ASA5505 Configuration

rsjavahar
Level 1

Hi

Here we are configuring our ASA 5505 firewall but we have some issues: we are not able to see the client PCs in the servers, and we are not able to dial out. Our network follows:

Cisco ASA --> WAN + Servers and Clients

Servers: ADC, DC, Linux (internal web & mail server) and Antivirus Server

WAN: Private dialup network to remote location (some of the web pages are installed here)

To access the remote web content we are using a leased-line dialup which is being shared for client access.

We have these problems with the configuration:

1) We are not able to see the client systems in the servers

2) We are not able to get the shared dialup connection at the client PCs

Find the configuration attached.

13 Replies

Marwan ALshawi
VIP Alumni

of course u can't make any communications

because u have made an ACL called in-out

then u applied this ACL to all interfaces in two directions

in ur network u have three interfaces with three different networks

so for each interface u need two separate ACLs, each one addressing a direction

make an ACL for each interface

and apply it in the direction u want

in will permit the inbound direction to that interface

for example, in on the inside interface means any traffic entering the inside interface, and

in on the outside interface means any traffic coming from outside to ur firewall through that interface

and make sure u put the right source and destination that correspond to that interface

and so on

one more important thing to remember

when u make an ACL and apply it to an interface, everything not permitted in that ACL will be denied by an implicit deny in that ACL

unless u put permit ip any any at the end of the ACL, which is not recommended, especially on the inbound direction on the outside interface, because it will allow everything

also u might not need a permit ACL on any interface for traffic that has a higher security level going to a lower security level, unless u wanna make limitations

good luck

please rate if helpful

Hi

if you don't mind could you send me some examples of how to apply it, coz i don't have much experience with ACLs,

thanQ

can u just send me a simple topology or tell me what ur traffic flow is in ur ASA

i mean from which interface to which interface u want to permit what

then i can arrange the ACLs u have based on ur requirement

thank you

ThanQ

My topology follows

LAN ---> FTP, WEB, HTTP (internal website); servers should not be visible in the network neighborhood

Server ---> FTP, WEB, HTTP (internal website); all the clients should be visible in the servers

WAN ------> Some of the web pages are in a remote location which all of us access through a web page, and for this we are using a private PPP dial-up (all the clients will connect through a proxy); if dial-up is not enabled when a client clicks the web link which is in the remote location, it should start dialing ..

thanQ

HI

waiting for your help, plz

hi Javahar

i am sorry but ur description confused me

can u just answer the following

what u need to be allowed :

from WAN interface to SERVER interface =

from WAN interface to LANinterface =

from SERVER interface to WAN interface =

from SERVER interface to LAN interface =

from LAN interface to SERVER interface =

from LAN interface to WAN interface =

just under each direction put what kind of traffic u want to be passed and the host destination, such as the server IP

for example

put

ftp, http from 172.16.0.0 network to host 1.1.1.1 only

under each direction give me the details

ok :)

HI

what u need to be followed:

from WAN interface to SERVER interface = from WAN nobody should be able to access anything on the Server

from WAN interface to LAN interface = from WAN nobody should be able to access anything on the LAN and Server

from SERVER interface to WAN interface = HTTP, FTP, dial-up sharing, as WAN is connected on shared dialup connections and the Server needs to access WAN on the shared dialup

from SERVER interface to LAN interface = Replies to these services: HTTP, FTP, https, AV server ports, smtp, icmp, netbios, remote desktop, dns, dhcp, ldap

from LAN interface to SERVER interface = HTTP, FTP, https, AV server ports, smtp, icmp, netbios, remote desktop, dns, dhcp, ldap

from LAN interface to WAN interface = HTTP, FTP, dial-up, https

thanking you

Javahar

HI

could you plz help me finish this work. i will be happy if you can send me some example ACLs, and i will be more happy if you can give me your IM ids plz

i really wanna help u to get it done

read and understand this link

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/traffic.html

then have a look at the following link

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml

after that u will be able to find out the error in ur ACL

especially as u have applied it in the wrong direction, because when u read u will understand the source and destination and the direction, in and out

u don't need in and out

and always use in; it is better than out

because in denies the packet before it enters the device, but in some situations u need the out

good luck

if u need any more help then just post here :)

HI

i tried to implement the ACL but due to my confusion and tension to finish the task in time i am not getting success .. plz give me some sample ACLs, i will be more happy

waiting for your extended kind support plz

dear Javahar

just send me what u want to be permitted

like

u have interfaces, right?

just tell me what source address and destination address u want to pass through what interface

for example

any any port 80 means from any source to any destination allow http

any host 1.1.1.1 port 25

means any source to the server or host ip 1.1.1.1 with smtp

just send me these details and i will solve it for u

Javahar

i have changed ur ACL config and it's much better than before

and i have added NATing config for u, all the new config is attached here

but before u apply this config remove the ACLs applied to all interfaces

with no, then the command

like no access-group in-out in interface LAN

and so on, remove all the applied ACLs

then use the fixed ones and the NAT commands as well

the nat command starts with

static

ok

and after u apply all the new config and the NATing, reload the ASA, then try it

and let me know

good luck

the new config file here

good luck
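An added example (not the config file Marwan attached, which is not on this page) of the per-interface inbound ACLs he describes, built from Javahar's six-direction list and the "remove the old access-group first" steps above. The interface names LAN, SERVER and WAN come from the thread; the subnets, security levels and the antivirus port are assumptions, and the syntax is the ASA 8.1-era form of the documentation linked earlier.

```cisco
! Interface names follow the thread; subnets, security levels and the
! antivirus port are assumed placeholders for this example.
!   LAN    192.168.1.0/24  security-level 100
!   SERVER 192.168.2.0/24  security-level 50
!   WAN    dialup network  security-level 0
!
! Step 1: unbind the single in-out ACL from every interface and direction
no access-group in-out in interface LAN
no access-group in-out out interface LAN
no access-group in-out in interface SERVER
no access-group in-out out interface SERVER
no access-group in-out in interface WAN
no access-group in-out out interface WAN
!
! Step 2: LAN -> SERVER (clients to servers) and LAN -> WAN (web, ftp, https)
access-list LAN_IN remark clients to servers
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq www
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq https
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq ftp
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq smtp
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq ldap
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 3389
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq netbios-ssn
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq 445
access-list LAN_IN extended permit udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq domain
access-list LAN_IN extended permit udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq netbios-ns
access-list LAN_IN extended permit udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq netbios-dgm
access-list LAN_IN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 echo
! add one more line like the tcp ones above for the antivirus server port (not given in the thread)
access-list LAN_IN remark clients to WAN: web and ftp only (these ports are already open toward SERVER above)
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list LAN_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
! everything else from LAN hits the implicit deny at the end of LAN_IN
!
! Step 3: SERVER -> WAN (http, ftp) but nothing new toward LAN;
! replies to LAN-initiated sessions pass via the stateful connection table
access-list SERVER_IN extended deny ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list SERVER_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list SERVER_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp
!
! Step 4: WAN -> anything is denied; the explicit deny only adds logging
access-list WAN_IN extended deny ip any any log
!
! Step 5: bind each ACL inbound on its own interface (in, not out)
access-group LAN_IN in interface LAN
access-group SERVER_IN in interface SERVER
access-group WAN_IN in interface WAN
```

DHCP is deliberately absent from LAN_IN because a client's DHCP broadcast never reaches the ASA as routed traffic; serving clients from a DHCP server on the SERVER interface needs the ASA's dhcprelay feature. Passive FTP data channels rely on the default inspect ftp policy, so only port 21 is listed.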
