12-08-2013 06:30 PM - edited 03-11-2019 08:14 PM
First, some background.
I started out a number of years ago using the Pix 501s. Now I am using ASA 5505s. I know enough to be dangerous, but not enough to be useful. That being said, assume I know nothing, as this is largely the case. I have a basic understanding of how ASAs are to be configured, but such a low knowledge of syntax that I consider myself to be a noob.
I know how to log on to cli, enter config t, and know to write mem before quitting. I am long on logic, short on specific knowledge of the ASA 5505 syntax.
I have three ASA 5505s. One in my small main office, two in satellite locations, which use site to site (if I am using the correct term) vpn configurations.
I hope this is enough background to be useful, without so much as to put everyone to sleep. Now to my specific questions.
First, some basics. I see people posting configs here. Other than specific public addresses, is there any danger in doing so? For example, the encrypted passwords are shown. Can this info be used to decrypt the passwords? Is it better to redact some info from the config? If so, what?
As I expect people to ask to see the config, I'll wait for a response to the above before posting a specific question and config.
Sincerely,
Stephen C
12-08-2013 06:46 PM
Stephen C
In my experience the passwords on ASA are much more safe and much less likely to be decrypted. Having said that, if it makes you more comfortable then when posting configs you might want to disguise both passwords and public addresses.
So go ahead and post your config and your question.
HTH
Rick
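Added example, not part of the original thread: a small Python sanitizer for the question above about what to redact before posting an ASA config. It goes beyond the two items named in the reply (passwords and public addresses) by also stripping pre-shared keys and SNMP community strings; the sample config and every value in it are constructed.

```python
import ipaddress
import re

# Keywords whose next token is a secret or a password hash.
SECRET = re.compile(
    r"^(\s*(?:enable password|passwd|username \S+ password|pre-shared-key"
    r"|snmp-server community) )\S+", re.M)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Inside/loopback ranges stay readable so helpers can follow NAT and ACLs.
KEEP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample; public addresses are from the documentation ranges.
SAMPLE = """\
enable password ExampleHashAAAAAA encrypted
snmp-server community examplecommunity
access-list 101 extended permit tcp host 203.0.113.10 interface outside eq 2222
ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
crypto map outside_map 20 set peer 203.0.113.10
ssh 203.0.113.10 255.255.255.255 outside
 pre-shared-key ExampleKey123
"""


def is_netmask(addr):
    """True for contiguous masks such as 255.255.255.0, and for 0.0.0.0."""
    inverted = ~int(addr) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def sanitize(config):
    """Return (sanitized text, {public address: placeholder})."""
    config = SECRET.sub(r"\1<removed>", config)
    mapping = {}

    def swap(match):
        try:
            addr = ipaddress.IPv4Address(match.group(0))
        except ipaddress.AddressValueError:
            return match.group(0)  # not a valid address, leave untouched
        if is_netmask(addr) or any(addr in net for net in KEEP):
            return match.group(0)
        # One label per address, so peers, routes and ACLs still line up.
        return mapping.setdefault(str(addr), f"<public-{len(mapping) + 1}>")

    return IPV4.sub(swap, config), mapping


if __name__ == "__main__":
    print(sanitize(SAMPLE)[0])
```

Because each public address keeps one consistent placeholder, a reader can still match a crypto map peer to its tunnel-group and ACL entries without seeing the real address.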
12-08-2013 09:23 PM
So I have Comcast at my main office. Long story short, they swapped my modem to attempt to fix a local node issue (it didn't) and the new modem wouldn't work with my ASA 5505 config. Specifically, the Cisco config would disable routing on the Comcast modem. In attempting to fix the issue, I stripped out everything that seemed related to dns (I told you I was dangerous), which fixed the routing issue, but left me with a VPN problem. I can't seem to get the VPN tunnels to connect. Is there something that I am doing/am not doing with the config that should fix this?
Diagnostically, I can ping the default gateway address from an external machine, but not the fixed IP address that Comcast assigned me. Also, I tried having Comcast put the modem into bridged mode, but that killed the whole connectivity, so with the current config, the Comcast modem is not bridged. I know that this is not as desirable, but it was that way before they swapped the modem, and at this point, I would prefer to get the ASA working properly with the modem unbridged, and then work on a correct bridged config.
ASA Version 8.0(4)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 101 extended permit icmp any any
access-list 101 extended permit udp any interface outside
access-list 101 extended permit tcp host 69.xx.xx.xx interface outside eq 2222
access-list 101 extended permit tcp host 98.xx.xx.xx interface outside eq 2222
access-list outside_cryptomap_30 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_inbound_pat0_acl extended permit tcp any host 192.168.10.110
access-list inside_inbound_pat0_acl extended permit tcp any host 192.168.10.100
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2222 192.168.10.110 ssh netmask 255.255.255.255
static (inside,outside) udp interface 1194 192.168.10.110 1194 netmask 255.255.255.255
static (inside,outside) tcp interface 25000 192.168.10.100 25000 netmask 255.255.255.255
static (inside,outside) udp interface 25000 192.168.10.100 25000 netmask 255.255.255.255
static (inside,outside) tcp interface 25443 192.168.10.100 25443 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 74.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 69.xx.xx.xx.xx 255.255.255.255 outside
http 98.xx.xx.xx 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community trdsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 24.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 64.xx.xx.xx
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 30 set security-association lifetime seconds 86400
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh 192.168.10.0 255.255.255.0 inside
ssh 199.120.223.0 255.255.255.0 outside
ssh 67.xx.xx.xx 255.255.255.255 outside
ssh 98.xx.xx.xx 255.255.255.255 outside
ssh 69.xx.xx.xx 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
dhcpd auto_config outside
!
dhcpd address 192.168.10.2-192.168.10.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 24.xx.xx.xx type ipsec-l2l
tunnel-group 24.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 67.xx.xx.xx type ipsec-l2l
tunnel-group 67.xx.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 64.xx.xx.xx type ipsec-l2l
tunnel-group 64.xx.xx.xx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
12-09-2013 01:05 AM
Have you tried rebuilding the tunnel by clearing ISAKMP and IPsec SA's?
clear crypto isakmp
clear crypto ipsec sa
--
Please remember to rate and select a correct answer
12-09-2013 05:34 AM
There are some things about the description of the problem and the config that puzzle me. The description talks about a fixed address assigned by Comcast. But the config shows that the outside interface is using dhcp to learn an address.
The outside interface dhcp is using setroute which would seem to make the configured default route not necessary and potentially counterproductive.
Can you clarify this?
Also you tell us that an external host can ping the gateway. Can that host ping anything beyond the gateway? (especially when pinging by address and not necessarily pinging by name)
HTH
Rick
12-09-2013 07:05 AM
As I said, my knowledge level is more dangerous than useful. The current config is what is working, sort of, after I tried changing the outside interface and the route outside in an effort to fix things, both with the modem in bridged mode, and un-bridged. Currently the modem is un-bridged, and the previous modem was unbridged. I would like to fix the config to work with the modem in un-bridged mode, then possibly go to a bridged mode config.
If you think that changing/deleting the route outside would fix things for an un-bridged modem, please advise what changes you would recommend.
12-09-2013 06:58 AM
I have not. My knowledge of this procedure is low, so any explanation of the steps would be appreciated. Right now, I am concerned about the fact that the fixed IP given to me by Comcast is not pingable from the outside.
12-09-2013 07:37 AM
Stephen C
Let's go one step at a time. The first step is to clarify whether you want to operate with a dhcp assigned address or with a fixed address and then to configure the ASA to do that. Either keep the interface dhcp as it is in the config that you posted and remove the static default route or keep the static default route and configure the ASA interface with an IP address.
After you clear this up we will figure out what comes next.
HTH
Rick
12-09-2013 07:56 AM
I want a fixed IP address, not dhcp. How do I configure the outside interface to be fixed IP, when the Comcast modem is NOT bridged? Also, do I need to change the route outside? The route outside is currently set to the gateway address, which is the IP address of the cable modem.
12-09-2013 08:07 AM
Stephen C
Use this
interface Vlan2
ip address a.a.a.a m.m.m.m
Then see if you can ping the gateway from the ASA and also from an inside host.
HTH
Rick
12-09-2013 09:23 AM
Okay I will try that. Would this be the same config for a bridged mode modem as well?
12-09-2013 10:19 AM
I tried setting the outside interface (Vlan2) to fixed IP (the static IP address I bought) and the netmask that Comcast gave me, and the connection broke. Keep in mind that you didn't say anything about rebooting the Comcast modem after making the changes to the Cisco router, so I did NOT do that.
I did reboot the Comcast modem after changing the config back to dhcp, and that got us back to status quo. So if I did things correctly, then your suggestion didn't work. If I did things incorrectly, please advise.
12-09-2013 07:49 PM
Stephen C
I would not have thought that a reboot of the modem was necessary in changing the interface to use a fixed IP address. But if I am understanding your post correctly then changing the interface to fixed IP and then back to dhcp did not work until you did a reboot. In that case I would sure suggest changing the interface to fixed IP address and then reboot the modem.
HTH
Rick