712 Views · 0 Helpful · 8 Replies

Need help with configuration

jason0923
Level 1

I'm new to Cisco and we just took over a client with an ASA 5505. I need to do 2 things first.

I need to know how to open or forward ports to an internal IP address. They want me to open ports 3389 and 1433 to an internal address, 192.168.192.52, but only from:

207.235.73.64 and 255.255.255.192
40.143.46.64 and 255.255.255.192
66.192.91.128 and 255.255.255.192
40.143.28.64 and 255.255.255.192

And second, I'd like to get the ASDM downloaded and working, as I've used that before in other offices and it helps me out as a non-Cisco expert. I try going to the device IP in a browser (192.168.192.1/admin) and just get a prompt for username and password, but it doesn't take the one I have. Here is the config on the device right now. Any help you guys can point me to I'd appreciate. 4 hours of Google research has gotten me nowhere.

sho run
: Saved
:
ASA Version 7.2(3)
!
hostname vmine
domain-name mine
enable password CyQcVKTj6CW8.Vsj encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.192.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Vlan3
mac-address 001f.6ce3.bd99
no forward interface Vlan1
nameif guest
security-level 10
ip address 205.10.2.1 255.255.255.0
!
interface Ethernet0/0
description Internet-Connection
switchport access vlan 2
!
interface Ethernet0/1
description Connection to Inside Network
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
description Connection to Public Network
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd CyQcVKTj6CW8.Vsj encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name domain
access-list guest extended permit icmp any any
access-list guest extended permit ip any any
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit tcp any any eq 8440
access-list nonat extended permit ip 192.168.192.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list outside-in extended permit tcp any any eq https
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
access-list outside-in extended permit tcp host x.x.x.x any eq 1433
pager lines 24
logging enable
logging buffer-size 16384
logging buffered informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool vpn-ip 192.168.252.1-192.168.252.10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
global (outside) 2 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.192.0 255.255.255.0
nat (guest) 2 205.10.2.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.192.170 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.192.170 https netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.192.52 netmask 255.255.255.255
access-group inside in interface inside
access-group outside-in in interface outside
access-group guest in interface guest
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.192.0 255.255.255.0 inside
snmp-server host inside 192.168.192.10 poll community ciscosnmp
snmp-server location PIX
no snmp-server contact
snmp-server community ciscosnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynvpn 10 set transform-set DES-MD5
crypto map vpn 65535 ipsec-isakmp dynamic dynvpn
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns 209.253.113.10 209.253.113.18
!
dhcpd address 205.10.2.10-205.10.2.99 guest
dhcpd dns 209.253.113.10 209.253.113.18 interface guest
dhcpd enable guest
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ipsec-pass-thru
!
service-policy global_policy global
group-policy RA-VPN internal
group-policy RA-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat
username VMRemote password .RSNgq92vZTSELWV encrypted
username VMRemote attributes
vpn-group-policy RA-VPN
username VMVPN password jSqp8CjjxHhRa6jk encrypted
username kernels password jDS98nJtthzlEvw5 encrypted
tunnel-group VMVPN type ipsec-ra
tunnel-group VMVPN general-attributes
address-pool vpn-ip
tunnel-group VMVPN ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:52c3d65fc1111c561b1598cc341dc6d5
: end

8 Replies

Vibhor Amrodia
Cisco Employee

Hi,

As per your 1st query, I think the Static NAT should work fine.

To restrict the access from the outside only for certain IP , you can use Source Based ACL:-

access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host x.x.x.x eq 3389

access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host x.x.x.x eq 3389

access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host x.x.x.x eq 3389

access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host x.x.x.x eq 3389

access-list outside-in extended permit tcp 207.235.73.64 255.255.255.192 host x.x.x.x eq 1433

access-list outside-in extended permit tcp 40.143.46.64 255.255.255.192 host x.x.x.x eq 1433

access-list outside-in extended permit tcp 66.192.91.128 255.255.255.192 host x.x.x.x eq 1433

access-list outside-in extended permit tcp 40.143.28.64 255.255.255.192 host x.x.x.x eq 1433

If you would like to use the LOCAL username and Password on the ASA:-

aaa authentication http console LOCAL

Thanks and Regards,

Vibhor

So are those commands with 192.168.192.52 in place of x.x.x.x all I need, or is that just to restrict access?

For the ASDM, I don't know what you mean by "would I like to". I have a password I am using to log in via SSH. Is that not the same login to get to this ASDM page in the browser?

Hi Jason,

This is the Static NAT as per your requirement already configured on the ASA device.:-

static (inside,outside) x.x.x.x 192.168.192.52 netmask 255.255.255.255

If you would like to restrict access from the Outside , you have to use the ACL as mentioned above.

I would request you to add this command to LOGIN to the ASDM using the username and Password:-

aaa authentication http console LOCAL

Thanks and Regards,

Vibhor
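The two replies above (the source-based ACL and the existing static NAT for 192.168.192.52) fit together as follows on this ASA 7.2 release: the outside-in ACL is matched against the mapped public address (the x.x.x.x the static line publishes), not the inside 192.168.192.52, and the ACL is evaluated top to bottom with an implicit deny at the end. The Python below is an added example, not code from the thread or from Cisco. It generates the eight lines for the four /26 source ranges, parses them back with a toy evaluator that handles only the `any` / `host` / `address mask` forms and `eq PORT`, and probes them with constructed source addresses; `192.0.2.10` is a documentation address standing in for the masked x.x.x.x.

```python
"""Toy evaluator for Cisco ASA extended ACL lines.

Added example, not code from the thread or from Cisco. It models only the
syntax used in the replies above:
    access-list NAME extended permit|deny tcp SRC DST [eq PORT]
where SRC and DST are 'any', 'host A.B.C.D', or 'A.B.C.D MASK'.
Evaluation is first match wins, and a flow that matches no entry falls
through to the implicit deny at the end of the ACL, as on the ASA.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stand-in for the public address the original post masks as x.x.x.x.
# 192.0.2.10 is a documentation address chosen for this example, not the
# poster's real address.
MAPPED_HOST = "192.0.2.10"

# The four /26 source ranges from the original question.
ALLOWED_SUBNETS: List[Tuple[str, str]] = [
    ("207.235.73.64", "255.255.255.192"),
    ("40.143.46.64", "255.255.255.192"),
    ("66.192.91.128", "255.255.255.192"),
    ("40.143.28.64", "255.255.255.192"),
]


@dataclass
class Rule:
    action: str                  # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None means any destination port


def build_acl_lines(name: str, subnets, mapped_host: str, ports) -> List[str]:
    """Emit one source-restricted line per (port, subnet) pair."""
    return [
        f"access-list {name} extended permit tcp {addr} {mask} host {mapped_host} eq {port}"
        for port in ports
        for addr, mask in subnets
    ]


def _parse_endpoint(tokens: List[str], i: int):
    """Parse 'any' | 'host A' | 'A MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def parse_acl(lines) -> List[Rule]:
    """Turn ASA ACL lines (in configured order) into Rule objects."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "tcp":
            raise ValueError("unsupported line: " + line)
        action = t[3]
        src, i = _parse_endpoint(t, 5)
        dst, i = _parse_endpoint(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, src, dst, port))
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for a TCP flow toward dst_ip:dst_port."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == dst_port):
            return r.action
    return "deny"  # implicit deny: nothing matched


def demo():
    """Build the eight lines and probe them with constructed source addresses."""
    lines = build_acl_lines("outside-in", ALLOWED_SUBNETS, MAPPED_HOST, [3389, 1433])
    rules = parse_acl(lines)
    probes = {
        "inside first /26": ("207.235.73.70", 3389),
        "just past the /26": ("207.235.73.130", 3389),   # .128/26, not .64/26
        "unrelated source": ("203.0.113.5", 1433),       # constructed address
        "allowed source, port 22": ("207.235.73.70", 22),
    }
    return {label: evaluate(rules, ip, MAPPED_HOST, port) for label, (ip, port) in probes.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24} -> {verdict}")
```

The "just past the /26" probe is the boundary case worth checking by hand: 255.255.255.192 covers 64 addresses, so 207.235.73.64 ends at .127 and .130 falls outside it. The same evaluator shows why order matters: a broader entry placed above these lines (for example the existing `permit tcp any any eq https`) matches before any narrower one is consulted.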

I'll try that for the NAT. For the ASDM, I don't have the ASDM S/W installed; in other places I could download it from the device, which is what I'm trying to do here. So will this command allow me to get to the device from the browser to download the ASDM client? Also, will the command aaa authentication http console LOCAL disable anything else, like my current SSH login?

I added the aaa authentication http console LOCAL command and still cannot access the device via the browser.

Is the asdm image in the ASA flash memory and specified as the image?

# sh disk0:/       <-- To look into the flash

# sh asdm image    <-- To show the current asdm image being served up

ASDM 5.2(4) is the recommended software for the ASA software version 7.2.

Above, it says "asdm.bin" but usually the filename is more descriptive, for example:

ASA-FW# sh asdm image

Device Manager image file, disk0:/asdm-713.bin

Hi,

In addition to the above recommendations , I would request you to get these output:-

show asp table socket

show run http

Java Version on your PC

Thanks and Regards,

Vibhor

To answer your questions, it says asdm-523.bin.

show asp table socket gives me a syntax error.

sho run http gives me:

http 0.0.0.0 0.0.0.0 inside

http 192.168.192.0 255.255.255.0 inside

I'll check the Java version on the server I'm using when I can, but the browser is asking me for a login and pwd when I try and access the ASA, so I don't know if Java is even being used at that point.
