topic Re: ASA5505 basic settings in Network Security

ASA5505 basic settings

mahellma — Mon, 11 Mar 2019 13:54:57 GMT

I'm having some problems getting my ASA5505 running like I wan't it to. To be clear this is my first ever Cisco firewall. My experience is with Juniper and Watchguard.

The DMZ is just for future sake. For now the email server runs in the internal network here at home.

I wan't the email server to be published on ports smtp and https.

I used ASDM to configure my device but there are some strange things going on here and I have no idea why.

The publish seems to work because I can access the server from the outside world, but, the ASA sometimes, not all the time but sometimes starts blocking internal network traffic! How is that even possible since it should not even be routed trough the gateway.

The problem can be DNS,MS remote desktop, Exchange server connection, filesharing. So I messed up something really bad here.

Some help needed here.

The configuration as follows

ASA Version 7.2(4)

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.128

ospf cost 10

interface Vlan2

nameif outside

security-level 0

ip address X.X.X.X 255.255.255.X

ospf cost 10

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.10.1 255.255.255.128

ospf cost 10

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 3

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server mars

domain-name nixadmins.net

object-group service DM_INLINE_TCP_1 tcp

port-object eq https

port-object eq smtp

access-list outside_access_in extended permit tcp any host mail object-group DM_INLINE_TCP_1

access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.128 10.10.10.0 255.255.255.128 log disable

access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.128 any log disable

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.128 10.10.10.0 255.255.255.128

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool Default 10.10.10.81-10.10.10.90 mask 255.255.255.128

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 mail-X.X.X.X netmask 255.255.255.X

global (outside) 2 webmail netmask 255.255.255.255

global (outside) 3 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 3 0.0.0.0 0.0.0.0

static (inside,inside) tcp mars https mail https netmask 255.255.255.255

static (inside,inside) tcp mars smtp mail smtp netmask 255.255.255.255

static (inside,outside) tcp mail https mars https netmask 255.255.255.255

static (inside,outside) tcp mail smtp mars smtp netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 X.X.X.33 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa-server NixadminsAD protocol nt

aaa-server NixadminsAD (inside) host mars

nt-auth-domain-controller mars

aaa authentication ssh console LOCAL

http server enable

http 10.10.10.0 255.255.255.128 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no vpn-addr-assign local

telnet timeout 5

console timeout 0

dhcpd auto_config outside

Re: ASA5505 basic settings

Fernando_Meza — Wed, 08 Oct 2008 21:27:40 GMT

Hi ..I am not too sure what you are trying to achieve ..

global (outside) 1 mail-X.X.X.X netmask 255.255.255.X <- What are you trying to achieve here ? there is not corresponding nat ID (1) for this entry

global (outside) 2 webmail netmask 255.255.255.255 <- What are you trying to achieve here ? there is not corresponding nat ID (2) for this entry

global (outside) 3 interface

nat (inside) 0 access-list inside_nat0_outbound <- what are you trying to achieve here ?

nat (inside) 3 0.0.0.0 0.0.0.0 (This together with the access-list applied to the inside interface will allow outbound access from inside to be translated to the IP of the outside interface)

static (inside,inside) tcp mars https mail https netmask 255.255.255.255 <- what are you trying to achieve here ?

static (inside,inside) tcp mars smtp mail smtp netmask 255.255.255.255 <- what are you trying to achieve here ?

static (inside,outside) tcp mail https mars https netmask 255.255.255.255 (here you are using port forwarding for inbound traffic hitting mail on port 443 to be redirected to mars on port 443)

static (inside,outside) tcp mail smtp mars smtp netmask 255.255.255.255 (as above but using port 25)

Basically you need to specify what you want to achieve first and then we can work out the configuration.

I hope it helps .. please rate helpful posts

Re: ASA5505 basic settings

mahellma — Thu, 09 Oct 2008 06:06:36 GMT

The config is from ASDM. And I'm guessing there is alot wrong there. So instead of looking at that what I need is the following.

Interfaces Outside,Inside and DMZ.

ASA to NAT everything outgoing.

I have five static IP:s and one of them is for the ASAs SSL vpn(34), one for the mailserver(35).

The mailserver is in the internal network, not DMZ, because it's a Domain controller also. So I need ports 443(https) and 25(smtp) redirected to the inside when comming to the outside IP X.X.X.35.

I'm guessing from your What are you trying to achieve here lines that I should dump the config and start over. And also since that is ASDM genereated source I might be better of doing this trough the cli so I get a hang of it.

Re: ASA5505 basic settings

mahellma — Thu, 09 Oct 2008 07:19:39 GMT

And to make it more? clear here is a image of it.

http://www.nixadmins.net/pics/explain.jpg