12-28-2011 05:46 PM - edited 03-11-2019 03:07 PM
First time attempting to set up a 5505. Trying to replace a SnapGear firewall and replicate the settings to the 5505. The config is below... thanks in advance!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 71.x.x.x 255.255.255.0
!
interface Vlan12
description Test
nameif Test
security-level 100
ip address 192.8.10.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
access-list outside_in extended permit tcp any interface outside eq lpd
access-list outside_in extended permit tcp any interface outside eq 9100
access-list outside_in extended permit tcp any interface outside eq pcanywhere-data
access-list outside_in extended permit tcp any interface outside eq 5632
access-list outside_in extended permit tcp any interface outside eq 563
access-list outside_in extended permit tcp any interface outside eq 1658
access-list outside_in extended permit tcp any interface outside eq 2462
access-list outside_in extended permit tcp any interface outside eq 2463
access-list outside_in extended permit tcp any interface outside eq 2464
access-list outside_in extended permit tcp any interface outside eq 2466
access-list outside_in extended permit tcp any interface outside eq 2470
access-list outside_in extended permit tcp any interface outside eq 2474
access-list outside_in extended permit tcp any interface outside eq 2459
access-list outside_in extended permit tcp any interface outside eq 2460
access-list outside_in extended permit tcp any interface outside eq 2475
access-list outside_in extended permit tcp any interface outside eq 2471
access-list outside_in extended permit tcp any interface outside eq 2484
access-list outside_in extended permit tcp any interface outside eq 2485
access-list outside_in extended permit tcp any interface outside eq 2458
access-list outside_in extended permit tcp any interface outside eq 2465
access-list outside_in extended permit tcp any interface outside eq 2473
access-list outside_in extended permit tcp any interface outside eq 2476
access-list outside_in extended permit tcp any interface outside eq 2490
access-list outside_in extended permit tcp any interface outside eq 2491
access-list outside_in extended permit tcp any interface outside eq 2472
access-list outside_in extended permit tcp any interface outside eq 2467
access-list outside_in extended permit tcp any interface outside eq 2468
access-list outside_in extended permit tcp any interface outside eq 5555
access-list outside_in extended permit tcp any interface outside eq 2493
access-list outside_in extended permit tcp any interface outside eq 2461
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit tcp any interface outside eq 2494
access-list outside_in extended permit tcp any interface outside eq ftp
access-list outside_in extended permit tcp any interface outside eq 2469
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Test 1500
ip local pool Root_Address_Pool 192.168.1.250-192.168.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface lpd 192.168.1.75 lpd netmask 255.255.255.255
static (inside,outside) tcp interface 9100 192.168.1.75 9100 netmask 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data 192.168.1.77 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 5632 192.168.1.77 5632 netmask 255.255.255.255
static (inside,outside) tcp interface 563 192.168.1.207 563 netmask 255.255.255.255
static (inside,outside) tcp interface 1658 192.168.1.207 1658 netmask 255.255.255.255
static (inside,outside) tcp interface 2462 192.168.1.67 2462 netmask 255.255.255.255
static (inside,outside) tcp interface 2463 192.168.1.105 2463 netmask 255.255.255.255
static (inside,outside) tcp interface 2464 192.168.1.98 2464 netmask 255.255.255.255
static (inside,outside) tcp interface 2466 192.168.1.96 2466 netmask 255.255.255.255
static (inside,outside) tcp interface 2470 192.168.1.70 2470 netmask 255.255.255.255
static (inside,outside) tcp interface 2474 192.168.1.97 2474 netmask 255.255.255.255
static (inside,outside) tcp interface 2459 192.168.1.102 2459 netmask 255.255.255.255
static (inside,outside) tcp interface 2460 192.168.1.104 2460 netmask 255.255.255.255
static (inside,outside) tcp interface 2475 192.168.1.90 2475 netmask 255.255.255.255
static (inside,outside) tcp interface 2471 192.168.1.76 2471 netmask 255.255.255.255
static (inside,outside) tcp interface 2484 192.168.1.77 2484 netmask 255.255.255.255
static (inside,outside) tcp interface 2485 192.168.1.108 2485 netmask 255.255.255.255
static (inside,outside) tcp interface 2458 192.168.1.153 2458 netmask 255.255.255.255
static (inside,outside) tcp interface 2465 192.168.1.156 2465 netmask 255.255.255.255
static (inside,outside) tcp interface 2473 192.168.1.247 2473 netmask 255.255.255.255
static (inside,outside) tcp interface 2476 192.168.1.71 2476 netmask 255.255.255.255
static (inside,outside) tcp interface 2490 192.168.1.174 2490 netmask 255.255.255.255
static (inside,outside) tcp interface 2491 192.168.1.90 2491 netmask 255.255.255.255
static (inside,outside) tcp interface 2472 192.168.1.171 2472 netmask 255.255.255.255
static (inside,outside) tcp interface 2467 192.168.1.110 2467 netmask 255.255.255.255
static (inside,outside) tcp interface 2468 192.168.1.121 2468 netmask 255.255.255.255
static (inside,outside) tcp interface 5555 192.168.1.109 5555 netmask 255.255.255.255
static (inside,outside) tcp interface 2493 192.168.1.133 2493 netmask 255.255.255.255
static (inside,outside) tcp interface 2461 192.168.1.185 2461 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.133 www netmask 255.255.255.255
static (inside,outside) tcp interface 2494 192.168.1.143 2494 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.133 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 2469 192.168.1.161 2469 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.160-192.168.1.170 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
group-policy root internal
group-policy root attributes
vpn-tunnel-protocol svc
username marc password SOoNa5RWkx5P2AUX encrypted privilege 0
username marc attributes
vpn-group-policy root
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
address-pool Root_Address_Pool
default-group-policy root
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:af8a84dd9c2857610b44de42ce9d056e
: end
12-28-2011 05:58 PM
Hello Marc,
From which interface are you unable to go to the internet?
Interface vlan 1 seems to have all the configuration required to go out; regarding vlan 12, you are missing the NAT configuration:
nat (test) 1 0 0
That should do it,
Regards,
Do please rate helpful posts.
Julio
12-28-2011 06:20 PM
Sorry I didn't specify, I cannot get out when directly connected to vlan 1 on port 6.
12-28-2011 10:28 PM
Hello Marc,
OK, let's do some troubleshooting questions on this:
1- Can you ping from the ASA to the default gateway (DSL)?
2- Can you ping from the ASA to 4.2.2.2?
3- Can you ping from the computer connected to port 6 to the ASA inside interface?
4- Provide the following output:
packet-tracer input inside tcp 192.168.1.15 1025 4.2.2.2 80
5- What DNS are you using? (If local, please use 4.2.2.2 and try it one more time.)
I will be more than glad to help, so please provide the answers.
Do rate helpful posts.
Julio
12-29-2011 06:25 AM
I took the unit offsite, changed the outside address, and all worked.
The site that doesn't work uses an Actiontec modem from FiOS. Is there any configuration which would need to be done on that end? Or how would I troubleshoot this new scenario?
Thank you so much for all of your help with this.
12-29-2011 06:52 AM
Have you tried rebooting the Actiontec modem and any other devices in the path after connecting the ASA 5505 in place of the SnapGear firewall? That clears the ARP on the provider modem.
hth
MS
12-29-2011 07:05 AM
Unfortunately I did already. No luck.
12-29-2011 08:01 AM
Hello Marc,
Good thing is that, as I told you previously, the configuration on the ASA is good.
Now regarding the new issue, as MS suggested it looks like an ARP issue.
Can you do the following:
interface vlan 2
ip address 2.2.2.2 255.255.255.224
ip address 71.x.x.x 255.255.255.0
This will generate a gratuitous ARP; the modem will get to learn that the IP address 71.x.x.x has the MAC address of the ASA.
Do please rate helpful posts.
Julio
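As an added illustration of the mechanism Julio is relying on above (this is not code from the thread or from Cisco), the Python below builds the gratuitous ARP frame an address change is meant to trigger, decodes it, and applies it to a neighbour's ARP cache following the RFC 826 merge rule: a host that already holds an entry for the sender's IP overwrites the MAC, while a host that has no entry and is not the target learns nothing. That is exactly the case of a provider modem still mapping the WAN address to the old SnapGear MAC. The MAC addresses and the 203.0.113.2 address are constructed stand-ins for values the thread masks or never shows.

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6

# Constructed values: the thread masks the WAN address (71.x.x.x) and never
# shows MACs, so 203.0.113.2 and both MACs below are made up for the example.
WAN_IP = "203.0.113.2"
SNAPGEAR_MAC = bytes.fromhex("00c0ca000001")   # stale entry on the modem
ASA_MAC = bytes.fromhex("0026cb000002")        # what the modem must learn


def build_gratuitous_arp(mac, ip):
    """Ethernet II frame carrying a gratuitous ARP request: sender and target
    protocol addresses are both the announcer's own IP, destination broadcast."""
    ip_bytes = bytes(int(octet) for octet in ip.split("."))
    ethernet = BROADCAST + mac + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac + ip_bytes + b"\x00" * 6 + ip_bytes
    return ethernet + arp


def parse_arp(frame):
    """Decode ARP-over-Ethernet (IPv4); return None for any other frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": frame[22:28],
        "spa": ".".join(str(b) for b in frame[28:32]),
        "tha": frame[32:38],
        "tpa": ".".join(str(b) for b in frame[38:42]),
    }


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: spa == tpa."""
    return arp is not None and arp["spa"] == arp["tpa"]


def merge_into_cache(cache, my_ip, frame):
    """RFC 826 receive logic for one neighbour. Returns True if the cache changed.
    An existing entry for the sender's IP is refreshed with the announced MAC;
    a new entry is only created when the packet is addressed to this host."""
    arp = parse_arp(frame)
    if arp is None:
        return False
    if arp["spa"] in cache:                 # merge flag: refresh stale mapping
        changed = cache[arp["spa"]] != arp["sha"]
        cache[arp["spa"]] = arp["sha"]
        return changed
    if arp["tpa"] == my_ip:                 # only the addressed host learns
        cache[arp["spa"]] = arp["sha"]
        return True
    return False


if __name__ == "__main__":
    modem_cache = {WAN_IP: SNAPGEAR_MAC}    # left over from the old firewall
    announcement = build_gratuitous_arp(ASA_MAC, WAN_IP)
    merge_into_cache(modem_cache, "203.0.113.1", announcement)
    print({ip: mac.hex(":") for ip, mac in modem_cache.items()})
```

Running the script shows the modem's entry for the WAN address flipping from the SnapGear MAC to the ASA MAC after a single announcement; the same frame leaves a bystander with an empty cache untouched.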
01-01-2012 10:57 AM
OK, so I took the Actiontec out of the equation and all is working.
The only problem I have left that I found so far is that when I try to connect to someones remote VPN from inside our network, I am unable to establish a connection.
The Cisco VPN client is set to use the default port 10000.
How do I open the firewall up so that it will allow this outgoing connection? Thanks again!
01-01-2012 12:33 PM
Your inside address range and remote access IP pool are in the same range:
ip local pool Root_Address_Pool 192.168.1.250-192.168.1.254 mask 255.255.255.0
This will cause access issues. Try changing the remote access pool to a different range, e.g. 192.168.20.x.
Thx
MS
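The following Python is an added example, not code from the thread or from Cisco. It parses the pre-8.3 `access-list`, `static`, `ip local pool` and `access-group` statements of the config posted at the top of the thread and cross-checks them: every inbound permit in an applied ACL should have a static PAT behind it (and every static a permit in front of it), it lists which inside hosts the `any`-source permits actually expose, and it reproduces MS's point just above that Root_Address_Pool falls inside the inside interface's 192.168.1.0/24. The embedded excerpt keeps six of the 34 ACL/static pairs (the full posted list is consistent, each permit has a matching static) and leaves the outside address masked as the poster wrote it; the parser skips a masked address rather than guessing. The function and key names are our own.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in this thread (pre-8.3
# static/global/nat syntax), trimmed to six of the 34 ACL/static pairs. The
# outside address is left masked exactly as it appears in the post.
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.x 255.255.255.0
interface Vlan12
 nameif Test
 security-level 100
 ip address 192.8.10.1 255.255.255.0
access-list outside_in extended permit tcp any interface outside eq lpd
access-list outside_in extended permit tcp any interface outside eq 9100
access-list outside_in extended permit tcp any interface outside eq pcanywhere-data
access-list outside_in extended permit tcp any interface outside eq 5632
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit tcp any interface outside eq ftp
ip local pool Root_Address_Pool 192.168.1.250-192.168.1.254 mask 255.255.255.0
static (inside,outside) tcp interface lpd 192.168.1.75 lpd netmask 255.255.255.255
static (inside,outside) tcp interface 9100 192.168.1.75 9100 netmask 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data 192.168.1.77 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 5632 192.168.1.77 5632 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.133 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.133 ftp netmask 255.255.255.255
access-group outside_in in interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) interface (\S+) eq (\S+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) interface (\S+) (\S+) (\S+) netmask")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")


def parse(config):
    """Collect interface subnets, permits, static PATs, VPN pools and the set of
    ACL names actually applied with access-group."""
    interfaces, acls, statics, pools, bound_acls = {}, [], [], [], set()
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"net": None}
            continue
        if line.startswith(" ") and current is not None:
            fields = line.split()
            if fields[0] == "nameif":
                interfaces[fields[1]] = current
            elif fields[:2] == ["ip", "address"]:
                try:
                    current["net"] = ipaddress.ip_network(
                        f"{fields[2]}/{fields[3]}", strict=False)
                except ValueError:   # masked value such as 71.x.x.x: skip, never guess
                    current["net"] = None
            continue
        current = None
        if m := ACL_RE.match(line):
            acls.append({"name": m[1], "proto": m[2], "src": m[3], "port": m[5]})
        elif m := STATIC_RE.match(line):
            statics.append({"proto": m[3], "mapped_port": m[4],
                            "real_ip": m[5], "real_port": m[6]})
        elif m := POOL_RE.match(line):
            pools.append({"name": m[1], "first": ipaddress.ip_address(m[2]),
                          "last": ipaddress.ip_address(m[3])})
        elif m := GROUP_RE.match(line):
            bound_acls.add(m[1])
    return interfaces, acls, statics, pools, bound_acls


def audit(config):
    interfaces, acls, statics, pools, bound_acls = parse(config)
    report = {"acl_without_static": [], "static_without_acl": [],
              "exposed_to_any": {}, "pool_overlap": []}
    # Only permits in an ACL that is applied with access-group count.
    permits = {(a["proto"], a["port"]): a for a in acls if a["name"] in bound_acls}
    mapped = {(s["proto"], s["mapped_port"]): s for s in statics}
    for key, permit in permits.items():
        if key not in mapped:
            report["acl_without_static"].append(key)     # permit with no translation behind it
        elif permit["src"] == "any":
            target = mapped[key]
            report["exposed_to_any"][key[1]] = f"{target['real_ip']}:{target['real_port']}"
    report["static_without_acl"] = sorted(k for k in mapped if k not in permits)
    for pool in pools:   # VPN pool addresses that collide with a directly connected subnet
        for name, iface in interfaces.items():
            net = iface["net"]
            if net is not None and (pool["first"] in net or pool["last"] in net):
                report["pool_overlap"].append((pool["name"], name, str(net)))
    return report


if __name__ == "__main__":
    for check, result in audit(POSTED_CONFIG).items():
        print(f"{check}: {result}")
```

On the excerpt the ACL/static pairs line up, six services on three inside hosts are reachable from any source address, and the pool overlap MS pointed out is reported as ("Root_Address_Pool", "inside", "192.168.1.0/24"). Deleting one static from the text makes the corresponding permit show up under acl_without_static, which is the quick way to catch a forward that was added on one side only.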
01-01-2012 04:10 PM
Hello Marc,
So this is an outbound connection; you do not have any ACL on the inside interface of the ASA, so all the communication being started on this side should be accepted.
Regards,
Julio
01-01-2012 04:44 PM
Correct, this is an outbound connection, but do any inbound ports need to be opened for the Cisco VPN client to work?
01-02-2012 09:51 AM
Hello Marc,
This seems to be a problem on the other side. You can create captures on your ASA so you can confirm the packets are being delivered properly, but you do not need to open anything for the return traffic.
Hope this helps.
Julio