ASA5505 Configuration

Aug 22nd, 2008

Hi


Here we are configuring our ASA 5505 firewall, but we have some issues: we are not able to see the client PCs in the servers, and we are not able to dial out. Our network follows:


Cisco ASA --> WAN + Servers and Clients


Servers: ADC, DC, Linux (internal web & mail server) and Antivirus Server

WAN: Private dialup network to remote location (some of the web pages are installed here)


To access the remote web content we are using a leased-line dialup, which is shared for client access.



We have these problems with the configuration:

1). We are not able to see the client systems in the servers.

2). We are not able to get the shared dialup connection at the client PCs.

Find the configuration attached.




Marwan ALshawi Sat, 08/23/2008 - 02:25

Of course u can't make any communications,

because u have made an ACL called in-out,

then u applied this ACL to all interfaces in two directions.

In ur network u have three interfaces with three different networks,

so for each interface u need two separate ACLs, each one addressing a direction.


Make an ACL for each interface

and apply it in the direction u want.

In will permit the inbound direction to that interface.

For example, in on the inside interface means any traffic entering the inside interface, and

in on the outside interface means any traffic coming from outside to ur firewall through that interface.


And make sure u put the right source and destination corresponding to that interface,

and so on.


One more important thing to remember:

when u make an ACL and apply it to an interface, everything not permitted in that ACL will be denied by an implicit deny in that ACL,

unless u put permit ip any any at the end of the ACL, which is not recommended, especially in the inbound direction on the outside interface, because it will allow everything.

Also u might not need a permit ACL on any interface for traffic that has a higher security level going to a lower security level, unless u wanna make limitations.


Good luck.

Please, if helpful, rate.


rsjavahar Sun, 08/24/2008 - 21:47

Hi


If you don't mind, could you send me some examples of how to apply them, coz I don't have much experience with ACLs.


thanQ


Marwan ALshawi Sun, 08/24/2008 - 21:57

Can u just send me a simple topology or tell me what ur traffic flow in ur ASA is?

I mean from which interface to which interface u want to permit what,

then I can arrange the ACLs u have based on ur requirement.


thank you

rsjavahar Sun, 08/24/2008 - 22:15

ThanQ


My topology follows:



LAN ---> FTP, WEB, HTTP (internal website); servers should not be visible in the network neighborhood

Server ---> FTP, WEB, HTTP (internal website); all the clients should be visible in the servers

WAN ------> Some of the web pages are in a remote location which all of us access through a web page, and for this we are using private PPP dial-up (all the clients connect through a proxy). If dial-up is not enabled and the client clicks the web link which is remote, it should start dialing ..



thanQ





Marwan ALshawi Mon, 08/25/2008 - 04:24

Hi Javahar,

I am sorry, but ur description confused me.

Can u just answer the following:

What u need to be allowed:


from WAN interface to SERVER interface =



from WAN interface to LANinterface =



from SERVER interface to WAN interface =


from SERVER interface to LAN interface =



from LAN interface to SERVER interface =



from LAN interface to WAN interface =



Just under each direction put what kind of traffic u want to be passed and the host destination, such as server IP.


For example,

put

ftp, http from 172.16.0.0 network to host 1.1.1.1 only

Under each direction give me the details.


ok :)



rsjavahar Mon, 08/25/2008 - 22:57

HI


What u need to be followed:


from WAN interface to SERVER interface = from WAN nobody should be able to access anything on the Server

from WAN interface to LAN interface = from WAN nobody should be able to access anything on the LAN and Server



from SERVER interface to WAN interface = HTTP, FTP, dial-up sharing, as WAN is connected on shared dialup connections and the Server needs to access WAN on the shared dialup

from SERVER interface to LAN interface = replies to these services: HTTP, FTP, https, AV server ports, smtp, icmp, netbios, remote desktop, dns, dhcp, ldap



from LAN interface to SERVER interface = HTTP, FTP, https, AV server ports, smtp, icmp, netbios, remote desktop, dns, dhcp, netbios, ldap

from LAN interface to WAN interface = HTTP, FTP, dial-up, https


thanking you

Javahar

rsjavahar Tue, 08/26/2008 - 22:10

HI


Could you plz help me finish this work? I will be happy if you can send me some example ACLs; I will be even happier if you can give me your IM IDs, plz.



Marwan ALshawi Wed, 08/27/2008 - 05:12

I really wanna help u get it done.

Read and understand this link:


http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/traffic.html


Then have a look at the following link:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml


After that u will be able to find out the error in ur ACL,

especially as u have applied it in the wrong direction, because when u read and understand the source and destination and the direction in and out,

u don't need in and out,

and always using in is better than out,

because in denies the packet before it enters the device, but in some situations u need the out.

Good luck.

If u need any more help, just post here :)

rsjavahar Wed, 08/27/2008 - 21:36

HI


I tried to implement the ACL, but due to my confusion and tension to finish the task in time I am not getting success .. plz give me some sample ACLs; I will be more happy.

Waiting for your extended kind support, plz.


Marwan ALshawi Wed, 08/27/2008 - 22:00

Dear Javahar,

just send me what u want to be permitted,

like

u have interfaces, right?

Just tell me what source address and destination address u want to pass through what interface.

For example:

any any port 80 means from any source to any destination allow http

any host 1.1.1.1 port 25

means any source to server or host IP 1.1.1.1 with smtp

Just send me these details and I will solve it for u.



Marwan ALshawi Wed, 08/27/2008 - 22:32

Javahar


I have changed ur ACL config and it's much better than before,

and I have added NATing config for u; all the new config is attached here.

But before u apply this config, remove the ACLs applied to all interfaces

with no, then the command,

like no access-group in-out in interface LAN

and so on; remove all the applied ACLs,

then use the fixed ones and the NAT commands as well.

NAT commands start with

static

ok

And after u apply all the new config and the NATing, reload the ASA, then try it

and let me know.

Good luck.
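An added example, not from the thread and not the config Marwan attached: it puts his advice (remove the shared in-out ACL, one ACL per interface applied with access-group in, implicit deny at the end, lower-to-higher traffic denied by security level) together with Javahar's requirement list above. The interface names LAN, SERVER and WAN come from the thread; the subnets 192.168.10.0/24 and 192.168.20.0/24, the security levels, the AV-server port placeholder and the ASA 8.x syntax are assumptions.

```text
! Assumed addressing (not from the thread): LAN 192.168.10.0/24, SERVER 192.168.20.0/24
! Assumed security levels: LAN 100, SERVER 50, WAN 0
!
! 1. Remove the one ACL that was bound to every interface in both directions.
no access-group in-out in interface LAN
no access-group in-out out interface LAN
no access-group in-out in interface SERVER
no access-group in-out out interface SERVER
no access-group in-out in interface WAN
no access-group in-out out interface WAN
clear configure access-list in-out
!
! 2. Ports the LAN clients may open to the servers (from the requirement list).
object-group service LAN-TO-SERVER-TCP tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
 port-object eq smtp
 port-object eq domain
 port-object eq ldap
 port-object eq netbios-ssn
 port-object eq 3389
! port-object eq <AV-server-port>   (the AV port is not given in the thread)
object-group service LAN-TO-SERVER-UDP udp
 port-object eq domain
 port-object eq netbios-ns
 port-object eq netbios-dgm
!
! 3. One ACL per interface, applied "in": the source is always the network
!    behind that interface. Replies ride the connection table, so SERVER->LAN
!    needs no permit. Anything not listed hits the implicit deny.
access-list LAN-IN extended permit tcp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 object-group LAN-TO-SERVER-TCP
access-list LAN-IN extended permit udp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 object-group LAN-TO-SERVER-UDP
access-list LAN-IN extended permit icmp 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list LAN-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq www
access-list LAN-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq https
access-list LAN-IN extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp
access-group LAN-IN in interface LAN
!
access-list SERVER-IN extended permit tcp 192.168.20.0 255.255.255.0 any eq www
access-list SERVER-IN extended permit tcp 192.168.20.0 255.255.255.0 any eq ftp
access-group SERVER-IN in interface SERVER
!
! 4. WAN gets no ACL: at security level 0 nothing unsolicited reaches LAN or
!    SERVER, while return traffic for LAN-IN / SERVER-IN sessions still passes.
! Note: echo replies need "inspect icmp" in the global policy, and DHCP across
!    the ASA needs dhcprelay on the LAN interface, not an ACL entry.
```

Once applied, `show access-list LAN-IN` shows a hit counter per line, which is the quickest way to see which rule (or the implicit deny) a blocked client flow is landing on.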


