New to ASA 5510

Apr 24th, 2010
Hello all,


I currently took over a System Administrator position and now have the job of configuring an ASA5510. However, I am not CCNA/P certified and have never had the "joy" of configuring one. I need to open up port 1723 to allow external access to the main PDC inside. Can anyone help?


Also, by looking at this config, there is a TON of stuff going on... if anyone would be able to analyze it and see how jacked up this config is, I would appreciate it.


Thanks,

Lawrence

SPERTWCISCO Sat, 04/24/2010 - 08:19

It is a lot easier to help you if you can post your running-config.

militant187 Sat, 04/24/2010 - 08:27

Here it is:


asdm image disk0:/asdm-508.bin
asdm location 192.168.2.2 255.255.255.255 Inside
asdm location 192.168.1.2 255.255.255.255 Inside
asdm location 192.168.1.2 255.255.255.255 Outside
asdm location 192.168.1.8 255.255.255.255 Inside
asdm location 67.xx.xx.62 255.255.255.255 Inside
asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name DOMAIN.NAME
enable password XXXXXX encrypted
passwd XXXXXX encrypted
names
dns-guard
!
interface Ethernet0/0
description This is port E0/0.
nameif Outside
security-level 0
ip address 67.xx.xx.62 255.255.255.0
!
interface Ethernet0/1
description This is port E0/1.
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description This port is used for direct management only....
nameif management
security-level 100
ip address 192.168.4.1 255.255.255.0
management-only
!
banner login XXX Cisco systems device.
banner login XXX Cisco systems device.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
object-group service ADP tcp-udp
port-object range 714 714
object-group service SMTP tcp
description Exchange
port-object range 100 5000
object-group service SSH tcp
description SSH
port-object range ssh ssh
access-list Outside_access_in remark Exchange server settings.
access-list Outside_access_in remark Exchange server settings.
access-list Outside_access_in extended permit tcp any range 137 138 interface Outside range 137 138
access-list Outside_access_in remark Exchange server settings.
access-list Outside_access_in extended permit tcp any eq smtp interface Outside eq smtp
access-list Outside_access_in extended permit tcp any any eq smtp
access-list Outside_access_in extended permit udp any range 135 139 host 67.xx.xx.62 range 135 139
access-list Outside_access_in extended permit tcp any any eq www
access-list Outside_access_in extended permit tcp any range 3389 3390 any range 3389 3390
access-list Outside_access_in extended permit tcp any any
access-list Outside_access_in extended permit udp any any
access-list Outside_access_in extended permit udp any any eq isakmp
access-list Outside_access_in extended permit udp any any eq 4500
access-list Outside_access_in extended permit gre any any
access-list Outside_access_in extended permit udp any any eq 1701
access-list Outside_access_in extended permit tcp any any eq pptp
access-list Outside_access_in extended permit tcp any any eq 3389
access-list Outside_access_in extended permit tcp any any eq 691
access-list Outside_access_in extended permit tcp any any eq 593
access-list Outside_access_in extended permit udp any any eq 593
access-list Outside_access_in extended permit tcp any eq 445 host 67.xx.xx.62 eq 445
access-list Outside_access_in extended permit tcp any range 445 445 interface Outside range 445 445
access-list Outside_access_in extended permit udp any eq netbios-ns any eq netbios-ns
access-list Outside_access_in extended permit tcp interface Outside range 100 5000 interface Outside range 100 5000
access-list Outside_access_in extended permit tcp any range 691 691 any range 691 691
access-list Outside_access_in extended permit tcp any eq 3268 interface Outside eq 3268
access-list Outside_access_in extended permit tcp any object-group SMTP any object-group SMTP
access-list Outside_access_in extended permit tcp host 192.168.1.2 host 192.168.1.8
access-list Outside_access_in remark ssh for remote access
access-list Outside_access_in extended permit tcp any object-group SSH any object-group SSH
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit udp any any eq isakmp
access-list Inside_access_in extended permit udp any any eq 4500
access-list Inside_access_in extended permit gre any any
access-list Inside_access_in extended permit udp any any eq 1701
access-list Inside_access_in extended permit tcp any any eq pptp
access-list Inside_access_in extended permit tcp any range 691 691 any range 691 691
access-list Inside_access_in extended permit tcp host 127.0.0.1 eq 33330 host 192.168.1.2 eq 33330
access-list Inside_access_out remark Exchange server settings.
access-list Inside_access_out extended permit tcp any host 192.168.1.2
access-list Inside_access_out extended permit udp any range 135 139 host 192.168.1.2 range 135 139
access-list Inside_access_out extended permit tcp any range 445 445 host 192.168.1.2 range 445 445
access-list Inside_access_out extended permit gre any any
access-list Inside_access_out extended permit udp any any eq 1701
access-list Inside_access_out extended permit tcp any any eq pptp
access-list Outside_pnat_inbound extended permit tcp interface Outside object-group SMTP host 192.168.1.2 object-group SMTP
access-list Outside_pnat_inbound_V1 extended permit ip interface Outside host 192.168.1.2
access-list FDLE_access_in extended permit tcp any host 67.xx.xx.62 eq pptp
access-list FDLE_access_in extended permit tcp any host 192.168.1.2 eq pptp
access-list outside_access_in extended permit tcp any host 67.xx.xx.62 eq pptp
pager lines 24
logging enable
logging timestamp
logging console notifications
logging asdm informational
logging mail alerts
logging debug-trace
logging flash-bufferwrap
logging flash-maximum-allocation 4096
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip audit attack action alarm drop
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Inside) 11 192.168.1.2
nat (Outside) 11 access-list Outside_pnat_inbound_V1 outside
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 135 192.168.1.2 135 netmask 255.255.255.255
static (Inside,Outside) udp interface netbios-ns 192.168.1.2 netbios-ns netmask 255.255.255.255
static (Inside,Outside) tcp interface 138 192.168.1.2 138 netmask 255.255.255.255
static (Inside,Outside) tcp interface 445 192.168.1.2 445 netmask 255.255.255.255
static (Inside,Outside) tcp interface 1025 192.168.1.2 1025 netmask 255.255.255.255
static (Inside,Outside) tcp interface 1260 192.168.1.2 1260 netmask 255.255.255.255
static (Inside,Outside) tcp interface netbios-ssn 192.168.1.2 netbios-ssn netmask 255.255.255.255
static (Inside,Outside) tcp interface ldap 192.168.1.2 ldap netmask 255.255.255.255
static (Inside,Outside) tcp interface 3268 192.168.1.2 3268 netmask 255.255.255.255
static (Inside,Outside) tcp interface 88 192.168.1.2 88 netmask 255.255.255.255
static (Inside,Outside) tcp interface domain 192.168.1.2 domain netmask 255.255.255.255
static (Inside,Outside) tcp interface 1026 192.168.1.2 1026 netmask 255.255.255.255
static (Inside,Outside) tcp interface 137 192.168.1.2 137 netmask 255.255.255.255
static (Inside,Outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255
static (Inside,Outside) tcp interface 136 192.168.1.2 136 netmask 255.255.255.255
static (Inside,Outside) tcp interface 1164 192.168.1.2 1164 netmask 255.255.255.255
static (Inside,Outside) tcp interface 1226 192.168.1.2 1226 netmask 255.255.255.255
static (Inside,Outside) udp interface 6001 192.168.1.2 6001 netmask 255.255.255.255
static (Outside,Inside) tcp 67.xx.xx.62 6001 192.168.1.2 6001 netmask 255.255.255.255
static (Inside,Outside) tcp interface 6004 192.168.1.2 6004 netmask 255.255.255.255
static (Inside,Outside) tcp interface 6002 192.168.1.2 6002 netmask 255.255.255.255  norandomseq
static (Inside,Outside) tcp interface 691 192.168.1.2 691 netmask 255.255.255.255
static (Outside,Inside) tcp 67.xx.xx.62 135 192.168.1.2 135 netmask 255.255.255.255
static (Outside,Inside) tcp 67.xx.xx.62 smtp 192.168.1.2 smtp netmask 255.255.255.255
static (Outside,Inside) tcp 67.xx.xx.62 www 192.168.1.2 www netmask 255.255.255.255
static (Outside,Inside) tcp 67.xx.xx.62 domain 192.168.1.2 domain netmask 255.255.255.255
static (Outside,Inside) tcp 67.xx.xx.62 ssh 192.168.1.2 ssh netmask 255.255.255.255
static (Inside,Outside) tcp interface ssh 192.168.1.2 ssh netmask 255.255.255.255
static (Outside,Inside) tcp interface 445 192.168.1.2 445 netmask 255.255.255.255
static (Outside,Inside) tcp 67.xx.xx.62 pptp 192.168.1.2 pptp netmask 255.255.255.255
static (Outside,Inside) 192.168.1.2  access-list Outside_pnat_inbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 67.210.42.1 1
route Inside 192.168.1.7 255.255.255.255 192.168.1.1 1
route Inside 192.168.1.8 255.255.255.255 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username lmorici password l5Zb3tiVOfj4/UWC encrypted privilege 15
username ciscotac password OayPdaoMg8USh9nT encrypted privilege 15
username blobb password YsAfB847i2KwDk3V encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 67.xx.xx.62 255.255.255.255 Outside
http 67.210.42.0 255.255.255.0 Outside
http 192.168.1.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
http 192.168.4.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 67.210.42.0 255.255.255.0 Outside
telnet 192.168.2.0 255.255.255.0 Inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 203.167.75.41 255.255.255.255 Outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.4.2-192.168.4.10 management
dhcpd dns 192.168.1.2 204.255.24.254
dhcpd wins 192.168.1.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain DOMAIN.ORG
dhcpd enable management
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
description PPTp
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
class global-class
  inspect pptp
!
service-policy global_policy global
smtp-server 192.168.1.2
Cryptochecksum:XXXXXXXXXXXXXXXXXXX
: end





Let me remind you, the person whose job I took over hardly knew how to configure a static IP for a printer... I believe she had a consultant configure this. Thanks for the help.

Federico Coto F... Sat, 04/24/2010 - 09:07

Hi,


To allow incoming UDP port 1723 to an internal PC, you should do two things:


1. Create a static NAT for the inside PC (this could be a 1-to-1 static NAT or just static PAT)

static (in,out) NAT_IP INSIDE_PC

static (in,out) udp NAT_IP 1723 INSIDE_PC 1723


2. Allow UDP 1723 on the incoming ACL on the outside interface.

access-list Outside_access_in  permit udp any host NAT_IP eq 1723


Hope to help.


Federico.

militant187 Sat, 04/24/2010 - 10:15

Once I added those rules, I lost connection to Exchange, and still can't connect to the VPN. How do I remove what I just typed?

Federico Coto F... Sat, 04/24/2010 - 10:18

If for example you entered these rules:


static (in,out) NAT_IP INSIDE_PC
static (in,out) udp NAT_IP 1723 INSIDE_PC 1723
access-list Outside_access_in  permit udp any host NAT_IP eq 1723

To remove them, you simply do:


no static (in,out) NAT_IP INSIDE_PC
no static (in,out) udp NAT_IP 1723 INSIDE_PC 1723
no access-list Outside_access_in  permit udp any host NAT_IP eq 1723


Now, to help you with the exact commands, let us know the IP address of the inside device and the NAT IP that should be assigned to it.


Federico.

militant187 Sat, 04/24/2010 - 10:40

Thanks for all of the help... Exchange is now able to be accessed =)


The NAT IP is 192.168.1.1


The server on which RRAS is running is 192.168.1.2..... this server is the PDC / Exchange and RRAS server, so a lot is going on.

skint Sat, 04/24/2010 - 10:26

Hi,


Since you are using all those PAT rules to begin with and you're most likely terminating your PPTP connection to the same server, you might want to try:


static (inside,Outside) tcp interface 1723 192.168.1.2 1723


You'll still need the entry in your outside ACL as well.


Also, I would look at removing the amount of exposure that server has, looks like you have NETBIOS, LDAP, and Kerberos all exposed to the Internet.


-skint
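As an added illustration of skint's point about exposure (this is not part of the thread or any poster's code), the following Python audit reads an excerpt of the posted running-config, flags ACL entries that open an entire protocol from any source to any destination, and lists which services the static PAT entries publish on the Outside interface for each inside host. The set of "internal-only" ports is an assumption chosen for a Windows domain controller.

```python
import re
from collections import defaultdict

# Assumption: ports that should not be reachable from the Internet on a Windows
# domain controller (RPC endpoint mapper, NetBIOS/SMB, Kerberos, LDAP/GC, DNS).
INTERNAL_ONLY = {"135", "136", "137", "138", "139", "445", "88", "389", "3268",
                 "domain", "ldap", "netbios-ns", "netbios-ssn", "netbios-dgm"}

# Excerpt of the running-config posted in the thread (other lines omitted).
CONFIG = """
access-list Outside_access_in extended permit tcp any any eq www
access-list Outside_access_in extended permit tcp any any
access-list Outside_access_in extended permit udp any any
access-list Outside_access_in extended permit gre any any
access-list Outside_access_in extended permit tcp any any eq pptp
static (Inside,Outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface 445 192.168.1.2 445 netmask 255.255.255.255
static (Inside,Outside) udp interface netbios-ns 192.168.1.2 netbios-ns netmask 255.255.255.255
static (Inside,Outside) tcp interface ldap 192.168.1.2 ldap netmask 255.255.255.255
static (Inside,Outside) tcp interface 88 192.168.1.2 88 netmask 255.255.255.255
static (Inside,Outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
"""

# "permit <proto> any any" with an optional "eq <port>" qualifier.
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) any any(?: eq (\S+))?$")
# Static PAT publishing a port of the Outside interface to an inside host.
STATIC_RE = re.compile(r"^static \(Inside,Outside\) (tcp|udp) interface (\S+) (\S+) \S+")

def audit(config):
    """Return (open_rules, exposure): ACL lines that permit a whole protocol
    any->any, and a map inside_ip -> sorted 'proto/port' published via PAT."""
    open_rules, exposure = [], defaultdict(set)
    for line in config.strip().splitlines():
        m = ACL_RE.match(line)
        if m and m.group(3) is None:        # no "eq <port>": whole protocol is open
            open_rules.append(line)
        m = STATIC_RE.match(line)
        if m:
            proto, port, inside_ip = m.groups()
            exposure[inside_ip].add(f"{proto}/{port}")
    return open_rules, {ip: sorted(p) for ip, p in exposure.items()}

def risky_exposures(exposure):
    """Keep only the published ports that belong on an internal network."""
    return {ip: [p for p in ports if p.split("/")[1] in INTERNAL_ONLY]
            for ip, ports in exposure.items()}

if __name__ == "__main__":
    rules, exposed = audit(CONFIG)
    print("wide-open ACL entries:", *rules, sep="\n  ")
    print("internal-only ports reachable from Outside:", risky_exposures(exposed))
```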

militant187 Sat, 04/24/2010 - 10:40

Hey Skint,


I have no idea what/how she configured... i did notice a ton of things open to the internet. I believe she was having issues with Exchange connectivity, so she opened up a ton of ports to allow traffic to flow.


Any recommendations would be awesome.

skint Sat, 04/24/2010 - 10:54

It looks like she attempted to configure or configured RPC over HTTP (Outlook Anywhere), or it was a Front End / Back End Exchange deployment. The rules that are applied to the outside interface are typically applied on the DMZ interface for a Frontend Exchange server to speak to the back end. That being said, you probably only need HTTPS/SMTP/RDP enabled on the outside. The rest are a little open for a Windows Server; you're really depending on your patch level being up to date at all times.


Maybe try something like this.


access-list Outside-in permit tcp any interface Outside eq smtp

access-list Outside-in permit tcp any interface Outside eq https

access-list Outside-in permit tcp any interface Outside eq 1723

access-list Outside-in permit tcp any interface Outside eq 3389   --- only if you need RDP from the outside.

access-group Outside-in in interface Outside


If everything seems broken, you can always apply your old ACL by re-applying it to the outside interface:



access-group Outside_access_in in interface Outside


-skint

militant187 Sat, 04/24/2010 - 10:59

Currently RPC over HTTPS is not the way that end users connect to Exchange. So if I remove all of the existing rules and apply the rules you listed, should I be able to access Exchange? Or would I need to configure the server to use RPC over HTTPS first, THEN apply those ACL rules?

militant187 Sat, 04/24/2010 - 11:16

OWA is currently NOT using SSL.... I am going to assume that this was configured improperly, or with disregard to security...
