ASA 5505 Config

srchowning
Level 1

First, some background.

I started out a number of years ago using the Pix 501s. Now I am using ASA 5505s. I know enough to be dangerous, but not enough to be useful. That being said, assume I know nothing, as this is largely the case. I have a basic understanding of how ASAs are to be configured, but such a low knowledge of syntax that I consider myself to be a noob.

I know how to log on to cli, enter config t, and know to write mem before quitting. I am long on logic, short on specific knowledge of the ASA 5505 syntax.

I have three ASA 5505s. One in my small main office, two in satellite locations, which use site to site (if I am using the correct term) vpn configurations.

I hope this is enough background to be useful, without so much as to put everyone to sleep. Now to my specific questions.

First, some basics. I see people posting configs here. Other than specific public addresses, is there any danger in doing so? For example, the encrypted passwords are shown. Can this info be used to decrypt the passwords? Is it better to redact some info from the config? If so, what?

As I expect people to ask to see the config, I'll wait for a response to the above before posting a specific question and config.

Sincerely,

Stephen C

12 Replies

Richard Burts
Hall of Fame

Stephen C

In my experience the passwords on ASA are much more safe and much less likely to be decrypted. Having said that, if it makes you more comfortable then when posting configs you might want to disguise both passwords and public addresses.

So go ahead and post your config and your question.

HTH

Rick
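As an added example (not from this thread or from Cisco), here is a small Python sanitizer that does the redaction Rick describes before a config is posted: it blanks the value of `enable password`, `passwd`, `pre-shared-key` and `snmp-server community` lines and masks every public IPv4 address while leaving RFC 1918 addresses, netmasks and 0.0.0.0 intact. The sample config is constructed to resemble the one in this thread; the secret values in it are made up.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the ASA 8.0(4) config in this thread.
# Password hashes, community string and public addresses are made-up values.
SAMPLE = """\
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
snmp-server community trdsnmp
crypto map outside_map 20 set peer 24.1.2.3
route outside 0.0.0.0 0.0.0.0 74.5.6.7 1
ip address 192.168.10.1 255.255.255.0
tunnel-group 24.1.2.3 type ipsec-l2l
 pre-shared-key ThisIsMadeUp
"""

# Commands whose first argument is a secret worth removing before posting.
SECRET_RE = re.compile(
    r"^(\s*(?:enable password|passwd|pre-shared-key|snmp-server community)\s+)"
    r"(\S+)(.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def mask_ip(match):
    """Keep private/unspecified addresses and netmasks; mask public ones
    the way the thread does (first octet kept, rest replaced by xx)."""
    text = match.group(0)
    try:
        ip = ip_address(text)
    except ValueError:           # not a real address (e.g. octet > 255)
        return text
    # 255.255.255.x netmasks fall in the reserved 240.0.0.0/4 range
    if ip.is_private or ip.is_unspecified or ip.is_reserved or ip.is_loopback:
        return text
    return text.split(".")[0] + ".xx.xx.xx"


def redact_line(line):
    m = SECRET_RE.match(line)
    if m:
        return f"{m.group(1)}<REDACTED>{m.group(3)}"
    return IPV4_RE.sub(mask_ip, line)


def redact_config(text):
    """Redact a whole running-config; line structure is preserved."""
    return "\n".join(redact_line(l) for l in text.splitlines())


if __name__ == "__main__":
    print(redact_config(SAMPLE))
```

Note that `pre-shared-key` already prints as `*` in `show running-config`, but `more system:running-config` reveals it, so the sanitizer handles both cases.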

So I have Comcast at my main office. Long story short, they swapped my modem to attempt to fix a local node issue (it didn't) and the new modem wouldn't work with my ASA 5505 config. Specifically, the Cisco config would disable routing on the Comcast modem. In attempting to fix the issue, I stripped out everything that seemed related to dns (I told you I was dangerous), which fixed the routing issue, but left me with a VPN problem. I can't seem to get the VPN tunnels to connect. Is there something that I am doing/am not doing with the config that should fix this?

Diagnostically, I can ping the default gateway address from an external machine, but not the fixed IP address that Comcast assigned me. Also, I tried having Comcast put the modem into bridged mode, but that killed the whole connectivity, so with the current config, the Comcast modem is not bridged. I know that this is not as desirable, but it was that way before they swapped the modem, and at this point, I would prefer to get the ASA working properly with the modem unbridged, and then work on a correct bridged config.

ASA Version 8.0(4)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list 101 extended permit icmp any any
access-list 101 extended permit udp any interface outside
access-list 101 extended permit tcp host 69.xx.xx.xx interface outside eq 2222
access-list 101 extended permit tcp host 98.xx.xx.xx interface outside eq 2222
access-list outside_cryptomap_30 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_inbound_pat0_acl extended permit tcp any host 192.168.10.110
access-list inside_inbound_pat0_acl extended permit tcp any host 192.168.10.100
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2222 192.168.10.110 ssh netmask 255.255.255.255
static (inside,outside) udp interface 1194 192.168.10.110 1194 netmask 255.255.255.255
static (inside,outside) tcp interface 25000 192.168.10.100 25000 netmask 255.255.255.255
static (inside,outside) udp interface 25000 192.168.10.100 25000 netmask 255.255.255.255
static (inside,outside) tcp interface 25443 192.168.10.100 25443 netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 74.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 69.xx.xx.xx.xx 255.255.255.255 outside
http 98.xx.xx.xx 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community trdsnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 24.xx.xx.xx
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 86400
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 64.xx.xx.xx
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 30 set security-association lifetime seconds 86400
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh scopy enable
ssh 192.168.10.0 255.255.255.0 inside
ssh 199.120.223.0 255.255.255.0 outside
ssh 67.xx.xx.xx 255.255.255.255 outside
ssh 98.xx.xx.xx 255.255.255.255 outside
ssh 69.xx.xx.xx 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx
dhcpd auto_config outside
!
dhcpd address 192.168.10.2-192.168.10.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 24.xx.xx.xx type ipsec-l2l
tunnel-group 24.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 67.xx.xx.xx type ipsec-l2l
tunnel-group 67.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group 64.xx.xx.xx type ipsec-l2l
tunnel-group 64.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Have you tried rebuilding the tunnel by clearing the ISAKMP and IPsec SAs?

clear crypto isakmp
clear crypto ipsec sa

--
Please remember to rate and select a correct answer

There are some things about the description of the problem and the config that puzzle me. The description talks about a fixed address assigned by Comcast. But the config shows that the outside interface is using dhcp to learn an address.

The outside interface dhcp is using setroute which would seem to make the configured default route not necessary and potentially counter productive.

Can you clarify this?

Also you tell us that an external host can ping the gateway. Can that host ping anything beyond the gateway? (especially when pinging by address and not necessarily pinging by name)

HTH

Rick

As I said, my knowledge level is more dangerous than useful. The current config is what is working, sort of, after I tried changing the outside interface and the route outside in an effort to fix things, both with the modem in bridged mode, and un-bridged. Currently the modem is un-bridged, and the previous modem was unbridged. I would like to fix the config to work with the modem in un-bridged mode, then possibly go to a bridged mode config.

If you think that changing/deleting the route outside would fix things for an un-bridged modem, please advise what changes you would recommend.

I have not. My knowledge of this procedure is low, so any explanation of the steps would be appreciated. Right now, I am concerned about the fact that the fixed IP given to me by Comcast is not pingable from the outside.

Stephen C

Let's go one step at a time. The first step is to clarify whether you want to operate with a dhcp assigned address or with a fixed address and then to configure the ASA to do that. Either keep the interface dhcp as it is in the config that you posted and remove the static default route, or keep the static default route and configure the ASA interface with an IP address.

After you clear this up we will figure out what comes next.

HTH

Rick
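The conflict Rick points out (an outside interface that learns its default route from DHCP via `setroute` while a static `route outside 0.0.0.0 0.0.0.0` is also configured) is easy to check for mechanically. The following Python linter is an added example, not part of the thread: it parses the interface blocks and static routes of an ASA-style config and reports any interface that has both, naming the two fixes from the reply above. The sample config is constructed; the next-hop address in it is a placeholder.

```python
import re

# Constructed excerpt modelled on the config posted above; 74.0.0.1 is a placeholder.
SAMPLE = """\
interface Vlan1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
route outside 0.0.0.0 0.0.0.0 74.0.0.1 1
"""

ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse_interfaces(text):
    """Map each nameif to whether its address comes from 'ip address dhcp setroute'.
    Blocks start at 'interface ...' and end at '!', so indentation is not required
    (the config in this thread lost its indentation when it was posted)."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"dhcp_setroute": False}
        elif line == "!":
            cur = None
        elif cur is not None:
            tok = line.split()
            if tok[0] == "nameif":
                ifaces[tok[1]] = cur
            elif tok[:3] == ["ip", "address", "dhcp"]:
                cur["dhcp_setroute"] = "setroute" in tok
    return ifaces


def default_routes(text):
    """Return {nameif: next_hop} for every static default route."""
    matches = (ROUTE_RE.match(l.strip()) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def check_default_route_conflict(text):
    """One finding per interface that both learns a default route via DHCP and
    has a static one; the two can disagree on the next hop after a modem swap."""
    ifaces = parse_interfaces(text)
    findings = []
    for name, hop in default_routes(text).items():
        if ifaces.get(name, {}).get("dhcp_setroute"):
            findings.append(
                f"{name}: 'ip address dhcp setroute' and a static default route via {hop}; "
                f"either remove 'route {name} 0.0.0.0 0.0.0.0 {hop}' or give the interface "
                f"a fixed 'ip address' and keep the route")
    return findings
```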

I want a fixed IP address, not dhcp. How do I configure the outside interface to be fixed IP, when the Comcast modem is NOT bridged? Also, do I need to change the route outside? The route outside is currently set to the gateway address, which is the IP address of the cable modem.

Stephen C

Use this

interface Vlan2
 ip address a.a.a.a m.m.m.m

Then see if you can ping the gateway from the ASA and also from an inside host.

HTH

Rick

Okay I will try that. Would this be the same config for a bridged mode modem as well?

I tried setting the outside interface (Vlan2) to fixed IP (the static IP address I bought) and the netmask that Comcast gave me, and the connection broke. Keep in mind that you didn't say anything about rebooting the Comcast modem after making the changes to the Cisco router, so I did NOT do that.

I did reboot the Comcast modem after changing the config back to dhcp, and that got us back to status quo. So if I did things correctly, then your suggestion didn't work. If I did things incorrectly, please advise.

Stephen C

I would not have thought that a reboot of the modem was necessary in changing the interface to use a fixed IP address. But if I am understanding your post correctly then changing the interface to fixed IP and then back to dhcp did not work until you did a reboot. In that case I would sure suggest changing the interface to fixed IP address and then reboot the modem.

HTH

Rick