Need help with configuration

jason0923 · ‎03-04-2014

I'm new to Cisco and we just took over a client with an ASA 5505 I need to do 2 things first

I need to know how to open or forward ports to an internal IP address they want me to open ports 3389 and 1433 to an internal address 192.168.192.52

but only from 207.235.73.64 and 255.255.255.192

40.143.46.64 and 255.255.255.192

o and

66.192.91.128 and 255.255.255.192

40.143.28.64 and 255.255.255.192

And second Id link to getb the ASDM downlaoded and working as I;ve used that before in other offices and it helps me out as a non cisco expert. I try going to the device IP in a browser 192.168.192.1/admin and just get a prompt for username and password but it doesn;t take the one I have. Here is the config on the device right now. Any help you guys can point me to Id appreciate. 4 hours of Google research has gotten me no where

sho run

: Saved

:

ASA Version 7.2(3)

!

hostname vmine

domain-name mine

enable password CyQcVKTj6CW8.Vsj encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.192.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.248

!

interface Vlan3

mac-address 001f.6ce3.bd99

no forward interface Vlan1

nameif guest

security-level 10

ip address 205.10.2.1 255.255.255.0

!

interface Ethernet0/0

description Internet-Connection

switchport access vlan 2

!

interface Ethernet0/1

description Connection to Inside Network

speed 100

duplex full

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

switchport access vlan 2

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

description Connection to Public Network

switchport access vlan 3

speed 100

duplex full

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

passwd CyQcVKTj6CW8.Vsj encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name domain

access-list guest extended permit icmp any any

access-list guest extended permit ip any any

access-list inside extended permit icmp any any

access-list inside extended permit ip any any

access-list outside extended permit icmp any any echo-reply

access-list outside extended permit tcp any any eq 8440

access-list nonat extended permit ip 192.168.192.0 255.255.255.0 192.168.252.0 255.255.255.0

access-list outside-in extended permit tcp any any eq https

access-list outside-in extended permit tcp host x.x.x.x any eq 1433

pager lines 24

logging enable

logging buffer-size 16384

logging buffered informational

mtu inside 1500

mtu outside 1500

mtu guest 1500

ip local pool vpn-ip 192.168.252.1-192.168.252.

10
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm.bin
no asdm history enable
arp timeout 14400
global (outside) 1 x.x.x.x
global (outside) 2 x.x.x.x
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.192.0 255.255.255.0
nat (guest) 2 205.10.2.0 255.255.255.0
static (inside,outside) tcp interface www 192.168.192.170 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.192.170 https netmask 255.255.255.255
static (inside,outside) x.x.x.x 192.168.192.52 netmask 255.255.255.255
access-group inside in interface inside
access-group outside-in in interface outside
access-group guest in interface guest
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.192.0 255.255.255.0 inside
snmp-server host inside 192.168.192.10 poll community ciscosnmp
snmp-server location PIX
no snmp-server contact
snmp-server community ciscosnmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map dynvpn 10 set transform-set DES-MD5
crypto map vpn 65535 ipsec-isakmp dynamic dynvpn
crypto map vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 28800
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd dns 209.253.113.10 209.253.113.18
!
dhcpd address 205.10.2.10-205.10.2.99 guest
dhcpd dns 209.253.113.10 209.253.113.18 interface guest
dhcpd enable guest
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ipsec-pass-thru
!
service-policy global_policy global
group-policy RA-VPN internal
group-policy RA-VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat
username VMRemote password .RSNgq92vZTSELWV encrypted
username VMRemote attributes
vpn-group-policy RA-VPN
username VMVPN password jSqp8CjjxHhRa6jk encrypted
username kernels password jDS98nJtthzlEvw5 encrypted
tunnel-group VMVPN type ipsec-ra
tunnel-group VMVPN general-attributes
address-pool vpn-ip
tunnel-group VMVPN ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:52c3d65fc1111c561b1598cc341dc6d5
: end

Julio Carvajal · ‎03-06-2014

For ASDM access:

asdm image disk0:/asdm.bin

What is that.... U do not have any image there.

It should be something like

asdm6.4.bin

asdm image disk0:/asdm6.4.bin

Make sure u have a valid ASDM image on flash with the command show flash

For authenticating access

aaa authentication http console LOCAL

For allowing access to internal servers

server 10.10.10.10 on port 3389 will get nated to the outside public IP of the asa on port 3389

static (inside,outside) tcp interface 3389 10.10.10.10 3389

access-list out_in permit tcp any host x.x.x.x (Interface outside IP) eq 3389

access-group out_in in interface outside

So basically

Static NAT

Access-list

Apply the ACL with an access-group.

If more info is required there are tons of documents on this forum about NAT mate.

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jason0923 · ‎03-06-2014

It saysit has

asdm-523.bin

I added the

aaa authentication http console LOCAL command, it still aks for a username and password when I try and access it via the browser and doesn;t accept any I try

Julio Carvajal · ‎03-06-2014

Did u use the ASDM command as I requested?

asdm image flash:asdm-523.bin

Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jason0923 · ‎03-07-2014

This is what it gives me whan I enter that comand

asdm image flash:asdm-523.bin

^

ERROR: % Invalid input detected at '^' marker.