08-23-2010 06:49 PM - edited 03-11-2019 11:29 AM
Hi,
We have an old Cisco 873 for ADSL, but we need its firewall configuration to be put into an ASA 5505 running 7.2(4). Can someone please check whether the configuration below is correct? If changes are needed, please help.
Cisco 873:
Current configuration : 5442 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ABXC
!
boot-start-marker
boot-end-marker
!
logging count
logging userinfo
logging buffered 51200 warnings
no logging console
enable secret 5 XXXXXXX.
!
no aaa new-model
!
resource policy
!
clock timezone EST 10
ip subnet-zero
ip cef
!
!
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tcp
ip inspect name firewall tftp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall smtp
ip domain name nph.com.au
ip name-server 202.xx.xx.68
!
!
crypto pki trustpoint TP-self-signed-1043400621
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1043400621
revocation-check none
rsakeypair TP-self-signed-1043400621
!
!
crypto pki certificate chain TP-self-signed-1043400621
certificate self-signed 01
quit
username root password 7 xxxxxxxxxxxxxxxxx
username admin password 7 yyyyyyyyyyyyyyyy
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 18
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group clients
key abc$abc$
dns 10.0.0.7
wins 10.0.0.7
domain ABXC.com.au
pool clients
acl 199
!
!
crypto ipsec transform-set strong1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set strong1
!
!
crypto map axis isakmp authorization list groupauthor
crypto map axis client configuration address respond
crypto map axis 20 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 1/34
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.0.0.254 255.0.0.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description Internet Network
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer persistent
no cdp enable
ppp authentication chap callin
ppp chap hostname 000000000000000000
ppp chap password 7 11111111111111111
!
ip local pool clients 192.168.10.1 192.168.10.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.0.0.241 3391 interface Dialer1 3391
ip nat inside source static tcp 10.0.0.241 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.7 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.241 443 interface Dialer1 443
ip nat inside source static tcp 10.0.0.240 1723 interface Dialer1 1723
ip nat inside source static tcp 10.0.0.243 5190 interface Dialer1 5190
ip nat inside source static tcp 10.0.0.7 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.7 3389 interface Dialer1 3390
ip nat inside source static tcp 10.0.0.8 3389 interface Dialer1 3389
ip nat inside source route-map dialer-route-map interface Dialer1 overload
!
logging origin-id hostname
logging 10.0.0.7
access-list 108 deny ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 10.0.0.0 0.255.255.255 any
access-list 199 permit ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community NPH RO
no cdp run
route-map dialer-route-map permit 1
match ip address 108
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 202.xx.xx.2
end
-----------------------------------------------------------------------------------------------
Cisco ASA 5505:
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd xxxx encrypted
names
name 10.0.0.8 psvr03
name 10.0.0.7 psvr02
name 10.0.0.240 vsvr02
name 10.0.0.241 vsvr01
name 10.0.0.243 vwks02
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.242 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 125.xx.xx.238 255.0.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any interface outside eq 3391
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any host 125.xx.xx.238 eq 3391
access-list inbound extended permit tcp any host 125.xx.xx.238 eq smtp
access-list inbound extended permit tcp any host 125.xx.xx.238 eq http
access-list inbound extended permit tcp any host 125.xx.xx.238 eq https
access-list inbound extended permit tcp any host 125.xx.xx.238 eq pptp
access-list inbound extended permit tcp any host 125.xx.xx.238 eq pop3
access-list inbound extended permit tcp any host 125.xx.xx.238 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3391 vsvr01 3391 netmask 255.255.255.255
static (inside,outside) tcp interface smtp vsvr01 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https vsvr01 https netmask 255.255.255.255
static (inside,outside) tcp interface www psvr02 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp vsvr02 pptp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 psvr02 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 psvr02 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 125.xx.xx.237 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http Axis 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
asdm image disk0:/asdm-524.bin
asdm location 10.0.0.0 255.0.0.0 inside
no asdm history enable
Thanks and Regards
Michael
08-23-2010 07:32 PM
Hello,
Everything else looks good except that the access-list is not applied to any interface. Also, the policy NAT is missing.
access-group outside_access_in in interface outside
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
Other than above three lines, everything else looks good.
Hope this helps.
Regards,
NT
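A small lint for the two gaps the reply points out (an access-list that is defined but never bound with access-group, and no nat 0 exemption for the VPN pool), plus the IOS wildcard-mask to ASA netmask conversion used in the suggested nonat line. This is an added example, not code from the thread or from Cisco; the config excerpt is constructed from the lines posted above.

```python
# Constructed excerpt of the posted ASA 7.2(4) config, before the reply's fix.
ASA_CONFIG_BEFORE = """\
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any host 125.xx.xx.238 eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# The three lines suggested in the reply.
FIX_LINES = """\
access-group outside_access_in in interface outside
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def wildcard_to_netmask(wildcard):
    """IOS wildcard mask (0.255.255.255) -> ASA netmask (255.0.0.0)."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def ios_acl_to_asa(ios_line, asa_name):
    """Rewrite an IOS 'access-list N permit ip SRC WC DST WC' line in ASA form."""
    _, _, action, proto, src, swc, dst, dwc = ios_line.split()
    return (f"access-list {asa_name} {action} {proto} "
            f"{src} {wildcard_to_netmask(swc)} {dst} {wildcard_to_netmask(dwc)}")


def lint_asa(config):
    """Return findings: ACLs never applied, and missing NAT exemption."""
    defined, bound, nat_exempt = set(), set(), set()
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "access-list":
            defined.add(parts[1])
        elif parts[0] == "access-group":
            bound.add(parts[1])  # ACL applied to an interface
        elif parts[0] == "nat" and len(parts) >= 5 and parts[2:4] == ["0", "access-list"]:
            nat_exempt.add(parts[4])  # ACL used for NAT exemption
    findings = [f"access-list {n} is defined but never applied"
                for n in sorted(defined - bound - nat_exempt)]
    if not nat_exempt:
        findings.append("no 'nat (inside) 0 access-list ...' exemption for VPN pool traffic")
    return findings
```

Run against the excerpt, the lint reports both issues; with the fix appended only the unused `inbound` access-list remains, which the ASA ignores because nothing references it.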
08-23-2010 10:36 PM
Hi NT,
Thanks for a quick reply.
I have added the 3 lines you told me about. But when I go to test, it still will not let me get in from outside to inside. I tested with Packet Tracer in ASDM from outside to inside. It shows a cut-off at the "access list" look-up (implicit rule), which is blank.
Any idea why is this so?
Regards
Michael
08-24-2010 08:08 AM
Hello,
Can you please post your latest configuration again (with the changes you have made)?
Regards,
NT
08-24-2010 01:55 PM
Hi NT,
Sorry, I found the typo I made and have corrected the changes. It is all working now.
Thanks for a big help
Regards
Michael