Cisco ASA 5505 - Dynamic and Static Internal hosts setup

GrahamB_SEMC
Level 1

Hey everyone,

I'm working on setting up a template configuration for the Cisco ASA 5505 device that we'll use to configure more routers for various client needs. One of the requirements requested of me is the following:

Internal hosts assigned a DHCP address are blocked from the internet

Internal hosts with a static IP are permitted access to internet

All internal hosts can communicate regardless of state

Now, I'm fairly new to this and I'm certain my terminology isn't correct so googling the problem has been fruitless. I have followed basic configuration guides and have configured the device to hand out DHCP addresses to hosts plugged in ports 1-7. If I'm plugged in and specify my address manually in the OS I am blocked from any access so I can only assume there is an access policy or some rule preventing me from authenticating against the router despite having set up VLAN1 to be the entire class C subnet.

What sort of steps would I need to do to configure this? New access lists?

For the record, the DHCP addresses are in the range 10.100.31.64-10.100.31.95. VPN users are assigned an address from 10.100.31.220-10.100.31.240 and there seem to be no issues with that configuration. I don't wish to constrain what addresses a user can use should they specify a static IP (10.100.31.5 should be just as valid as 10.100.31.100).

I appreciate any help or advice you can provide. If there are improvements or suggestions you have I'm happy to listen.

1 Accepted Solution

OK. I have taken a 5505 and actually created the situation you are in, and I got the setup to work. Take a look at my code.

What needed to be included are things such as default routes and access lists with the correct ranges.

ciscoasa(config)# sh run
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.100.34.64 Block-DHCP-users-from-Internet description Block-DHCP-users-from-Internet
name 192.168.63.0 Internet description Internet
name 10.100.34.0 Inside-Users-Allow-Internet description Inside-Users-Allow-Internet
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.100.34.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list inside_access_in remark Block internet traffic
access-list inside_access_in extended permit tcp Block-DHCP-users-from-Internet 255.255.255.224 Internet 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip Inside-Users-Allow-Internet 255.255.255.192 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
! (the line above is the default route to the next-hop Internet IP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http Inside-Users-Allow-Internet 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.100.34.65-10.100.34.96 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
ciscoasa(config)#

Joel

_______________________________
Please rate helpful posts and answered questions!

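The policy in the accepted configuration lives entirely in the two entries of `inside_access_in`, and whether a given inside host reaches the Internet depends on which `name`/mask pair it falls into. The script below is an added example, not code from the thread or from Cisco: it models the ASA's first-match, implicit-deny evaluation of that access list and runs constructed sample flows through it, so the policy can be checked offline before it is pasted into a 5505. Assumptions: `DM_INLINE_TCP_1` expands to TCP 80 and 443 (`www`/`https`), the name `Internet` is Joel's 192.168.63.0/24 lab network rather than the real Internet, and all host addresses and destinations are constructed for the demonstration.

```python
"""Model of the accepted-solution ACL, evaluated against sample inside hosts.

Added example, not code from the thread or from Cisco. It reproduces the
ASA's first-match, implicit-deny evaluation of `inside_access_in` from
Joel's config. Sample hosts and destinations are constructed; `Internet`
is the 192.168.63.0/24 lab network named in the config.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# `name` statements from the config, combined with the mask each ACE applies.
BLOCK_DHCP_USERS = ipaddress.ip_network("10.100.34.64/255.255.255.224")  # .64-.95
INSIDE_STATIC = ipaddress.ip_network("10.100.34.0/255.255.255.192")       # .0-.63
INTERNET_LAB = ipaddress.ip_network("192.168.63.0/255.255.255.0")         # name "Internet"
ANY = ipaddress.ip_network("0.0.0.0/0")

# object-group service DM_INLINE_TCP_1 tcp: port-object eq www / eq https
DM_INLINE_TCP_1 = frozenset({80, 443})


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, protocol, source, destination, ports."""
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[frozenset] = None  # None: any destination port

    def matches(self, proto: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        if self.dports is not None and dport not in self.dports:
            return False
        return True


# access-list inside_access_in, in the order the config lists the entries.
INSIDE_ACCESS_IN = [
    Ace("permit", "tcp", BLOCK_DHCP_USERS, INTERNET_LAB, DM_INLINE_TCP_1),
    Ace("permit", "ip", INSIDE_STATIC, ANY),
]


def evaluate(acl, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return "permit" or "deny": first matching ACE wins, implicit deny at the end.

    Only traffic that crosses the ASA is evaluated. Two hosts on the same
    inside VLAN talk directly over the switch ports and never hit this ACL,
    which is why "all internal hosts can communicate" holds regardless.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for ace in acl:
        if ace.matches(proto, src_ip, dst_ip, dport):
            return ace.action
    return "deny"


def report() -> dict:
    """Constructed sample flows showing what the posted ACL actually allows."""
    acl = INSIDE_ACCESS_IN
    return {
        # Static host inside 10.100.34.0/26: full Internet access.
        "static .5 -> 8.8.8.8:443": evaluate(acl, "tcp", "10.100.34.5", "8.8.8.8", 443),
        # DHCP host: only www/https, and only to the named "Internet" lab network.
        "dhcp .65 -> 192.168.63.10:80": evaluate(acl, "tcp", "10.100.34.65", "192.168.63.10", 80),
        "dhcp .65 -> 192.168.63.10:53/udp": evaluate(acl, "udp", "10.100.34.65", "192.168.63.10", 53),
        "dhcp .65 -> 8.8.8.8:443": evaluate(acl, "tcp", "10.100.34.65", "8.8.8.8", 443),
        # Last address of the dhcpd pool (.96) lies outside the /27 the ACE names.
        "dhcp .96 -> 192.168.63.10:80": evaluate(acl, "tcp", "10.100.34.96", "192.168.63.10", 80),
        # A static host above .63 is not covered by either permit entry.
        "static .100 -> 8.8.8.8:443": evaluate(acl, "tcp", "10.100.34.100", "8.8.8.8", 443),
    }


if __name__ == "__main__":
    for flow, verdict in report().items():
        print(f"{verdict:6}  {flow}")
```

Two things the run makes visible that are easy to miss when reading the config: the `dhcpd` pool ends at .96 while the `Block-DHCP-users-from-Internet` mask (255.255.255.224) covers only .64-.95, so a host leased .96 matches neither entry and is denied everything through the firewall; and statics are only permitted from 10.100.34.0/26 (.0-.63), so the original requirement that "10.100.31.100 should be just as valid" as .5 needs the `Inside-Users-Allow-Internet` entry widened (or split into several entries around the DHCP block) before this template is rolled out.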

10 Replies

joelgooding
Level 1

hello,

You are correct when you say you can use access lists to filter the traffic from certain ranges. The two ranges you created can be directed using access lists and equate the traffic type to internet traffic.

Please see the link below on how to configure internet based traffic for ip ranges:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/nwaccess.html

Joel

_______________________________
Please rate helpful posts and answered questions!


Hi Joel, thanks for the reply.

Unfortunately following that guide I am still unable to access the internet from the internal interfaces while I have configured a static IP. Is there some feature of the ASA that prevents users from specifying their IP manually when the vlan is configured for DHCP? From what it seems when I set my own IP on the OS the ASA Log just denies/discards all packets I send regardless of destination.

Here is a snip of my running configuration that may help. I am looking right now to just understand how to make these configurations and then cleaning up the rules and making them somewhat sane.

interface Vlan1
 description VLAN to inside hosts
 nameif inside
 security-level 100
 ip address 10.100.31.1 255.255.255.0
!
access-list outside_access_in extended permit icmp any any
access-list semc_splitTunnelAcl standard permit 10.100.31.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.0 255.255.255.192
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip interface inside any
access-list ACL_OUT extended permit tcp any any
access-list ANY extended permit ip any any
access-list OUT extended permit ip any any

ip local pool VPN_Pool 10.100.31.220-10.100.31.250 mask 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.100.31.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0

access-group ANY in interface inside
access-group inside_access_out out interface inside
access-group ACL_OUT in interface outside
access-group OUT out interface outside

dhcpd address 10.100.31.64-10.100.31.95 inside
dhcpd enable inside

hello,

From this config, you seem to have your DHCP and static IPs on the same subnet range. What I meant to say was you can use the access lists to have your DHCP on one range and your static on another.

You say you cannot access the internet when using static. What about DHCP? In your current config, if you are on DHCP, can you access the internet?

Joel

_______________________________
Please rate helpful posts and answered questions!


Yes I can access the web on DHCP. The resulting config, above, is from following generic guides online to first configure a DHCP range, getting that to work and then revisiting the configuration in order to add static IP support. Seeing how my computer registers with the IP and the ASA log is sending numerous deny messages I would assume it isn't letting me pick my own IP?

Hello,

You can choose your own IP, just make sure it isn't already being used and reserve it with the command:

ip dhcp excluded-address 192.168.12.1

But in any case, unless you used an IP already assigned to the ASA you should not be getting a deny msg if you are within the ranges of allowed IPs. You should be able to use your own IP. What I was getting at is that you can set a range of IPs for DHCP, create an access list for that range not to access services outbound to www, and create another range for the static where that range could be allowed to access the internet.

Joel

_______________________________
Please rate helpful posts and answered questions!


>ip dhcp excluded-address 192.168.12.1

That command gives me errors: that dhcp is not a valid arg to the ip command. I couldn't find something similar digging through `help dhcpd` `help ip` or `help dhcp`. Care to point me in the right direction?

EDIT²: So, turns out my previous inclination from the edit below is true. If I disable DHCP on the inside interface and properly configure my network settings I am able to reach out to the web. I need to configure a couple of access rules to allow it but it *does* work once I have this set up. I guess I'll just work with static IPs and work on placing a company policy on IP management.

You've been a big help in helping me get this far, Joel.

----

EDIT: Found this FAQ:

Question: Is it possible to assign a static/permanent IP address to the computer that uses ASA as the DHCP server?

Answer: It is not possible using PIX/ASA.

[Source]

Could this be a sign of what I'm after?

-----

To hopefully simplify things I've started over. Here's my setup config pasted into the CLI:

  --snipped as of edit 2 for brevity--

When I plug into the inside interfaces I'm immediately given address 10.100.34.65 and have access to the web. Checks out.

If I open my network adapter settings and, say, manually set my interface settings to 10.100.34.5/24, I can connect to the router through ASDM and the like but have no external web access. The ASA log in ASDM has numerous debug lines stating something akin to:

      UDP Request discarded from 10.100.34.5 to inside 10.100.34.1

....on some non-standard port like 54955 or the like.


Good timing. I'll take what you've provided and add to what I've learned. Thanks again!

Not a problem. Take care and have a great one.

Joel

_______________________________
Please rate helpful posts and answered questions!
