03-13-2012 11:56 AM - edited 03-11-2019 03:41 PM
ASDM 6.4ish and ASA 8.4(3). The good news is, after much trial and error, I have got to this point.
If I may advise novices on what I have learned:
(1) DON'T USE the ACL Manager to make ACL rules; use the ACCESS RULES at the top (otherwise you won't see where to associate firewall rules with interfaces).
(2) You need a default route created to allow access to the internet from your private LAN or DMZ (if you have one created). Basically you have to tell the router what the next hop is for traffic leaving the router on the outside interface (I guess most routers default to the ISP gateway, which you will have to manually put in for the Cisco unit).
(3) NAT rules (static) or port forwarding for the beginner should be done by nesting (embedding) the NAT rule within objects. This is the easiest way to create them. (Avoid doing it manually; it's a gonad breaker and you will end up making twice NAT rules by accident.)
(4) You also need dynamic PAT rules so that outgoing traffic is handled appropriately upon return (assuming a number of private hosts and one public WAN IP). The router creates this automatically for you by default for the inside LAN... I had to figure out how to add one for the DMZ.
(5) Traffic flow is first controlled by ACLs, then NAT rules (which in practical terms means you have to ensure ACL rules let in the destination port of incoming ports vice the translated... for example, expecting incoming 2121 and then translating them to 21 for FTP. In this case your FW rule will need to pass through 2121 and NAT will still do the port forwarding translation).
For my config, I have success on LAN to LAN traffic and LAN to Internet traffic. I get no traffic inbound. :-(( If I put in a global implicit rule of any allow, just prior to the default global implicit rule any deny, then inbound traffic works. So I am guessing that my ACLs are problematic???
:
: Saved
:
ASA Version 8.4(3)
!
hostname zyxelbeatsbattlestargalacticaandCisco
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -4
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 555.555.555.98
description Corporate Object for access to TFS, OM
object network -remote-h
subnet 11.111.0.0 255.255.0.0
object network -remote-w
subnet 22.222.222.0 255.255.255.0
object network -remote2
host 33.3.333.4
object network -remote1
host 444.44.444.133
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp source eq www destination eq www
object service OM1
service tcp source eq 5080 destination eq 5080
object service OM2
service tcp source eq 8088 destination eq 8088
object service OM3
service tcp source eq https destination eq https
object service TFS
service tcp source eq 8080 destination eq 8080
object service RDP
service tcp source eq 3389 destination eq 3389
object service RouterAdmin
service tcp source eq 33349 destination eq 33349
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object-group network Router-Admin
description Remote access to adjust router settings
network-object object -remote1
network-object object TrustedInternetUsers
object-group network TFS-usergroup
description Agilegroup Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object -remote-h
network-object object -remote-w
network-object object -remote1
network-object object -remote2
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object input-port
service-object object OM3
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
access-list outside_access_in remark remote access to VS
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
pager lines 24
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 33349
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http 444.44.444.133 255.255.255.255 outside
http ab.abc.def.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh 444.44.444.133 255.255.255.255 outside
ssh ab.abc.def.0 255.255.255.0 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0
dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 66.666.6.96 66.666.6.97 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 66.666.6.96 66.666.6.97 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 66.666.6.96 66.666.6.97 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5 password Xl5915GPBhncsPAQ encrypted
username user3 password mAVJxjP/lM8yc59F encrypted
username user4 password w7V/UFyrOwnQknqm encrypted
username user2 password .NJvJ7zi.ROsatP7 encrypted
username user1 password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b8135c36da331e34243baa55a8fe8c5a
: end
03-14-2012 06:12 AM
Bump and two questions:
(1) Object rules: I probably don't need both source and destination ports, so is it just either source or destination? These are for ports people on the outside will be using to approach the router. Of all my incoming ports, I am only changing one port number (as per the NAT rule ending "5080 https"), since one set of users can get out of their own corporate situation on port 80 and not 5080.
object service input-port
 service tcp source eq www destination eq www
object service OM1
 service tcp source eq 5080 destination eq 5080
(associated NAT rule:
object network NAT4WWW2OM1
 nat (main-lan,outside) static interface service tcp 5080 www)
Should it be??
object service input-port
 service tcp source eq www
object service OM1
 service tcp source eq 5080
(2) ACL rule structure looks funny in that I have grouped many things and I am following the instructions and bouncing the ASDM ball, but how come my service group or service group object is in the middle of the rule whereas all the examples I see show them at the end???
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
should it be???
access-list outside_access_in extended permit object Corporate-user object VS-pcIP object TFS
access-list outside_access_in extended permit object-group TFS-usergroup object VS-pcIP object-group OMServiceGroup
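Added example (my own code, not from this thread or from Cisco) for both the "no inbound traffic until I add permit any" symptom in the first post and the source/destination port question in the second: a small Python linter that parses ASA-style `object service`, `object-group service`, `object network` with `nat ... static interface service tcp REAL MAPPED`, and `access-list ... extended permit` lines, then reports two things a blanket permit rule would mask. First, any service object used in an access rule that carries `source eq`: in an ACE that field is matched against the client's source port, and TCP clients pick an ephemeral source port, so `source eq www destination eq www` almost never matches an inbound connection. Second, any ACE that permits the mapped port of a port-forwarding NAT rather than its real port, since on ASA 8.3 and later access rules are evaluated against the real (untranslated) address and port. The sample configuration is constructed in the style of the posted one (object and interface names are reused, the ACE with `object Corporate-user` is kept, everything else is trimmed); the port-keyword table covers only a few common names. It handles any number of objects, groups and ACEs of those shapes, not just the ones quoted above.

```python
"""Lint ASA 8.3+-style access rules against their service objects and static PAT.

Added example, not the thread's config. Two checks:
  1. a service object used in an ACE that pins the client *source* port
     (TCP clients use ephemeral source ports, so such an ACE rarely matches);
  2. an ACE that permits the *mapped* port of a port-forwarding NAT instead of
     the real port (8.3+ access rules match on real address and port).
"""
import re
from collections import defaultdict

# Constructed sample in the style of the posted config (not the thread's full config).
SAMPLE_CONFIG = """\
object network VS-pcIP
 host 192.168.24.34
object service input-port
 service tcp source eq www destination eq www
object service OM1
 service tcp source eq 5080 destination eq 5080
object service TFS
 service tcp destination eq 8080
object-group service CorporateServiceGroup
 service-object object input-port
 service-object object OM1
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
object network NAT4WWW2OM1
 host 192.168.24.34
 nat (main-lan,outside) static interface service tcp 5080 www
object network NAT4TFS
 host 192.168.24.34
 nat (main-lan,outside) static interface service tcp 8080 8080
"""

# Minimal ASA port-keyword table (assumption: only these names appear in the input).
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ssh": 22, "smtp": 25}

SVC_RE = re.compile(r"service tcp(?: source eq (\S+))?(?: destination eq (\S+))?$")
NAT_RE = re.compile(r"nat \(\S+\) static interface service tcp (\S+) (\S+)$")
ACE_RE = re.compile(r"access-list \S+ extended permit (object|object-group) (\S+) "
                    r"(?:object|object-group) \S+ object (\S+)$")


def port_num(token):
    """Turn an ASA port keyword or number into an integer port."""
    return PORT_NAMES.get(token) or int(token)


def parse_config(text):
    """Collect service objects, service groups, host objects, static PATs and ACEs."""
    cfg = {"services": {}, "groups": defaultdict(list), "hosts": {}, "nats": [], "aces": []}
    kind = name = None  # the object/group block we are currently inside
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        tok = line.split()
        if tok[0] == "object" and len(tok) == 3:          # object network|service NAME
            kind, name = tok[1], tok[2]
        elif tok[0] == "object-group" and len(tok) == 3:  # object-group service NAME
            kind, name = "group", tok[2]
        elif kind == "service" and (m := SVC_RE.match(line)):
            # (source port or None, destination port or None)
            cfg["services"][name] = (port_num(m[1]) if m[1] else None,
                                     port_num(m[2]) if m[2] else None)
        elif kind == "group" and tok[:2] == ["service-object", "object"]:
            cfg["groups"][name].append(tok[2])
        elif kind == "network" and tok[0] == "host":
            cfg["hosts"][name] = tok[1]
        elif kind == "network" and (m := NAT_RE.match(line)):
            cfg["nats"].append((name, port_num(m[1]), port_num(m[2])))  # (obj, real, mapped)
        elif m := ACE_RE.match(line):
            cfg["aces"].append((m[1], m[2], m[3], line))  # (svc kind, svc name, dst obj, text)
    return cfg


def ace_services(cfg, kind, svc):
    """Expand an ACE's service reference to the list of service object names."""
    return [svc] if kind == "object" else cfg["groups"].get(svc, [])


def source_port_constraints(cfg):
    """Service objects in ACEs that pin the client source port: (service, src_port, ace text)."""
    hits = []
    for kind, svc, _dst, line in cfg["aces"]:
        for s in ace_services(cfg, kind, svc):
            src, _ = cfg["services"].get(s, (None, None))
            if src is not None:
                hits.append((s, src, line))
    return hits


def mapped_port_aces(cfg):
    """ACEs permitting a NAT's mapped port instead of its real port: (service, mapped, real)."""
    forwards = {(cfg["hosts"][obj], mapped): real
                for obj, real, mapped in cfg["nats"] if real != mapped and obj in cfg["hosts"]}
    hits = []
    for kind, svc, dst, _line in cfg["aces"]:
        ip = cfg["hosts"].get(dst)
        for s in ace_services(cfg, kind, svc):
            _, dport = cfg["services"].get(s, (None, None))
            real = forwards.get((ip, dport))
            if real is not None:
                hits.append((s, dport, real))
    return hits


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for s, src, line in source_port_constraints(cfg):
        print(f"source port {src} pinned by service {s!r} in: {line}")
    for s, mapped, real in mapped_port_aces(cfg):
        print(f"service {s!r} permits mapped port {mapped}; the real port behind the NAT is {real}")
```

Run against the sample, it reports `input-port` (source 80) and `OM1` (source 5080) as source-pinned, and flags the `input-port` ACE for permitting port 80 to VS-pcIP when the NAT4WWW2OM1 rule forwards mapped 80 to real 5080. To use it on a real unit, paste the relevant blocks of `show running-config` into SAMPLE_CONFIG; lines it does not recognise (descriptions, subnets, network groups) are skipped.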