Cisco Support Community

ASA 5505 Basic config- Myths Lies but no Videotapes

Okay, two issues. I should have reported partial success.

Issue 1. Cisco lies. ACLs are NOT performed before NAT. Or, more accurately, they don't mention UN-NAT.

I have a port translation in NAT for one set of external clients that can use port 80 at corporate but not the desired port of 5080 at the private server behind the ASA 5505 (single public WAN IP). So I ACL-ruled port 80 for them but not 5080 (no requirement, right, as NAT is done after ACL). WRONG, EFFING WRONG. I had no success with that server for them until this morning when I added... you guessed it, port 5080 to the ACL rule. Checking packet tracer, an UN-NAT process takes place before the ACL, switching the ports, the bugger.

So the moral is the router is frigging with NAT before the ACL rule.

In any case I now have all servers seemingly firing on all cylinders. This is based strictly on rudimentary logging in by a number of users but not much functionality. So it remains to be seen.

Issue 2. One particular service port is a pain to switch from source to destination or vice versa, UNLIKE all my other service ports. I do not know why, and here is the error message received.

object service TFS
[ERROR] service tcp destination eq 8080
Object is used in IPv6 access-list outside_access_in. Can't change IP to IPv4.
ERROR: object (TFS) updation failed due to internal error

Now I checked in ACLs and everywhere else. I have no IPv6 anywhere. So WTF, over. I was able to change the name of the service object, then change the port number, which let me create a new service object, which I then had to insert into the ACL rules, and then I could delete the now-old one. Any geniuses out there that can explain that one?

Issue 3. (Just checking to see if anyone noticed I said 2 above, LOL.) The whole discussion for static NAT and service port definition. They would NOT work when I chose source, and they WORK when I select destination. (They also did not work when I had both source and destination selected in service ports.) So on one hand there are the experts saying, oh lads, you have to put in source, it seems backwards but please do.... and on the other hand you have two facts: one, my setup works with them in destination, and EVERY DEFAULT service object uses destination.

Conclusion: too many docs, videos, blogs, discussions, forums, and only a vague sense of unease is my reward.

My runtime config:

: Saved
:
ASA Version 8.4(3)
!
hostname AgileDevelopment
enable password SrnWJ82Q9IsDq97j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
interface Vlan1
no forward interface Vlan12
nameif main-lan
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address ab.abc.def.230 255.255.255.248
!
interface Vlan12
nameif admin-dmz
security-level 100
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
clock timezone AST -2
clock summer-time ADT recurring
same-security-traffic permit inter-interface
object network obj_any_main-lan
subnet 0.0.0.0 0.0.0.0
description Applied by router ---> SNAT for main lan
object network TrustedInternetUsers
subnet ab.abc.def.0 255.255.255.0
object network Corporate-user
host 111.111.111.11
description Corpor Ojbect for access to TFS, OM
object network 3-remote-h
subnet 22.222.22.22 255.255.0.0
object network 3-remote-w
subnet 33.333.33.33 255.255.255.0
object network 1-remote
host 44.4.444.44
object network 2-remote
host 55.555.55.55
object network ISP-GatewayIP
host ab.abc.def.225
object network VS-pcIP
host 192.168.24.34
object network obj_any-admin-dmz
subnet 0.0.0.0 0.0.0.0
description Used to apply SNAT for DMZ (internet access)
object service input-port
service tcp destination eq www
object service OM1
service tcp destination eq 5080
object service OM2
service tcp destination eq 8088
object service OM3
service tcp destination eq https
object service RDP
service tcp destination eq 3389
object service RouterAdmin
service tcp destination eq 3334
object network NAT4OM3
host 192.168.24.34
object network NAT4OM1
host 192.168.24.34
object network NAT4OM2
host 192.168.24.34
object network NAT4RDP
host 192.168.24.34
object network NAT4TFS
host 192.168.24.34
object network NAT4WWW2OM1
host 192.168.24.34
object service TFS
service tcp destination eq 8080
object-group network Router-Admin
description Remote access to adjust router settings
network-object object TrustedInternetUsers
network-object object 2-remote
object-group network TFS-usergroup
description group Access TFS, Open Meetings and RDP
network-object object TrustedInternetUsers
network-object object 3-remote-h
network-object object 3-remote-w
network-object object 1-remote
network-object object 2-remote
object-group service OMServiceGroup
service-object object OM1
service-object object OM2
service-object object OM3
object-group service CorporateServiceGroup
service-object object OM2
service-object object OM3
service-object object input-port
service-object object OM1
access-list outside_access_in remark Access to VS-TFS
access-list outside_access_in extended permit object TFS object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object TFS object Corporate-user object VS-pcIP
access-list outside_access_in extended permit object RDP object-group TFS-usergroup object VS-pcIP
access-list outside_access_in remark Access to Open Meetings
access-list outside_access_in extended permit object-group OMServiceGroup object-group TFS-usergroup object VS-pcIP
access-list outside_access_in extended permit object-group CorporateServiceGroup object Corporate-user object VS-pcIP
pager lines 24
logging enable
logging list EventsListGeneral level informational class auth
logging list EventsListGeneral level informational class config
logging list EventsListGeneral level informational class vpn
logging list EventsListGeneral level informational class webvpn
logging list EventsListGeneral level informational class ssl
logging console informational
logging monitor informational
logging asdm informational
mtu main-lan 1500
mtu outside 1500
mtu admin-dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any_main-lan
nat (main-lan,outside) dynamic interface
object network obj_any-admin-dmz
nat (admin-dmz,outside) dynamic interface
object network NAT4OM3
nat (main-lan,outside) static interface service tcp https https
object network NAT4OM1
nat (main-lan,outside) static interface service tcp 5080 5080
object network NAT4OM2
nat (main-lan,outside) static interface service tcp 8088 8088
object network NAT4RDP
nat (main-lan,outside) static interface service tcp 3389 3389
object network NAT4TFS
nat (main-lan,outside) static interface service tcp 8080 8080
object network NAT4WWW2OM1
nat (main-lan,outside) static interface service tcp 5080 www
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ab.abc.def.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable 3334
http server session-timeout 60
http 192.168.2.0 255.255.255.0 admin-dmz
http 192.168.24.0 255.255.255.0 main-lan
http ab.abc.def.0 255.255.255.0 outside
http 44.4.444.44 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.24.0 255.255.255.0 main-lan
ssh ab.abc.def.0 255.255.255.0 outside
ssh 44.4.444.44 255.255.255.255 outside
ssh 192.168.2.0 255.255.255.0 admin-dmz
ssh timeout 10
ssh version 2
console timeout 0

dhcpd address 192.168.24.5-192.168.24.10 main-lan
dhcpd dns 22.222.22.22 22.222.22.23 interface main-lan
dhcpd enable main-lan
!
dhcpd dns 22.222.22.22 22.222.22.23 interface outside
!
dhcpd address 192.168.2.5-192.168.2.10 admin-dmz
dhcpd dns 22.222.22.22 22.222.22.23 interface admin-dmz
dhcpd enable admin-dmz
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 209.87.233.53 source outside
webvpn
username user5 password Xl5915GPBhncsPAQ encrypted
username user3- password mAVJxjP/lM8yc59F encrypted
username user4- password w7V/UFyrOwnQknqm encrypted
username user2- password .NJvJ7zi.ROsatP7 encrypted
username user1- password OZCdJRBWiCmcaFZ. encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d6d2f1e97de98c22132fe4b368a9afc4
: end
no asdm history enable
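The order the post ran into, modelled as an added example (not code from the post or from Cisco): on ASA 8.3+ the UN-NAT phase rewrites the mapped destination to the real server address and port before the interface ACL is checked, so the ACL has to permit the real port. The static PAT rules and addresses are taken from the config above; the outside interface address standing in for `interface`, and the ACL entries reduced to (source, real destination, real port) tuples, are assumptions of this model.

```python
"""ASA 8.3+ inbound flow as described in the post: UN-NAT first, then the
interface ACL is matched against the REAL (inside) address and port.
Added example only; placeholder addresses are the ones used in the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


# Assumption: the outside interface address stands in for "interface" in
# `nat (main-lan,outside) static interface service tcp <real> <mapped>`.
OUTSIDE_IP = "ab.abc.def.230"
VS_PC = "192.168.24.34"
CORP = "111.111.111.11"  # object network Corporate-user

# Static PAT rules from the config: mapped_port -> (real_ip, real_port)
STATIC_PAT = {
    443: (VS_PC, 443),    # NAT4OM3:     service tcp https https
    5080: (VS_PC, 5080),  # NAT4OM1:     service tcp 5080 5080
    8088: (VS_PC, 8088),  # NAT4OM2:     service tcp 8088 8088
    3389: (VS_PC, 3389),  # NAT4RDP:     service tcp 3389 3389
    8080: (VS_PC, 8080),  # NAT4TFS:     service tcp 8080 8080
    80: (VS_PC, 5080),    # NAT4WWW2OM1: service tcp 5080 www (port changes!)
}


def un_nat(pkt):
    """Phase UN-NAT: rewrite mapped destination to the real server and real port."""
    if pkt.dst_ip == OUTSIDE_IP and pkt.dst_port in STATIC_PAT:
        real_ip, real_port = STATIC_PAT[pkt.dst_port]
        return Packet(pkt.src_ip, real_ip, real_port)
    return pkt


def acl_permits(acl, pkt):
    """Phase ACCESS-LIST: entries are (source, real_dst_ip, real_dst_port)."""
    return any(s == pkt.src_ip and d == pkt.dst_ip and p == pkt.dst_port
               for s, d, p in acl)


def inbound_allowed(acl, pkt):
    """Packet survives only if the ACL permits the UN-NATted (real) tuple."""
    return acl_permits(acl, un_nat(pkt))


ACL_MAPPED_PORT = [(CORP, VS_PC, 80)]    # what the poster first permitted
ACL_REAL_PORT = [(CORP, VS_PC, 5080)]    # what UN-NAT actually hands the ACL

if __name__ == "__main__":
    corp_to_www = Packet(CORP, OUTSIDE_IP, 80)
    print(inbound_allowed(ACL_MAPPED_PORT, corp_to_www))  # False
    print(inbound_allowed(ACL_REAL_PORT, corp_to_www))    # True
```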
