ASA5540: how to get it to function properly.

htimskinorbit
Level 1

I set up a basic configuration on a 5540. After testing, it seems that the device is letting everything in: web traffic, IMAP (993), and several other things. I had intended to set up some access lists to allow certain things in from specific IP addresses (the company corporate mail server), but I haven't done it yet. It seems everything is coming in anyway. The firewall is essentially doing nothing but address translation. I have PAT overload configured, nat (inside,outside) dynamic interface, since we only have one live IP address facing out to the world. Is this a side effect of using PAT that I am not aware of, that requires extra access lists/groups to block everything coming in?

6 Replies

aaron.hackney
Level 1

Hello,

 

Could you post a copy of your configuration with passwords or other sensitive data redacted?

I'm not near the device right now. It has the default config from a clean
wipe.
2 interfaces configured as inside and outside, with an IP address on inside and
setroute for outside.
I added the following.

conf t
! inside interface (nameif inside assigns security-level 100 by default)
interface GigabitEthernet0/0
 ip address 10.20.0.1 255.255.0.0
 no shutdown
 nameif inside
! outside interface, address and default route learned from DHCP
interface GigabitEthernet0/1
 ip address dhcp setroute
 nameif outside
 no shutdown

route outside 0.0.0.0 0.0.0.0 192.168.1.1

! PAT overload: translate the whole LAN to the outside interface address
object network LAN_IPs
 subnet 10.20.0.0 255.255.0.0
 nat (inside,outside) dynamic interface


show xlate - reveals the IP addresses being converted to the outside
interface IP address with different port numbers, as it should. The problem
is that traffic is not blocked coming in. The ASA is supposed to be a
stateful machine. Only allow traffic in that is return traffic for an
inside-originating communication. Instead everything comes in....
I was going to add an access list to the outside interface to allow mail
traffic in from the corporate mail server, but I don't even need to. It
comes in anyway!

Dennis Mink
VIP Alumni

You will need to apply the access list to the interfaces. What have you configured?

Please remember to rate useful posts, by clicking on the stars below.
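A worked configuration in the shape Dennis describes, added here as an example; it is not taken from the original poster's device or from Cisco documentation. It shows the interface security levels that make outside-to-inside traffic deny-by-default, the object NAT for the PAT overload, a static port forward for the one inside host that must receive mail, and an access list bound to the outside interface with access-group. The addresses 203.0.113.25 (corporate mail server) and 10.20.0.25 (internal mail host) and the object and ACL names are assumptions chosen for the example.

```cisco
! Interfaces. "nameif" assigns the default security-level (inside 100, outside 0);
! stated explicitly here so the deny-by-default direction is visible.
! Traffic from a lower to a higher security level is denied unless an ACL
! applied to the lower-security interface permits it. Inside-originated
! connections are allowed out, and their return traffic is matched against
! the stateful connection table, not the ACL.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.0.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
!
! PAT overload: every inside host is translated to the outside interface address.
object network LAN_IPs
 subnet 10.20.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! Inbound tcp/993 can only reach an inside host if a translation exists for it.
! Assumed: the internal mail host 10.20.0.25 must be reachable on tcp/993 behind
! the single public address, so a static port forward on the interface IP is used.
object network MAIL_HOST
 host 10.20.0.25
 nat (inside,outside) static interface service tcp 993 993
!
! Assumed address of the corporate mail server that is allowed to connect.
object network CORP_MAIL
 host 203.0.113.25
!
! ASA 8.3 and later: the ACL references the real (untranslated) inside address.
! The explicit deny at the end is what the implicit deny already does, but
! with "log" it writes a syslog for every rejected inbound attempt.
access-list OUTSIDE_IN extended permit tcp object CORP_MAIL object MAIL_HOST eq 993
access-list OUTSIDE_IN extended deny ip any any log
!
! Nothing in the ACL is enforced until it is bound to an interface.
access-group OUTSIDE_IN in interface outside
```

Once access-group binds OUTSIDE_IN, only tcp/993 from 203.0.113.25 to the port-forwarded host can enter from outside; every other inbound connection attempt is dropped and logged. Note that a single public address shared by PAT and the port forward means only one inside host can own inbound port 993.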

show access-list

show run access-group 

And packet tracer should tell you exactly what is going on.

 

-A

 

I did that already. It shows exactly what it should. I don't have packet
tracer.

Hello,

 

Often I find a second set of eyes will expose something I have missed, which is why we are offering to take a look at the information requested above to answer your question.

 

If you are running ASA code, then you do have the packet-tracer command available.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p1.html

 

Cheers,

-A
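The checks Dennis and Aaron ask for, collected into one verification sequence; this is an added example, not commands from the original thread. The packet-tracer referred to here is the command built into ASA software, run from the ASA CLI, not the separate Cisco Packet Tracer simulator. The outside interface address 198.51.100.2, the corporate mail server 203.0.113.25 and the unrelated source 192.0.2.77 are assumed values for the example.

```cisco
! 1. Confirm the security levels that nameif assigned; outside should be 0 and
!    inside 100, otherwise the lower-to-higher deny-by-default does not apply.
show nameif
!
! 2. Which ACLs are bound to which interfaces. An ACL that exists in the
!    configuration but has no access-group line filters nothing.
show run access-group
!
! 3. Per-entry hit counts. A climbing count on a permit entry, or on the
!    implicit deny, tells you which line the inbound traffic is matching.
show access-list
!
! 4. Simulate the connection that is supposed to be allowed: the corporate
!    mail server (assumed 203.0.113.25) to the outside interface address
!    (assumed 198.51.100.2) on tcp/993. Each phase (ACCESS-LIST, NAT, ...)
!    reports ALLOW or DROP, and the result at the end gives the final action
!    and, for a drop, the reason.
packet-tracer input outside tcp 203.0.113.25 1025 198.51.100.2 993 detailed
!
! 5. Simulate a source that must be denied (assumed 192.0.2.77). The expected
!    result is a drop in the ACCESS-LIST phase; if this is allowed, the output
!    names the ACL entry or NAT rule that let it through.
packet-tracer input outside tcp 192.0.2.77 1025 198.51.100.2 993 detailed
!
! 6. The live picture: translations in use and the connection table. A
!    connection that was initiated from the outside and is not the mail
!    server's tcp/993 session is the one to investigate.
show xlate
show conn
```

Run steps 4 and 5 before and after binding the ACL with access-group; the difference between the two packet-tracer results is the quickest confirmation that the access list is actually in the path.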
