topic Re: ASA 5505 Help in Network Security

ASA 5505 Help

wendigoulette — Fri, 21 Feb 2020 11:10:43 GMT

I am configuring an ASA 5505 for a small business client to replace Linksys router, and I am having some trouble with it. Any help would be greatly appreciated. Here is my config:

sh run

: Saved

ASA Version 7.2(4)

hostname ciscoasa

names

name 192.168.32.5 mailserver

interface Vlan1

nameif inside

security-level 100

ip address 192.168.32.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address xx.xx.215.35 255.255.255.224

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

port-object eq smtp

port-object eq 444

port-object eq imap4

port-object eq 4125

port-object eq pptp

port-object eq ftp

port-object eq 3389

port-object eq pop3

port-object eq 995

access-list inside_access_in extended permit tcp any host mailserver object-group DM_INLINE_TCP_1

pager lines 24

logging enable

logging buffered informational

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface ftp mailserver ftp netmask 255.255.255.255

static (inside,outside) tcp interface https mailserver https netmask 255.255.255.255

static (inside,outside) tcp interface smtp mailserver smtp netmask 255.255.255.255

static (inside,outside) tcp interface 444 mailserver 444 netmask 255.255.255.255

static (inside,outside) tcp interface imap4 mailserver imap4 netmask 255.255.255.255

static (inside,outside) tcp interface 4125 mailserver 4125 netmask 255.255.255.255

static (inside,outside) tcp interface pptp mailserver pptp netmask 255.255.255.255

static (inside,outside) tcp interface 3389 mailserver 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 995 mailserver 995 netmask 255.255.255.255

static (inside,outside) tcp interface www mailserver www netmask 255.255.255.255

static (inside,outside) interface mailserver netmask 255.255.255.255

access-group inside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.xx.215.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.32.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Cryptochecksum:916a58426e2cb7b4d44cdbc0446fcfad

: end

ciscoasa#

Here is the routing table (nothing plugged in right now other than console):

Gateway of last resort is not set

C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback

When I have the client connect the asa, no connectivity in or out works. They have two layer 2 switches, no routers.

Re: ASA 5505 Help

JORGE RODRIGUEZ — Sat, 20 Dec 2008 04:43:58 GMT

Here is the routing table (nothing plugged in right now other than console):

Gateway of last resort is not set

C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback<

route outside 0.0.0.0 0.0.0.0 xx.xx.215.33 1

Hi Wendi,

You need to start making the physical connection in your inside switch and outside interfaces first before atempting to connect to internet or from outside internet to inside.

show route does not indicate any physical connectivity to anything .

Regards

Re: ASA 5505 Help

wendigoulette — Sat, 20 Dec 2008 14:42:51 GMT

Hi, thank you for your reply. I noted in my post that when it IS plugged in, nothing works. I am very aware that connectivity to anywhere will not work without a physical connection. 🐵

My concern is mostly my config - I'm looking for any suggestions on what I may have configured incorrectly.

Oh, one other note - shouldn't my static default route be displayed in the routing table whether it is connected or not?

route outside 0.0.0.0 0.0.0.0 xx.xx.215.33 1

Re: ASA 5505 Help

JORGE RODRIGUEZ — Sat, 20 Dec 2008 16:11:42 GMT

Hi Wendy, the default route will show up in routing table once the upstream router is reachable.

I meant also to repost my answer few minutes later thinking that you must have placed back the linksys router becuase connectivity to internet was not happening, my apologies for that, I would have done exactly the same.

When you connect back the firewall connections to inside and outside from firewall itself try pinging your defalt route to confirm you can reach that upstream router. The access from inside to outside by default is permited but you will need some dns configuration for the PC inside to DNS query weblinks.

you could try dhcp address for inside interfaces if you don't have dhcp server and use a public opened DNS servers 208.67.222.222,208.67.220.220

and have this be automatically given to inside hosts dynamically

Example :

dhcpd dns 208.67.222.222 208.67.220.220

dhcpd address 192.168.32.10-192.168.32.100 inside

dhcpd enable inside

for the acl to get access to inside mailserver I would try :

access-list inside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1

access-group inside_access_in in interface outside

but...I would recommend to change the acl name instead of the " inside_access_in " to sort of distinguish what comes from outside to inside within acl names, like outside_access_in gives clear picture for your outside interface acls.

access-list outside_access_in extended permit tcp any interface outside object-group DM_INLINE_TCP_1

access-group outside_access_in in interface outside

remove old one

no access-list inside_access_in extended permit tcp any host mailserver object-group DM_INLINE_TCP_1

Regards

Re: ASA 5505 Help

wendigoulette — Sat, 20 Dec 2008 16:32:07 GMT

so the mailserver is also serving as dhcp server for the inside clients, which is why i turned off DHCP on the router. i have decided that i need to work on this in person - it's difficult to truobleshoot something that isn't plugged in. 🙂 so i'm trying to arrange to make the trek to my client's sit on monday. once I figure out what's wrong I will post it here for future reference. 🙂

Re: ASA 5505 Help

JORGE RODRIGUEZ — Mon, 22 Dec 2008 18:25:55 GMT

Hi Wendi, just touching base to learn if you have any issues or is all ok?

Regards

Re: ASA 5505 Help

wendigoulette — Mon, 29 Dec 2008 16:30:12 GMT

I haven't been able to coordinate a time to visit the customer until now - I will be going over there tomorrow evening. Will post the results here. 🙂