topic ASA 5505 Configuration Issues in Network Security

ASA 5505 Configuration Issues

bettston1 — Tue, 12 Mar 2019 06:45:42 GMT

Hi,

I have been given the task of configuring an ASA 5505 from scratch and been wrestling unsuccesfully with it now for over a week. The scenario is 3 vlans outside, inside and dmz. dmz has one fixed ip server (at the moment)

what i need to get to is:

outside -> dmz webserver

inside -> no access to outside

inside -> access to dmz webserver with rdp and ping

Here is the current no working config, intersingly rdp gets a response but thats all. I deally i would like to do all setup through asdm 6.3 but any ting that help, even a complete teardown would be great

Thanks

Tony

interface Vlan1
no forward interface Vlan2
nameif inside
security-level 100
ip address 160.100.30.253 255.255.252.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.0.253 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
ip address 11.0.200.253 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Dmztrans
host 160.100.31.145
object network dmzhost
host 11.0.200.145
description DMZ Host Machine
object network PublicServer_NAT1
host 11.0.200.145
object network network1
subnet 11.0.200.0 255.255.255.0
object network inside-network
subnet 160.100.30.0 255.255.255.0
object network inside-network2
subnet 160.100.30.0 255.255.255.0
object network dmz
subnet 11.0.200.0 255.255.255.0
object-group service RDP tcp
port-object eq 3389
object-group network DM_INLINE_NETWORK_1
network-object object Dmztrans
network-object object dmzhost
access-list dmz_access_in extended permit tcp any object Dmztrans object-group RDP
access-list inside_access extended permit tcp any host 11.0.200.145 object-group RDP
access-list inside_access extended permit icmp any host 11.0.200.145 echo-reply
access-list inside_access extended permit icmp any host 11.0.200.145
access-list inside-in extended permit icmp 11.0.200.0 255.255.255.0 any
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any
access-list global_access extended permit tcp object-group DM_INLINE_NETWORK_1 object Dmztrans object-group RDP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (dmz,inside) source static dmzhost dmzhost destination static Dmztrans Dmztrans
nat (inside,dmz) source static inside-network inside-network destination static dmz dmz
!
object network obj_any
nat (inside,outside) dynamic interface
object network PublicServer_NAT1
nat (dmz,inside) static Dmztrans
object network network1
nat (dmz,inside) dynamic interface
access-group inside_access in interface inside
access-group dmz_access_in in interface dmz
access-group global_access global
route inside 0.0.0.0 0.0.0.0 160.100.30.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 160.100.28.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 11.0.200.0 255.255.255.0 dmz
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 160.100.31.1-160.100.31.32 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp

Hello, It could be a license

stevechege — Tue, 20 Oct 2015 22:08:52 GMT

Hello, It could be a license issue.

If you can SSH into the device, try and do a show version as shown below.

or through the ASDM

Configuration > Device Management > Licensing >

ASA-PLUS# show version

For security plus License

~ out-put~

Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual

This platform has an ASA 5505 Security Plus license.

ASA-BASE# show version

For Base License

~ out-put~

Licensed features for this platform:

Maximum Physical Interfaces : 8 perpetual

VLANs : 3 DMZ Restricted

Dual ISPs : Disabled perpetual

VLAN Trunk Ports : 0 perpetual

Inside Hosts : 50 perpetual

Failover : Disabled perpetual

VPN-DES : Enabled perpetual

VPN-3DES-AES : Enabled perpetual

SSL VPN Peers : 2 perpetual

Total VPN Peers : 10 perpetual

Shared License : Disabled perpetual

AnyConnect for Mobile : Disabled perpetual

AnyConnect for Cisco VPN Phone : Disabled perpetual

AnyConnect Essentials : Disabled perpetual

Advanced Endpoint Assessment : Disabled perpetual

UC Phone Proxy Sessions : 2 perpetual

Total UC Proxy Sessions : 2 perpetual

Botnet Traffic Filter : Disabled perpetual

Intercompany Media Engine : Disabled perpetual

This platform has a Base license.

If it says 3 DMZ restricted. That could be your problem.

The inside <==> DMZ might not be able to talk to each other.

"The Base license restricts you to three(3) VLAN's, with the third VLAN only being able to initiate communicate with one of the other two."

Source.

http://security.stackexchange.com/questions/57045/asa5505-dmz-issue