HELP WITH ASA 5505 a 1st timer.
    Hi All,
    I've been given the task of changing our ISP. I installed a new 2921 Cisco router and all is well. I got a brand new ASA 5505 firewall. I am severely stuck. I have no connectivity. Can some of you folks look at my configuration and see what I'm missing? ACL, NAT, who knows.

    I have the circuit (DS3) to router / router to ASA. The ASA will be a site-to-site VPN. I have omitted the IP addresses (important ones at least).

    I thank you all in advance.

    ASA Version 8.2(1)
    !
    hostname asaconcord
    domain-name anydomain.com
    enable password .js/XZFY7WdcxGWh encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    description Inside
    nameif Inside
    security-level 100
    ip address 10.10.0.1 255.255.252.0
    !
    interface Vlan2
    description Public
    nameif Public
    security-level 0
    ip address 0.0.0.0 255.255.255.224
    !
    interface Ethernet0/0
    description Public Interaface
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    shutdown
    !
    interface Ethernet0/7
    shutdown
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time edt recurring
    dns server-group DefaultDNS
    domain-name terarecon.com
    access-list out-in extended permit icmp any any
    access-list out-in extended permit tcp any host 0.0.0.0 eq 3306
    access-list out-in extended permit tcp any host 0.0.0.0 eq pptp
    access-list out-in extended permit tcp any host 0.0.0.0 eq pptp
    access-list out-in extended permit tcp any host 0.0.0.0
    access-list out-in extended permit tcp any host 0.0.0.0
    access-list out-in extended permit icmp any host 0.0.0.0
    access-list out-in extended permit tcp any host 0.0.0.0 eq smtp
    access-list out-in extended permit tcp any host 0.0.0.0 eq pop3
    access-list out-in extended permit tcp any host 0.0.0.0 eq www
    access-list out-in extended permit tcp any host 0.0.0.0 eq https
    access-list out-in extended permit tcp any host 0.0.0.0 eq 3389
    access-list out-in extended permit icmp any host 0.0.0.0
    access-list out-in extended permit tcp any host 0.0.0.0 eq 135
    access-list out-in extended permit ip any host 0.0.0.0
    access-list out-in extended permit tcp any host 0.0.0.0 eq 27008
    access-list out-in extended permit tcp any host 0.0.0.0 eq 27009
    access-list out-in extended permit tcp any host 0.0.0.0 eq 27008
    access-list out-in extended permit tcp any host 0.0.0.0 eq 27009
    access-list out-in extended permit tcp any host 0.0.0.0 eq 7800
    access-list out-in extended permit udp any host 0.0.0.0 eq 7800
    access-list out-in extended permit gre any host 0.0.0.0
    access-list out-in extended permit gre any host 0.0.0.0
    access-list out-in extended permit tcp 0.0.0.0 255.255.255.248 host 0.0.0.0 eq https
    access-list out-in extended permit tcp host 0.0.0.0 host 0.0.0.0 eq https
    access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.0 eq https
    access-list out-in extended permit tcp any host 0.0.0.0 eq 3306
    access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.09 eq https
    access-list out-in extended permit tcp 0.0.0.0 255.255.255.248 host 0.0.0.09 eq https
    access-list out-in extended permit ip any host 10.10.3.201
    access-list out-in extended permit tcp any host 0.0.0.02 eq ftp
    access-list out-in extended permit tcp any host 0.0.0.02 eq ssh
    access-list out-in extended permit tcp any host 0.0.0.02 eq www
    access-list out-in extended permit icmp any host 0.0.0.02
    access-list out-in extended permit tcp any host 0.0.0.02 eq 3389
    access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.0 eq https
    access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.09 eq https
    access-list NoNAT extended permit ip 10.10.0.0 255.255.252.0 0.0.0.0 255.255.248.0
    access-list 101 extended permit ip 10.10.0.0 255.255.252.0 0.0.0.0 255.255.248.0
    access-list in-out extended permit tcp host 10.10.0.10 any eq smtp
    access-list in-out extended permit tcp host 10.10.0.104 any eq smtp
    access-list in-out extended permit tcp host 10.10.1.15 any eq smtp
    access-list in-out extended deny tcp any any eq smtp
    access-list in-out extended permit ip any any
    pager lines 24
    logging enable
    logging timestamp
    logging trap debugging
    mtu Inside 1500
    mtu Public 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm history enable
    arp timeout 14400
    nat (Inside) 0 access-list NoNAT
    nat (Inside) 1 0.0.0.0 0.0.0.0
    access-group out-in in interface Public
    route Public 0.0.0.0 0.0.0.0 0.0.0.0 1
    route Public 0.0.0.0 255.255.248.0 63.150.232.1 1
    timeout xlate 1:00:00
    timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    mac-list 50 permit 001c.2395.9ab5 ffff.ffff.ffff
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Inside
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set chevelle esp-des esp-md5-hmac
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
    crypto ipsec transform-set terarecon esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 100 set transform-set 3desmd5
    crypto map transam 1 match address 101
    crypto map transam 1 set peer 0.0.0.0
    crypto map transam 1 set transform-set chevelle
    crypto map vpn 1 match address 101
    crypto map vpn 1 set peer 0.0.0.0
    crypto map vpn 1 set transform-set 3desmd5 terarecon
    crypto map vpn 100 ipsec-isakmp dynamic dynmap
    crypto map vpn interface Public
    crypto isakmp identity address
    crypto isakmp enable Public
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 2
    authentication pre-share
    encryption des
    hash md5
    group 1
    lifetime 1000
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Inside
    ssh timeout 60
    ssh version 2
    console timeout 0
    management-access Inside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPNGROUP internal
    group-policy VPNGROUP attributes
    split-tunnel-policy tunnelall
    tunnel-group 0.0.0.8 type ipsec-l2l
    tunnel-group 0.0.0.0 ipsec-attributes
    pre-shared-key *
    !
    class-map type inspect http match-all asdm_medium_security_methods
    match not request method head
    match not request method post
    match not request method get
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    id-randomization
    id-mismatch action log
    policy-map global_policy
    class inspection_default
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect dns preset_dns_map
    inspect http
    inspect pptp
    inspect icmp
    policy-map type inspect http HTTP_inspection
    parameters
    protocol-violation action drop-connection
    class asdm_medium_security_methods
    drop-connection
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:3208c134ee51ea1a9e16d2ab5f986fdf
    : end

    asaconcord#

  • #2
    Re: HELP WITH ASA 5505 a 1st timer.

    A couple of things I noticed....

    1) VLAN 2 is configured with public IP, but has not been assigned to switchport interface e0/0 (see underlined addition below). NOTE: By default, VLAN 1 is untagged, so it does not need to be assigned to e0/1.
    Code:
    interface Ethernet0/0
     description Public Interaface
     switchport access vlan 2
    2) The "nat 1" definition does not have an associated "global 1" definition. In other words... what public IP(s) do you want to NAT inside traffic to? Or maybe set up a NAT pool. An example of NAT/PAT overload to the interface public IP would be:
    Code:
    global (Public) 1 interface
    nat (Inside) 1 0.0.0.0 0.0.0.0
    3) Access-list "out-in" is confusing. Especially since I do not see any static mapping statements for public to inside traffic. Suggestion: Until you get nat'd traffic working, I would remove the access-group definition (no access-group out-in in interface Public) that references this ACL. Once you get nat'd traffic working, then re-add the access-group definition and test.

    Also, I can appreciate not wanting to post your public IP address space to the forum, but it appears you have replaced all public address space with all 0's. This makes interpreting your configuration rather confusing since all 0's is a valid specification. Try changing your public IPs to something like x.x.x.2, x.x.x.3, etc...
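As an added check (not part of the thread), a small Python linter that walks a pre-8.3 ASA 5505 config excerpt modelled on the one posted above and flags the three gaps reply #2 describes: a named VLAN that no switchport carries, a `nat` id with no matching `global`, and an inbound access-group with no `static` behind it. The sample config and the function name `lint_asa82` are constructed for this example; the excerpt keeps the poster's 0.0.0.0 placeholders.

```python
import re

# Constructed excerpt of the posted config (public addresses kept as the poster's 0.0.0.0 placeholders).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif Inside
 ip address 10.10.0.1 255.255.252.0
interface Vlan2
 nameif Public
 ip address 0.0.0.0 255.255.255.224
interface Ethernet0/0
 description Public Interaface
access-list out-in extended permit tcp any host 0.0.0.0 eq smtp
nat (Inside) 0 access-list NoNAT
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group out-in in interface Public
"""
# Same excerpt with the two fixes from reply #2 applied (switchport to VLAN 2, global for nat id 1).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " description Public Interaface\n", " description Public Interaface\n switchport access vlan 2\n"
) + "global (Public) 1 interface\n"

def lint_asa82(config: str) -> list:
    """Flag the three gaps reply #2 points out in a pre-8.3 ASA 5505 config (hypothetical helper)."""
    vlan_named, vlan_assigned = set(), {"1"}   # every 5505 switchport sits in VLAN 1 by default
    nat_ids, global_ids, inbound_acls = set(), set(), []
    has_static, current_if = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current_if = m.group(1)
        elif line.startswith("nameif ") and current_if and current_if.startswith("Vlan"):
            vlan_named.add(current_if[4:])          # "Vlan2" -> "2"
        elif m := re.match(r"switchport access vlan (\d+)", line):
            vlan_assigned.add(m.group(1))
        elif (m := re.match(r"nat \(\S+\) (\d+) ", line)) and m.group(1) != "0":
            nat_ids.add(m.group(1))                 # nat 0 (exemption) needs no global
        elif m := re.match(r"global \(\S+\) (\d+) ", line):
            global_ids.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            inbound_acls.append(m.groups())
        elif line.startswith("static ("):
            has_static = True
    findings = [f"Vlan{v} is named but no switchport carries VLAN {v}" for v in sorted(vlan_named - vlan_assigned)]
    findings += [f"nat id {n} has no matching global {n}; dynamic NAT/PAT cannot translate" for n in sorted(nat_ids - global_ids)]
    if not has_static:
        findings += [f"{acl} is applied inbound on {ifn} but no static maps a public address to an inside host" for acl, ifn in inbound_acls]
    return findings
```

Running `lint_asa82` on the posted excerpt reports all three gaps; on the fixed excerpt only the missing static remains, which is exactly the order of work the reply suggests.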
