12-11-2007 06:28 AM - edited 03-11-2019 04:42 AM
I tried to set up my Cisco ASA 5505 (Version 7.1(1)) at my own office.
LAN --> ASA --> ADSL router --> Internet
I need to go from outside any to inside 192.168.1.5 eq (www and https)
I need to go from outside any to inside 192.168.1.5 eq (pptp and gre)
(I am not sure if it should go to 192.168.1.5 or 192.168.1.9) I need to go from outside any to inside 192.168.1.4 eq (smtp)
My overall network:
ADSL modem (200.0.0.169/29), which connects to the ASA outside VLAN2 (200.0.0.170/29), which in turn connects to the ASA inside VLAN1 (192.168.1.1/24)
200.0.0.169/29 - DSL modem
200.0.0.170/29 - cisco ASA (LAN IP: 192.168.1.1/24)
200.0.0.171/29 - exchange and VPN (LAN IP: 192.168.1.5/24)
no public IP - MAIL FILTER server (LAN IP: 192.168.1.9/24)
12-12-2007 08:28 AM
Please let me know if there is any incorrect configuration; I will try to test it out tonight, during off hours.
ASA Version 7.2(1)
!
hostname asa5505
domain-name mydomain.com
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.0.0.170 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.com
dns server-group DefaultDNSsunrpc
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.0.0.179 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
12-12-2007 12:18 PM
route outside 0.0.0.0 0.0.0.0 200.0.0.179
should be
route outside 0.0.0.0 0.0.0.0 200.0.0.169
and we had better dedicate 171 to 5. Apply the following please:
no static (inside,outside) tcp 200.0.0.171 https 192.168.1.5 https netmask 255.255.255.255
no static (inside,outside) tcp 200.0.0.171 www 192.168.1.5 www netmask 255.255.255.255
no static (inside,outside) tcp 200.0.0.171 pptp 192.168.1.5 pptp netmask 255.255.255.255
static (inside,outside) 200.0.0.171 192.168.1.5 netmask 255.255.255.255
access-list outside_access_in permit gre any host 200.0.0.171
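The route correction above can be checked mechanically: the next hop of a static route has to be a host on the subnet of the interface the route names, and it must not be the ASA's own address on that interface. The script below is an added example, not part of the thread or of any Cisco tooling; it parses the interface and route lines copied from the posted config (still carrying the original next hop 200.0.0.179) and reports why .179 and .170 fail while .169 passes.

```python
"""Sanity-check the static routes in a pasted ASA 7.x config against the
addresses of the interfaces they name. Added example, not from the thread;
the fragment below is copied from the posted config, with the original
next hop 200.0.0.179 that the reply corrects."""
import ipaddress
import re

CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.0.0.170 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 200.0.0.179 1
"""


def parse_interfaces(text):
    """Map nameif -> ip_interface for every interface block that has an address."""
    ifaces, name, addr = {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":        # new block: forget the previous one
            name = addr = None
        elif tok[0] == "nameif":
            name = tok[1]
        elif tok[:2] == ["ip", "address"]:
            addr = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        if name and addr:
            ifaces[name] = addr
    return ifaces


def parse_routes(text):
    """Return (nameif, destination network, next hop) for each 'route' line."""
    routes = []
    for nameif, dest, mask, gw in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", text, re.M):
        routes.append((nameif, ipaddress.ip_network(f"{dest}/{mask}"), ipaddress.ip_address(gw)))
    return routes


def check_route(ifaces, route):
    """Problems with one route; an empty list means the next hop is directly reachable."""
    nameif, _dest, gw = route
    iface = ifaces.get(nameif)
    if iface is None:
        return [f"no interface named {nameif}"]
    if gw == iface.ip:
        return [f"next hop {gw} is the ASA's own {nameif} address"]
    if gw not in iface.network:
        return [f"next hop {gw} is not on the {nameif} subnet {iface.network}"]
    if gw in (iface.network.network_address, iface.network.broadcast_address):
        return [f"next hop {gw} is the network or broadcast address of {iface.network}"]
    return []


def check_config(text):
    """{next hop: [problems]} for every route in the config text."""
    ifaces = parse_interfaces(text)
    return {str(r[2]): check_route(ifaces, r) for r in parse_routes(text)}


if __name__ == "__main__":
    # Try the three next hops discussed in the thread against the same interface config.
    for gw in ("200.0.0.179", "200.0.0.170", "200.0.0.169"):
        print(gw, check_config(CONFIG.replace("200.0.0.179", gw))[gw] or "ok")
```

The check only covers what the thread turns on (the next hop must sit inside the /29 of the outside interface and must not be the interface itself); it says nothing about whether the device at that address actually forwards, which is the separate bridged-modem question raised later in the thread.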
12-12-2007 01:21 PM
Thanks husycisco, I will give this a try tonight; here I have made the changes accordingly.
ASA Version 7.2(1)
!
hostname asa5505
domain-name mydomain.com
enable password xxx
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 200.0.0.170 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name mydomain.com
dns server-group DefaultDNSsunrpc
object-group service dynamictcp tcp
port-object range 1024 65535
object-group service timetcp udp
port-object eq ntp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
static (inside,outside) 200.0.0.171 192.168.1.5 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 200.0.0.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
12-12-2007 02:04 PM
You are welcome. Config looks OK.
Good luck
12-14-2007 05:45 AM
With the config above, I have no internet/smtp/VPN/OWA, nothing works.
I then added all my previous inside ACLs and applied
access-group inside_access_in in interface inside
I am then back to the point where I have internet working, but not smtp/VPN/OWA.
I found that on my old config, internet works if I have either:
route outside 0.0.0.0 0.0.0.0 200.0.0.169 1
OR
route outside 0.0.0.0 0.0.0.0 200.0.0.170 1
and internet still works.
I have attached my current config; any advice will help.
Thank you.
12-14-2007 06:28 AM
Believe me, there is no difference between the config above in the post and the config in the attachment that can affect internet connectivity etc. An ACL applied to the inside interface is just for filtering outbound connections; by default, traffic from the inside interface (higher security level) to the outside interface (lower security level) is already permitted. Maybe you did not run clear xlate, clear route and clear arp for the config to really take effect, or did not renew the IP addresses of the inside clients.
"route outside 0.0.0.0 0.0.0.0 200.0.0.169 1
OR
route outside 0.0.0.0 0.0.0.0 200.0.0.170 1
and internet still works."
Doesn't make sense. You are missing something on the modem side, in my opinion. Maybe your modem has an additional IP configured as .170 which conflicts with the ASA interface.
Did you forward the necessary ports to the related IPs in your modem?
You had better configure your modem in bridged mode or ask your ISP to configure it.
Regards
12-18-2007 02:06 PM
Thank you again.
I called the ISP and confirmed that our modem was in bridged mode already and nothing is blocking it.
I will try it again tomorrow morning with:
clear xlate
clear arp
clear route
I mean my configuration looks fine and I will see how things go.
12-20-2007 01:45 PM
Perfect, now we have resolved the issue. If the modem was already configured in bridged mode, that means you have to assign a real IP to the outside interface.
Assuming that 209.112.47.170 is your gateway: please ask your ISP for your IP network. It must be a network that covers 209.112.47.170. Then you will add the following route and configure your outside interface with a real IP like 209.112.47.171
route outside 0.0.0.0 0.0.0.0 209.112.47.170
Regards
12-20-2007 01:49 PM
Now you got me confused; should I use:
route outside 0.0.0.0 0.0.0.0 200.0.0.170 1
or
route outside 0.0.0.0 0.0.0.0 200.0.0.169 1
Please verify, since I will be doing this tonight.
12-21-2007 02:09 AM
Internet connection, Outlook Web Access and VPN are all UP !!!!
Only incoming smtp has to be fixed, and here is the syslog:
4|Dec 21 2007|02:52:18|106023|213.22.82.144|200.0.0.171|Deny tcp src outside:213.22.82.144/4870 dst inside:200.0.0.171/25 by access-group "outside_access_in" [0x0, 0x0]
4|Dec 21 2007|02:52:18|106023|211.172.54.68|200.0.0.171|Deny tcp src outside:211.172.54.68/15519 dst inside:200.0.0.171/25 by access-group "outside_access_in" [0x0, 0x0]
4|Dec 21 2007|03:20:33|106023|211.136.107.165|200.0.0.171|Deny tcp src outside:211.136.107.165/1874 dst inside:200.0.0.171/53 by access-group "outside_access_in" [0x0, 0x0]
I found that if I change the following:
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq smtp
We do get incoming emails, but it will then bypass our Mail Filter Server (192.168.1.9), therefore we do get all the junk mail.
Any input will help.
Thank you.
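The three 106023 lines above already contain the diagnosis. In this release the outside ACL is evaluated against the global (pre-NAT) address, and the only port-25 entry in outside_access_in is for `interface outside` (200.0.0.170), while the senders are connecting to 200.0.0.171, which after the one-to-one static now belongs entirely to 192.168.1.5. That also explains the observation in the post: permitting smtp to 200.0.0.171 makes the one-to-one static deliver mail straight to Exchange, skipping the filter at 192.168.1.9 that the port static on the interface address points to. The script below is an added example, not part of the thread; it parses the ACL and static lines copied from the posted config together with the three syslog lines, applies the outside ACL to each denied connection, and shows which inside host the statics would hand it to if it were permitted. Port names are resolved to the values ASA 7.x uses for them (assumption: no custom port names), and `interface outside` is resolved to 200.0.0.170 from the config.

```python
"""Replay the outside_access_in ACL and the statics from the posted config
against the poster's 106023 deny messages. Added example, not from the thread;
port names map to the values ASA 7.x uses for them (assumed: no custom names)."""
import ipaddress
import re

PORT_NAMES = {"www": 80, "https": 443, "smtp": 25, "pptp": 1723, "pcanywhere-data": 5631}
OUTSIDE_IP = "200.0.0.170"  # what 'interface outside' resolves to in the posted config
ACL_CONFIG = """\
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit gre any host 200.0.0.171
access-list outside_access_in extended permit tcp any host 200.0.0.173 eq https
access-list outside_access_in extended permit udp any host 200.0.0.173
access-list outside_access_in extended permit tcp any host 200.0.0.173 range pcanywhere-data 5632
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq www
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq https
access-list outside_access_in extended permit tcp any host 200.0.0.171 eq pptp
access-list outside_access_in extended permit tcp any interface outside eq smtp
"""
STATIC_CONFIG = """\
static (inside,outside) tcp interface smtp 192.168.1.9 smtp netmask 255.255.255.255
static (inside,outside) 200.0.0.172 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 200.0.0.173 192.168.1.7 netmask 255.255.255.255
static (inside,outside) 200.0.0.171 192.168.1.5 netmask 255.255.255.255
"""
SYSLOG = """\
4|Dec 21 2007|02:52:18|106023|213.22.82.144|200.0.0.171|Deny tcp src outside:213.22.82.144/4870 dst inside:200.0.0.171/25 by access-group "outside_access_in" [0x0, 0x0]
4|Dec 21 2007|02:52:18|106023|211.172.54.68|200.0.0.171|Deny tcp src outside:211.172.54.68/15519 dst inside:200.0.0.171/25 by access-group "outside_access_in" [0x0, 0x0]
4|Dec 21 2007|03:20:33|106023|211.136.107.165|200.0.0.171|Deny tcp src outside:211.136.107.165/1874 dst inside:200.0.0.171/53 by access-group "outside_access_in" [0x0, 0x0]
"""
DENY_RE = re.compile(r"Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tok, i):
    """Consume one address spec (any | host A | interface N | A MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "interface":  # only 'outside' is used this way in the posted config
        return ipaddress.ip_network(OUTSIDE_IP + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq P | range A B]' lines."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        rest = tok[4:] if tok[2] == "extended" else tok[3:]  # [PROTO, SRC.., DST.., ports]
        action = tok[3] if tok[2] == "extended" else tok[2]
        src, i = _addr(rest, 1)
        dst, i = _addr(rest, i)
        lo, hi = 1, 65535  # no port keyword (or an icmp type keyword): any port
        if i < len(rest) and rest[i] == "eq":
            lo = hi = _port(rest[i + 1])
        elif i < len(rest) and rest[i] == "range":
            lo, hi = _port(rest[i + 1]), _port(rest[i + 2])
        aces.append((line, action, rest[0], src, dst, lo, hi))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First-match lookup on the global address; returns the permitting ACE text or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line, action, aproto, asrc, adst, lo, hi in aces:
        if aproto not in (proto, "ip") or s not in asrc or d not in adst:
            continue
        if proto in ("tcp", "udp") and not lo <= dport <= hi:
            continue
        return line if action == "permit" else None
    return None  # no ACE matched: implicit deny, which is what 106023 reports


def parse_statics(text):
    """Parse one-to-one ('GLOBAL LOCAL') and port ('tcp GLOBAL GP LOCAL LP') statics."""
    rules = []
    for line in text.splitlines():
        body = line.split()[2:] if line.startswith("static ") else None
        if body and body[0] in ("tcp", "udp"):
            glob = OUTSIDE_IP if body[1] == "interface" else body[1]
            rules.append((body[0], glob, _port(body[2]), body[3], _port(body[4])))
        elif body:
            rules.append((None, body[0], None, body[1], None))
    return rules


def untranslate(statics, proto, dst, dport=None):
    """Inside (ip, port) that a packet to global dst:dport would be delivered to, or None."""
    for sproto, glob, gport, local, lport in statics:
        if glob == dst and sproto is None:
            return local, dport
        if glob == dst and sproto == proto and gport == dport:
            return local, lport
    return None


def explain_denies(syslog_text, aces, statics):
    """For each 106023 line: (dst, dport, permitting ACE or None, inside target or None)."""
    out = []
    for proto, src, dst, dport in DENY_RE.findall(syslog_text):
        dport = int(dport)
        out.append((dst, dport, evaluate(aces, proto, src, dst, dport),
                    untranslate(statics, proto, dst, dport)))
    return out


if __name__ == "__main__":
    for dst, dport, ace, target in explain_denies(SYSLOG, parse_acl(ACL_CONFIG), parse_statics(STATIC_CONFIG)):
        print(f"{dst}/{dport}: {'permitted by ' + ace if ace else 'no permit ACE (implicit deny)'};"
              f" static would deliver to {target}")
```

Running it prints, for all three connections, that no ACE in outside_access_in permits them, and that the one-to-one static would send 200.0.0.171/25 to 192.168.1.5 rather than to the mail filter. The port-53 attempt is unrelated background noise and correctly stays denied.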
12-21-2007 09:14 AM
please post your current running config