04-25-2012 08:33 AM - edited 03-11-2019 03:58 PM
I have a computer behind the ASA 5505 firewall. The computer needs to access the Microsoft Activation Server. Reading some website information, I need to allow a huge list of servers that basically point to www and https traffic. Therefore, looking at these heavy requirements, I prefer to allow this computer to navigate to any https or http (www) server outside of the firewall. Below, I have included my current ASA 5505 configuration. Can you please tell me what needs to be added?
hostname ciscoasa
domain-name default.domain.invalid
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 170.18.18.132 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd
banner motd +......................-+
banner motd | |
banner motd | *** Unauthorized Use or Access Prohibited *** |
banner motd | |
banner motd | For Authorized Official Use Only |
banner motd | You must have explicit permission to access or |
banner motd | configure this device. All activities performed |
banner motd | on this device may be logged, and violations of |
banner motd | this policy may result in disciplinary action, and |
banner motd | may be reported to law enforcement authorities. |
banner motd | |
boot system disk0:/asa724-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network obj_any
object-group network microsoft-servers
 network-object host 207.46.21.123
 network-object host 4.26.252.126
 network-object host 8.26.205.253
 network-object host 8.27.149.126
 network-object host 65.55.58.195
 network-object host 94.245.126.107
 network-object host 192.70.222.41
 network-object host 192.70.222.59
 network-object host 157.55.44.71
 network-object host 118.108.3.84
 network-object host 207.46.131.43
 network-object host 207.46.19.190
 network-object host 143.127.102.40
 network-object host 72.14.204.101
 network-object host 64.208.186.114
object-group network other_servers
 network-object 118.108.62.236 255.255.255.255
access-list outside_access_in extended permit ip object-group psu-servers any
access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq www
access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq https
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp any object-group epay_servers eq https
access-list inside_access_out extended permit ip any object-group psu-servers
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip audit name insidepolicy info action
ip audit name outsidepolicy info action
ip audit interface inside insidepolicy
ip audit interface outside outsidepolicy
ip audit info action
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 170.18.18.133 10.2.1.2 netmask 255.255.255.255
access-group inside_access_out in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 170.18.18.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.2.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.2.1.2 255.255.255.255 inside
ssh 170.18.18.132 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.1.2-10.2.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
04-25-2012 10:15 AM
Hello Par13,
You do not need to allow anything, as you are already allowing everything from inside to outside:
access-group inside_access_out in interface inside
access-list inside_access_out extended permit ip any any
That line allows everything that is initiated from the inside interface of the ASA; the returning traffic that matches a connection already established from that inside host will be allowed by default (stateful inspection applied by the ASA).
Hope this helps.
Regards,
Do rate all the helpful posts
Julio
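To make the point above concrete, here is an added example (not from the original post, and not Cisco code) that models how the ASA walks an access-list bound with access-group: first match wins and anything unmatched hits the implicit deny at the end. It is fed a constructed excerpt of the posted config (microsoft-servers trimmed to two members; the port names www/https mapped to 80/443). Two things it reports are worth checking in the real config: every entry after `permit ip any any` in inside_access_out is unreachable, and psu-servers and epay_servers are referenced without ever being defined, which a real ASA refuses when the line is entered; here such an entry is kept and treated as matching nothing so the reference can be flagged.

```python
"""First-match ACL evaluation over the access-lists posted in the thread (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt of the posted running-config (object-groups trimmed).
# psu-servers and epay_servers are referenced but never defined, as in the post.
CONFIG = """\
object-group network microsoft-servers
 network-object host 207.46.21.123
 network-object host 65.55.58.195
object-group network other_servers
 network-object 118.108.62.236 255.255.255.255
access-list outside_access_in extended permit ip object-group psu-servers any
access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq www
access-list outside_access_in extended permit tcp 10.2.1.0 255.255.255.0 any eq https
access-list inside_access_out extended permit ip any any
access-list inside_access_out extended permit tcp any object-group epay_servers eq https
access-list inside_access_out extended permit ip any object-group psu-servers
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # only the names the post uses
Net = ipaddress.IPv4Network


@dataclass
class Entry:
    action: str                  # permit / deny
    proto: str                   # ip / tcp / udp / icmp
    src: List[Net]               # networks the source must fall in (empty: matches nothing)
    dst: List[Net]
    dport: Optional[int]         # None: any destination port
    undefined: List[str] = field(default_factory=list)  # object-groups missing from config


def _address(tokens: List[str], groups: Dict[str, List[Net]], undefined: List[str]) -> List[Net]:
    """Consume one ASA address spec (any | host A | A MASK | object-group NAME)."""
    kind = tokens.pop(0)
    if kind == "any":
        return [Net("0.0.0.0/0")]
    if kind == "host":
        return [Net(tokens.pop(0) + "/32")]
    if kind == "object-group":
        name = tokens.pop(0)
        if name not in groups:
            undefined.append(name)   # assumption: keep the entry, match nothing
            return []
        return list(groups[name])
    return [Net(f"{kind}/{tokens.pop(0)}")]   # "address mask" form


def parse_config(text: str) -> Tuple[Dict[str, List[Net]], Dict[str, List[Entry]]]:
    groups: Dict[str, List[Net]] = {}
    acls: Dict[str, List[Entry]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"network-object (.+)", line)
        if m and current:
            groups[current].extend(_address(m.group(1).split(), groups, []))
            continue
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line)
        if m:
            name, action, proto, rest = m.groups()
            tokens, undefined = rest.split(), []
            src = _address(tokens, groups, undefined)
            if tokens and tokens[0] == "eq":      # source-port operator (unused in the post)
                tokens = tokens[2:]
            dst = _address(tokens, groups, undefined)
            dport = None
            if tokens and tokens[0] == "eq":
                dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
            acls.setdefault(name, []).append(Entry(action, proto, src, dst, dport, undefined))
    return groups, acls


def _in(nets: List[Net], addr: str) -> bool:
    ip = ipaddress.IPv4Address(addr)
    return any(ip in n for n in nets)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return (action, matching entry index); no match is the ASA's implicit deny."""
    for i, e in enumerate(acl):
        if e.proto in ("ip", proto) and _in(e.src, src) and _in(e.dst, dst) \
                and e.dport in (None, dport):
            return e.action, i
    return "deny", None


def _covers(outer: List[Net], inner: List[Net]) -> bool:
    return all(any(o.supernet_of(n) for o in outer) for n in inner)


def shadowed_entries(acl: List[Entry]) -> List[Tuple[int, int]]:
    """(entry, earlier entry) pairs where the earlier entry already matches all the later could."""
    found = []
    for i, later in enumerate(acl):
        for j in range(i):
            earlier = acl[j]
            if earlier.proto in ("ip", later.proto) and earlier.dport in (None, later.dport) \
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                found.append((i, j))
                break
    return found


def undefined_groups(acls: Dict[str, List[Entry]]) -> Set[str]:
    return {g for acl in acls.values() for e in acl for g in e.undefined}


if __name__ == "__main__":
    groups, acls = parse_config(CONFIG)
    print("outbound 10.2.1.2 -> 207.46.21.123:443:",
          evaluate(acls["inside_access_out"], "tcp", "10.2.1.2", "207.46.21.123", 443))
    print("unsolicited inbound 207.46.21.123 -> 170.18.18.133:443:",
          evaluate(acls["outside_access_in"], "tcp", "207.46.21.123", "170.18.18.133", 443))
    print("shadowed:", {n: shadowed_entries(a) for n, a in acls.items()})
    print("undefined object-groups:", undefined_groups(acls))
```

Running it confirms the answer: the outbound flow from 10.2.1.2 to any web server hits entry 0 of inside_access_out and is permitted, so no outbound rule is missing, and the reply packets are handled by the connection table rather than by outside_access_in. It also shows that the two outside_access_in entries with a 10.2.1.0/24 source can only ever match a packet that arrives on the outside interface already carrying an internal source address, which legitimate Internet traffic never does, so they contribute nothing toward the activation goal and can be removed.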
04-25-2012 11:01 AM
Thanks for the fast reply. But, as it is now, the computer behind the firewall is not able to connect to www.microsoft.com, to get Windows updates, or to activate Windows.
So, I think there has got to be something stopping this computer from connecting to the internet.
04-25-2012 11:22 AM
Hello,
Then you would need to take captures in order to see if the packets are reaching the ASA, if they are going to Microsoft, and then if Microsoft replies back to the ASA.
Regards,
Julio