08-22-2008 09:21 PM - edited 03-11-2019 06:34 AM
Hi
Here we are configuring our ASA 5505 firewall, but we have some issues: we are not able to see the client PCs from the servers, and we are not able to dial out. Our network follows:
Cisco ASA --> WAN + Servers and Clients
Servers: ADC, DC, Linux (internal web & mail server) and Antivirus server
WAN: Private dialup network to a remote location (some of the web pages are hosted there)
To access the remote web content we are using a leased-line dialup, which is shared for client access.
We have these problems with the configuration:
1) We are not able to see the client systems from the servers.
2) We are not able to get the shared dialup connection on the client PCs.
Find the configuration attached.
08-23-2008 02:25 AM
Of course you can't make any communication,
because you have made an ACL called in-out
and then applied this ACL to all interfaces in both directions.
In your network you have three interfaces with three different networks,
so for each interface you need two separate ACLs, each one addressing a direction.
Make an ACL for each interface
and apply it in the direction you want.
"in" will permit the inbound direction to that interface.
For example, "in" on the inside interface means any traffic entering the inside interface, and
"in" on the outside interface means any traffic coming from outside to your firewall through that interface.
And make sure you put the right source and destination corresponding to that interface,
and so on.
One more important thing to remember:
when you make an ACL and apply it to an interface, everything not permitted in that ACL will be denied by an implicit deny in that ACL,
unless you put permit ip any any at the end of the ACL, which is not recommended, especially in the inbound direction on the outside interface, because it will allow everything.
Also, you might not need a permit ACL on any interface for traffic going from a higher security level to a lower security level, unless you want to impose limitations.
Good luck.
Please rate if helpful.
08-24-2008 09:47 PM
Hi
If you don't mind, could you send me some examples of how to apply them, because I don't have much experience with ACLs?
Thank you
08-24-2008 09:57 PM
Can you just send me a simple topology, or tell me what your traffic flow is in your ASA?
I mean from which interface to which interface you want to permit what;
then I can arrange the ACLs you have based on your requirements.
thank you
08-24-2008 10:15 PM
Thank you
My topology follows:
LAN ---> FTP, WEB, HTTP (internal website); servers should not be visible in the network neighborhood
Server ---> FTP, WEB, HTTP (internal website); all the clients should be visible from the servers
WAN ------> Some of the web pages are at a remote location which all of us access through a web page, and for this we are using a private PPP dial-up (all the clients connect through a proxy). If dial-up is not enabled and the client clicks the web link that is at the remote site, it should start dialing...
Thank you
08-25-2008 03:46 AM
Hi
Waiting for your help, please.
08-25-2008 04:24 AM
Hi Javahar
I am sorry, but your description confused me.
Can you just answer the following:
What do you need to be allowed:
from WAN interface to SERVER interface =
from WAN interface to LANinterface =
from SERVER interface to WAN interface =
from SERVER interface to LAN interface =
from LAN interface to SERVER interface =
from LAN interface to WAN interface =
Just under each direction put what kind of traffic you want to pass and the destination host, such as the server IP.
For example,
put
ftp, http from 172.16.0.0 network to host 1.1.1.1 only
Under each direction give me the details.
OK :)
08-25-2008 10:57 PM
Hi
What I need to be allowed:
from WAN interface to SERVER interface = from the WAN nobody should be able to access anything on the Server
from WAN interface to LAN interface = from the WAN nobody should be able to access anything on the LAN and Server
from SERVER interface to WAN interface = HTTP, FTP, dial-up sharing, as the WAN is connected on shared dialup connections and the Server needs to access the WAN on the shared dialup
from SERVER interface to LAN interface = replies to these services: HTTP, FTP, HTTPS, AV server ports, SMTP, ICMP, NetBIOS, Remote Desktop, DNS, DHCP, LDAP
from LAN interface to SERVER interface = HTTP, FTP, HTTPS, AV server ports, SMTP, ICMP, NetBIOS, Remote Desktop, DNS, DHCP, LDAP
from LAN interface to WAN interface = HTTP, FTP, dial-up, HTTPS
Thanking you,
Javahar
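The per-interface, inbound-only ACL layout described earlier in the thread, filled in with the six directions Javahar listed above. This is an added worked example, not the configuration attached to the thread or the reply that followed; the interface names LAN, SERVER and WAN come from the thread, while the VLAN numbers, addresses and security levels are assumed. The antivirus server's ports are not named anywhere in the thread, so they are left as a comment to fill in. The syntax is the ASA 7.x/8.0 form an ASA 5505 of this period would run.

```cisco
! Assumed interfaces and addressing (not given in the thread).
interface Vlan1
 nameif LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif WAN
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Vlan3
 nameif SERVER
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Service groups keep the ACL entries short.
object-group service LAN-TO-SERVER-TCP tcp
 port-object eq http
 port-object eq https
 port-object eq ftp
 port-object eq smtp
 port-object eq domain
 port-object eq ldap
 port-object eq netbios-ssn
 port-object eq 445
 port-object eq 3389
 ! add the antivirus server's TCP ports here (not named in the thread)
!
object-group service LAN-TO-SERVER-UDP udp
 port-object eq domain
 port-object eq netbios-ns
 port-object eq netbios-dgm
 port-object eq bootps
!
! LAN (100): clients reach the servers on the listed services only, and
! the WAN on HTTP, HTTPS and FTP. The explicit deny before the "any"
! entries stops the WAN rules from also matching the server network.
access-list LAN-IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 object-group LAN-TO-SERVER-TCP
access-list LAN-IN extended permit udp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 object-group LAN-TO-SERVER-UDP
access-list LAN-IN extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list LAN-IN extended deny ip any 192.168.2.0 255.255.255.0
access-list LAN-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq http
access-list LAN-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list LAN-IN extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list LAN-IN extended deny ip any any log
access-group LAN-IN in interface LAN
!
! SERVER (50): servers may open HTTP/FTP sessions to the WAN only.
! Replies to sessions the LAN opened need no entry; the ASA is stateful.
access-list SERVER-IN extended deny ip any 192.168.1.0 255.255.255.0
access-list SERVER-IN extended permit tcp 192.168.2.0 255.255.255.0 any eq http
access-list SERVER-IN extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp
access-list SERVER-IN extended deny ip any any log
access-group SERVER-IN in interface SERVER
!
! WAN (0): nothing may be initiated from the WAN. The implicit deny
! already does this; the explicit entry only adds a log line per hit.
access-list WAN-IN extended deny ip any any log
access-group WAN-IN in interface WAN
!
! ICMP is not tracked statefully unless it is inspected, so without this
! the servers' echo replies would be dropped on the way back to the LAN.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Three checks before trusting it. First, every ACL above is bound with "in" only; there is no "out" binding anywhere, which is what the reply about direction was getting at. Second, DHCP is a broadcast and does not cross the ASA by itself: if the DHCP server lives on the SERVER segment, add "dhcprelay server <server-ip> SERVER" and "dhcprelay enable LAN" (addresses assumed), otherwise the bootps entry achieves nothing. Third, an ASA 5505 with the Base license allows three VLANs but requires the third one to carry "no forward interface VlanN" towards one of the others; putting "no forward interface Vlan1" under Vlan3 happens to match the requirement that servers never initiate towards the LAN, but check "show version" for the license before assuming the third interface is unrestricted.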
08-26-2008 10:10 PM
HI
Could you please help me finish this work? I will be happy if you can send me some example ACLs, and even happier if you can give me your IM IDs, please.
08-27-2008 05:12 AM
I really want to help you get it done.
Read and understand this link:
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/traffic.html
Then have a look at the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807fc191.shtml
After that you will be able to find the error in your ACL,
especially that you have applied it in the wrong direction, because once you read and understand the source and destination and the direction, in and out,
you don't need in and out,
and always use in, which is better than out,
because in denies the packet before it enters the device, but in some situations you need out.
Good luck.
If you need any more help, just post here :)
08-27-2008 09:36 PM
Hi
I tried to implement the ACL, but due to my confusion and the pressure to finish the task in time I am not getting success. Please give me some sample ACLs; I will be very happy.
Waiting for your extended kind support, please.
08-27-2008 10:00 PM
Dear Javahar
Just send me what you want to be permitted,
like:
you have interfaces, right?
Just tell me what source address and destination address you want to pass through which interface.
For example:
any any port 80 means from any source to any destination allow HTTP;
any host 1.1.1.1 port 25
means any source to the server or host IP 1.1.1.1 with SMTP.
Just send me these details and I will solve it for you.
08-27-2008 10:32 PM
Javahar
I have changed your ACL config and it's much better than before,
and I have added NAT config for you; all the new config is attached here.
But before you apply this config, remove the ACLs applied to all interfaces
with the no form of the command,
like: no access-group in-out in interface LAN
and so on; remove all the applied ACLs.
Then use the fixed ones and the NAT commands as well.
The NAT commands start with
static
OK?
And after you apply all the new config and the NAT, reload the ASA, then try it
and let me know.
Good luck.
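The cleanup and NAT steps from this reply written out in full, as an added example; the attachment the reply refers to is not reproduced in the thread, so this is not that file. Interface names follow the thread, the addresses and the in-out bindings on every interface are assumed, and the nat/global/static syntax is the pre-8.3 form an ASA 5505 of 2008 would run (ASA 8.3 and later replaced it with object NAT). The verification commands at the end use packet-tracer, available since ASA 7.2, so the result can be checked without a reload: ACL and NAT changes take effect as soon as they are entered.

```cisco
! 1. Unbind the shared ACL from every interface and direction it was
!    applied to, then delete it. The bindings must go first.
no access-group in-out in interface LAN
no access-group in-out out interface LAN
no access-group in-out in interface SERVER
no access-group in-out out interface SERVER
no access-group in-out in interface WAN
no access-group in-out out interface WAN
clear configure access-list in-out
!
! 2. NAT. Clients and servers share the WAN interface address on the way
!    out (dynamic PAT); this is also what lets both segments use the
!    shared dial-up link behind the WAN.
nat (LAN) 1 192.168.1.0 255.255.255.0
nat (SERVER) 1 192.168.2.0 255.255.255.0
global (WAN) 1 interface
!
! Between LAN and SERVER keep the real addresses: identity statics, the
! "static" entries the reply mentions. They are only strictly required
! when nat-control is enabled, and are harmless otherwise.
static (SERVER,LAN) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (LAN,SERVER) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! No static from SERVER to WAN is configured on purpose: the requirement
! was that nothing on the WAN may reach the servers, and a static would
! make them addressable from there.
!
write memory
!
! 3. Verify. First confirm which ACL is bound where and in which direction,
!    then trace one flow per requirement: client to server (expected
!    allow), client to a remote web site (expected allow), and a WAN host
!    to a server's RDP port (expected "Action: drop" at the ACL phase).
show running-config access-group
packet-tracer input LAN tcp 192.168.1.50 40000 192.168.2.10 80
packet-tracer input LAN tcp 192.168.1.50 40001 198.51.100.10 443
packet-tracer input WAN tcp 198.51.100.10 40002 192.168.2.10 3389
show xlate
```

If the identity statics are not wanted, the equivalent NAT exemption is "access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0" followed by "nat (LAN) 0 access-list NONAT"; exemption with an access list is bidirectional, so one entry covers replies from the servers. In either case "show xlate" after a client browses to a server should show no translation for that pair, and only the WAN-bound flows should appear as PAT entries on the WAN address.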
08-27-2008 10:34 PM