688 Views, 0 Helpful, 15 Replies

Beginner needs help - ASA 5510 Configuration

tsherven1 (Level 1)

Hi,

Ok...I'm struggling here. I have always used Watchguard products, and decided to step up and buy my first Cisco. I'm finding that the configuration is not quite as easy, and would love to get some help.

I have a very simple setup. I need to set up my internal interface, external interface, and NAT for 2 addresses (OWA and Exchange); no DMZ, no web server.

I took a crack at the configuration using ASDM 5.0 and the Startup Wizard and failed. Questions:

1) Does the external ethernet port have to be ethernet port 0? Right now my internal port is port 0.

2) How are security levels used? How do I need to use them in my setup?

3) Should I be able to use ASDM for all of my setup?

4) Do I need to use DHCP on the ASA?

5) Next steps?

Info:

External IP: 64.179.10.28

Gateway IP: 64.179.10.1

Internal interface IP: 192.168.0.x

SMTP IP: 64.179.10.29 (NAT to 192.168.0.x)

OWA IP: 64.179.10.32 (NAT to 192.168.0.x)

Anyone see what I've done wrong? Any help would be appreciated!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(7)
!
hostname test
domain-name test.net
enable password xxx
names
dns-guard
!
interface Ethernet0/0
 nameif Internal
 security-level 100
 ip address 192.168.0.x 255.255.255.0
!
interface Ethernet0/1
 nameif External
 security-level 0
 ip address 64.x.x.28 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
access-list Internal_access_in remark WWW
access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
access-list External_access_in remark SMTP
access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.53 eq smtp
access-list External_access_out remark HTTP
access-list External_access_out extended permit tcp 64.179.10.22 255.255.255.240 eq www any eq www
pager lines 24
logging asdm informational
mtu Internal 1500
mtu External 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (External) 10 64.179.10.29-64.179.10.32 netmask 255.255.255.0
nat (Internal) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (External,Internal) 192.168.0.x 64.179.10.29 netmask 255.255.255.255
static (External,Internal) 192.168.0.x 64.179.10.32 netmask 255.255.255.255
access-group Internal_access_in in interface Internal
access-group External_access_in in interface External
access-group External_access_out out interface External
route External 0.0.0.0 0.0.0.0 63.179.53.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.x 255.255.255.255 Internal
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

15 Replies

acomiskey (Level 10)

1. No.

2. The more secure interface (inside) will have a higher level than the less secure one (outside). 100 for inside and 0 for outside is what you want.

3. Yes, but you should learn the CLI.

4. No.

static (Internal,External) 64.179.10.29 192.168.0.x netmask 255.255.255.255
static (Internal,External) 64.179.10.32 192.168.0.x netmask 255.255.255.255
access-list External_access_in extended permit tcp any host 64.179.10.29 eq smtp
access-list External_access_in extended permit tcp any host 64.179.10.32 eq www
access-group External_access_in in interface External

no access-list Internal_access_in remark WWW
no access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
no access-group Internal_access_in in interface Internal
no access-list External_access_out remark HTTP
no access-list External_access_out extended permit tcp 64.179.10.22 255.255.255.240 eq www any eq www
no access-group External_access_out out interface External

Thanks for the reply.

So how do I make the changes that you listed?

Via the ASDM, console, ssh, telnet...

The "no" statements are easy via the ASDM as they just need to be removed. The others may be trial and error via the ASDM until you get it to look right. That's why it's good to learn the CLI.

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/start.html#wp1039724

Thanks for your help!

I'm making progress. I figured out this section:

static (Internal,External) 64.179.10.29 192.168.0.x netmask 255.255.255.255
static (Internal,External) 64.179.10.32 192.168.0.x netmask 255.255.255.255
access-list External_access_in extended permit tcp any host 64.179.10.29 eq smtp
access-list External_access_in extended permit tcp any host 64.179.10.32 eq www
access-group External_access_in in interface External

But I can't figure out this section:

no access-list Internal_access_in remark WWW
no access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
no access-group Internal_access_in in interface Internal
no access-list External_access_out remark HTTP
no access-list External_access_out extended permit tcp 64.179.10.22 255.255.255.240 eq www any eq www
no access-group External_access_out out interface External

How do I do this through ASDM? Can you give me a specific example?

Thanks.

Just select the entries and delete them.

Ok...I'm going to be really stupid here...

When you say "just select the entries and delete them", can you give me more detail? If I'm in ASDM, do I go under Configuration --> Security Policy? Where in the GUI do I find the items to delete (which screen)?

Thanks again!

Yes, that's the screen I believe. You should see some under the inside interface and some under the outside interface.

Or go to Tools -> Command Line Interface, select multiple lines, copy and paste the following, and hit Send.

config t
no access-group Internal_access_in in interface Internal
no access-group External_access_out out interface External

I can understand most of the commands in the CLI, but can you tell me what this means (or actually does)? Thanks!

config t
no access-group Internal_access_in in interface Internal
no access-group External_access_out out interface External

You have created access lists, Internal_access_in and External_access_out. These are not necessary, and even if you did want them, the statements you have defined for them don't make sense and are not correct. "config t" allows you to enter the configuration mode of the CLI. The access-group command ties the access list to an interface. Since you don't want them, adding "no" before the command will remove it.

no access-group Internal_access_in in interface Internal

It means that you are taking out all the access-lists named Internal_access_in, which apply from your internal network, going toward your ASA.

no access-group External_access_out out interface External

It means that you are taking out all the access-lists named External_access_out, which apply from the external network (internet), going toward your ASA.

Actually,

no access-group External_access_out out interface External

would apply to traffic leaving the External interface outbound away from the ASA.

Here is my configuration...Does this make sense?

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(7)
!
hostname MCD
domain-name mcd.net
enable password xxx
names
dns-guard
!
interface Ethernet0/0
 nameif Internal
 security-level 100
 ip address 192.168.0.x 255.255.255.0
!
interface Ethernet0/1
 nameif External
 security-level 0
 ip address 64.x.x.28 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list Internal_access_in remark WWW
access-list Internal_access_in extended permit tcp host 192.168.0.0 eq www interface External eq www
access-list External_access_in remark SMTP
access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.x eq smtp
access-list External_access_out remark HTTP
access-list External_access_out extended permit tcp 64.179.10.32 255.255.255.240 eq www any eq www
pager lines 24
logging asdm informational
mtu Internal 1500
mtu External 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (External) 10 64.179.10.29-64.179.10.32 netmask 255.255.255.0
nat (Internal) 10 0.0.0.0 0.0.0.0
nat (management) 0 0.0.0.0 0.0.0.0
static (External,Internal) 192.168.0.x 64.179.10.29 netmask 255.255.255.255
static (External,Internal) 192.168.0.x 64.179.10.32 netmask 255.255.255.255
access-group External_access_in in interface External
route External 0.0.0.0 0.0.0.0 63.179.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.x 255.255.255.255 Internal
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.x eq smtp

should be...

access-list External_access_in extended permit tcp any host 64.179.10.29 eq smtp

Is this the same thing, or is it backwards?

access-list External_access_in extended permit tcp host 64.179.53.39 eq smtp any
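The three mistakes this thread keeps circling back to (the reversed `static (External,Internal)` lines in the first post, the access-list that matches on a *source* port, and the `out` access-group on the External interface that the later replies explain) all follow a recognisable pattern, so as an added example (not part of the original thread and not a Cisco tool) here is a small Python linter that reads pre-8.3-style ASA config text and flags them. The sample config is constructed for this example: the inside hosts 192.168.0.53/.54 and the ACL name Fixed_in are assumptions, the rest mirrors the lines discussed above.

```python
import re
from typing import Dict, List

# Constructed sample (not from the thread): the reversed static, the source-port
# ACL and the 'out' access-group from the original post, beside the corrected
# static and ACL from the reply. Hosts .53/.54 and ACL name Fixed_in are assumed.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Internal
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
 nameif External
 security-level 0
 ip address 64.179.10.28 255.255.255.0
access-list External_access_in extended permit tcp host 64.179.10.29 eq smtp host 192.168.0.53 eq smtp
access-list Fixed_in extended permit tcp any host 64.179.10.29 eq smtp
static (External,Internal) 192.168.0.53 64.179.10.29 netmask 255.255.255.255
static (Internal,External) 64.179.10.32 192.168.0.54 netmask 255.255.255.255
access-group External_access_in in interface External
access-group External_access_out out interface External
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask ...]
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_interfaces(cfg: str) -> Dict[str, int]:
    """Map each nameif to its security-level, read from the interface blocks."""
    levels, name = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def check_statics(cfg: str, levels: Dict[str, int]) -> List[str]:
    """Flag statics whose real interface is less trusted than the mapped one:
    publishing an inside server needs the inside interface in the real slot."""
    findings = []
    for m in filter(None, (STATIC_RE.match(raw.strip()) for raw in cfg.splitlines())):
        real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
        if levels.get(real_ifc, 0) < levels.get(mapped_ifc, 0):
            findings.append(f"reversed static: {real_ifc} is the real side but is less "
                            f"trusted than {mapped_ifc}; expected 'static "
                            f"({mapped_ifc},{real_ifc}) {real_ip} {mapped_ip}'")
    return findings


def _take_addr(t, i):
    """Consume one address spec: any | host A | interface NAME | A MASK."""
    return ("any", i + 1) if t[i] == "any" else (f"{t[i]} {t[i + 1]}", i + 2)


def _take_port(t, i):
    """Consume an optional 'eq PORT' operator following an address spec."""
    return (t[i + 1], i + 2) if i < len(t) and t[i] == "eq" else (None, i)


def check_acls(cfg: str) -> List[str]:
    """Flag extended ACEs that match on a *source* port. Clients use ephemeral
    source ports, so 'host X eq smtp' as the source almost never matches; the
    service port belongs after the destination. object-group ACEs are skipped."""
    findings = []
    for t in (raw.split() for raw in cfg.splitlines()):
        if len(t) < 8 or t[0] != "access-list" or t[2] != "extended" or "object-group" in t:
            continue
        src, i = _take_addr(t, 5)
        sport, i = _take_port(t, i)
        dst, _ = _take_addr(t, i)
        if sport is not None:
            findings.append(f"{t[1]}: '{src} eq {sport}' matches a source port; put the "
                            f"service port after the destination ({dst}) instead")
    return findings


def check_access_groups(cfg: str) -> List[str]:
    """Flag access-groups that bind an undefined ACL, and 'out' bindings, which
    filter traffic leaving that interface rather than traffic arriving on it."""
    lines = [raw.strip() for raw in cfg.splitlines()]
    defined = {l.split()[1] for l in lines if l.startswith("access-list ")}
    findings = []
    for t in (l.split() for l in lines):
        if len(t) != 5 or t[0] != "access-group":
            continue
        acl, direction, ifc = t[1], t[2], t[4]
        if acl not in defined:
            findings.append(f"access-group {acl}: binds an access-list that is not defined")
        if direction == "out":
            findings.append(f"access-group {acl}: 'out' on {ifc} filters traffic leaving "
                            f"{ifc}, away from the ASA; traffic arriving from {ifc} needs 'in'")
    return findings


def lint(cfg: str) -> List[str]:
    """Run every check and return the findings in a fixed order."""
    return check_statics(cfg, parse_interfaces(cfg)) + check_acls(cfg) + check_access_groups(cfg)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Feed it the text of `show running-config` (paste it into SAMPLE_CONFIG or read it from a file) and it reports the reversed static with the corrected `static (Internal,External) 64.179.10.29 192.168.0.53` form, the source-port ACE, and the `out` access-group; the corrected `Fixed_in` line and the `(Internal,External)` static pass. The static/global/nat checks only apply to the pre-8.3 NAT syntax used in this thread; ASA 8.3 and later replaced those commands with object NAT, so the linter would need a different parser there.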
