Need some help getting started with ASA 5510: Help needed!

thecoffeeguy
Level 1

Well, I have very, very limited experience with ASA and PIX. My new job here has an ASA appliance and I am going to be taking over the duties for it. Which is fine and great and I look forward to it. I am just a little "raw" and need some help.

I will be back here a lot :) , and will post my configs as I look for suggestions and help.

In the meantime, I have been asked to setup a VPN connection, using PPTP from the vendors location (public IP addresses have been given) to servers within our network.

I went out and grabbed some ASA books (Hucaby Handbook) and will be going over it.

In the meantime, does anyone have suggestions on how to get started?

In a nutshell, I need a crash course to get up to speed.

Thanks for the help.

Jason

8 Replies

thecoffeeguy
Level 1

OK... I have some more information. I have been reading up on some documentation A LOT. Just need some feedback here.

I have a list of 7 public IP addresses for the originating PPTP connections from our vendor. I will have the public IP address that will be mapped to our internal authentication server.

For now, let's say the public IP address is 20.10.5.2 (remember, I have 6 more).

Say our internal Authentication server is:

172.15.5.1 inside, public outside is: 32.16.8.4

For simplicity.

When setting up the ACLs, would it be something like this?

access-list inbound_pptp_traffic permit gre host 20.x.5.2 host 32.16.8.4

access-list inbound_pptp_traffic permit tcp host 20.x.5.2 host 32.16.8.4 eq 1723

static (inside,outside) 32.x.x.4 172.15.5.1 255.255.0.0

access-group inbound_pptp_traffic in interface outside

Is that right so far?

If it is right, do I need to set up 7 individual rules, one for each public IP address, to get to the internal server?

Thanks.

Let me edit this again:

20.10.5.2 -- remote host making connection

32.16.8.4 -- public IP statically assigned to internal authentication server

access-list inbound_pptp_traffic permit gre host 20.10.5.2 host 32.16.8.4

access-list inbound_pptp_traffic permit tcp host 20.10.5.2 host 32.16.8.4 eq 1723

static (inside,outside) 32.16.8.4 172.15.5.1 netmask 255.255.255.255

access-group inbound_pptp_traffic in interface outside

That look right?

Do I need to set up a rule to make sure the return traffic gets through?

Thanks.

Can anyone tell me if I am on the right track? :)

Hi,

Are you setting up a tunnel between the two locations?

If not, then it's absolutely right.

For inbound connections over normal internet traffic, we need to have a static statement for the mapping and translation, and an access-list on the outside interface permitting the traffic.

If it's a VPN tunnel (not VPN passthrough), then you might need to set up a lot of VPN configuration, for both the phase 1 and phase 2 sets on both ends.

If it's just passthrough and the firewall is not acting as the terminating point of the tunnel, then you are on the right track.

Thanks for the feedback. Yes, it is not a tunnel between two locations. Just remote connections.

I set up network objects so I did not have to put in 14 rules.

Thanks for the help!

TCG
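A worked version of the passthrough rule set this thread converges on, written here as an added example rather than configuration taken from any of the posts. It uses the thread's addresses (vendor host 20.10.5.2, mapped public address 32.16.8.4, real server 172.15.5.1) and the pre-8.3 `static` syntax the poster is using, and it collapses the seven vendor hosts into an `object-group` so that two ACL lines replace fourteen. Only one vendor address appears in the thread; the other two group members, the object-group name and the ACL name `outside_in` are placeholders to be replaced with the real values.

```cisco
! Added example (not from the thread): PPTP passthrough on an ASA running
! pre-8.3 NAT syntax, matching the static/access-group style used above.
! Lines starting with '!' are ignored when pasted into configure mode.

! The vendor's public addresses that will open PPTP sessions to us.
! Only 20.10.5.2 is given in the thread; the others are placeholders.
object-group network VENDOR_PPTP_CLIENTS
 network-object host 20.10.5.2
 network-object host 192.0.2.10
 network-object host 192.0.2.11
! ... add the remaining vendor hosts here, one network-object per host

! One-to-one static translation: public 32.16.8.4 <-> internal 172.15.5.1.
! 'netmask' is a required keyword in this form of the command.
static (inside,outside) 32.16.8.4 172.15.5.1 netmask 255.255.255.255

! Inbound ACL on the outside interface. Pre-8.3, the ACL matches the
! translated (public) address, so the destination is 32.16.8.4.
! PPTP needs two things: the TCP/1723 control channel and GRE (IP
! protocol 47) for the tunnelled data. Referencing the object-group
! expands each line to one ACE per vendor host.
access-list outside_in extended permit tcp object-group VENDOR_PPTP_CLIENTS host 32.16.8.4 eq 1723
access-list outside_in extended permit gre object-group VENDOR_PPTP_CLIENTS host 32.16.8.4

! Only one ACL can be bound per interface and direction. Binding outside_in
! replaces whatever 'access-group ... in interface outside' was applied
! before, so merge any existing inbound rules into this same ACL instead
! of creating a second one.
access-group outside_in in interface outside

! Verification, from exec mode (not config mode):
!   show access-list outside_in
!       per-ACE hit counts, expanded per object-group member
!   show xlate
!       confirms the 32.16.8.4 <-> 172.15.5.1 static translation exists
!   show conn address 20.10.5.2
!       live TCP/1723 and GRE connections from the first vendor host
!   packet-tracer input outside tcp 20.10.5.2 1025 32.16.8.4 1723
!   packet-tracer input outside rawip 20.10.5.2 47 32.16.8.4
!       simulate the control channel and a GRE packet through NAT and ACL
!       (packet-tracer is available from ASA 7.2 onwards)
```

Two caveats worth knowing. First, the return traffic question from the post: because the ASA is stateful, the replies for both the TCP/1723 session and the GRE flow are matched against the connection table, so no outbound ACE is needed for the server's responses. Second, the ASA also has a PPTP inspection (`inspect pptp` under the global policy-map) that watches the TCP/1723 negotiation and opens the matching GRE flow dynamically; with the explicit GRE permit above it is optional, but it is the cleaner approach if the vendor's address list changes often. On ASA 8.3 and later the translation is expressed instead as an `object network` with a `nat (inside,outside) static 32.16.8.4` line, and the inbound ACL then references the real address 172.15.5.1 rather than the mapped one.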

Hi,

1) As you can have only one access-group (ACL) per interface, maybe it's better to use a generic name like "outside_in".

2) The ASA is a stateful firewall.

Yep... made sure my ACL name is the same, to match what already exists.

Appreciate it.
