ASA5505 Setup Questions

vbdotnetman
Level 1

I've come to the conclusion that Cisco should rename their “Cisco ASA 5505 Getting Started Guide” to “Cisco ASA 550 A Guide To Spending A Lot Of Money And Receiving Utter Frustration In Return”. Nothing in this manual is consistent. On one page they use one set of IP addresses and on another they use something totally different. I'm not sure what IP addresses to place where anymore… I'm beginning to wonder about Cisco's ability to provide quality documentation. Anyway, I didn't mean to vent here but I am totally frustrated…

On with the problem at hand……

I have three PCs. Two are on the inside network and one is in the dmz, which acts as a Web/E-Mail server. I use an ISP which provides a public internet address of let's say 216.130.17.10 via DHCP. I also have a base license for the ASA 5505 so I realize the dmz cannot initiate any contact with the inside vlan but the inside vlan can talk to the dmz vlan. Oh, also I'm using the ASDM interface.

Question 1: Does the dmz have to have a separate public ip address provided by the ISP?

Question 2: How do you do port forwarding on this thing? I'd like to forward the web and mail server ports to the dmz.

Any help with this would be greatly appreciated…..

Best Regards

29 Replies

Okay, I'm a bit confused here. If you want to access from outside then you need to use the public IP address in your access-list.

If you want to access from inside to DMZ then use the 192.168.5.2 address. You will also need a static statement, e.g. let's say your inside network is 192.168.1.0/24

static (inside,DMZ) 192.168.1.0 192.168.1.0 255.255.255.0

Jon

Jon,

the static statement you wrote has the same addresses in it?

Best Regards

Yes, I know. This is how you tell the ASA that the inside addresses will appear as the same IP addresses on the DMZ.

Jon

why would I want to do this?

With the greatest respect if you don't want to read the manuals you should perhaps take the advice of people who have :-)

It's a pix/asa idiosyncrasy that is basically telling the device not to NAT. On other vendor firewalls you don't have to do this. On a pix/asa you do unless you want to disable nat-control.

Jon

Thanks for the clarification, that makes sense.......

Jon,

I do appreciate what you are trying to do here but I think working in the blind is just going to frustrate you... So with deep appreciation below is a copy of my configuration as it stands right now...

ciscoasa# show run

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name my.domain.com

enable password ***** Taken out by me ***** encrypted

passwd ***** Taken out by me ***** encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ospf cost 10

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.8.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name my.domain.com

access-list outside_access_in extended permit tcp any host 98.122.121.101 eq smtp

access-list outside_access_in extended permit tcp any host 98.122.121.101 eq pop3

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255

static (outside,dmz) tcp 192.168.8.10 smtp 98.122.121.101 smtp netmask 255.255.255.255

static (outside,dmz) tcp 192.168.8.10 pop3 98.122.121.101 pop3 netmask 255.255.255.255

static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 98.122.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum: ***** Taken out by me *****

: end

Okay, a few things.

1) what is IP address 98.122.121.101 - is that the outside interface address ? If so, change the static statements from

static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255

to

static (dmz,outside) tcp interface www 192.168.8.10 www netmask 255.255.255.255

etc.. for all statics.

If it isn't the outside address then let me know.

2) remove this line

static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255

3) add in to your config

global (dmz) 1 interface

this is instead of the previous static statement I gave you.

4) Your default route on the ASA points to

98.122.112.1.

Again what is 98.122.121.101 ?

Can you do all this config on the command line - I don't use ASDM but it looks like it has put things the wrong way round - certainly in terms of the statics.

Jon
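The two points Jon makes above (the identity static that only satisfies nat-control, and the pre-8.3 `static (real_ifc,mapped_ifc) mapped_ip real_ip` argument order that ASDM got backwards) can be checked mechanically. The following Python script is an added example, not code from the thread or from Cisco: it parses the interface stanzas and static lines of a constructed config excerpt modelled on the ones posted here, passes identity statics as no-NAT, and flags a static whose real address sits on the mapped interface's subnet (or vice versa) as reversed. It also applies a heuristic of this example's own, that a server is normally published from a more trusted interface to a less trusted one, so a static going the other way gets a note. The address 198.51.100.101 is a documentation placeholder standing in for the masked xx.yyy.121.101.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running configs posted in the thread.
# 198.51.100.101 is a documentation placeholder standing in for the masked
# public address xx.yyy.121.101; the private ranges follow the posted config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.8.1 255.255.255.0
!
static (outside,dmz) tcp 192.168.8.10 www 198.51.100.101 www netmask 255.255.255.255
static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255
static (dmz,inside) 192.168.8.2 198.51.100.101 netmask 255.255.255.255
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [port] real_ip [port] netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\)"
    r"(?:\s+(?:tcp|udp))?"
    r"\s+(?P<mapped_ip>interface|\d+\.\d+\.\d+\.\d+)(?:\s+(?P<mport>[\w-]+))?"
    r"\s+(?P<real_ip>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<rport>[\w-]+))?"
    r"\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)$"
)


def parse_interfaces(config):
    """Collect nameif -> {level, net} from the interface stanzas (net is None for DHCP)."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"level": None, "net": None}
        elif line == "!":
            current = None
        elif current is None:
            continue
        elif line.startswith("nameif "):
            interfaces[line.split()[1]] = current
        elif line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        elif line.startswith("ip address ") and "dhcp" not in line:
            _, _, addr, mask = line.split()[:4]
            current["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return interfaces


def check_static(fields, interfaces):
    """Return the findings for one static; an empty list means nothing looked wrong."""
    real_ifc, mapped_ifc = fields["real"], fields["mapped"]
    real, mapped = interfaces.get(real_ifc), interfaces.get(mapped_ifc)
    if real is None or mapped is None:
        return [f"unknown interface in ({real_ifc},{mapped_ifc})"]
    real_ip = ipaddress.ip_address(fields["real_ip"])
    # "interface" means the mapped interface's own address (interface PAT)
    mapped_ip = None if fields["mapped_ip"] == "interface" else ipaddress.ip_address(fields["mapped_ip"])
    if mapped_ip == real_ip:
        return []  # identity static: address is kept, it only satisfies nat-control
    findings = []
    if mapped["net"] is not None and real_ip in mapped["net"]:
        findings.append(f"real address {real_ip} is on the mapped interface {mapped_ifc}: arguments look reversed")
    if mapped_ip is not None and real["net"] is not None and mapped_ip in real["net"]:
        findings.append(f"mapped address {mapped_ip} is on the real interface {real_ifc}: arguments look reversed")
    # Heuristic (assumption of this example): a server is normally published from the
    # more trusted side to the less trusted side, so the reverse deserves a second look.
    if real["level"] is not None and mapped["level"] is not None and real["level"] < mapped["level"]:
        findings.append(f"maps a {real_ifc} host (level {real['level']}) into the more trusted {mapped_ifc} (level {mapped['level']})")
    return findings


def audit(config):
    """Map each static line in the config to its list of findings."""
    interfaces = parse_interfaces(config)
    report = {}
    for raw in config.splitlines():
        match = STATIC_RE.match(raw.strip())
        if match:
            report[raw.strip()] = check_static(match.groupdict(), interfaces)
    return report


if __name__ == "__main__":
    for line, findings in audit(SAMPLE_CONFIG).items():
        print(line)
        for finding in findings or ["ok"]:
            print("   ", finding)
```

Run against the excerpt, the ASDM-generated `static (outside,dmz) ...` line and the `static (dmz,inside) interface 192.168.1.0 ...` line get findings, while Jon's corrected `static (dmz,outside) tcp interface www ...` and the identity `static (inside,dmz) 192.168.1.0 192.168.1.0 ...` pass clean. The outside interface has no subnet because it is addressed by DHCP, so the subnet test is skipped for it and only the security-level heuristic applies there.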

If I hook my PC straight to the cable modem and do an ipconfig /all this is what I get:

ip address 98.122.126.212

subnet mask 255.255.240.0

default gateway 98.122.112.1

I had placed a previous call to Cisco and was told to use 98.122.121.101 by their technician. It seems to work; I can get from the inside network to the outside internet.

Hope this helps....

O.K. Jon,

I created the above configuration.

A few problems though:

I can access my web page from outside but not from inside vlan.

I can send E-Mail from outside and the dmz email server receives it but cannot send or receive E-Mail from the inside vlan.

I cannot Remote desktop from inside to the dmz server...

Below is the config:

ciscoasa> ena

Password:

ciscoasa# show run

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name my.domain.com

enable password :*** Commented Out *** encrypted

passwd :*** Commented Out *** encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ospf cost 10

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.8.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name my.domain.com

access-list outside_access_in extended permit tcp any host xx.yyy.121.101

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255

static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255

static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (dmz,inside) 192.168.8.2 xx.yyy.121.101 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.yyy.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:*** Commented Out ***

: end

Well at least we are making some progress :-)

You have this statement -

static (dmz,inside) 192.168.8.2 xx.yyy.121.101 netmask 255.255.255.255

When you try to access from inside - what IP address are you using as the destination IP address ?

Jon

It's a good thing :)

I use www."domain name".com which is translated by DynDns.org to xx.yyy.121.101.

I also tried typing in 192.168.8.2 in the IE browser with the same results....

What I think may be happening is I don't have the "interface" keyword on the static statement? Just guessing?

Jose

Fixed it. But when I try to send or receive e-mail from inside vpn I get:

6 Jan 25 2009 07:54:16 106015 75.180.132.77 98.122.121.101 Deny TCP (no connection) from 75.180.132.77/110 to xx.yyy.121.101/1805 flags RST ACK on interface outside.

75.180.132.77 is RoadRunner cable my isp provider.

Do I need a nat rule or access rule? Not sure..

Best Regards

Jose

Jon,

I placed the static statement in my configuration. Can't send an email from inside and receive an email from dmz. Not sure what's going on. Have followed your instructions.

Have you considered maybe using a managed firewall service like that of http://www.firewalloptions.com or http://www.viawest.net instead of doing it yourself? This may be a lot less stressful for you and you wouldn't have to read those manuals you dislike.
