11-22-2012 08:57 AM - edited 03-07-2019 10:12 AM
Hey everyone,
I'm working on setting up a template configuration for the Cisco ASA 5505 device that we'll use to configure more routers for various client needs. One of the requirements requested of me is the following:
Internal hosts assigned a DHCP address are blocked from the internet
Internal hosts with a static IP are permitted access to internet
All internal hosts can communicate regardless of state
Now, I'm fairly new to this and I'm certain my terminology isn't correct so googling the problem has been fruitless. I have followed basic configuration guides and have configured the device to hand out DHCP addresses to hosts plugged in ports 1-7. If I'm plugged in and specify my address manually in the OS I am blocked from any access so I can only assume there is an access policy or some rule preventing me from authenticating against the router despite having set up VLAN1 to be the entire class C subnet.
What sort of steps would I need to do to configure this? New access lists?
For the record, the DHCP addresses are in the range of 10.100.31.64-10.100.31.95. VPN users are assigned an address from 10.100.31.220-10.100.31.240 and there seems to be no issues with that configuration. I don't wish to constrain what addresses a user can use should they specify a static IP (10.100.31.5 should be just as valid as 10.100.31.100).
I appreciate any help or advice you can provide. If there are improvements or suggestions you have I'm happy to listen.
11-25-2012 11:06 AM
hello,
You are correct when you say you can use access lists to filter the traffic from certain ranges. The two ranges you created can be directed using access-lists and equate the traffic type to internet traffic.
Please see the link below on how to configure internet based traffic for ip ranges:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/nwaccess.html
Joel
_______________________________
Please rate helpful posts and answered questions!
11-26-2012 07:07 AM
Hi Joel, thanks for the reply.
Unfortunately following that guide I am still unable to access the internet from the internal interfaces while I have configured a static IP. Is there some feature of the ASA that prevents users from specifying their IP manually when the vlan is configured for DHCP? From what it seems when I set my own IP on the OS the ASA Log just denies/discards all packets I send regardless of destination.
Here is a snip of my running configuration that may help. I am looking right now to just understand how to make these configurations and then cleaning up the rules and making them somewhat sane.
interface Vlan1
description VLAN to inside hosts
nameif inside
security-level 100
ip address 10.100.31.1 255.255.255.0
!
access-list outside_access_in extended permit icmp any any
access-list semc_splitTunnelAcl standard permit 10.100.31.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.100.31.0 255.255.255.0 10.100.31.0 255.255.255.192
access-list inside_access_in extended permit ip any any
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip interface inside any
access-list ACL_OUT extended permit tcp any any
access-list ANY extended permit ip any any
access-list OUT extended permit ip any any
ip local pool VPN_Pool 10.100.31.220-10.100.31.250 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.100.31.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ANY in interface inside
access-group inside_access_out out interface inside
access-group ACL_OUT in interface outside
access-group OUT out interface outside
dhcpd address 10.100.31.64-10.100.31.95 inside
dhcpd enable inside
11-26-2012 12:20 PM
hello,
From this config, you seem to have your DHCP and static IPs on the same subnet range. What I meant to say was you can use the access lists to have your DHCP on one range and your static on another.
You say you cannot access the internet when using static. What about DHCP? In your current config, if you are DHCP, can you access the internet?
Joel
_______________________________
Please rate helpful posts and answered questions!
11-26-2012 01:07 PM
Yes I can access the web on DHCP. The resulting config, above, is from following generic guides online to first configure a DHCP range, getting that to work and then revisiting the configuration in order to add static IP support. Seeing how my computer registers with the IP and the ASA log is sending numerous deny messages I would assume it isn't letting me pick my own IP?
11-26-2012 01:35 PM
Hello,
You can choose your own IP, just make sure it isn't already being used and reserve it with the command:
ip dhcp excluded-address 192.168.12.1
But in any case, unless you used an IP already assigned to the ASA you should not be getting a deny msg if you are within the ranges of allowed IPs. You should be able to use your own IP. What I was getting at is that you can set a range of IPs for DHCP, create an access list for that range not to access services outbound to www and create another range for the static where that range could be allowed to access internet.
Joel
_______________________________
Please rate helpful posts and answered questions!
11-27-2012 06:07 AM
>ip dhcp excluded-address 192.168.12.1
That command gives me errors: that dhcp is not a valid arg to the ip command. I couldn't find something similar digging through `help dhcpd` `help ip` or `help dhcp`. Care to point me in the right direction?
11-27-2012 06:56 AM
EDIT²: So, turns out my previous inclination from the edit below is true. If I disable DHCP on the inside interface and properly configure my network settings I am able to reach out to the web. I need to configure a couple access rules to allow it but it *does* work once I have this set up. I guess I'll just work with static IPs and work on placing a company policy on IP management.
You've been a big help on helping me get this far joel.
----
EDIT: Found this FAQ:
Question—Is it possible to assign a static/permanent IP address to the computer that uses ASA as the DHCP server?
Answer—It is not possible using PIX/ASA.
Could this be a sign of what I'm after?
-----
To hopefully simplify things I've started over. Here's my setup config pasted into the CLI:
--snipped as of edit 2 for brevity--
When I plug into the inside interfaces I'm immediately given address 10.100.34.65 and have access to the web. Checks out.
If I open my network adapter settings and say manually set my interface settings to 10.100.34.5/24 I can connect to the router through ASDM and the like but have no external web access. The ASA log in the ASDM has numerous debug lines stating something akin to:
UDP Request discarded from 10.100.34.5 to inside 10.100.34.1
....on some non-standard port like 54955 or the like.
11-27-2012 07:56 AM
Ok. I have taken a 5505 and actually created the situation you are in and I got the setup to work. Take a look at my code.
What needed to be included are things such as default routes and access lists with the correct ranges.
ciscoasa(config)# sh run
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.100.34.64 Block-DHCP-users-from-Internet description Block-DHCP-users-from-Internet
name 192.168.63.0 Internet description Internet
name 10.100.34.0 Inside-Users-Allow-Internet description Inside-Users-Allow-Internet
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.34.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
access-list inside_access_in remark Block internet traffic
access-list inside_access_in extended permit tcp Block-DHCP-users-from-Internet 255.255.255.224 Internet 255.255.255.0 object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip Inside-Users-Allow-Internet 255.255.255.192 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1 <- default route to next hop Internet IP
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http Inside-Users-Allow-Internet 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.100.34.65-10.100.34.96 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
ciscoasa(config)#
Joel
_______________________________
Please rate helpful posts and answered questions!
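Before pasting an access list like the one in the post above onto a template device, it is worth checking offline which inside hosts it actually permits. The following Python is an added example, not code from the thread or from Cisco: it models the ASA's access-list behaviour (ACEs evaluated top to bottom, first match wins, implicit deny at the end) using the three `name` entries, the two `inside_access_in` ACEs, the `DM_INLINE_TCP_1` service group and the `dhcpd address` pool exactly as posted. The sample flows are constructed; 203.0.113.5 is a documentation address standing in for an arbitrary internet destination. Note that in the posted config the name `Internet` resolves to 192.168.63.0/24, so the first ACE only permits www/https toward that one network.

```python
"""Offline check of the inside_access_in list from the solution post above.

Added example, not code from the thread: it models ASA first-match ACL
evaluation (top to bottom, implicit deny at the end) with the `name`
entries and ACEs exactly as posted, then tests constructed sample flows
against them. The dhcpd pool bounds are also taken from the posted config
so the pool can be compared with the /27 the first ACE matches.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# `name` entries from the posted config.
NAMES = {
    "Block-DHCP-users-from-Internet": "10.100.34.64",
    "Internet": "192.168.63.0",
    "Inside-Users-Allow-Internet": "10.100.34.0",
}
# object-group service DM_INLINE_TCP_1 tcp: www, https
DM_INLINE_TCP_1 = frozenset({80, 443})
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    dports: Optional[frozenset]  # None = any destination port


def net(name_or_addr: str, mask: str) -> IPv4Network:
    """Resolve an ASA `name` (or a literal address) plus dotted mask to a network."""
    return ip_network(f"{NAMES.get(name_or_addr, name_or_addr)}/{mask}", strict=False)


# access-list inside_access_in, in posted order.
INSIDE_ACCESS_IN: List[Ace] = [
    Ace("permit", "tcp",
        net("Block-DHCP-users-from-Internet", "255.255.255.224"),
        net("Internet", "255.255.255.0"), DM_INLINE_TCP_1),
    Ace("permit", "ip",
        net("Inside-Users-Allow-Internet", "255.255.255.192"), ANY, None),
]


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, ACE index); ('deny', None)
    means no ACE matched and the ASA's implicit deny applied."""
    s, d = ip_address(src), ip_address(dst)
    for idx, ace in enumerate(acl):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dports is not None and dport not in ace.dports:
            continue
        return ace.action, idx
    return "deny", None


def pool_hosts_outside(pool_start: str, pool_end: str,
                       network: IPv4Network) -> List[str]:
    """Addresses of an inclusive dhcpd pool that fall outside `network`."""
    lo, hi = int(ip_address(pool_start)), int(ip_address(pool_end))
    return [str(IPv4Address(i)) for i in range(lo, hi + 1)
            if IPv4Address(i) not in network]


if __name__ == "__main__":
    # Constructed sample flows, not traffic captured from the thread's device.
    flows = [
        ("10.100.34.70", "192.168.63.10", "tcp", 443),  # DHCP host -> "Internet" net, https
        ("10.100.34.70", "203.0.113.5", "tcp", 443),    # DHCP host -> anywhere else
        ("10.100.34.5", "203.0.113.5", "udp", 53),      # static host inside the /26
        ("10.100.34.100", "203.0.113.5", "tcp", 80),    # static host in neither range
    ]
    for src, dst, proto, port in flows:
        print(src, "->", dst, proto, port,
              evaluate(INSIDE_ACCESS_IN, src, dst, proto, port))
    # dhcpd address 10.100.34.65-10.100.34.96 versus the /27 in the first ACE
    print("pool addresses outside the /27:",
          pool_hosts_outside("10.100.34.65", "10.100.34.96",
                             INSIDE_ACCESS_IN[0].src))
```

Two things the model makes visible that are easy to miss when reading the config: a static host such as 10.100.34.100, which is in neither 10.100.34.0/26 nor 10.100.34.64/27, matches no ACE and is dropped by the implicit deny, so a range-based list like this one does constrain which static addresses reach the internet, contrary to the requirement in the opening post that any address in the /24 be equally valid; and the posted pool `10.100.34.65-10.100.34.96` ends one address past the /27 (`.64-.95`) the first ACE matches, so a client that leases `.96` would be treated as neither a DHCP host nor a permitted static host.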
11-27-2012 07:58 AM
Good timing. I'll take what you've provided and add to what I've learned. Thanks again!
11-27-2012 08:02 AM
Not a problem. Take care and have a great one.
Joel
_______________________________
Please rate helpful posts and answered questions!