ASA5505 Setup Questions

Answered Question
Jan 23rd, 2009

I've come to the conclusion that Cisco should rename their “Cisco ASA 5505 Getting Started Guide” to “Cisco ASA 550 A Guide To Spending A Lot Of Money And Receive Utter Frustration In Return”. Nothing in this manual is consistent. On one page they use one set of IP addresses and on another they use something totally different. I'm not sure what IP addresses to place where anymore… I'm beginning to wonder about Cisco's ability to provide quality documentation. Anyway, I didn't mean to vent here but I am totally frustrated…..

On with the problem at hand……

I have 3 PCs. Two are on the inside network and one in the dmz which acts as a Web/E-Mail server. I use an ISP which provides a public internet address of let's say 216.130.17.10 via DHCP. I also have a base license for the ASA 5505 so I realize the dmz cannot initiate any contact with the inside vlan but the inside vlan can talk to the dmz vlan. Oh, also I'm using the ASDM interface.

Question 1: Does the dmz have to have a separate public ip address provided by the ISP?

Question 2: How do you do port forwarding on this thing? I'd like to forward the web and mail server ports to the dmz.

Any help with this would be greatly appreciated…..

Best Regards

jkgraham40 Fri, 01/23/2009 - 08:02

The ASA is a very flexible device. As you know the license you have is limiting. I am sorry to tell you that for what you want you will need good knowledge of address translation (NAT) and access control lists (ACL). These are topics in the configuration manual. If you continue to use ASDM before understanding these chapters you will only get more frustrated.

Question 1: Does the dmz have to have a separate public ip address provided by the ISP?

Answer: The ASA can answer for multiple IP addresses through the use of address translation. You can use one public address or many.

Question 2: How do you do port forwarding on this thing? I'd like to forward the web and mail server ports to the dmz.

Answer: Very basic answer... You must first create a NAT then an ACL to identify the proper traffic.

Hope this helps get you started.

vbdotnetman Fri, 01/23/2009 - 08:23

I was hoping to get some simple explanations here, not to be sent back to the very manuals that caused the frustration. I understand what network translation and access lists are. What I'm asking is this:

Given the configuration I've explained above,

Question 1: Does the dmz have to have a separate public ip address provided by the ISP? Or do I just make up an address?

Question 2: How does port forwarding work on the ASA-5505?

Best Regards

vbdotnetman Fri, 01/23/2009 - 09:55

Well, where do I start.

Thank you for your reference to the manual I've already read it and followed to the letter.

It still does not work...

Instead of telling me what I don't know and sending me back to the manual I just used, a simple answer to the two questions would suffice.

Best Regards

kwillacey Fri, 01/23/2009 - 10:10

I don't think there is anything wrong with the documentation; when I first started out that was what I used, but anyway..... how far have you reached with configuring the device? Can you post your config?

You do not need to make up any IP addresses because otherwise what you are doing would not work. You do not need to assign any public addresses to your dmz hosts or dmz interface. The translations that are done will make the hosts appear as if it has a public IP when in fact it does not.

Also based on the fact that your outside address is assigned via dhcp any translations (assuming you have some dynamic dns setup so that mail can come in regardless of the public IP) you do will have to contain the interface keyword and not an IP address for it to work, I think.

All you need is the translations from outside to dmz and an access-list permitting that traffic inbound on the outside interface. So what will happen is anyone that attempts to send mail to your public IP on port 25, the ASA will forward that traffic to the host on the dmz.

Hope this helps.

***Also I don't think what you want is going to work with the base license, but then again I have never worked with one with a base license. I always ensure that it comes with a Security Plus license.***

vbdotnetman Fri, 01/23/2009 - 10:48

Hi kwillacey,

Thank you so much for your time and response.

Right now I have 1 PC connected to the dmz via switch port 0/7 and if I do an IPCONFIG /ALL on that PC it shows a bogus IP address of 169.254.58.220 (this is not on my network or LAN).

As I understand it the 169.254.58.220 address is a bogus address generated by windows when it does not have access to the network/router.

I know this is not a proper address to use to properly configure my dmz, so what address do I use?

Thankful for your response

Best Regards

Confused

Jon Marshall Fri, 01/23/2009 - 10:58

Jose

Use any private address space you like. I don't know what addresses your internal LAN is using but as an example let's assign 192.168.5.0/24 to the DMZ.

On the ASA you will need to assign the DMZ interface an address from this range so let's say 192.168.5.1

then you need to give your PC in the DMZ an address from that range, i.e.

PC address - 192.168.5.2

PC subnet mask - 255.255.255.0

PC Default gateway - 192.168.5.1

then to give access to this PC from the outside

static (DMZ,outside) tcp interface 25 192.168.5.2 25 netmask 255.255.255.255

static (DMZ,outside) tcp interface 80 192.168.5.2 80 netmask 255.255.255.255

then you need an access-list to allow this traffic from outside.

Jon

vbdotnetman Fri, 01/23/2009 - 11:57

Hi Jon,

I now have internet access to the dmz but I'm having a little trouble with the access list.

I'm using ASDM and create a rule that says:

Interface: outside

Source: any

Destination: 192.168.5.2

Service: tcp/smtp

It generates:

access-list outside_access_in extended permit tcp any host 192.168.5.2 eq smtp

But I cannot access my email server on the dmz?

Best Regards

Jon Marshall Fri, 01/23/2009 - 12:00

You can't use the private address as the destination because it is presented as the outside interface IP address of your ASA to the Internet. Try

access-list outside_access_in permit tcp any host eq smtp

Jon

kwillacey Fri, 01/23/2009 - 12:04

I wonder if you can get around that because his outside IP address might change from time to time because it's via DHCP, I mean besides having your ISP reserve that address for you or getting a static one from them.

Maybe something like

access-list outside_access_in permit tcp any host dhcp-assigned-outside eq smtp

LOL I'm just messing around but it would be cool if that was possible though.

***Glad to see you got the dmz up***

Jon Marshall Fri, 01/23/2009 - 12:11

I think you can and I was just about to update my previous post

access-list outside_access_in permit tcp any interface outside eq smtp

Jon

vbdotnetman Fri, 01/23/2009 - 12:17

jon,

I placed it into configuration as instructed , also did one for pop3, but still cannot retrieve my email from inside vlan pc?

Best Regards

kwillacey Fri, 01/23/2009 - 12:22

You live and you learn, I never had a need to so I would have no clue.

Can you post your current config?

vbdotnetman Fri, 01/23/2009 - 14:36

Hi,

Below is a copy of the current configuration:

ciscoasa# show run

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name my.domain.com

enable password ***** Taken out by me ***** encrypted

passwd ***** Taken out by me ***** encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ospf cost 10

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.8.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name my.domain.com

access-list outside_access_in extended permit tcp any host 98.122.121.101 eq smtp

access-list outside_access_in extended permit tcp any host 98.122.121.101 eq pop3

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255

static (outside,dmz) tcp 192.168.8.10 smtp 98.122.121.101 smtp netmask 255.255.255.255

static (outside,dmz) tcp 192.168.8.10 pop3 98.122.121.101 pop3 netmask 255.255.255.255

static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 98.122.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum: ***** Taken out by me *****

: end

Jon Marshall Fri, 01/23/2009 - 12:27

Okay, I'm a bit confused here. If you want to access from outside then you need to use the public IP address in your access-list.

If you want to access from inside to DMZ then use the 192.168.5.2 address. You will also need a static statement eg. lets say your inside network is 192.168.1.0/24

static (inside,DMZ) 192.168.1.0 192.168.1.0 255.255.255.0

Jon

vbdotnetman Fri, 01/23/2009 - 12:50

Jon,

the static statement you wrote has the same addresses in it?

Best Regards

Jon Marshall Fri, 01/23/2009 - 13:00

Yes, I know. This is how you tell the ASA that the inside addresses will appear as the same IP addresses on the DMZ.

Jon

Jon Marshall Fri, 01/23/2009 - 13:22

With the greatest respect if you don't want to read the manuals you should perhaps take the advice of people who have :-)

It's a PIX/ASA idiosyncrasy that is basically telling the device not to NAT. On other vendor firewalls you don't have to do this. On a PIX/ASA you do unless you want to disable nat-control.

Jon

vbdotnetman Fri, 01/23/2009 - 14:39

Jon,

I do appreciate what you are trying to do here but I think working in the blind is just going to frustrate you... So with deep appreciation below is a copy of my configuration as it stands right now...

ciscoasa# show run

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name my.domain.com

enable password ***** Taken out by me ***** encrypted

passwd ***** Taken out by me ***** encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ospf cost 10

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.8.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name my.domain.com

access-list outside_access_in extended permit tcp any host 98.122.121.101 eq smtp

access-list outside_access_in extended permit tcp any host 98.122.121.101 eq pop3

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255

static (outside,dmz) tcp 192.168.8.10 smtp 98.122.121.101 smtp netmask 255.255.255.255

static (outside,dmz) tcp 192.168.8.10 pop3 98.122.121.101 pop3 netmask 255.255.255.255

static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255

route outside 0.0.0.0 0.0.0.0 98.122.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum: ***** Taken out by me *****

: end

Jon Marshall Fri, 01/23/2009 - 14:51

Okay, few things.

1) what is IP address 98.122.121.101 - is that the outside interface address ? If so change the static statements from

static (outside,dmz) tcp 192.168.8.10 www 98.122.121.101 www netmask 255.255.255.255

to

static (dmz,outside) tcp interface www 192.168.8.10 www netmask 255.255.255.255

etc.. for all statics.

If it isn't the outside address then let me know.

2) remove this line

static (dmz,inside) interface 192.168.1.0 netmask 255.255.255.255

3) add in to your config

global (dmz) 1 interface

this is instead of the previous static statement i gave you.

4) Your default route on the ASA points to

98.122.112.1.

Again what is 98.122.121.101 ?

Can you do all this config on the command line? I don't use ASDM but it looks like it has put things the wrong way round, certainly in terms of the statics.

Jon

vbdotnetman Fri, 01/23/2009 - 16:13

If I hook my PC straight to the cable modem and do an ipconfig /all this is what I get:

ip address 98.122.126.212

subnet mask 255.255.240.0

default gateway 98.122.112.1

I had placed a previous call to Cisco and was told to use 98.122.121.101 by their technician. It seems to work I can get from the inside network to the outside internet.

Hope this helps....

vbdotnetman Sat, 01/24/2009 - 16:58

O.K. Jon,

I created the above configuration.

A few problems though:

I can access my web page from outside but not from inside vlan.

I can send E-Mail from outside and the dmz email server receives it but cannot send or receive E-Mail from the inside vlan.

I cannot Remote desktop from inside to the dmz server...

Below is the config:

ciscoasa> ena

Password:

ciscoasa# show run

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name my.domain.com

enable password :*** Commented Out *** encrypted

passwd :*** Commented Out *** encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ospf cost 10

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.8.1 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name my.domain.com

access-list outside_access_in extended permit tcp any host xx.yyy.121.101

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

global (dmz) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255

static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255

static (dmz,outside) tcp interface pop3 192.168.8.2 pop3 netmask 255.255.255.255

static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

static (dmz,inside) 192.168.8.2 xx.yyy.121.101 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 xx.yyy.112.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:*** Commented Out ***

: end

Correct Answer
Jon Marshall Sat, 01/24/2009 - 18:11

Well at least we are making some progress :-)

You have this statement -

static (dmz,inside) 192.168.8.2 xx.yyy.121.101 netmask 255.255.255.255

When you try to access from inside - what IP address are you using as the destination IP address ?

Jon
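The rules Jon applies by hand across his replies (in pre-8.3 `static` syntax the mapped address comes first and the real address must live on the first-named interface; the outside ACL must match the mapped address, or `interface outside` when the outside address comes from DHCP; and an access-list does nothing until `access-group` binds it) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco. The interface subnets and security levels are taken from the posted 7.2(4) config; the redacted public address in the last config is filled in with 98.122.121.101 as shown in the earlier post, and the `POSTED_CONFIG` sample is a constructed excerpt of that config's NAT and ACL lines.

```python
"""Added example: a linter for pre-8.3 Cisco ASA/PIX NAT and ACL lines.

In 7.x/8.0-8.2 syntax, `static (real_ifc,mapped_ifc) MAPPED REAL ...` lists
the mapped address first; the real address must live on real_ifc, an inbound
ACL on the mapped interface must name the mapped address (or `interface X`
when X gets its address from DHCP), and an access-list is inert until an
`access-group` binds it.  Interface data below comes from the posted config.
"""
import ipaddress
import re

# Security level and subnet per interface (outside is DHCP: subnet unknown).
INTERFACES = {
    "inside": (100, ipaddress.ip_network("192.168.1.0/24")),
    "dmz": (50, ipaddress.ip_network("192.168.8.0/24")),
    "outside": (0, None),
}

# Constructed input: the NAT/ACL lines of the last config posted in the
# thread, with the redacted public address filled in from the earlier post.
POSTED_CONFIG = """
access-list outside_access_in extended permit tcp any host 98.122.121.101
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) tcp interface www 192.168.8.2 www netmask 255.255.255.255
static (dmz,outside) tcp interface smtp 192.168.8.2 smtp netmask 255.255.255.255
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 192.168.8.2 98.122.121.101 netmask 255.255.255.255
access-group outside_access_in in interface outside
""".strip().splitlines()

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (.+?) netmask \S+$")
ACL_RE = re.compile(
    r"^access-list (\S+) (?:extended )?(?:permit|deny) (\S+) "
    r"(?:any|host \S+|\S+ \S+) (any|host \S+|interface \w+|\S+ \S+)(?: eq (\S+))?$"
)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)$")


def parse_static(line):
    """Return {real_ifc, mapped_ifc, mapped, real} for a static, else None."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    real_ifc, mapped_ifc, body = m.groups()
    toks = body.split()
    if toks[0] in ("tcp", "udp"):   # static PAT: proto MAPPED mport REAL rport
        mapped, real = toks[1], toks[3]
    else:                           # one-to-one or identity NAT: MAPPED REAL
        mapped, real = toks[0], toks[1]
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
            "mapped": mapped, "real": real}


def _ip(text):
    """Parse an address; None for the `interface` keyword or a redacted value."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def lint(config_lines, interfaces=INTERFACES):
    """Return a list of findings; an empty list means the lines are consistent."""
    lines = [l.strip() for l in config_lines]
    statics = [s for s in map(parse_static, lines) if s]
    acls = [m.groups() for m in map(ACL_RE.match, lines) if m]
    bound = dict(m.groups() for m in map(GROUP_RE.match, lines) if m)
    findings = []

    for s in statics:
        real_level, real_net = interfaces.get(s["real_ifc"], (None, None))
        mapped_level, _ = interfaces.get(s["mapped_ifc"], (None, None))
        real_ip = _ip(s["real"])
        tag = f"static ({s['real_ifc']},{s['mapped_ifc']})"
        if real_net is not None and real_ip is not None and real_ip not in real_net:
            findings.append(f"{tag}: real address {s['real']} is not on "
                            f"{s['real_ifc']}; mapped/real order is reversed")
        elif (real_level is not None and mapped_level is not None
              and real_level < mapped_level):
            findings.append(f"{tag}: publishes a host from the less-secure interface "
                            f"inward (outside NAT); the pair is usually reversed")

    for name in sorted({a[0] for a in acls} - set(bound)):
        findings.append(f"access-list {name} is defined but never bound with access-group")

    for name, _proto, dst, _port in acls:
        ifc = bound.get(name)
        if ifc is None or not dst.startswith("host "):
            continue
        host = dst.split()[1]
        on_ifc = [s for s in statics if s["mapped_ifc"] == ifc]
        if any(s["real"] == host for s in on_ifc):
            findings.append(f"access-list {name} on {ifc}: {host} is the real (pre-NAT) "
                            f"address; the ACL must match the mapped address")
        elif (interfaces.get(ifc, (None, None))[1] is None and _ip(host) is not None
              and any(s["mapped"] == "interface" for s in on_ifc)):
            findings.append(f"access-list {name} on {ifc}: literal {host} will not follow "
                            f"a DHCP-assigned address; use 'interface {ifc}'")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_CONFIG):
        print(finding)
```

Run against the last posted config it reports exactly the two things Jon is circling: the `static (dmz,inside) 192.168.8.2 98.122.121.101` line has its mapped and real addresses the wrong way round (the real DMZ host is 192.168.8.2, so it belongs second), and the outside ACL names a literal public address while the statics publish on `interface`, so it should use `interface outside`. Fed the first posted config instead, it also reports that `outside_access_in` is never bound with `access-group`, which that config lacks, and flags the ASDM-generated `static (outside,dmz)` lines as outside NAT, the "wrong way round" Jon spotted by eye.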

vbdotnetman Sat, 01/24/2009 - 18:35

It's a good thing :)

I use www."domain name".com which is translated by DynDns.org to xx.yyy.121.101.

I also tried typing in 192.168.8.2 in the IE browser with the same results....

What I think may be happening is I don't have the "interface" keyword on the static statement? Just guessing?

Jose

vbdotnetman Sun, 01/25/2009 - 05:02

Fixed it.. But when I try to send or receive e-mail from inside vpn I get:

6 Jan 25 2009 07:54:16 106015 75.180.132.77 98.122.121.101 Deny TCP (no connection) from 75.180.132.77/110 to xx.yyy.121.101/1805 flags RST ACK on interface outside.

75.180.132.77 is RoadRunner cable my isp provider.

Do I need a nat rule or access rule? Not sure..

Best Regards

Jose

vbdotnetman Fri, 01/23/2009 - 13:18

Jon,

I placed the static statement in my configuration. Can't send an email from inside and receive an email from dmz. Not sure what's going on. Have followed your instructions.
