Need some help getting started with ASA 5510: Help needed!

thecoffeeguy
Level 1

Well, I have very, very limited experience with ASA and PIX. My new job here has an ASA appliance and I am going to be taking over the duties for it. Which is fine and great and I look forward to it. I am just a little "raw" and need some help.

I will be back here a lot :) , and will post my configs as I look for suggestions and help.

In the meantime, I have been asked to setup a VPN connection, using PPTP from the vendors location (public IP addresses have been given) to servers within our network.

I went out and grabbed some ASA books (Hucaby Handbook) and will be going over it.

In the meantime, does anyone have suggestions on how to get started?

In a nutshell, I need a crash course to get up to speed.

Thanks for the help.

Jason

8 Replies

thecoffeeguy
Level 1

Ok...have some more information. Have been reading up on some documentation A LOT. Just need some feedback here.

I have a list of 7 public IP addresses from which the PPTP connections from our vendor originate. I will have the public IP address that will be mapped to our internal Authentication server.

For now, let's say the public IP address is: 20.10.5.2 (remember, I have 6 more)

Say our internal Authentication server is:

172.15.5.1 inside, public outside is: 32.16.8.4

For simplicity.

When setting up the ACLs, would it be something like this?

access-list inbound_pptp_traffic permit gre host 20.x.5.2 host 32.16.8.4

access-list inbound_pptp_traffic permit tcp host 20.x.5.2 host 32.16.8.4 eq 1723

static (inside,outside) 32.x.x.4 172.15.5.1 255.255.0.0

access-group inbound_pptp_traffic in interface outside

Is that right so far?

If it is right, do I need to set up 7 individual rules for each public IP address to get to the internal server?

Thanks.

Let me edit this again:

20.10.5.2 -- remote host making connection

32.16.8.4 -- public IP statically assigned to internal authentication server

access-list inbound_pptp_traffic permit gre host 20.10.5.2 host 32.16.8.4

access-list inbound_pptp_traffic permit tcp host 20.10.5.2 host 32.16.8.4 eq 1723

static (inside,outside) 32.16.8.4 172.15.5.1 255.255.255.255

access-group inbound_pptp_traffic in interface outside

That look right?

Do I need to set up a rule to make sure the return traffic would get through?

Thanks.

Can anyone tell me if I am on the right track? :)

Hi,

Are you setting up a tunnel between the two locations?

If not, then it's absolutely right.

For inbound connections over normal internet traffic, we need to have a static statement for the mapping and translation purpose and an access-list on the outside interface which is permitting the traffic.

If it's a VPN tunnel (not a VPN passthrough), then you might need to set up a lot of VPN configuration for setting up both phase 1 and phase 2 sets on both ends.

If it's just a passthrough and the firewall is not acting as a terminating point of the tunnel, then you are on the right track.

Thanks for the feedback. Yes, it is not a tunnel between two locations. Just remote connections.

I set up network objects so I did not have to put in 14 rules.

Thanks for the help!

TCG
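Pulling the pieces from the thread together, here is what the finished PPTP passthrough configuration looks like on an ASA running pre-8.3 code (the `static (inside,outside)` syntax used in the posts), with the seven vendor hosts collected into one object-group as the poster describes. This is an added example written for this page, not configuration from the original poster or from Cisco; the object-group name, the ACL name and the six extra vendor addresses 20.10.5.3 through 20.10.5.8 are placeholders, since only 20.10.5.2 appears in the thread.

```cisco
! --- Vendor's PPTP client hosts (20.10.5.2 is from the thread; the rest are placeholders) ---
object-group network VENDOR_PPTP_CLIENTS
 network-object host 20.10.5.2
 network-object host 20.10.5.3
 network-object host 20.10.5.4
 network-object host 20.10.5.5
 network-object host 20.10.5.6
 network-object host 20.10.5.7
 network-object host 20.10.5.8

! --- One-to-one static NAT for the authentication server; a single host needs a /32 mask ---
static (inside,outside) 32.16.8.4 172.15.5.1 netmask 255.255.255.255

! --- Inbound ACL on the outside interface: only PPTP control (TCP/1723) and its GRE data channel,
!     only from the vendor hosts, only to the mapped address of the auth server.
!     Pre-8.3: ACLs on the outside interface match the mapped (public) address, so 32.16.8.4 is correct here.
!     8.3 and later: use object NAT and reference the real address 172.15.5.1 in the ACL instead.
access-list outside_in extended permit tcp object-group VENDOR_PPTP_CLIENTS host 32.16.8.4 eq 1723
access-list outside_in extended permit gre object-group VENDOR_PPTP_CLIENTS host 32.16.8.4
access-group outside_in in interface outside

! --- Verify without waiting for the vendor: simulate one vendor host hitting the control and data channels ---
packet-tracer input outside tcp 20.10.5.2 40000 32.16.8.4 1723
packet-tracer input outside rawip 20.10.5.2 47 32.16.8.4

! --- After real traffic arrives: confirm the translation exists and that connections are being tracked ---
show xlate | include 172.15.5.1
show conn address 20.10.5.2
show access-list outside_in
```

Two rules per source would indeed mean fourteen lines; the object-group collapses that to two and expands in the hit counters that `show access-list outside_in` prints. No rule is needed for the return path: the ASA is stateful, so the SYN to 1723 and the first GRE packet each create a connection entry, and the replies from 172.15.5.1 are matched against that entry rather than against the outside ACL. One caveat worth knowing before relying on this: the example allows the traffic through, but PPTP's own MS-CHAPv2 authentication is cryptographically weak, so the ACL restricting sources to the vendor's seven hosts is doing real security work here and should not be loosened to `any`.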

Hi,

1) As you can have only one access-group (ACL) per interface, maybe it's better to use a generic name like "outside_in".

2) The ASA is a stateful firewall.

Yep...made sure my ACL name is the same to match what already exists.

Appreciate it.
