Could you please rectify the config for me and tell me if there's anything to modify

maxrva
Level 1

Well, I have to fix a firewall which was configured by someone else, and I don't understand what he configured; I have never configured a Cisco ASA before.

Please help.

hostname sample
domain-name sample.com
no names
name 10.x.8.14 SMA1 description 10.x.8.14
name 110.x.x.29 WIG description 110.x.x.29
name 10.x.5.205 SMA2 description 10.x.5.20
name 110.x.x.219 Wig-test description 110.x.x.219
dns-guard
!
interface Ethernet0/0
description WAN
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level xxx
ip address 172.x.x.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level xx
ip address 27.2.x.158 255.255.255.192
!
ftp mode passive
clock timezone ICT x
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server x.x.x.x
domain-name sample.com
object-group service RDP tcp
port-object eq 3389
port-object eq 8443
port-object eq www
port-object eq https
port-object eq ssh
port-object eq telnet
port-object eq echo
port-object eq domain
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service port5224 tcp-udp
port-object eq 5224
object-group network Sma-Svr
network-object host 10.x.8.14
network-object host 10.x.5.205
object-group network BT-Svr
network-object host 172.x.x.3
object-group network WIG-Ntwk
network-object host 110.x.x.29
network-object host 110.x.x.219
access-list outside_access_in extended permit ip any host 27.2.x.159
access-list outside_access_in extended permit ip any host 27.2.x.157
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any host 27.2.x.156
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip host 27.2.x.159 any
access-list vpn_SMA extended permit ip object-group BT-Svr object-group Sma-Svr
access-list outside_1_cryptomap extended permit ip object-group B-Svr object-group Sma-Svr
access-list inside_nat0_outbound extended permit ip object-group B-Svr object-group Sma-Svr
access-list inside_nat0_outbound extended permit ip object-group B-Svr object-group WIG-Ntwk
access-list inside_nat0_outbound extended permit ip object-group B-Svr host 110.x.x.29
access-list outside_2_cryptomap extended permit ip object-group B-Svr host 110.x.x.219
access-list outside_3_cryptomap extended permit ip object-group B-Svr host 110.x.x.29
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) 27.2.x.157 172.x.x.4 netmask 255.255.255.255
static (inside,outside) 27.2.x.156 172.x.x.3 netmask 255.255.255.255
static (inside,outside) 27.2.x.159 172.x.x.5 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 27.2.x.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 81
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSEC 33 match address vpn_SMA
crypto map IPSEC 33 set peer 27.1.x.201
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 27.1.x.201
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 119.x.x.101
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 119.x.x.109
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=sample.null,O=sample,C=com
crl configure
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption xxx
hash xxx
group x
lifetime xxxx
crypto isakmp policy x
authentication pre-share
encryption xxx
hash xxx
group x
lifetime xxxx
no crypto isakmp nat-traversal
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns x.x.x.x
!
dhcpd address 172.x.x.50-172.x.x.50 inside
dhcpd dns x.x.x.2 x.x.x.3 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol IPSec
username admin password xxxx encrypted privilege 15
username test password xxxx encrypted privilege 15
username test attributes
vpn-group-policy DfltGrpPolicy
tunnel-group 27.1.x.201 type ipsec-l2l
tunnel-group 27.1.x.201 ipsec-attributes
pre-shared-key xx
peer-id-validate nocheck
tunnel-group 119.x.x.101 type ipsec-l2l
tunnel-group 119.x.x.101 ipsec-attributes
pre-shared-key xx
isakmp keepalive disable
tunnel-group 119.x.x.109 type ipsec-l2l
tunnel-group 119.x.x.109 ipsec-attributes
pre-shared-key xx
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum xxx
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxx
: end

Sorry, I couldn't expose the real IPs.

Thank you

4 Replies

Dinesh Moudgil
Cisco Employee

Hi maxrva,

Can you please be specific about what needs to be accomplished? I see that we have got some basic configuration (NAT and ACLs) plus site-to-site VPN configuration.

What is the goal here? Is this device in production and not working as expected?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh, Thanks for the reply.

It's in production. It was configured by an engineer before me who has since left, so I have to dig it up, as that engineer left the company and left me nothing except this clue.

The goal is to let the client from another country VPN in to gain access to these servers.

I don't understand the NAT part; it's totally different from what I learned in CCNA.

-------------------------------------------------------------------------------------

I talked to that engineer:

#global (outside) 1 interface

From the above line he told me that the "outside" in the bracket is the name of the interface.

And if it's not, then I doubt the config line is complete, as he missed specifying the interface name or IP after "interface", right?

-------------------------------------------------------------------------------------

#static (inside,outside) 27.2.x.157 172.x.x.4 netmask 255.255.255.255

And what does this mean? I thought the IPs after the bracket were in the same order as those specified in the bracket, but it seems to be the opposite, right?

I'm new to Cisco ASA, please guide me.

-------------------------------------------------------------------------------------

#route outside 0.0.0.0 0.0.0.0 27.2.x.190 1

And what is the purpose of this line of config? And what is the number 1 at the end?

-------------------------------------------------------------------------------------

I'd like to clear up my doubt: by default, does every port belong to VLAN 1?

Is that why he did not type this on the other interfaces: switchport access vlan 1?

-------------------------------------------------------------------------------------

Hi Max,

Apologies for the late response, as I was involved in a few other appointments.

1. #global (outside) 1 interface
This command is one of the two commands that the ASA uses for NATting.
Yes, "outside" in this case is the name of the interface.

How it works is you specify which network from which interface needs to get natted to which network on which interface.

e.g.

nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

This pair of commands tells us that 10.0.0.0 255.255.255.0, which is on the inside interface, will be NATted/translated to the interface IP which is on the outside interface.

The entity that combines both commands is the NAT ID, i.e. "1", defined in between.
If you wish to create another NATting pair, just use a different NAT ID.


2. #static (inside,outside) 27.2.x.157 172.x.x.4 netmask 255.255.255.255
You are correct, they are mapped oppositely.
This command states that IP 172.X.X.4 which is present on inside interface is statically NATed to IP 27.2.X.157 which is on the outside interface.

This is static in nature and will always be present.

3. #route outside 0.0.0.0 0.0.0.0 27.2.x.190 1
This is a default route statement that tells you that if you need to go to any destination, send the packet to the next hop of 27.2.X.190.

It is similar to "ip route 0.0.0.0 0.0.0.0 27.2.X.190"
"1" at the end shows the administrative distance for the route. The default is 1 if you do not specify a value thus it is present there.

How it works is: let us suppose you have two default routes; the one with the lower administrative distance will be used.

4. I suppose you have the ASA 5505 model, so it has 8 ports and all are part of VLAN 1 by default. Thus there is no need to define that on the ports.

P.S. If you have trouble understanding any command, look for it in the command reference guide and it will explain what it does and why it is used.

Reference:
http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-command-reference-list.html


Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
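The NAT ID pairing and the static mapping direction explained above, as an added example that is not part of the thread or of Cisco's own code: a small Python model of the pre-8.3 ASA translation lookup for a host on the inside. It goes a step beyond the two commands quoted, in that it also applies the pre-8.3 rule order (NAT exemption from "nat 0 access-list" first, then static, then dynamic NAT/PAT selected by NAT ID). Addresses are constructed RFC 5737 stand-ins for the redacted ones in the post, the exemption entry is a constructed stand-in for the BT-Svr to Sma-Svr line, and the way the model reports a nat ID that has no global with the same ID is the model's own assumption, used only to make the pairing visible.

```python
"""Toy model of the pre-8.3 ASA NAT lookup order (added example, not from the thread or Cisco).
Addresses are constructed RFC 5737 stand-ins for the redacted ones in the post."""
from ipaddress import ip_address, ip_network

OUTSIDE_IF_IP = ip_address("203.0.113.158")          # outside interface address (constructed)

# nat (inside) 0 access-list inside_nat0_outbound -> NAT exemption as (source, destination) pairs
NAT0_EXEMPT = [
    (ip_network("192.0.2.3/32"), ip_network("198.51.100.0/24")),   # BT-Svr -> remote servers (constructed)
]
# static (inside,outside) <mapped> <real> netmask 255.255.255.255 -> stored here as real: mapped
STATICS = {
    ip_address("192.0.2.4"): ip_address("203.0.113.157"),
    ip_address("192.0.2.3"): ip_address("203.0.113.156"),
    ip_address("192.0.2.5"): ip_address("203.0.113.159"),
}
# nat (inside) <id> <net> <mask>, paired with global (outside) <id> interface|<pool-ip> by NAT ID
NAT_AS_POSTED = [(101, ip_network("0.0.0.0/0"))]      # nat (inside) 101 0.0.0.0 0.0.0.0
NAT_PAIRED = [(1, ip_network("0.0.0.0/0"))]           # the same rule with its ID changed to 1
GLOBALS = {1: "interface"}                            # global (outside) 1 interface

def translate_outbound(src, dst, dynamic_nat, globals_=GLOBALS):
    """Source address an inside host gets on the outside, following the pre-8.3 order:
    NAT exemption, then static, then dynamic NAT/PAT selected by NAT ID."""
    src, dst = ip_address(src), ip_address(dst)
    for s_net, d_net in NAT0_EXEMPT:
        if src in s_net and dst in d_net:
            return ("exempt", src)                    # crosses untranslated (e.g. into the VPN)
    if src in STATICS:
        return ("static", STATICS[src])
    for nat_id, net in dynamic_nat:
        if src in net:
            pool = globals_.get(nat_id)
            if pool is None:
                # nat statement whose ID has no global: the pair is incomplete.
                # Model's assumption: report it rather than invent a translation.
                return ("unpaired-nat-id", None)
            mapped = OUTSIDE_IF_IP if pool == "interface" else ip_address(pool)
            return ("dynamic-pat", mapped)
    return ("no-rule", src)

def untranslate_inbound(mapped_dst):
    """Inbound on outside: the real inside host that owns a mapped address, or None."""
    mapped_dst = ip_address(mapped_dst)
    for real, mapped in STATICS.items():
        if mapped == mapped_dst:
            return real
    return None

if __name__ == "__main__":
    print(translate_outbound("192.0.2.3", "198.51.100.7", NAT_AS_POSTED))    # exempt
    print(translate_outbound("192.0.2.4", "203.0.113.200", NAT_AS_POSTED))   # static -> .157
    print(translate_outbound("192.0.2.50", "203.0.113.200", NAT_AS_POSTED))  # ID 101 has no global
    print(translate_outbound("192.0.2.50", "203.0.113.200", NAT_PAIRED))     # PAT to outside IP
    print(untranslate_inbound("203.0.113.157"))                              # 192.0.2.4
```

Run it and compare NAT_AS_POSTED, whose nat statement carries ID 101 while the only global carries ID 1, with NAT_PAIRED, where the two IDs agree; the static entries and the exemption are unaffected by that mismatch because they are matched before the dynamic rule.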

Thanks Dinesh,

You just explained it to me so clearly that no reference could do the same.

I'd like to ask a few questions:

1. Right now I couldn't SSH to the ASA from outside; I could ping from outside, but from within the network I could SSH.

Here's the SSH config:

hostname sample
domain-name sample.com
username admin password xxxx encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5

What else should I add in order to SSH from outside to the router's public IP?

---------------------------------------------------------------------------------------------------------

2. #static (inside,outside) 27.2.x.157 172.x.x.4 netmask 255.255.255.255
You are correct, they are mapped oppositely.
This command states that IP 172.X.X.4 which is present on the inside interface is statically NATed to IP 27.2.X.157 which is on the outside interface.

From the above explanation, if I'm on the outside network I could ping 172.x.x.4 via this NAT IP 27.2.x.157, right? And I can RDP to 27.2.x.157 from the outside network to get to 172.x.x.4 as well.

But I couldn't even ping or RDP, though I doubt that RDP is blocked by the ASA.

How can I fix these issues?

access-list outside_access_in extended permit ip any any

From the above ACL, does it imply that any source IP is allowed to any destination on any (to/from) port?

-----------------------------------------------------------------------------------------------------------

3. I think the present configuration of NAT is wrong.

object-group network Sma-Svr
network-object host 10.x.8.14
network-object host 10.x.5.205
object-group network BT-Svr
network-object host 172.x.x.3
object-group network WIG-Ntwk
network-object host 110.x.x.29
network-object host 110.x.x.219

access-list inside_nat0_outbound extended permit ip object-group B-Svr object-group Sma-Svr
access-list inside_nat0_outbound extended permit ip object-group B-Svr object-group WIG-Ntwk
access-list inside_nat0_outbound extended permit ip object-group B-Svr host 110.x.x.29

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0

So I should reconfigure it as:

no nat (inside) 101 0.0.0.0 0.0.0.0
no nat (inside) 0 access-list inside_nat0_outbound
global (outside) 1 interface
nat (inside) 1 access-list inside_nat0_outbound

correct?

Added to the previous question: when I plug the cable in behind the ASA I get DHCP,

and I could ping the object group below:

object-group network WIG-Ntwk
network-object host 110.x.x.29
network-object host 110.x.x.219

but when I remote to

object-group network BT-Svr
network-object host 172.x.x.3

I couldn't ping 110.x.x.29 or 110.x.x.219.

What is wrong?
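The question above about "permit ip any any", worked through as an added example that is not part of the thread or of Cisco's own code: a small Python parser and first-match evaluator for ASA extended ACL lines of the shapes used in the posted config. It evaluates the posted outside_access_in list and a tightened variant against sample connections, and it relies on one fact about pre-8.3 ASA behaviour: an ACL applied inbound on the outside interface is matched against the mapped (static NAT) address, not the real inside address. Addresses are constructed RFC 5737 stand-ins for the redacted ones, the WEB service group is constructed, and the tightened list is the example's own suggestion, not a line from the thread.

```python
"""First-match evaluation of ASA extended ACLs (added example, not from the thread or Cisco).
Addresses are constructed RFC 5737 stand-ins for the redacted ones in the post."""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "https": 443, "ssh": 22, "telnet": 23, "echo": 7, "domain": 53}

def port_num(tok):
    """Resolve an ASA port keyword or number to an integer."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _operand(tok, i, net_groups):
    """Parse one address operand (any | host A.B.C.D | object-group NAME); return (networks, next index)."""
    if tok[i] == "any":
        return [ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ip_network(tok[i + 1] + "/32")], i + 2
    if tok[i] == "object-group":
        return net_groups[tok[i + 1]], i + 2
    raise ValueError("unsupported operand: " + tok[i])

def parse_acl(text, net_groups, svc_groups):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT | object-group SVC]'
    lines into {name: [(action, proto, src_nets, dst_nets, ports_or_None), ...]}, in list order."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
            continue                                   # toy parser: skip anything else
        name, action, proto = tok[1], tok[3], tok[4]
        src, i = _operand(tok, 5, net_groups)
        dst, i = _operand(tok, i, net_groups)
        ports = None                                   # None = any port (or a portless protocol)
        if tok[i:i + 1] == ["eq"]:
            ports = {port_num(tok[i + 1])}
        elif tok[i:i + 1] == ["object-group"]:
            ports = svc_groups[tok[i + 1]]
        acls.setdefault(name, []).append((action, proto, src, dst, ports))
    return acls

def evaluate(aces, src, dst, proto, dport=None):
    """Return (1-based index of the first matching ACE, action); (None, 'deny') is the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for idx, (action, aproto, srcs, dsts, ports) in enumerate(aces, 1):
        if aproto != "ip" and aproto != proto:         # 'ip' matches every protocol
            continue
        if not any(src in n for n in srcs) or not any(dst in n for n in dsts):
            continue
        if ports is not None and dport not in ports:
            continue
        return idx, action
    return None, "deny"

NET_GROUPS = {}                                        # no network object-groups used below
SVC_GROUPS = {"WEB": {port_num(p) for p in "www https".split()}}   # constructed service group

# The thread's outside_access_in; .156/.157/.159 stand in for the static NAT mapped addresses.
AS_POSTED = parse_acl("""
access-list outside_access_in extended permit ip any host 203.0.113.159
access-list outside_access_in extended permit ip any host 203.0.113.157
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any host 203.0.113.156
""", NET_GROUPS, SVC_GROUPS)["outside_access_in"]

# A tightened list (example's suggestion): only the published service reaches each mapped host,
# and everything else falls through to the implicit deny at the end.
TIGHTENED = parse_acl("""
access-list outside_access_in extended permit tcp any host 203.0.113.157 eq 3389
access-list outside_access_in extended permit tcp any host 203.0.113.159 object-group WEB
""", NET_GROUPS, SVC_GROUPS)["outside_access_in"]

if __name__ == "__main__":
    for label, aces in (("as posted", AS_POSTED), ("tightened", TIGHTENED)):
        print(label, "rdp to .157:", evaluate(aces, "198.51.100.9", "203.0.113.157", "tcp", 3389))
        print(label, "telnet to .156:", evaluate(aces, "198.51.100.9", "203.0.113.156", "tcp", 23))
        print(label, "icmp to .159:", evaluate(aces, "198.51.100.9", "203.0.113.159", "icmp"))
```

With the list as posted, every connection from anywhere is permitted by the third line, so the fourth line is never reached and the ACL is not what stops RDP or ping from reaching the mapped hosts; with the tightened list, the same RDP connection still matches on line 1 while telnet and ICMP to the mapped hosts fall through to the implicit deny.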
