Trouble configuring ASA 5505

CyberWolves_2
Level 1

I run a very small web, email and DNS hosting business and had been running a PIX 506E for several years with no problems. Since it had finally reached end of life I bought an ASA 5505 with the security bundle. I'm not a firewall expert by a long shot and the commands in the 5505 are just different enough to be confusing to me. I have internet access for my internal network working fine but no matter what I try I can't get my DNS servers, web servers or email servers to be visible to the outside world. I've followed the getting started guide instructions, and even configuration guides on Cisco's website, but I'm still having trouble. Further, when I run the ASDM Packet Tracer to simulate inbound traffic coming into my services from the outside interface it reports that everything is working correctly and indicates the message should be successfully delivered to the inside host. But in reality nothing is getting through that originates from the outside, as I'm watching the syslog messages and the ASA is clearly denying traffic that should be permitted.

To make matters worse my 506E power supply died when I tried to fall back to using it so now I'm really stuck. I'm assuming I'm missing a command or something; but would appreciate any suggestions or advice on how to proceed.

Thanks!

11 Replies

Collin Clark
VIP Alumni

Are you clearing the ARP table on your upstream routers at the time of the swap? Also, can you post your config?

Thanks for the response! I don't have access to commands on my external router as it is owned/managed by my ISP. However, it is in my server room so I manually rebooted it in case that helps clear the ARP table. Also, I should note that I am running 125 externally facing (public IP) addresses in case that is relevant. Attached is the running configuration on my ASA. Regarding the DMZ, I have abandoned trying to use it and have fallen back to using internal NAT addresses with the idea that this closely matches what I had running before with the PIX 506E and on the assumption that if I can get this working I should be able to replicate that configuration using the DMZ VLAN. Finally, based on Cisco's recommendation for posting to forums I have masked my internal and external IPs.

Thanks again for whatever assistance you can provide! - Wolf

If you want a 1:1 conversion, take a look at the conversion tool-

http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html

I'll take a look at your config too.

Unfortunately, the power supply gave out on the 506E when I went to bring it back online to do just that; so, that is not really an option at this point. I appreciate you looking at the config file!

I assumed you had a backup of the config. I checked your posted config and everything looks good. Can you check the logs when you test and see what's in there? Is inside to outside connectivity OK?

Inside to outside is working fine. I just tried an externally generated SSL (port 443) test against one of my public IP numbers that the ASA is configured to allow 443 traffic on and this is what I see in the syslog:

4 Aug 11 2009 06:58:08 106023 174.xxx.xxx.226 67.xxx.xxx.160 Deny tcp src outside:174.xxx.xxx.226/2815 dst inside:67.xxx.xxx.160/443 by access-group "outside_access_in" [0x0, 0x0]

I'm trying to have my logs sent to an FTP server so I can post them; but nothing has been sent from the 5505 to server yet.

The ACL is blocking it. I looked at your ACLs and some of them may be incorrect. The order of the ACL is crucial. Here's what I mean-

access-list outside_access_in extended permit tcp any object-group WEB_SERVERS eq 80

access-list outside_access_in extended permit tcp any 80 object-group WEB_SERVERS

See the difference? The first one allows any source IP and any source port to connect to the destination IP of WEB_SERVERS on the destination port of 80.

The second ACL allows any source IP, but they must have the source port of 80 to connect to destination IP of WEB_SERVERS on any destination port.

ACL should go [source IP] [destination IP] eq [port]. There are times when you want to restrict by source ports, but it's usually a specific application.

One thing I should point out is that the group "Mail" you saw in the config file is a TCP service group to apply the permission for SMTP, POP3 and IMAP4 as a group of permitted ports and not a network object. Still, I see what you are saying about the order in the syntax and I tried to implement your example. When I used the ASDM menus it seems that the syntax is going in backwards. For example, I enter the proper instructions to allow any source IP to access 67.xxx.xxx.160 and use tcp/25 (for SMTP) and the output generated by the ASDM is as follows:

access-list outside_access_in extended permit tcp any eq smtp host 67.xxx.xxx.160

This seems backward from your example as it is Source IP -- ports to be opened -- destination IP. I tried using the CLI to enter the syntax exactly as you show but it gives me an error indicating invalid host. I also tried to enter the command using IP numbers and actual ports such as

access-list outside_access_in extended permit tcp any 67.xxx.xxx.160 eq 80

but the "eq" is generating an error ERROR: % Invalid Hostname.

Clearly, I'm doing something wrong. I just don't know what. I really appreciate your continued attempts to help me resolve this!

Typo on my part :-)

access-list outside_access_in extended permit tcp any host 67.xxx.xxx.160 eq 80

You can also use subnets-

access-list outside_access_in extended permit tcp any 67.xxx.xxx.160 255.255.255.255 eq 80

I don't use ASDM so I can't be much help there, sorry.
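The operand-order rule Collin lays out in the two posts above (source, optional source port, destination, optional destination port) can be checked mechanically before an ACL is applied. The following is an added example, not code from the thread, from Cisco or from ASDM: a small Python audit that parses ASA `access-list ... extended` lines, records which side each port operator binds to, flags entries whose only port restriction landed on the source (so the destination is open on every port), and reports the missing-mask form that the ASA rejects with "Invalid Hostname". The 192.0.2.x addresses and the WEB_SERVERS group name in the sample lines are constructed placeholders.

```python
"""Audit Cisco ASA extended ACL lines for misplaced port operators.

Added example (not Cisco or ASDM code).  It only models the subset of the
ACL grammar discussed in the thread:
  access-list NAME extended ACTION PROTO SRC [PORT-OP] DST [PORT-OP] ...
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port operators and how many operands each one consumes.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class AclEntry:
    name: str
    action: str
    proto: str
    src: str
    src_port: Optional[str]
    dst: str
    dst_port: Optional[str]


def _take_address(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address specifier at tokens[i]; return (text, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return tok, i + 1
    if tok in ("host", "object", "object-group", "interface"):
        return f"{tok} {tokens[i + 1]}", i + 2
    if IPV4.fullmatch(tok):
        # A bare IPv4 address must be followed by a netmask; "eq" in that
        # position is what the thread's "Invalid Hostname" error is about.
        if i + 1 < len(tokens) and IPV4.fullmatch(tokens[i + 1]):
            return f"{tok} {tokens[i + 1]}", i + 2
        raise ValueError(f"address {tok} has no netmask (use 'host {tok}' or a mask)")
    raise ValueError(f"unexpected token {tok!r} where an address was expected")


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional port operator (eq/neq/gt/lt/range) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return " ".join(tokens[i:i + 1 + n]), i + 1 + n
    return None, i


def parse_acl(line: str) -> AclEntry:
    """Parse one 'access-list NAME extended ...' line into its operands."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("not an extended access-list line")
    name, action, proto = tokens[1], tokens[3], tokens[4]
    i = 5
    src, i = _take_address(tokens, i)
    src_port, i = _take_port(tokens, i)      # a port op here binds to the SOURCE
    dst, i = _take_address(tokens, i)
    dst_port, i = _take_port(tokens, i)      # a port op here binds to the DESTINATION
    return AclEntry(name, action, proto, src, src_port, dst, dst_port)


def audit(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) for every line that fails to parse or that
    restricts only the source port while leaving the destination wide open."""
    findings = []
    for line in lines:
        try:
            e = parse_acl(line)
        except (ValueError, IndexError) as exc:
            findings.append((line, f"parse error: {exc}"))
            continue
        if e.src_port and not e.dst_port:
            findings.append((line, f"{e.src_port!r} restricts the SOURCE port; "
                                   f"destination {e.dst} is permitted on all ports"))
    return findings


# Constructed sample lines mirroring the forms discussed in the thread.
SAMPLE_ACL = [
    "access-list outside_access_in extended permit tcp any host 192.0.2.10 eq 80",
    "access-list outside_access_in extended permit tcp any eq smtp host 192.0.2.10",
    "access-list outside_access_in extended permit tcp any 192.0.2.10 255.255.255.255 eq 443",
    "access-list outside_access_in extended permit tcp any 192.0.2.10 eq 80",
    "access-list outside_access_in extended permit tcp any object-group WEB_SERVERS eq 80",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_ACL):
        print(f"{reason}\n    {line}")
```

Run the file directly to see the two problem lines reported: the ASDM-style entry with `eq smtp` before the destination, and the bare-address entry with no netmask. The three correctly ordered forms (`host`, address plus mask, and `object-group`) pass without findings.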

SUCCESS! That did the trick and I think I now understand the problem. It seems that I was attempting to enter the correct command settings in the correct sequence; however, the ASDM would insert the command line incorrectly (it would insert the command as Source IP, tcp (or udp) port to be allowed, and then destination IP). When I put the command in manually using the CLI (following the format you specified) it went in correctly and I am now able to successfully access my mail and DNS servers from the outside!

This problem was really confusing me and now that I know that I had the concepts right and I just need to do the commands manually I'm going to try and get the DMZ to work and see if I can create and use network objects so I can more efficiently manage my 125 IPs.

Most importantly, I really want to thank you for all your help! You have been amazing at logically working through the issues and guiding me through each step to identify and finally resolve the problem. Thanks! - Wolf Tombe

Did you ever get the DMZ part working? I'm stuck with some problems.
