 dhcp client update dns
 ip address 192.168.1.33 255.255.255.224
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside-BT
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 62.6.40.178
 name-server 62.6.40.162
 name-server 194.72.9.34
 name-server EsxiServer
 domain-name Main
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
object-group service https tcp
 port-object eq https
object-group service test
 service-object tcp
object-group service tt
 service-object tcp eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
access-list Inside_access_in extended permit ip interface Inside any
access-list Inside_access_in extended permit ip any 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static remark udp vpn
access-list Outside-BT_nat_static extended permit udp host 192.168.0.1 eq isakmp 192.168.1.32 255.255.255.224
access-list Outside-BT_nat_static_1 extended permit udp host 192.168.0.1 eq isakmp 192.168.0.0 255.255.255.224
access-list Outside-BT_nat_static_2 extended permit udp host 192.168.0.1 eq isakmp any
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list Outside-BT_access_in extended permit tcp any host natpublicip object-group https
access-list outside-bt_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Outside-BT 1500
mtu Inside 1500
ip local pool Pool 10.0.0.1-10.0.0.2 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (Outside-BT) 1 interface
global (Inside) 1 192.168.1.34-192.168.1.55 netmask 255.0.0.0
global (Inside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
route Outside-BT 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside-BT_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside-BT_map interface Outside-BT
crypto isakmp enable Outside-BT
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 5
console timeout 0
dhcp-client update dns server both
dhcpd address 192.168.1.45-192.168.1.55 Inside
dhcpd dns 213.120.234.46 194.72.0.114 interface Inside
dhcpd lease 30000 interface Inside
dhcpd enable Inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 194.35.252.7 source Outside-BT prefer
webvpn
 enable Outside-BT
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CiscoRemote internal
group-policy CiscoRemote attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec svc webvpn
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 192.168.1.41 8.8.8.8
 vpn-tunnel-protocol IPSec webvpn
username **** password GFDFvLOsuuGuTQnt encrypted privilege 0
username **** attributes
 vpn-group-policy CiscoVPN
tunnel-group CiscoVPN type remote-access
tunnel-group HomenetVPN type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b1583d8d969b3692192a27ba7637c447
: end
Home-Net# $
0
 

Author Comment

by:Jon345
ID: 39793453
Thanks "Don" your help is really appreciated....
0
 
LVL 50

Accepted Solution

by:
Don Johnston earned 500 total points
ID: 39794032
Remove the Inside_access_in ACL from the inside interface.

no access-group Inside_access_in in interface Inside
0
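To make the two failure modes discussed in this thread concrete, here is an added audit script (not from the thread, not Cisco's) that reads ASA 8.2-style NAT and ACL lines and reports, first, a `nat (Inside) N` with no `global` of the same id on another interface (the state of the first config, which the ASDM "translated interface" change fixed), and second, an access-list whose name differs only by case from the one actually applied (`outside-bt_access_in` vs `Outside-BT_access_in`), which the ASA treats as a separate ACL that is never applied. The sample lines are constructed excerpts of the two configs posted above.

```python
import re

# Constructed excerpts of the NAT/ACL lines from the two configs in this
# thread: before and after the ASDM change (not the full configs).
CONFIG_BEFORE = """\
access-list Inside_access_in extended permit ip interface Inside any
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list outside-bt_access_in extended permit ip any any
nat (Inside) 101 0.0.0.0 0.0.0.0 dns
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
access-group Inside_access_in in interface Inside
"""

CONFIG_AFTER = """\
access-list Outside-BT_access_in extended permit tcp any any eq 3389
access-list outside-bt_access_in extended permit ip any any
global (Outside-BT) 1 interface
global (Inside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside-BT) interface Server2012 netmask 255.255.255.255
access-group Outside-BT_access_in in interface Outside-BT
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse(text):
    """Collect nat ids, global ids, ACL names and applied ACLs (ASA 8.2 syntax)."""
    cfg = {"nat": [], "global": [], "acls": set(), "applied": {}}
    for line in text.splitlines():
        if m := NAT_RE.match(line):
            cfg["nat"].append((m.group(1), int(m.group(2))))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append((m.group(1), int(m.group(2))))
        elif m := ACL_RE.match(line):
            cfg["acls"].add(m.group(1))
        elif m := GROUP_RE.match(line):
            cfg["applied"][m.group(1)] = m.group(2)
    return cfg


def audit(text):
    """Return human-readable findings for the NAT and ACL problems described above."""
    cfg = parse(text)
    findings = []
    # In 8.2, 'nat (ifc) N' only translates if another interface carries 'global (...) N'.
    for ifc, nat_id in cfg["nat"]:
        if not any(g_ifc != ifc and g_id == nat_id for g_ifc, g_id in cfg["global"]):
            findings.append(f"nat ({ifc}) {nat_id} has no matching global on another interface")
    # ACL names are case-sensitive: ACEs under a differently-cased name are never applied.
    for name in sorted(cfg["acls"]):
        if name in cfg["applied"]:
            continue
        twins = [a for a in cfg["applied"] if a.lower() == name.lower()]
        if twins:
            findings.append(f"access-list {name} is not applied; differs only by case from {twins[0]}")
        else:
            findings.append(f"access-list {name} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit(text))
```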
 

Author Comment

by:Jon345
ID: 39794940
"Don" Still not working
upload1.JPG
upload2.JPG
upload3.JPG
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 39796604
Hi,

All you have to do is try configuring the policy on the ASA as below:

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Once the above configuration is done, try this command on the ASA as below:

ASA# debug icmp trace

It will give continuous ping to destination.
0
 

Author Closing Comment

by:Jon345
ID: 39804965
Superb Assistance!!
0