12-13-2007 11:36 AM - edited 03-12-2019 05:50 PM
Hi,
Ok...I'm struggling here. I have always used Watchguard products, and decided to step up and buy my first Cisco. I'm finding that the configuration is not quite as easy, and would love to get some help.
I have a very simple setup. I need to set up my internal interface, external interface, NAT for 2 addresses (OWA and Exchange), no DMZ, no web server.
I took a crack at the configuration using ASDM 5.0 and the Startup Wizard and failed. Questions:
1) Does the external ethernet port have to be ethernet port 0? Right now my internal port is port 0.
2) How are security levels used? How do I need to use them in my setup?
3) Should I be able to use ASDM for all of my setup?
4) Do I need to use DHCP on the ASA?
5) Next steps?
Info:
External IP: 64.179.10.28
Gateway IP: 64.179.10.1
Internal interface IP: 192.168.0.x
SMTP IP: 64.179.10.29 (NAT to 192.168.0.x)
OWA IP: 64.179.10.32 (NAT to 192.168.0.x)
Anyone see what I've done wrong? Any help would be appreciated!
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(7)
!
Hostname test
domain-name test.net
enable password xxx
names
dns-guard
!
interface Ethernet0/0
nameif Internal
security-level 100
ip address 192.168.0.x 255.255.255.0
!
interface Ethernet0/1
nameif External
security-level 0
ip address 64.x.x.28 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
access-list Internal_access_in remark WWW
access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
access-list External_access_in remark SMTP
access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.53 eq smtp
access-list External_access_out remark HTTP
access-list External_access_out extended permit tcp 64.179.10.22 255.255.255.240 eq www any eq www
pager lines 24
logging asdm informational
mtu Internal 1500
mtu External 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (External) 10 64.179.10.29-64.179.10.32 netmask 255.255.255.0
nat (Internal) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (External,Internal) 192.168.0.x 64.179.10.29 netmask 255.255.255.255
static (External,Internal) 192.168.0.x 64.179.10.32 netmask 255.255.255.255
access-group Internal_access_in in interface Internal
access-group External_access_in in interface External
access-group External_access_out out interface External
route External 0.0.0.0 0.0.0.0 63.179.53.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.x 255.255.255.255 Internal
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
12-13-2007 11:44 AM
1. No.
2. More secure interface (inside) will have a higher level than lower security (outside). 100 for inside and 0 for outside is what you want.
3. Yes, but you should learn the cli.
4. No.
static (Internal,External) 64.179.10.29 192.168.0.x netmask 255.255.255.255
static (Internal,External) 64.179.10.32 192.168.0.x netmask 255.255.255.255
access-list External_access_in extended permit tcp any host 64.179.10.29 eq smtp
access-list External_access_in extended permit tcp any host 64.179.10.32 eq www
access-group External_access_in in interface External
no access-list Internal_access_in remark WWW
no access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
no access-group Internal_access_in in interface Internal
no access-list External_access_out remark HTTP
no access-list External_access_out extended permit tcp 64.179.10.22 255.255.255.240 eq www any eq www
no access-group External_access_out out interface External
12-13-2007 12:16 PM
Thanks for the reply.
So how do I make the changes that you listed?
12-13-2007 12:23 PM
Via the ASDM, console, ssh, telnet...
The "no" statements are easy via the asdm as they just need to be removed. The others may be trial and error via the asdm til you get it to look right. That's why it's good to learn the cli.
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/start.html#wp1039724
12-13-2007 02:14 PM
Thanks for your help!
I'm making progress. I figured out this section:
static (Internal,External) 64.179.10.29 192.168.0.x netmask 255.255.255.255
static (Internal,External) 64.179.10.32 192.168.0.x netmask 255.255.255.255
access-list External_access_in extended permit tcp any host 64.179.10.29 eq smtp
access-list External_access_in extended permit tcp any host 64.179.10.32 eq www
access-group External_access_in in interface External
But I can't figure out this section:
no access-list Internal_access_in remark WWW
no access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
no access-group Internal_access_in in interface Internal
no access-list External_access_out remark HTTP
no access-list External_access_out extended permit tcp 64.179.10.22 255.255.255.240 eq www any eq www
no access-group External_access_out out interface External
How do I do this through ASDM? Can you give me a specific example?
Thanks.
12-13-2007 03:14 PM
Just select the entries and delete them.
12-13-2007 03:26 PM
Ok...I'm going to be really stupid here...
When you say "just select the entries and delete them". Can you give me more detail? If I'm in ASDM, do I go under Configuration --> Security Policy? Where in the GUI do I find the items to delete (which screen)?
Thanks again!
12-13-2007 03:47 PM
Yes, that's the screen I believe. You should see some under the inside interface and some under the outside interface.
Or go up to Tools -> Command line interface, select multiple lines and copy and paste the following and hit send.
config t
no access-group Internal_access_in in interface Internal
no access-group External_access_out out interface External
12-14-2007 06:04 AM
I can understand most of the commands in the CLI, but can you tell me what this means (or actually does)? Thanks!
config t
no access-group Internal_access_in in interface Internal
no access-group External_access_out out interface External
12-14-2007 06:21 AM
You have created access lists, Internal_access_in and External_access_out. These are not necessary, and even if you did want them, the statements you have defined for them don't make sense and are not correct. "Config t" allows you to enter the configuration mode of the CLI. The access-group command ties the access list to an interface. Since you don't want them, adding "no" before the command will remove it.
12-14-2007 06:34 AM
no access-group Internal_access_in in interface Internal
It means that you are taking out all the access-lists named Internal_access_in, which apply from your internal network, going toward your ASA.
no access-group External_access_out out interface External
It means that you are taking out all the access-lists named External_access_out, which apply from the external network (internet), going toward your ASA.
12-14-2007 06:41 AM
Actually,
no access-group External_access_out out interface External
would apply to traffic leaving the External interface outbound away from the ASA.
12-14-2007 01:52 PM
Here is my configuration...Does this make sense?
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(7)
!
hostname MCD
domain-name mcd.net
enable password xxx
names
dns-guard
!
interface Ethernet0/0
nameif Internal
security-level 100
ip address 192.168.0.x 255.255.255.0
!
interface Ethernet0/1
nameif External
security-level 0
ip address 64.x.x.28 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Internal_access_in remark WWW
access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
access-list External_access_in remark SMTP
access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.x eq smtp
access-list External_access_out remark HTTP
access-list External_access_out extended permit tcp 64.179.10.32 255.255.255.240 eq www any eq www
pager lines 24
logging asdm informational
mtu Internal 1500
mtu External 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (External) 10 64.179.10.29-64.179.10.32 netmask 255.255.255.0
nat (Internal) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (External,Internal) 192.168.0.x 64.179.10.29 netmask 255.255.255.255
static (External,Internal) 192.168.0.x 64.179.10.32 netmask 255.255.255.255
access-group External_access_in in interface External
route External 0.0.0.0 0.0.0.0 63.179.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.x 255.255.255.255 Internal
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
12-14-2007 02:00 PM
access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.x eq smtp
should be...
access-list External_access_in extended permit tcp any host 64.179.10.29 eq smtp
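The replies above boil down to three checks a reader can apply to any similar ASA 7.x (pre-8.3) config before pasting it in: the static must be written (real interface, mapped interface) mapped-IP real-IP with the real interface being the higher-security one, an inbound ACL on the outside interface must match the mapped (public) address rather than the private one and must not pin the client's source port, and the default-route gateway must sit on the External subnet (the posted configs use 63.179.x.x gateways while the External address is 64.179.10.28). The script below is an added example, not code from the thread or from Cisco; it parses a constructed cut-down copy of the first posted config (the "x" octets replaced with placeholder hosts .53 for SMTP and .54 for OWA, .1 for the ASA) and reports those mistakes, then confirms that the corrected lines from the replies produce no findings. The function and finding names are my own.

```python
import ipaddress
import re

# Constructed sample cut down from the thread's first config; "x" octets are placeholders.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif Internal
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif External
 security-level 0
 ip address 64.179.10.28 255.255.255.0
!
static (External,Internal) 192.168.0.53 64.179.10.29 netmask 255.255.255.255
static (External,Internal) 192.168.0.54 64.179.10.32 netmask 255.255.255.255
access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.53 eq smtp
access-group External_access_in in interface External
route External 0.0.0.0 0.0.0.0 63.179.53.1 1
"""

# The same interfaces with the NAT/ACL/route lines written the way the replies suggest.
FIXED_CONFIG = BROKEN_CONFIG.split("static", 1)[0] + """\
static (Internal,External) 64.179.10.29 192.168.0.53 netmask 255.255.255.255
static (Internal,External) 64.179.10.32 192.168.0.54 netmask 255.255.255.255
access-list External_access_in extended permit tcp any host 64.179.10.29 eq smtp
access-list External_access_in extended permit tcp any host 64.179.10.32 eq www
access-group External_access_in in interface External
route External 0.0.0.0 0.0.0.0 64.179.10.1 1
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask", re.M)
ACE_RE = re.compile(r"^access-list (\S+) extended permit \w+ (.+)$", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$", re.M)
ROUTE_RE = re.compile(r"^route (\S+) \S+ \S+ (\S+)", re.M)


def parse_interfaces(text):
    """Map nameif -> (security-level, IPv4Interface); assumes nameif and
    security-level precede 'ip address' inside each interface block, as ASA prints them."""
    ifaces, cur = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = {}
        elif tok[0] == "nameif":
            cur["name"] = tok[1]
        elif tok[0] == "security-level":
            cur["level"] = int(tok[1])
        elif tok[:2] == ["ip", "address"] and "name" in cur:
            ifaces[cur["name"]] = (cur["level"], ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}"))
    return ifaces


def _addr(tok, i):
    """Consume one ACE address spec: any | host A | interface NAME | A MASK."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] in ("host", "interface"):
        return tok[i + 1], i + 2
    return f"{tok[i]}/{tok[i + 1]}", i + 2


def _port(tok, i):
    """Consume an optional 'eq PORT' that follows an address spec."""
    return (tok[i + 1], i + 2) if i < len(tok) and tok[i] == "eq" else (None, i)


def _is_private_host(spec):
    try:
        return ipaddress.IPv4Address(spec).is_private
    except ValueError:  # None, a network/mask or an interface name
        return False


def audit(text):
    """Return [(code, message)] for the three mistakes discussed in the thread."""
    ifaces, findings = parse_interfaces(text), []
    # static (real_ifc,mapped_ifc) mapped_ip real_ip: publishing an inside server needs
    # the real interface to be the higher-security side.
    for real_ifc, mapped_ifc, mapped_ip, real_ip in STATIC_RE.findall(text):
        if ifaces[real_ifc][0] < ifaces[mapped_ifc][0]:
            findings.append(("STATIC_REVERSED", f"static ({real_ifc},{mapped_ifc}) {mapped_ip} "
                             f"{real_ip}: want static ({mapped_ifc},{real_ifc}) {real_ip} {mapped_ip}"))
    for ifc, gw in ROUTE_RE.findall(text):  # gateway must be on the interface's subnet
        if ipaddress.IPv4Address(gw) not in ifaces[ifc][1].network:
            findings.append(("ROUTE_GATEWAY_OFF_SUBNET", f"route {ifc} via {gw} not in {ifaces[ifc][1].network}"))
    applied = {name: (d, ifc) for name, d, ifc in GROUP_RE.findall(text)}
    outside = min(ifaces, key=lambda n: ifaces[n][0])
    for name, rest in ACE_RE.findall(text):
        if name not in applied:
            continue
        tok = rest.split()
        src, i = _addr(tok, 0)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        if sport:  # clients connect from ephemeral ports, so 'eq' after the source never matches
            findings.append(("ACE_SOURCE_PORT", f"{name}: source port pinned to {sport}"))
        # On 7.x the outside ACL is checked against the mapped (public) address of the static.
        if applied[name] == ("in", outside) and _is_private_host(dst):
            findings.append(("ACE_PRIVATE_DST", f"{name}: inbound on {outside} but destination {dst} is private"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("as corrected", FIXED_CONFIG)):
        print(f"--- {label}: {len(audit(cfg))} finding(s)")
        for code, msg in audit(cfg):
            print(f"{code}: {msg}")
```

The private-destination check is specific to ASA code before 8.3; from 8.3 onward ACLs match the real (untranslated) address, so on newer images that check would be inverted. Running the script prints five findings for the posted lines (two reversed statics, the off-subnet gateway, the pinned source port and the private destination) and none for the corrected ones.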
12-14-2007 02:20 PM
Is this the same thing, or is it backwards?
access-list External_access_in extended permit tcp host 64.179.53.39 eq smtp any