So we have an inside network (172) and an outside network (11), and we want to install a 5510 in between.
Basically, I would want to be able to
#1) ssh into the 5510 from the outside network.
#2) I want outside users to be able to use RDC remote desktop connection from the outside to a couple of devices on the inside.
#3) couple of devices on the inside should be able to print to a networked printer on the outside network.
With these requirements, I set out to configure the 5510.
however, I cannot get anything to work.
no ssh, no telnet, no pings, and certainly no RDP.
My guess is that problems abound with the way my ACLs are set.
I'm attaching my sh run.
I took off the SSH from the configs and tried to at least get telnet working, but I was unsuccessful.
If anyone has any suggestions, I would be so very thankful and appreciative!
Also, 22.214.171.124 is the outside router (gateway).
126.96.36.199 is the IP of 5510 (outside)
172.16.4.231 is the IP of 5510 (inside)
Some of the inside devices have IPs starting with 172.16.4.1, and I have static NAT configured so some of the inside devices can access the web and maybe print?
First off, do you really need to limit access from your inside network to your outside network? Second, for your internet users you should probably not do static NAT unless you only have 1 or 2 machines using the internet. You will also need to add the command "no nat-control"; without this command anything that isn't getting NAT'd will not be allowed to pass the firewall. If you don't want to add it you need to NAT every address to itself for them to pass. That could be your biggest problem.
Please rate if this helps!
Yes, I only have about 5 inside machines that need to access the web and an outside server to dump data, so NAT'ing the 5 devices should be OK.
My biggest concern is my ability to SSH into the firewall and for all outside users to be able to RDC into the inside machines. How do I set those two things up?
Good point about "no nat-control", thefindjack. Remember that "no nat-control" is the default, though.
NAT control used to be the default in older versions, though, so "nat-control" can show up in the configuration if the device was upgraded from an older version of the software.
You can't even ping the outside address of the ASA? You should, based on the configuration.
With regards to SSH access to the ASA, you need to explicitly permit SSH access. You do this with the "ssh" command, as in:
ssh 188.8.131.52 255.255.255.0 outside
You also need to set the telnet password (which is also used for SSH if no AAA config.) via the command "password". You will then SSH in using the username "pix" and that password. You can also use "aaa authentication ssh console
The statics for your Windows machines (which you'll access via RDP) look fine.
A potential problem I see is the ACL applied to the inside interface - it's too restrictive. If that is what you need that is okay, of course, but I recommend that you set the logging level to debug ("logging console debug" if you are at the console) and try to connect - you'll see the debugging messages indicating what traffic has been denied.
For the inside host to get out you need to configure NAT if your printers on the outside can't talk to the RFC 1918 address you are currently using on the inside. You can start with a simple NAT configuration. For example:
nat (inside) 1 0 0
global (outside) 1 interface
This will allow your internal hosts to go out using PAT and the outside interface of the ASA.
Hope this helps.
I consoled into the firewall and tried to ping my 184.108.40.206 gateway router from the 5510's outside interface; I was not able to ping.
Then I proceeded to ping one of the inside machines using the 5510 inside interface IP; again, I was not able to ping.
Regarding SSH, yes, I had it configured as
ssh 220.127.116.11 255.255.255.0 outside
but this did not work.
I double and triple checked my connections at the back of the 5510.
Also, I tried all the above via ASDM but it did not work.
I do remember inserting the "no nat-control" command and then taking it off.....
Also, how can I make my ACLs the least restrictive so I can at least get the SSH/telnet working, since the 5510 is in another building on my campus?
I'm just at a loss for ideas...
Does "sh int" on the ASA show the interfaces as up/up? And what about "sh int" on the switch the ASA is connected to? If the ASA is directly connected to a router or cable modem, are you using a crossover cable?
You can enable a packet capture and see what is going on. For example:
capture mycapture interface outside
Then try to ping and then run "show capture mycapture" to see what the ASA is seeing.
Nothing will work if you don't have basic IP connectivity first, so you need to fix that before you can move on to configuring SSH, NAT, etc.
OK, this is way too embarrassing.
I had the cables plugged incorrectly into the 5510.
I don't know what to say...
Now SSH from outside works fine.
Inside the 5510, all devices can ping the 5510.
How do I enable ASDM from the outside?
When I try to launch ASDM, it gives me an error saying the device manager cannot be launched from the IP address 18.104.22.168 (this is the 5510's outside interface IP).
OK, I finally got ASDM to work on the outside interface also.
But I'm still stuck with the core problem of RDC.
I'm able to get to the logon screen of the inside devices but cannot successfully RDC in.
My access list 110 is applied to the ingress of interface outside.
Maybe I need an access list on the interface inside also? Ingress or egress?
This is my sh run:
ASA Version 8.0(3)
enable password xxx
ip address 11.x.x.100 255.255.255.0
description XYZ Network
ip address 172.16.4.231 255.255.252.0
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa803-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 110 extended permit tcp any host 22.214.171.124 eq 3389
access-list 110 extended permit tcp any host 126.96.36.199 eq 3389
pager lines 24
logging asdm informational
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
static (inside,outside) 188.8.131.52 172.16.4.53 netmask 255.255.255.255
static (inside,outside) 184.108.40.206 172.16.4.1 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 220.127.116.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 18.104.22.168 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 management
no crypto isakmp nat-traversal
telnet timeout 30
ssh 22.214.171.124 255.255.255.0 outside
ssh 172.16.4.0 255.255.252.0 inside
ssh timeout 15
You don't need an ACL applied to the inside interface unless you want to prevent some inside host from going out. This is because traffic from a high security interface (interface inside has a security level of 100) going to a low security interface (interface outside has a security level of 0) is permitted by default. The opposite (from low to high) is not permitted by default, which is why you need an ACL applied to the outside interface.
Anyway, back to the problem at hand - if you get the Windows logon screen things should work just fine. I can't see anything at layer 3 or 4 (on the ASA) that would prevent things from working.
When you say "cannot successfully RDC in", does the RDC window suddenly disappear, or you get some error message there? Can you RDC in successfully from 172.16.4.53 to 172.16.4.1, for example? Any errors in the Windows event log?
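The answer above turns on the pre-8.3 rule that an ACL applied inbound on the outside interface matches the mapped (global) address, and that inbound traffic only reaches an inside host if a static translation exists for that mapped address. As an added example (not code from the thread or from Cisco), the script below parses the three statement types involved, access-list extended, static and access-group, and resolves every permitted destination on the outside interface back to the inside host it is translated to. The sample config and all addresses are constructed placeholders, not the poster's real addresses.

```python
"""Audit which inside hosts an ASA 8.0-style configuration exposes to the outside.

Added example. Assumes pre-8.3 NAT semantics (the thread's device runs 8.0(3)):
an inbound ACL on the outside interface references mapped/global addresses,
so each permitted destination must be resolved through a static to find the
real inside host. Network statics (netmask other than /32) are handled by
carrying the host offset from the mapped network into the real network.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config using RFC 5737 documentation addresses.
SAMPLE_CONFIG = """
access-list 110 extended permit tcp any host 203.0.113.10 eq 3389
access-list 110 extended permit tcp any host 203.0.113.11 eq 3389
access-list 110 extended permit tcp any host 203.0.113.12 eq 443
static (inside,outside) 203.0.113.10 172.16.4.53 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 172.16.4.1 netmask 255.255.255.255
access-group 110 in interface outside
"""

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>\w+),(?P<mapped_if>\w+)\)\s+(?P<mapped>\S+)\s+"
    r"(?P<real>\S+)\s+netmask\s+(?P<mask>\S+)"
)
GROUP_RE = re.compile(r"^access-group\s+(?P<name>\S+)\s+in\s+interface\s+(?P<iface>\w+)")


def parse_config(text):
    """Return (acls, statics, groups) from the supported statement types."""
    acls = defaultdict(list)   # ACL name -> list of parsed entries
    statics = []               # (mapped, real, mask, real_if, mapped_if)
    groups = {}                # interface -> ACL applied inbound
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m["name"]].append(m.groupdict())
        elif m := STATIC_RE.match(line):
            statics.append((m["mapped"], m["real"], m["mask"], m["real_if"], m["mapped_if"]))
        elif m := GROUP_RE.match(line):
            groups[m["iface"]] = m["name"]
    return acls, statics, groups


def resolve_static(dst, statics, mapped_if):
    """Map a mapped/global address seen on mapped_if to its real inside address."""
    d = ipaddress.ip_address(dst)
    for mapped, real, mask, real_if, s_mapped_if in statics:
        if s_mapped_if != mapped_if:
            continue
        mapped_net = ipaddress.ip_network(f"{mapped}/{mask}", strict=False)
        if d in mapped_net:
            offset = int(d) - int(mapped_net.network_address)
            real_net = ipaddress.ip_network(f"{real}/{mask}", strict=False)
            return str(real_net.network_address + offset), real_if
    return None


def exposed_services(text, outside_if="outside"):
    """Return (reachable, dangling): inside (host, proto, port) triples reachable
    from outside_if, and permitted destinations with no static translation."""
    acls, statics, groups = parse_config(text)
    reachable, dangling = [], []
    acl_name = groups.get(outside_if)
    if acl_name is None:
        return reachable, dangling   # low-to-high traffic is denied without an inbound ACL
    for e in acls[acl_name]:
        if e["action"] != "permit":
            continue
        hit = resolve_static(e["dst"], statics, outside_if)
        if hit is None:
            dangling.append((e["dst"], e["proto"], e["port"]))
        else:
            reachable.append((hit[0], e["proto"], e["port"]))
    return reachable, dangling


if __name__ == "__main__":
    ok, bad = exposed_services(SAMPLE_CONFIG)
    for host, proto, port in ok:
        print(f"exposed: {proto}/{port} -> inside host {host}")
    for dst, proto, port in bad:
        print(f"permitted but untranslated (unreachable): {proto}/{port} -> {dst}")
```

Running it over the sample prints the two RDP exposures and flags the 443 entry, which is permitted by the ACL but has no static, so it can never reach an inside host. The same dangling check is a quick way to spot the reverse mistake: a static with no permitting ACL entry produces no exposure but also no working service.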
Yeah, the RDP is still an issue.
When I try an RDC from an outside device, I get a screen to enter my credentials. This screen DOES NOT mean that there is a valid IP transport present to the inside machine. I verified this with another machine that was switched off and I still got the credential screen.
Anyway, once I enter the credentials (I verified that I had the correct username/password), the RDC is still blocked.
I fired up my ASDM and enabled logging.
I see one error as shown below:
6 Nov 15 2007 11:38:45 302014 126.96.36.199 172.16.4.1 Teardown TCP connection 261 for outside:188.8.131.52/1692 to inside:172.16.4.1/3389 duration 0:00:30 bytes 0 SYN Timeout
Also, yes, I can successfully RDC from 172.16.4.53 to 172.16.4.1.
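The 302014 line above is the useful clue: "bytes 0 SYN Timeout" means the ASA accepted the packet through the ACL and static (it built connection 261 and logged the teardown), but never saw a SYN-ACK from the inside host before the embryonic timeout expired, which defaults to the 30 seconds shown as the duration. As an added example, not code from the thread or from Cisco, the script below parses 302014 teardown messages in both the ASDM columnar form quoted above and the raw syslog form, classifies each teardown reason, and counts unanswered SYNs per inside destination. All log lines are constructed with documentation addresses.

```python
"""Classify ASA %ASA-6-302014 TCP teardown messages and count unanswered SYNs.

Added example. It assumes the standard teardown text
'Teardown TCP connection N for IF:IP/PORT to IF:IP/PORT duration H:MM:SS bytes B REASON'
and treats 'SYN Timeout' with zero bytes as "inside host never replied", which
points past the firewall policy to the host itself (host firewall, wrong
default gateway, or layer 2) rather than to the ACL or static.
"""
import re
from collections import Counter

TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.+?))?\s*$"
)

# Constructed sample log lines (RFC 5737 addresses), mixing ASDM and syslog forms.
SAMPLE_LOG = [
    # ASDM columns: severity, date, time, message id, source, destination, text
    "6 Nov 15 2007 11:38:45 302014 203.0.113.10 172.16.4.1 Teardown TCP connection 261 "
    "for outside:198.51.100.7/1692 to inside:172.16.4.1/3389 duration 0:00:30 bytes 0 SYN Timeout",
    # raw syslog form of the same kind of event
    "%ASA-6-302014: Teardown TCP connection 262 for outside:198.51.100.7/1693 "
    "to inside:172.16.4.1/3389 duration 0:00:30 bytes 0 SYN Timeout",
    # a healthy RDP session that ended normally
    "%ASA-6-302014: Teardown TCP connection 263 for outside:198.51.100.9/40112 "
    "to inside:172.16.4.53/3389 duration 0:12:07 bytes 884120 TCP FINs",
    # inside host answered with a reset: port closed or a rejecting host firewall
    "%ASA-6-302014: Teardown TCP connection 264 for outside:198.51.100.9/40113 "
    "to inside:172.16.4.53/3390 duration 0:00:00 bytes 0 TCP Reset-I",
]


def parse_teardown(line):
    """Return the parsed fields of a 302014 message, or None for other lines."""
    m = TEARDOWN_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = int(entry["bytes"])
    entry["reason"] = entry["reason"] or ""
    return entry


def classify(entry):
    """Label a teardown: 'no-reply' (SYN never answered), 'refused' (reset from
    the destination side with no payload), or 'normal'."""
    if entry["reason"] == "SYN Timeout" and entry["bytes"] == 0:
        return "no-reply"
    if entry["reason"] == "TCP Reset-I" and entry["bytes"] == 0:
        return "refused"
    return "normal"


def unanswered_syns(lines):
    """Count 'no-reply' teardowns per (dst_if, dst_ip, dst_port)."""
    counts = Counter()
    for line in lines:
        entry = parse_teardown(line)
        if entry and classify(entry) == "no-reply":
            counts[(entry["dst_if"], entry["dst_ip"], entry["dst_port"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        e = parse_teardown(line)
        print(f"conn {e['conn']} -> {e['dst_ip']}/{e['dst_port']}: {classify(e)} ({e['reason']})")
    for (dst_if, ip, port), n in unanswered_syns(SAMPLE_LOG).items():
        print(f"{n} unanswered SYN(s) to {dst_if}:{ip}/{port}; check that host's firewall and default gateway")
```

The distinction between the three labels is what makes the summary actionable: "no-reply" means the firewall forwarded the SYN and nothing came back, "refused" means the host is reachable but not listening (or its own firewall is rejecting), and only "normal" confirms the service actually works end to end.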
You need to enable the HTTPS server and configure HTTP access:
http server enable
http 0.0.0.0 0.0.0.0 inside
http 184.108.40.206 255.255.255.0 outside
This enables the HTTPS server and then provides access from anywhere on the inside, and only from 220.127.116.11/24 on the outside.
Then you need to specify the ASDM image, like:
asdm image flash:/asdm-523.bin
(based on the config. you provided you already have this, so you're good to go there.)