11-30-2017 05:43 AM - edited 03-08-2019 12:56 PM
Hi,
I am a newbie at configuring ASAs and trying to set up a Cisco ASA 5506 for the workflow on the attached image. Could anyone please recommend the best way to set up this ASA to deny all traffic from the LAN PC to the Presstek PCs, with the exception of port 445 for SMB file transfer? The Presstek computers will have static IPs on the same LAN subnet, but they will be connected to the ASA ports and not the LAN switch. If you need further info or need me to clarify certain things, please let me know. Thanks
12-07-2017 06:17 AM
Ok, yup, I got it, just did that right now. I will test it now and see if these changes have helped.
12-07-2017 06:37 AM
Ok, that seems to have done the trick, as now I can telnet and ping from the DOHMH PC on the LAN to the Presstek computers behind the firewall. But now the only thing that I have noticed is that from the Presstek computers I can telnet to the LAN PC on other ports as well. On the firewall, I want the ACL to only allow one-way traffic from the DOHMH production staff subnet to the Presstek PCs over port 445. This will allow the transfer of files that need to be printed from the DOHMH production staff PCs to the Presstek PCs. All other traffic should be blocked.
There should be no communication initiated from the Presstek PCs to the DOHMH network. How can we tweak the ACL we currently have in place?
12-07-2017 07:17 AM
Ok, so now we have solved the basic connectivity issue. This full communication is happening because we configured all the interfaces on the same security level and added the command "same-security-traffic permit intra-interface". With these two changes, all traffic is permitted through the firewall interfaces.
If you change the security level of the outside interface from 100 to 0, you'll see that the traffic will be blocked and an ACL will be necessary.
Do that and let's see what else we need to adjust.
-If I helped you somehow, please, rate it as useful.-
12-07-2017 07:25 AM
Ok, I did that and now I am unable to ping or telnet from the DOHMH PC to the Presstek computer.
12-07-2017 07:30 AM
I am able to ping from the Presstek PC to the DOH PC and telnet as well, but not from the outside in... So it seems to be working the opposite way of how I would want it.
12-08-2017 07:07 AM
Any changes you think we can try to get the ACL correct? Thanks
12-11-2017 06:17 AM
Hi,
Any chance of replicating my test environment within your simulator? Or do you know what ACL needs to be applied so that traffic is allowed in on port 445 and nothing out? Thanks
12-11-2017 06:24 AM
Hi, sorry, I've been busy the last few days. I didn't make it to simulating your environment.
Traffic is usually permitted from a lower security level to a higher security level by default, and blocked the other way around by default.
I have lost track of who is who in your environment by now, but try to change the ACL to the other interface, allowing only port 445.
Applying ACLs is not difficult; you can easily find very good guides on the internet.
-If I helped you somehow, please, rate it as useful.-
12-11-2017 06:54 AM
Ok, I applied an ACL to allow outside to inside over port 445 and it works now. But how do I deny traffic from the inside to out? Can you think of an ACL I could apply for this? Thanks
12-11-2017 07:26 AM
Ok, disregard, I got it working how I want it in the offline setup. I should be good with the ACLs I applied.
Thanks for all your help...
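The one-way SMB rule the thread converges on, written out as an added example (this is not the poster's configuration). Interface names (outside, inside_1 to inside_7) and the objects DOHMH-LAN and Presstek_PCs are taken from the running configuration posted later in the thread; the ACL name LAN_to_Presstek and the host 10.156.23.5 used in the test commands are constructed for the example.

```cisco
! Added example, not the configuration posted in this thread.
! Names assumed from the posted running config: outside, inside_1..inside_7,
! object DOHMH-LAN, object-group Presstek_PCs. LAN_to_Presstek is an assumed
! ACL name; 10.156.23.5 is a constructed LAN host for packet-tracer.
!
! The LAN sits behind "outside" (security-level 0) and the Presstek PCs on
! inside_1..inside_7 (security-level 100). Low-to-high traffic is blocked
! unless an inbound ACL on "outside" permits it, so the permit is as narrow
! as the requirement: TCP 445 only, from the LAN object to the Presstek PCs.
! The explicit deny with "log" records each rejected flow (syslog 106100),
! which shows which LAN hosts are attempting other ports.
access-list LAN_to_Presstek extended permit tcp object DOHMH-LAN object-group Presstek_PCs eq 445
access-list LAN_to_Presstek extended deny ip any any log
access-group LAN_to_Presstek in interface outside
!
! High-to-low traffic is allowed by default, which is why the Presstek PCs
! could telnet into the LAN earlier in the thread. A deny-all ACL on each
! Presstek-facing interface stops connections they initiate. SMB replies
! still flow: the ASA is stateful and matches them to the session the LAN
! host opened, so the return packets are never evaluated against this ACL.
access-list inside_1_access_in extended deny ip any any log
access-list inside_2_access_in extended deny ip any any log
access-list inside_3_access_in extended deny ip any any log
access-list inside_4_access_in extended deny ip any any log
access-list inside_5_access_in extended deny ip any any log
access-list inside_6_access_in extended deny ip any any log
access-list inside_7_access_in extended deny ip any any log
access-group inside_1_access_in in interface inside_1
access-group inside_2_access_in in interface inside_2
access-group inside_3_access_in in interface inside_3
access-group inside_4_access_in in interface inside_4
access-group inside_5_access_in in interface inside_5
access-group inside_6_access_in in interface inside_6
access-group inside_7_access_in in interface inside_7
!
! Verification without touching a real host: packet-tracer walks a synthetic
! packet through the ACLs and reports ALLOW or DROP with the rule that decided.
! Expected: first ALLOW, second and third DROP.
packet-tracer input outside tcp 10.156.23.5 40000 10.156.23.33 445
packet-tracer input outside tcp 10.156.23.5 40000 10.156.23.33 23
packet-tracer input inside_1 tcp 10.156.23.33 40000 10.156.23.5 23
! Hit counts per line confirm which rule real traffic is matching.
show access-list LAN_to_Presstek
```

The running configuration posted later in the thread permits a wider service group (FTP, NetBIOS, UDP 445) plus `icmp any any` inbound on outside; ping and telnet were useful while troubleshooting, but if 445 is the only requirement those extra lines widen the exposure of the Presstek PCs and can be removed once testing is done.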
12-13-2017 06:51 AM
Hi, I currently have the ASA in place and everything is working as planned. The only issue is that I can't SSH or ASDM to the ASA from outside. Below is my configuration.
80Centre-FL-ASA-1# sh run
: Saved
:
: Serial Number: JAD21260FF5
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.7(1)4
!
hostname 80Centre-FL-ASA-1
domain-name health.dohmh.nycnet
enable password $sha512$5000$rt4F5uO7E2EVt5mybaoo5Q==$Wp0bH/qRrP+ilbMzhDSjRg== pbkdf2
names
!
interface GigabitEthernet1/1
bridge-group 1
nameif outside
security-level 0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 10.156.23.126 255.255.255.128
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
domain-name health.dohmh.nycnet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network outside-network
subnet 10.156.23.0 255.255.255.128
object network DOHMH-LAN
subnet 10.156.23.0 255.255.255.128
description DOHMH-LAN
object network 10.156.23.33
host 10.156.23.33
description Presstek PC1
object network 10.156.23.88
host 10.156.23.88
description Presstek PC3
object network ASA-IP
host 10.156.23.126
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq 137
service-object tcp destination eq 138
service-object tcp destination eq 445
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object udp destination eq 139
service-object udp destination eq netbios-dgm
service-object udp destination eq netbios-ns
service-object udp destination eq 445
object-group network Presstek_PCs
description Presstek PCs
network-object object 10.156.23.33
network-object object 10.156.23.88
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq 137
service-object tcp destination eq 138
service-object tcp destination eq 445
service-object tcp destination eq ftp
service-object tcp destination eq netbios-ssn
service-object udp destination eq 139
service-object udp destination eq 445
service-object udp destination eq netbios-dgm
service-object udp destination eq netbios-ns
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 object DOHMH-LAN object-group Presstek_PCs inactive
access-list outside_access_in extended permit icmp any any inactive
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_2 object DOHMH-LAN object-group Presstek_PCs
access-list outside_access_in_1 extended permit icmp any any
access-list inside_4_access_in extended deny ip any any
access-list inside_3_access_in extended deny ip any any
access-list inside_2_access_in extended deny ip any any
access-list inside_1_access_in extended deny ip any any
access-list inside_5_access_in extended deny ip any any
access-list inside_6_access_in extended deny ip any any
access-list inside_7_access_in extended deny ip any any
access-list inside_access_in extended deny ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group outside_access_in_1 in interface outside
access-group inside_1_access_in in interface inside_1
access-group inside_2_access_in in interface inside_2
access-group inside_3_access_in in interface inside_3
access-group inside_4_access_in in interface inside_4
access-group inside_5_access_in in interface inside_5
access-group inside_6_access_in in interface inside_6
access-group inside_7_access_in in interface inside_7
access-group inside_access_in in interface inside
route inside 0.0.0.0 0.0.0.0 10.156.23.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside_1
http 0.0.0.0 0.0.0.0 inside_2
http 0.0.0.0 0.0.0.0 inside_3
http 0.0.0.0 0.0.0.0 inside_4
http 0.0.0.0 0.0.0.0 inside_5
http 0.0.0.0 0.0.0.0 inside_6
http 0.0.0.0 0.0.0.0 inside_7
snmp-server host outside 10.242.127.245 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.242.127.240 255.255.255.240 outside
ssh 10.151.16.128 255.255.255.128 outside
ssh 10.242.184.0 255.255.255.0 outside
ssh 10.227.255.128 255.255.255.128 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username dohtech password $sha512$5000$ECe+99LxkHkSEEZpgLKVew==$smlQ66EKUqudXucHxT4cjQ== pbkdf2 privilege 15
username dohadmin password $sha512$5000$neBKRsCYMFOBTNC5OnAowg==$4iUCVABzs6Fqyhrra2Ezjw== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a06959b1a96063193bacf2ca1ef3fe21
: end
12-13-2017 07:00 AM
Try this:
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
-If I helped you somehow, please, rate it as useful.-
12-13-2017 07:04 AM
I already have those commands in place, but it still doesn't work. I think it has to do with the outside interface also being a part of the BVI group 1. Can you look at the config in my previous post? Thanks
12-13-2017 07:37 AM
You have, but you are specifying the origin. Are you sure you are trying from the proper origin? The suggestion I gave ignores the origin, allowing it from everywhere.
-If I helped you somehow, please, rate it as useful.-
12-13-2017 11:35 AM
I got it to work; it was the RSA key that wasn't generated for SSH. Once I did that and added my RADIUS commands, I was able to SSH and log in with my AD credentials. Thanks for all your help.
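The fix the thread ends on (generate the SSH host key, then add RADIUS), together with the management-access tightening a reviewer of the posted running configuration would ask for, as an added example that is not the poster's configuration. The management subnets are the ones already listed in the posted `ssh ... outside` lines; the RADIUS server tag, address and shared secret are placeholders, and the choice of the BVI "inside" as the interface facing the RADIUS server is an assumption based on the posted default route pointing through inside.

```cisco
! Added example, not the configuration posted in this thread.
! Management subnets below are copied from the posted config; DOHMH-RADIUS,
! 192.0.2.10 and the shared secret are placeholders.
!
! 1. SSH cannot accept connections without a host key. This was the thread's
!    actual blocker; the ssh/http lines were fine, the key did not exist.
crypto key generate rsa modulus 2048
!
! 2. The posted config ends both the ssh and http lists with 0.0.0.0 0.0.0.0
!    on outside, so any address that can reach that interface may attempt a
!    login. Remove the catch-all and keep only the named management ranges.
no ssh 0.0.0.0 0.0.0.0 outside
no http 0.0.0.0 0.0.0.0 outside
ssh 10.242.127.240 255.255.255.240 outside
ssh 10.151.16.128 255.255.255.128 outside
ssh 10.242.184.0 255.255.255.0 outside
ssh 10.227.255.128 255.255.255.128 outside
http 10.242.127.240 255.255.255.240 outside
http 10.151.16.128 255.255.255.128 outside
http 10.242.184.0 255.255.255.0 outside
http 10.227.255.128 255.255.255.128 outside
!
! 3. Key exchange: the posted config uses dh-group1-sha1 (768-bit group).
!    Group 14 is the stronger option the 9.x CLI offers.
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh timeout 5
!
! 4. AD-backed login through RADIUS. LOCAL is listed as fallback so the
!    dohtech/dohadmin accounts still work if the RADIUS server is unreachable.
!    (inside) is assumed: the posted default route leaves via the BVI "inside".
aaa-server DOHMH-RADIUS protocol radius
aaa-server DOHMH-RADIUS (inside) host 192.0.2.10
 key RADIUS_SHARED_SECRET_PLACEHOLDER
aaa authentication ssh console DOHMH-RADIUS LOCAL
aaa authentication http console DOHMH-RADIUS LOCAL
aaa authentication enable console DOHMH-RADIUS LOCAL
!
! Checks: confirm the key exists, the RADIUS server answers, and the
! management lists no longer contain the catch-all entries.
show crypto key mypubkey rsa
test aaa-server authentication DOHMH-RADIUS host 192.0.2.10 username dohtech password PLACEHOLDER
show running-config ssh
show running-config http
```

The same `http 0.0.0.0 0.0.0.0` pattern appears on inside_1 through inside_7 in the posted config, which are the ports the Presstek PCs plug into; unless ASDM access from those PCs is intended, those lines can be removed with `no http 0.0.0.0 0.0.0.0 inside_N` as well.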