Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1732
Views
0
Helpful
2
Replies

Issue Allowing Access Through ASA 5505 Firewall

Go to solution
wholt
Level 1
Level 1

‎01-15-2013 12:23 PM - edited ‎03-11-2019 05:47 PM

                I recently installed an ASA 5505 at a small business, to separate their wired business network from their employee WIFI access. Soon after the firewall installation was complete the office manager had a security camera system installed. The security camera system has a web access feature and asked me setup access though the firewall, so he can view the security system from his smart phone.

                The camera system is located on the Vlan1 (inside) and is assigned a static IP of 192.168.017.040 the web interface is accessed via tcp port 100. The ASA 5505 connects to the web using PPPoe to obtain a static IP, through an ISP provided DSL modem set to “Transparent Bridging”. After a few weeks of research and trying different configuration settings the connection still does not work. I have included the current configuration below. Any advice/instruction on what I’m doing wrong would be greatly appreciated.

Thank you,

Will

: Saved

:

ASA Version 8.2(5)

!

hostname **********ASA5505

enable password ****************** encrypted

passwd ************* encrypted

names

name 192.168.17.2 Cam-srv description **************

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 5

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.17.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group *************

ip address pppoe setroute

!

interface Vlan5

no forward interface Vlan1

nameif DMZwireless

security-level 50

ip address 192.168.50.1 255.255.255.0

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns domain-lookup DMZwireless

dns server-group DefaultDNS

name-server 64.91.3.46

name-server 208.54.220.20

access-list DMZwireless_nat0_outbound extended permit ip any interface outside

access-list outside_access_in extended permit tcp any interface outside eq 100

access-list outside_access_in extended permit icmp any interface outside

access-list outside_access_in extended permit tcp any host 192.168.17.40 eq 100

access-list inside_access_out extended permit tcp any host 192.168.17.40

access-list inside_access_out extended permit icmp any host 192.168.17.40

access-list inside_access_out extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZwireless 1500

ip local pool ************* 192.168.17.200-192.168.17.210 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

nat (DMZwireless) 0 access-list DMZwireless_nat0_outbound

nat (DMZwireless) 1 0.0.0.0 0.0.0.0

static (inside,outside) 192.168.17.40 192.168.17.40 netmask 255.255.255.255

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.17.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group centurylink.net request dialout pppoe

vpdn group ************ localname *******

vpdn group ************ ppp authentication pap

vpdn username *********** password *****

vpdn username *********** password *****

dhcpd auto_config outside

!

dhcpd address 192.168.17.110-192.168.17.141 inside

dhcpd dns 64.91.3.46 208.54.220.20 interface inside

dhcpd wins Cam-srv interface inside

dhcpd enable inside

!

dhcpd address 192.168.50.2-192.168.50.33 DMZwireless

dhcpd auto_config outside interface DMZwireless

dhcpd enable DMZwireless

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

webvpn

group-policy ************** internal

group-policy ************** attributes

wins-server value 192.168.17.2

dns-server value 64.91.3.46 208.54.220.20

vpn-tunnel-protocol IPSec svc webvpn

default-domain none

username ********* password *********** encrypted privilege 0

username ************ attributes

vpn-group-policy ***********

tunnel-group ************ type remote-access

tunnel-group ************ general-attributes

address-pool ***********

default-group-policy ************

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:a0d82f12d37070c836713ccfd930b7bb

: end

asdm location Cam-srv 255.255.255.255 inside

no asdm history enable

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎01-15-2013 12:58 PM

Hello Will,

Here is what you need to do:

no static (inside,outside) 192.168.17.40 192.168.17.40 netmask 255.255.255.255

static (inside,outside) tcp interface 100 192.168.17.40 100

Let me know how it goes

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎01-15-2013 12:58 PM

Hello Will,

Here is what you need to do:

no static (inside,outside) 192.168.17.40 192.168.17.40 netmask 255.255.255.255

static (inside,outside) tcp interface 100 192.168.17.40 100

Let me know how it goes

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
wholt
Level 1
Level 1
In response to Julio Carvajal

‎01-21-2013 09:41 AM

jcarvaja,

     Your solution fixed my issue, thank you for the tip.

Will

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card