From Cisco 873 to ASA 5505 (Firewall)

Aug 23rd, 2010

Hi,


We have an old Cisco 873 for ADSL, but we need its firewall configuration moved onto an ASA 5505 running 7.2(4). Can someone please check whether the configuration below is correct? If anything needs to change, please help.


Cisco 873:





Current configuration : 5442 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ABXC
!
boot-start-marker
boot-end-marker
!
logging count
logging userinfo
logging buffered 51200 warnings
no logging console
enable secret 5 XXXXXXX.
!
no aaa new-model
!
resource policy
!
clock timezone EST 10
ip subnet-zero
ip cef
!
!
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tcp
ip inspect name firewall tftp
ip inspect name firewall udp
ip inspect name firewall vdolive
ip inspect name firewall smtp
ip domain name nph.com.au
ip name-server 202.xx.xx.68
!
!
crypto pki trustpoint TP-self-signed-1043400621
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1043400621
 revocation-check none
 rsakeypair TP-self-signed-1043400621
!
!
crypto pki certificate chain TP-self-signed-1043400621
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303433 34303036 3231301E 170D3032 30333031 30303036
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30343334
  30303632 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B74E BE67168A 4EC408C6 F9251228 EB9FE03D 47711E81 B378A366 86D025BE
  3BA155D0 00F3B41B 0C46BC21 8720BBEA 208F7882 201B5699 38472B7C 798A24BF
  ED9CBBE5 7AD31DDA 36B9E538 8F6C9BA1 F5B6B507 AC47234E 8362A372 94F1110A
  D58428F7 54BF6CAA 49591A32 488E2F51 351D458D 4561DE1A 6B6C056E 58994880
  F7F50203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 1441C472 992A94B4 3A4A9ECF 1A386453 C00BD4F4
  41301D06 03551D0E 04160414 41C47299 2A94B43A 4A9ECF1A 386453C0 0BD4F441
  300D0609 2A864886 F70D0101 04050003 81810094 B3197EB1 054E82DD 4F8F033F
  33BD0B01 511D9449 109BA2E9 4B013D9A 22D7AF49 2A402F69 D862FD37 28687895
  343B1FB3 B161AB63 3836C168 25275896 11E2B828 585B7187 A53AE424 CA12F341
  F58B90DB 53F2C018 5480C7D8 AD3E41AB C9C5D5CC 1F700C17 ED7B097B 85512E43
  D9878792 A66ABF71 FE6C95F1 6F1C5AE1 F433EE
  quit
username root password 7 xxxxxxxxxxxxxxxxx
username admin password 7 yyyyyyyyyyyyyyyy
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 18
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group clients
 key abc$abc$
 dns 10.0.0.7
 wins 10.0.0.7
 domain ABXC.com.au
 pool clients
 acl 199
!
!
crypto ipsec transform-set strong1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set strong1
!
!
crypto map axis isakmp authorization list groupauthor
crypto map axis client configuration address respond
crypto map axis 20 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 1/34
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.0.0.254 255.0.0.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 description Internet Network
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 000000000000000000
 ppp chap password 7 11111111111111111
!
ip local pool clients 192.168.10.1 192.168.10.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.0.0.241 3391 interface Dialer1 3391
ip nat inside source static tcp 10.0.0.241 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.7 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.241 443 interface Dialer1 443
ip nat inside source static tcp 10.0.0.240 1723 interface Dialer1 1723
ip nat inside source static tcp 10.0.0.243 5190 interface Dialer1 5190
ip nat inside source static tcp 10.0.0.7 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.7 3389 interface Dialer1 3390
ip nat inside source static tcp 10.0.0.8 3389 interface Dialer1 3389
ip nat inside source route-map dialer-route-map interface Dialer1 overload
!
logging origin-id hostname
logging 10.0.0.7
access-list 108 deny   ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
access-list 108 permit ip 10.0.0.0 0.255.255.255 any
access-list 199 permit ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community NPH RO
no cdp run
route-map dialer-route-map permit 1
 match ip address 108
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 202.xx.xx.2
end

-----------------------------------------------------------------------------------------------

Cisco ASA 5505:



:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd xxxx encrypted
names
name 10.0.0.8 psvr03
name 10.0.0.7 psvr02
name 10.0.0.240 vsvr02
name 10.0.0.241 vsvr01
name 10.0.0.243 vwks02
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.242 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 125.xx.xx.238 255.0.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any interface outside eq 3391
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any host 125.xx.xx.238 eq 3391
access-list inbound extended permit tcp any host 125.xx.xx.238 eq smtp
access-list inbound extended permit tcp any host 125.xx.xx.238 eq http
access-list inbound extended permit tcp any host 125.xx.xx.238 eq https
access-list inbound extended permit tcp any host 125.xx.xx.238 eq pptp
access-list inbound extended permit tcp any host 125.xx.xx.238 eq pop3
access-list inbound extended permit tcp any host 125.xx.xx.238 eq 3389
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3391 vsvr01 3391 netmask 255.255.255.255
static (inside,outside) tcp interface smtp vsvr01 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https vsvr01 https netmask 255.255.255.255
static (inside,outside) tcp interface www psvr02 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp vsvr02 pptp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 psvr02 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 psvr02 3389 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 125.xx.xx.237 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http Axis 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
asdm image disk0:/asdm-524.bin
asdm location 10.0.0.0 255.0.0.0 inside
no asdm history enable



Thanks and Regards

Michael
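The port-forward table is the part of this migration that is easiest to get subtly wrong, so here is an added cross-check (editor's code, not from the thread or from Cisco) that parses the "ip nat inside source static" lines of the 873 config and the "name" and "static" lines of the ASA config quoted above, resolves the ASA service keywords and host aliases, and diffs the two by outside port. Run against the configs exactly as posted it reports three differences that are visible in the lines themselves: outside tcp/3389 goes to 10.0.0.8 on the 873 but to psvr02 (10.0.0.7) on the ASA, and the 873's forwards of tcp/3390 to 10.0.0.7:3389 and tcp/5190 to 10.0.0.243 have no ASA static at all. Two further things a practitioner would check here: every static also needs a matching permit in the outside ACL (the posted outside_access_in has one per static, so any static added later needs a new ACL line too), and the PPTP forward relies on the ASA translating the GRE leg of the tunnel, which through PAT requires "inspect pptp" in the policy-map; the posted global_policy does not include it.

```python
import re

# Port-forward lines copied from the two configurations posted in the
# question (only the lines this check needs); the addresses are the
# poster's, nothing here is constructed.
IOS_CONFIG = """
ip nat inside source static tcp 10.0.0.241 3391 interface Dialer1 3391
ip nat inside source static tcp 10.0.0.241 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.7 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.241 443 interface Dialer1 443
ip nat inside source static tcp 10.0.0.240 1723 interface Dialer1 1723
ip nat inside source static tcp 10.0.0.243 5190 interface Dialer1 5190
ip nat inside source static tcp 10.0.0.7 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.7 3389 interface Dialer1 3390
ip nat inside source static tcp 10.0.0.8 3389 interface Dialer1 3389
ip nat inside source route-map dialer-route-map interface Dialer1 overload
"""

ASA_CONFIG = """
name 10.0.0.8 psvr03
name 10.0.0.7 psvr02
name 10.0.0.240 vsvr02
name 10.0.0.241 vsvr01
name 10.0.0.243 vwks02
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3391 vsvr01 3391 netmask 255.255.255.255
static (inside,outside) tcp interface smtp vsvr01 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https vsvr01 https netmask 255.255.255.255
static (inside,outside) tcp interface www psvr02 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp vsvr02 pptp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 psvr02 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 psvr02 3389 netmask 255.255.255.255
"""

# ASA 7.x service keywords used in the posted lines, resolved to port numbers
# so that "smtp" on the ASA compares equal to "25" on the 873.
SERVICE_PORTS = {"smtp": 25, "https": 443, "www": 80, "http": 80,
                 "pptp": 1723, "pop3": 110}

def port(tok):
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]

IOS_STATIC = re.compile(
    r"^ip nat inside source static tcp (\S+) (\S+) interface \S+ (\S+)$")

def ios_forwards(cfg):
    """outside port -> (inside IP, inside port) from IOS static PAT lines."""
    fw = {}
    for line in cfg.splitlines():
        m = IOS_STATIC.match(line.strip())
        if m:
            inside_ip, inside_port, outside_port = m.groups()
            fw[port(outside_port)] = (inside_ip, port(inside_port))
    return fw

ASA_NAME = re.compile(r"^name (\S+) (\S+)$")
ASA_STATIC = re.compile(
    r"^static \(inside,outside\) tcp interface (\S+) (\S+) (\S+) netmask")

def asa_forwards(cfg):
    """Same shape as ios_forwards(), with 'name' aliases resolved to IPs."""
    names, fw = {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        m = ASA_NAME.match(line)
        if m:
            names[m.group(2)] = m.group(1)
            continue
        m = ASA_STATIC.match(line)
        if m:
            outside_port, host, inside_port = m.groups()
            fw[port(outside_port)] = (names.get(host, host), port(inside_port))
    return fw

def diff_forwards(old, new):
    """Forwards only on the old box, only on the new box, or retargeted."""
    missing = {p: t for p, t in old.items() if p not in new}
    extra = {p: t for p, t in new.items() if p not in old}
    changed = {p: (old[p], new[p]) for p in old
               if p in new and old[p] != new[p]}
    return missing, extra, changed

if __name__ == "__main__":
    missing, extra, changed = diff_forwards(ios_forwards(IOS_CONFIG),
                                            asa_forwards(ASA_CONFIG))
    for p, (ip, ipt) in sorted(missing.items()):
        print(f"MISSING on ASA : tcp/{p} -> {ip}:{ipt}")
    for p, (ip, ipt) in sorted(extra.items()):
        print(f"EXTRA on ASA   : tcp/{p} -> {ip}:{ipt}")
    for p, (o, n) in sorted(changed.items()):
        print(f"RETARGETED     : tcp/{p} was {o[0]}:{o[1]}, "
              f"ASA sends it to {n[0]}:{n[1]}")
```

The check deliberately keys on the outside port rather than on the inside host, because that is what an external client (or an attacker scanning the ADSL address) sees; a forward that lands on the wrong inside host after a migration is a reachability problem and an exposure problem at the same time.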

Correct Answer
Nagaraja Thanthry (Cisco Employee) Mon, 08/23/2010 - 19:32

Hello,


Everything else looks good except that the access-list is not applied to any interface. Also, the policy NAT is missing.


access-group outside_access_in in interface outside


access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0


nat (inside) 0 access-list nonat


Other than above three lines, everything else looks good.


Hope this helps.


Regards,


NT
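The diagnosis above is a structural one: on the ASA an access-list does nothing until something consumes it by name (an access-group binding, a "nat ... access-list" or policy static, a crypto map, a class-map), and an interface with no inbound ACL falls back to the implicit rules, which deny traffic from the lower-security outside to the higher-security inside. Below is an added lint (editor's code, not from the thread or from Cisco) that makes that check mechanical: it collects every ACL name defined by "access-list" and every name referenced by a consuming command, then reports ACLs that are defined but never bound and bindings that point at no ACL. It runs over the posted ACL lines as they were, over the same lines with the three from the answer appended, and over a constructed third input with a misspelled name on the access-group line; the thread never shows what the actual typo was, so that input is an assumption used only to exercise the undefined-reference check. Note that even with the fix applied the "inbound" ACL stays unbound: it duplicates outside_access_in against the interface address and can be removed.

```python
import re

# Access-list lines copied from the ASA configuration posted in the question,
# trimmed to the two ACLs; the posted config has no access-group or
# "nat ... access-list" line, which is the defect the answer points out.
POSTED = """
access-list outside_access_in extended permit tcp any interface outside eq 3391
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any host 125.xx.xx.238 eq 3391
access-list inbound extended permit tcp any host 125.xx.xx.238 eq smtp
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# The three lines from the answer.
FIX = """
access-group outside_access_in in interface outside
access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

# Constructed variant (an assumption, not the poster's actual typo, which the
# thread does not show): the ACL name is misspelled on the access-group line.
TYPO = """
access-group outside_acces_in in interface outside
"""

ACL_DEF = re.compile(r"^access-list (\S+) ")
# Commands in an ASA 7.x config that consume an ACL by name.
ACL_REFS = (
    re.compile(r"^access-group (\S+) "),
    re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"),
    re.compile(r"^static \(\S+\) \S+ access-list (\S+)"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
    re.compile(r"^match access-list (\S+)"),
)

def acl_bindings(cfg):
    """Return (defined, referenced) sets of ACL names found in cfg."""
    defined, referenced = set(), set()
    for line in cfg.splitlines():
        line = line.strip()
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        for pat in ACL_REFS:
            m = pat.match(line)
            if m:
                referenced.add(m.group(1))
    return defined, referenced

def lint(cfg):
    """ACLs that exist but filter nothing, and bindings that point at no ACL."""
    defined, referenced = acl_bindings(cfg)
    return {"unbound": defined - referenced, "undefined": referenced - defined}

if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED),
                       ("with the fix", POSTED + FIX),
                       ("with a misspelled access-group", POSTED + TYPO)):
        print(f"{label:32s} {lint(cfg)}")
```

An "undefined" hit is the more dangerous of the two findings: the ASA accepts the binding, the interface is now governed by an ACL with no entries, and every inbound connection dies at the implicit deny, which is the blank "implicit rule" line Packet Tracer shows. An "unbound" hit is merely dead configuration, but dead ACLs are where stale permits hide, so it is worth clearing them at migration time.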

jaidan2003 Mon, 08/23/2010 - 22:36

Hi NT,


Thanks for a quick reply.


I have added the 3 lines you told me about, but when I go to test it, it still will not let me get in from outside to inside. I tested with Packet Tracer in ASDM from outside to inside. It shows the packet being cut off at the "access list" lookup (implicit rule), which is blank.


Any idea why is this so?


Regards

Michael

Nagaraja Thanthry (Cisco Employee) Tue, 08/24/2010 - 08:08

Hello,


Can you please post your latest configuration again (with the changes you have made)?


Regards,


NT

jaidan2003 Tue, 08/24/2010 - 13:55

Hi NT,


Sorry, I found the typo I had made and have now made the changes correctly. It is all working now.


Thanks for the big help.


Regards

Michael
