HELP WITH ASA 5505 a 1st timer.

missiongeek (Level 1)

Hi All,
I've been given the task of changing our ISP. I installed a new 2921 Cisco router and all is well. I got a brand new ASA 5505 firewall. I am severely stuck. I have no connectivity. Can some of you folk look at my configuration and see what I'm missing? ACL, NAT, who knows.

I have the circuit (DS3) to router, router to ASA. The ASA will be a site-to-site VPN. I have omitted the IP addresses (the important ones at least).

I thank you all in advance.
ASA Version 8.2(1)
!
hostname asaconcord
domain-name anydomain.com
enable password .js/XZFY7WdcxGWh encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
description Inside
nameif Inside
security-level 100
ip address 10.10.0.1 255.255.252.0
!
interface Vlan2
description Public
nameif Public
security-level 0
ip address 0.0.0.0 255.255.255.224
!
interface Ethernet0/0
description Public Interaface
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time edt recurring
dns server-group DefaultDNS
domain-name terarecon.com
access-list out-in extended permit icmp any any
access-list out-in extended permit tcp any host 0.0.0.0 eq 3306
access-list out-in extended permit tcp any host 0.0.0.0 eq pptp
access-list out-in extended permit tcp any host 0.0.0.0 eq pptp
access-list out-in extended permit tcp any host 0.0.0.0
access-list out-in extended permit tcp any host 0.0.0.0
access-list out-in extended permit icmp any host 0.0.0.0
access-list out-in extended permit tcp any host 0.0.0.0 eq smtp
access-list out-in extended permit tcp any host 0.0.0.0 eq pop3
access-list out-in extended permit tcp any host 0.0.0.0 eq www
access-list out-in extended permit tcp any host 0.0.0.0 eq https
access-list out-in extended permit tcp any host 0.0.0.0 eq 3389
access-list out-in extended permit icmp any host 0.0.0.0
access-list out-in extended permit tcp any host 0.0.0.0 eq 135
access-list out-in extended permit ip any host 0.0.0.0
access-list out-in extended permit tcp any host 0.0.0.0 eq 27008
access-list out-in extended permit tcp any host 0.0.0.0 eq 27009
access-list out-in extended permit tcp any host 0.0.0.0 eq 27008
access-list out-in extended permit tcp any host 0.0.0.0 eq 27009
access-list out-in extended permit tcp any host 0.0.0.0 eq 7800
access-list out-in extended permit udp any host 0.0.0.0 eq 7800
access-list out-in extended permit gre any host 0.0.0.0
access-list out-in extended permit gre any host 0.0.0.0
access-list out-in extended permit tcp 0.0.0.0 255.255.255.248 host 0.0.0.0 eq https
access-list out-in extended permit tcp host 0.0.0.0 host 0.0.0.0 eq https
access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.0 eq https
access-list out-in extended permit tcp any host 0.0.0.0 eq 3306
access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.09 eq https
access-list out-in extended permit tcp 0.0.0.0 255.255.255.248 host 0.0.0.09 eq https
access-list out-in extended permit ip any host 10.10.3.201
access-list out-in extended permit tcp any host 0.0.0.02 eq ftp
access-list out-in extended permit tcp any host 0.0.0.02 eq ssh
access-list out-in extended permit tcp any host 0.0.0.02 eq www
access-list out-in extended permit icmp any host 0.0.0.02
access-list out-in extended permit tcp any host 0.0.0.02 eq 3389
access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.0 eq https
access-list out-in extended permit tcp 0.0.0.0 255.255.255.0 host 0.0.0.09 eq https
access-list NoNAT extended permit ip 10.10.0.0 255.255.252.0 0.0.0.0 255.255.248.0
access-list 101 extended permit ip 10.10.0.0 255.255.252.0 0.0.0.0 255.255.248.0
access-list in-out extended permit tcp host 10.10.0.10 any eq smtp
access-list in-out extended permit tcp host 10.10.0.104 any eq smtp
access-list in-out extended permit tcp host 10.10.1.15 any eq smtp
access-list in-out extended deny tcp any any eq smtp
access-list in-out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging trap debugging
mtu Inside 1500
mtu Public 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (Inside) 0 access-list NoNAT
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group out-in in interface Public
route Public 0.0.0.0 0.0.0.0 0.0.0.0 1
route Public 0.0.0.0 255.255.248.0 63.150.232.1 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
mac-list 50 permit 001c.2395.9ab5 ffff.ffff.ffff
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set chevelle esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set terarecon esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 100 set transform-set 3desmd5
crypto map transam 1 match address 101
crypto map transam 1 set peer 0.0.0.0
crypto map transam 1 set transform-set chevelle
crypto map vpn 1 match address 101
crypto map vpn 1 set peer 0.0.0.0
crypto map vpn 1 set transform-set 3desmd5 terarecon
crypto map vpn 100 ipsec-isakmp dynamic dynmap
crypto map vpn interface Public
crypto isakmp identity address
crypto isakmp enable Public
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption des
hash md5
group 1
lifetime 1000
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 60
ssh version 2
console timeout 0
management-access Inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGROUP internal
group-policy VPNGROUP attributes
split-tunnel-policy tunnelall
tunnel-group 0.0.0.8 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
!
class-map type inspect http match-all asdm_medium_security_methods
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
id-randomization
id-mismatch action log
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect http
inspect pptp
inspect icmp
policy-map type inspect http HTTP_inspection
parameters
protocol-violation action drop-connection
class asdm_medium_security_methods
drop-connection
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3208c134ee51ea1a9e16d2ab5f986fdf
: end

4 Replies

Hi,

Where do you have connectivity problems?

Are all the 0.0.0.0 IPs the ones you omitted?


Federico.

Hi,

I don't see any global(outside) 1 statement.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_dynamic.html#wp1081940

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

Can you school me on what that means in router talk? Default route, or ip nat ... overload? Or am I way off?

Sent from my iPhone

Hi,

You're missing dynamic NAT; NAT overload is when you translate to the interface and not to a pool of addresses.

Regards.

Alain.

Don't forget to rate helpful posts.
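Both of Alain's replies point at the same gap: on ASA 8.2 a `nat (Inside) 1 ...` statement does nothing until a `global` statement with the same id exists on the interface traffic leaves through, and `global (Public) 1 interface` is the standard 8.2 syntax for PAT to the outside interface address. As an added example, not code from this thread or from Cisco, here is a small Python lint that reads an 8.2-style config and reports exactly that gap, plus two related dead-config checks (an ACL nothing references, a crypto map not bound to any interface). The embedded sample is constructed from the posted config, abridged, with the 0.0.0.0 placeholders kept; the parser only understands the handful of statement types shown, not the full ASA grammar.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the config posted in this thread; 0.0.0.0 stands
# in for the public addresses the poster removed. It keeps the gap the replies point
# at: nat (Inside) 1 with no matching global statement.
SAMPLE_CONFIG = """\
ASA Version 8.2(1)
!
interface Vlan1
 nameif Inside
 security-level 100
 ip address 10.10.0.1 255.255.252.0
!
interface Vlan2
 nameif Public
 security-level 0
 ip address 0.0.0.0 255.255.255.224
!
access-list out-in extended permit icmp any any
access-list NoNAT extended permit ip 10.10.0.0 255.255.252.0 0.0.0.0 255.255.248.0
access-list 101 extended permit ip 10.10.0.0 255.255.252.0 0.0.0.0 255.255.248.0
access-list in-out extended permit ip any any
nat (Inside) 0 access-list NoNAT
nat (Inside) 1 0.0.0.0 0.0.0.0
access-group out-in in interface Public
crypto map transam 1 match address 101
crypto map vpn 1 match address 101
crypto map vpn interface Public
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
SECLEVEL_RE = re.compile(r"^\s*security-level (\d+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)(?: access-list (\S+))?")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
ACL_DEF_RE = re.compile(r"^access-list (\S+) ")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface (\S+)")
CRYPTO_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
CRYPTO_ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ (?:match address (\S+))?")


def parse_config(text):
    """Collect the objects and cross-references the checks in lint() need."""
    facts = {
        "interfaces": {},                # nameif -> security-level
        "nat": [],                       # (nameif, nat_id, acl or None)
        "global_ids": defaultdict(set),  # nat_id -> {nameif, ...}
        "acls": set(), "acl_refs": set(),
        "crypto_maps": set(), "bound_maps": set(),
    }
    current_if = None
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):
            current_if = m.group(1)
            facts["interfaces"].setdefault(current_if, 100)
        elif (m := SECLEVEL_RE.match(line)) and current_if:
            facts["interfaces"][current_if] = int(m.group(1))
        elif m := NAT_RE.match(line):
            facts["nat"].append((m.group(1), int(m.group(2)), m.group(3)))
            if m.group(3):
                facts["acl_refs"].add(m.group(3))
        elif m := GLOBAL_RE.match(line):
            facts["global_ids"][int(m.group(2))].add(m.group(1))
        elif m := ACL_DEF_RE.match(line):
            facts["acls"].add(m.group(1))
        elif m := ACCESS_GROUP_RE.match(line):
            facts["acl_refs"].add(m.group(1))
        elif m := CRYPTO_IF_RE.match(line):
            facts["bound_maps"].add(m.group(1))
        elif m := CRYPTO_ENTRY_RE.match(line):
            facts["crypto_maps"].add(m.group(1))
            if m.group(2):
                facts["acl_refs"].add(m.group(2))
    return facts


def lint(text):
    """Return human-readable findings in a stable order."""
    facts = parse_config(text)
    findings = []
    # 1. In 8.2 syntax every nat id other than 0 needs a global with the same id;
    #    without one, outbound traffic has no translation and is dropped.
    for nameif, nat_id, _acl in facts["nat"]:
        if nat_id == 0:
            continue  # nat 0 is identity / exemption and uses no global pool
        if nat_id not in facts["global_ids"]:
            others = {k: v for k, v in facts["interfaces"].items() if k != nameif}
            outside = min(others, key=others.get) if others else "<outside>"
            findings.append(
                f"nat ({nameif}) {nat_id} has no matching global statement; "
                f"add e.g. 'global ({outside}) {nat_id} interface' to PAT to that interface"
            )
    # 2. An ACL nothing references is dead policy, often one that was meant to be applied.
    for acl in sorted(facts["acls"] - facts["acl_refs"]):
        findings.append(f"access-list {acl} is defined but never referenced")
    # 3. A crypto map that is not bound to an interface never negotiates a tunnel.
    for cmap in sorted(facts["crypto_maps"] - facts["bound_maps"]):
        findings.append(f"crypto map {cmap} is defined but not applied to any interface")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` instead of the sample and the first finding is the one the thread is about; adding `global (Public) 1 interface` to the input makes that finding disappear. The lowest security-level interface other than the NAT source is used only to word the suggestion, so check it matches the interface the default route actually points out of.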