04-22-2012 06:17 AM - edited 03-11-2019 03:56 PM
Afternoon guys,
I have decided I want to learn Cisco, so I made the decision to pick up a used ASA 5505 from eBay and use it as my main firewall/router. I have it installed and working but have a few questions about configuration, as some of what I have done seems like a very inefficient way of setting things up.
My Basic config is this
O2 ADSL Modem in bridge-only mode 192.168.1.254 > ASA 5505 Public Static IP > ASA Inside 192.168.1.1 > Rest of internal LAN.
I have spotted this blog post that details how to get to the modem's WebUI through a Cisco router, but I am not sure how I would implement it in my network setup, so I would like advice on this.
O2 Modem IP: 192.168.1.254
ASA inside IP: 192.168.1.1
Apple Airport: 192.168.1.2 (Wireless Bridge)
LAN : 192.168.1.0/24 (VLAN 1)
The other thing I would like to ask is about PAT. I have configured it to allow ports 3074 TCP/UDP and 88 TCP inbound to my Xbox to allow Xbox Live to work, but I would like to know if there is a better way to do this using object groups.
This is currently how I set it up:
object network xbox_udp_3074
host 192.168.1.5
nat (inside,outside) static interface service udp 3074 3074
exit
access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074
object network xbox_tcp_3074
host 192.168.1.5
nat (inside,outside) static interface service tcp 3074 3074
exit
access-list acl_outside extended permit tcp any object xbox_tcp_3074 eq 3074
object network xbox_udp_88
host 192.168.1.5
nat (inside,outside) static interface service udp 88 88
exit
access-list acl_outside extended permit udp any object xbox_udp_88 eq 88
What I would like to know is whether there is a better, more efficient way of setting this up, as I have 3 network objects with 3 NAT statements and 1 ACL.
Finally, I have attempted to configure a client VPN on the ASA, and it works and connects, but the problem is it only appears to let web traffic through. If I connect using the VPN built into my iPhone and try a ping using the Ping Lite app I don't get any responses, but if you open Safari and put in 192.168.1.4 I get the WebUI of my NAS device. If I try to RDP to my home server the connection times out. If I drop the VPN and connect to Wifi I can ping and RDP from my phone OK, so it must be a config problem.
Below is my full config. I have masked the password and cryptochecksum.
: Saved
: Written by enable_15 at 02:08:45.939 GMT Sat Apr 21 2012
!
ASA Version 8.4(3)
!
hostname warrillow-asa1
domain-name warrillow.local
enable password (Masked) encrypted
passwd (Masked) encrypted
names
!
interface Ethernet0/0
description physical connection to O2 Box IV
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
description to inside VLAN
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
description to outside interface (O2 Modem)
nameif outside
security-level 0
ip address (Public Static IP) 255.255.254.0
!
ftp mode passive
clock timezone gmt 0
clock summer-time GMT recurring
dns server-group DefaultDNS
domain-name warrillow.local
object network obj_any
subnet 192.168.1.0 255.255.255.0
object service playOn
service tcp destination eq 57331
object service service_xbox_udp_88
service tcp destination eq 88
object network HomeServer_tcp_57331
host 192.168.1.250
object network xbox_udp_3074
host 192.168.1.5
object network xbox_tcp_3074
host 192.168.1.5
object network xbox_udp_88
host 192.168.1.5
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service xbox_live tcp-udp
port-object eq 3074
port-object eq 88
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit tcp any object HomeServer_tcp_57331 eq 57331
access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074
access-list acl_outside extended permit tcp any object xbox_tcp_3074 eq 3074
access-list acl_outside extended permit udp any object xbox_udp_88 eq 88
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.0.0.2-10.0.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network HomeServer_tcp_57331
nat (inside,outside) static interface service tcp 57331 57331
object network xbox_udp_3074
nat (inside,outside) static interface service udp 3074 3074
object network xbox_tcp_3074
nat (inside,outside) static interface service tcp 3074 3074
object network xbox_udp_88
nat (inside,outside) static interface service udp 88 88
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 (Public Static IP) 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
crypto map warrillow 65535 ipsec-isakmp dynamic dynmap
crypto map warrillow interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 30
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Warrillow internal
group-policy Warrillow attributes
wins-server none
dns-server value 192.168.1.250
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
default-domain value warrillow.local
username mattw password (Masked) encrypted privilege 15
tunnel-group Warrillow-VPN type remote-access
tunnel-group Warrillow-VPN general-attributes
address-pool vpnpool
default-group-policy Warrillow
tunnel-group Warrillow-VPN ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
EDIT: to remove public IP from config posted
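On ASA 8.3 and later the outside ACL is written against the real (untranslated) address and real port, so a static PAT object and its ACL entry have to agree on protocol and port; when they do not, the ACL entry simply never matches and the implicit deny drops the forwarded traffic with no NAT error to hint at the cause. The following script is an added example, not part of this thread or of any Cisco tool: it parses the object NAT and `access-list` lines of a running config and reports ACL entries whose protocol or port disagrees with the NAT rule they refer to, ACL entries that name an undefined object, and static PATs with no permit at all. The sample config embedded below is constructed, modelled on the post above, with one deliberate udp/tcp mismatch and one undefined object planted so the check has something to find.

```python
import re
from dataclasses import dataclass

# Constructed sample, laid out the way "show run" prints it (object definitions
# first, the nat lines under a second copy of each object). Planted defects:
# the ACL entry for xbox_tcp_3074 permits udp while its NAT rule is tcp, and
# the last ACL line names an object that does not exist.
SAMPLE_CONFIG = """\
object network HomeServer_tcp_57331
 host 192.168.1.250
object network xbox_udp_3074
 host 192.168.1.5
object network xbox_tcp_3074
 host 192.168.1.5
object network xbox_udp_88
 host 192.168.1.5
access-list acl_outside extended permit tcp any object HomeServer_tcp_57331 eq 57331
access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074
access-list acl_outside extended permit udp any object xbox_tcp_3074 eq 3074
access-list acl_outside extended permit udp any object xbox_udp_88 eq 88
access-list acl_outside extended permit tcp any object no_such_object eq 443
object network HomeServer_tcp_57331
 nat (inside,outside) static interface service tcp 57331 57331
object network xbox_udp_3074
 nat (inside,outside) static interface service udp 3074 3074
object network xbox_tcp_3074
 nat (inside,outside) static interface service tcp 3074 3074
object network xbox_udp_88
 nat (inside,outside) static interface service udp 88 88
"""

# Object NAT static PAT: "service <proto> <real_port> <mapped_port>".
NAT_RE = re.compile(
    r"^\s*nat\s+\(inside,outside\)\s+static\s+interface\s+service\s+"
    r"(?P<proto>tcp|udp)\s+(?P<real>\d+)\s+(?P<mapped>\d+)\s*$"
)
# Outside ACL entry on an object: matched on the real address and real port.
ACL_RE = re.compile(
    r"^\s*access-list\s+\S+\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+any\s+"
    r"object\s+(?P<obj>\S+)\s+eq\s+(?P<port>\d+)\s*$"
)
OBJ_RE = re.compile(r"^\s*object network\s+(?P<name>\S+)\s*$")
HOST_RE = re.compile(r"^\s*host\s+(?P<ip>\S+)\s*$")


@dataclass
class StaticPat:
    name: str
    host: str = ""
    proto: str = ""
    real_port: int = 0
    mapped_port: int = 0


def parse_config(text):
    """Return ({object_name: StaticPat}, [(proto, object_name, port), ...])."""
    objects, acl, current = {}, [], None
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            # The same object may appear twice; merge host and nat into one record.
            current = objects.setdefault(m.group("name"), StaticPat(m.group("name")))
            continue
        m = ACL_RE.match(line)
        if m:
            acl.append((m.group("proto"), m.group("obj"), int(m.group("port"))))
            current = None
            continue
        if current is None:
            continue
        m = HOST_RE.match(line)
        if m:
            current.host = m.group("ip")
            continue
        m = NAT_RE.match(line)
        if m:
            current.proto = m.group("proto")
            current.real_port = int(m.group("real"))
            current.mapped_port = int(m.group("mapped"))
    return objects, acl


def check(text):
    """List human-readable findings; an empty list means NAT and ACL agree."""
    objects, acl = parse_config(text)
    findings, referenced = [], set()
    for proto, obj, port in acl:
        referenced.add(obj)
        pat = objects.get(obj)
        if pat is None:
            findings.append(f"ACL references undefined object {obj}")
        elif not pat.proto:
            findings.append(f"ACL references {obj}, which has no static PAT")
        elif proto != pat.proto or port != pat.real_port:
            findings.append(
                f"{obj}: ACL permits {proto}/{port} but NAT translates "
                f"{pat.proto}/{pat.real_port}; the ACL entry never matches"
            )
    for name, pat in objects.items():
        if pat.proto and name not in referenced:
            findings.append(
                f"{name}: static PAT {pat.proto}/{pat.mapped_port} -> "
                f"{pat.host}:{pat.real_port} has no permit on the outside ACL"
            )
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Paste the relevant lines of `show running-config` into `SAMPLE_CONFIG` (or read them from a file) to run it against a real box; only object NAT with `static interface service` and `access-list ... permit {tcp|udp} any object ... eq` lines are understood, so twice NAT and ACLs that use object-groups are left for manual review.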
04-22-2012 06:34 AM
Hi,
The port forward configurations you have done for your Xbox seem to be done the way I would also do them. I don't at the moment know of a simpler way to do the configurations. In the older software the NAT configurations contained less configuration and in that sense were simpler. In the new software, however, you will have to get used to having a lot of objects and object-groups for your NAT configurations.
Regarding the VPN Client configurations.
It seems to me that you lack the NONAT configuration, a configuration that basically lets your VPN users connect to the local LAN with both ends using their original IP addresses.
In your setup you could try adding the following configurations (with object names that suit you):
object network LAN
subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
This would mean that your LAN and VPN users could connect to each other using their original IP addresses. The reason the objects are entered twice is the fact that you would have options to NAT both the source and destination addresses if you wanted.
- Jouni
04-22-2012 06:58 AM
Thanks Jouni,
That NAT statement fixed things up for me. I still cannot ping from the VPN into the network, but RDP works now. I guess my inspection rule is blocking ICMP replies.
Also thanks for the advice on the PAT config; if that is the way Cisco intended it to be set up then I'm cool with that, but it seems very strange that you should need a network object for each port to forward.
Do you know how I would set up NAT overload to allow access to my modem's WebUI without having to plug directly into it, like they outline in this blog post?
04-22-2012 07:47 AM
Hi,
Adding the following configurations should allow ICMP through the ASA (for the echo-reply to come through also without using an ACL):
policy-map global_policy
class inspection_default
inspect icmp
Unless you had already added this.
You might also find the following document/video helpful. It shows off some of the common NAT configurations. This was mostly to help the people that were moving from the old to the new format, but it should be helpful to you also. I know I sometimes double check there.
Document: https://supportforums.cisco.com/docs/DOC-9129
Video: https://supportforums.cisco.com/docs/DOC-12324 (also has a link to the above document)
Regarding the NAT configurations for modem management, I can't guarantee this will work, but the first configuration that came to mind is the following (it kind of resembles the NONAT configuration).
Though I'm not really sure if this would work, as the LAN network and the outside management IP are from the same network. But you can always try.
object network LAN
subnet 192.168.1.0 255.255.255.0
object network MODEM-MANAGEMENT
host 192.168.1.254
nat (inside,outside) source static LAN LAN destination static MODEM-MANAGEMENT MODEM-MANAGEMENT
- Jouni