01-29-2010 12:54 AM
Hi!
I'm on my first configuration of a Cisco firewall. I'm trying an ASA 5505 using Cisco ASDM 5.2 (not GUI). I configured Vlan1 (inside) and Vlan2 (outside) and all seems to work correctly. Network clients can use the Internet and ping the internal LAN. But I have some problems with VPN and other services: 1. when I try to connect to an external VPN server the connection procedure stops at username/password validation (if I try directly, without the ASA firewall, there's no problem) 2. I also have problems seeing an external security cam working through a web server.
I opened port 1723, 500 and GRE. What more can I do? Thanks all.
ah! this is the Cisco ASDM Syslog error message:
Severity 3 | Jan 29 2010 10:07:20 | 305006 | 88.41.211.232 | regular translation creation failed for protocol 47 src inside:192.168.0.2 dst outside:88.41.211.232
Result of the command: "show startup-config"
: Saved
: Written by enable_15 at 18:37:26.964 UTC Thu Jan 28 2010
!
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password UqJHTo7.2sANHB7y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any eq pptp 192.168.0.0 255.255.255.0 eq pptp
access-list outside_access_in extended permit udp any eq isakmp 192.168.0.0 255.255.255.0 eq isakmp
access-list outside_access_in extended permit gre any 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit esp any 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd option 3 ip 192.168.0.1
dhcpd option 6 ip 212.216.172.62
!
dhcpd address 192.168.0.2-192.168.0.129 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:74d04070ef0b566c8c95e3024c6b6232
01-29-2010 05:09 AM
Hi Simone
1. if you're using outbound vpn (ipsec) to a headend located in the internet you'll need to open udp 500 for isakmp and udp 4500 for nat-t and IPsec over TCP will be using tcp 10000 if cisco is used.
2. you'll need to add the following to your mpf configuration:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
this will let ESP (protocol 50), also known as native IPsec, pass through the ASA.
3. I'm assuming that you have to setup your NAT or PAT stuff in the right manner. Configure your NAT like below, if you want to present an internal server to the outside world:
static (inside,outside) outsideip insideip netmask 255.255.255.255 0 0 -> for static nat
static (inside,outside) interface insideip netmask 255.255.255.255 0 0 -> for static pat
4. use ipsec instead of pptp, since the cisco vpn client is free and much more secure!
hope this helps
cheers
Nico
01-29-2010 07:31 AM
Thanks, I'll try your solution next Monday. Now I send you two additions:
1. I've configured NAT as dynamic (for future use I'll probably configure static NAT for VPN server)
2. I need to connect to every PPTP or IPsec external VPN and probably these are not Cisco routers (D-Link, I think)
Bye
02-01-2010 03:11 AM
Ok, now it works!
I simply added the PPTP flag in Security Policy > Service Policy Rules > Rule Actions (when you edit the policy).
Now I try to create a VPN server, so ... I think I'll need more help. Bye
11-22-2012 11:04 PM
Hi,
You have to allow PPTP inspection in your default policy group.
Anadi
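The two answers above come down to the same root cause that the 305006 syslog in the first post shows: GRE (protocol 47) and ESP (protocol 50) carry no port, so the `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` PAT cannot build a translation for them unless the matching inspection engine (`inspect pptp`, `inspect ipsec-pass-thru`) is enabled. The following script is an added example, not from this thread or from Cisco: it parses ASA `%ASA-3-305006` lines in the format shown above (the sample log lines are constructed, not taken from the poster's device) and maps each portless-protocol translation failure to the inspection that resolves it.

```python
import re

# Constructed sample lines in the %ASA-3-305006 format seen in the first post.
SAMPLE_LOGS = [
    "%ASA-3-305006: regular translation creation failed for protocol 47 "
    "src inside:192.168.0.2 dst outside:88.41.211.232",
    "%ASA-3-305006: regular translation creation failed for protocol 50 "
    "src inside:192.168.0.7 dst outside:203.0.113.10",
    "%ASA-3-305006: regular translation creation failed for tcp "
    "src inside:192.168.0.9/51234 dst outside:198.51.100.5/443",
    "%ASA-6-302013: Built outbound TCP connection 12 for outside:198.51.100.5/443 "
    "(198.51.100.5/443) to inside:192.168.0.9/51234 (88.41.211.232/1024)",
]

# IP protocols without a port field: PAT needs an inspection engine to track them.
PORTLESS_PROTOCOLS = {
    47: ("GRE", "inspect pptp"),             # PPTP data channel
    50: ("ESP", "inspect ipsec-pass-thru"),  # native IPsec
}

# 305006 names port-less protocols as "protocol N" and TCP/UDP/ICMP by name.
PAT_FAILURE = re.compile(
    r"%ASA-\d-305006: regular translation creation failed for "
    r"(?:protocol (?P<proto>\d+)|(?P<l4>tcp|udp|icmp)) "
    r"src (?P<src_if>\S+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>\S+):(?P<dst>[\d.]+)(?:/\d+)?"
)


def parse_xlate_failure(line):
    """Return a dict for a 305006 message, or None for any other syslog line."""
    m = PAT_FAILURE.search(line)
    if not m:
        return None
    proto = int(m.group("proto")) if m.group("proto") else m.group("l4")
    return {"proto": proto, "src": m.group("src"), "dst": m.group("dst")}


def triage(lines):
    """Map each port-less protocol xlate failure to the ASA inspection that fixes it under PAT."""
    findings = []
    for line in lines:
        rec = parse_xlate_failure(line)
        if rec is None or not isinstance(rec["proto"], int):
            continue  # not a 305006, or a TCP/UDP/ICMP failure with another cause
        name, fix = PORTLESS_PROTOCOLS.get(
            rec["proto"], ("IP proto %d" % rec["proto"], "static NAT instead of PAT"))
        findings.append({"proto": name, "src": rec["src"], "dst": rec["dst"], "fix": fix})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Note that the posted `outside_access_in` list also carries `permit ip any any`, which makes the narrower pptp/isakmp/gre/esp entries redundant and should be tightened once the inspections are in place.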