Afternoon guys,

I have decided I want to learn Cisco so made the decision to pick up a used ASA 5505 from ebay and use it as my main firewall/router. I have it installed and working but have a few questions about configuration, as some of what i have done seems like a very inefficient way of setting things up.

My Basic config is this

O2 ADSL Modem in bridge only mode  192.168.1.254 > ASA 5505 Public Static IP >ASA Inside 192.168.1.1 > Rest of internal LAN.

I have spotted this blog post that details how to get to the modems WebUI through a Cisco router, But i am not sure how I would implement it in my network setup so would like advice on this.

http://en.tiagomarques.info/2011/05/access-your-modem-webui-behind-a-cisco-router-bridged-configuration/

O2 Modem IP: 192.168.1.254
 ASA inside IP: 192.168.1.1
Apple Airport: 192.168.1.2 (Wireless Bridge)
LAN : 192.168.1.0/24 (VLAN 1)

The other thing I would like to ask is about PAT, I have configured it to allow Ports 3074TCP/UDP and 88TCP inbound to my Xbox to allow Xbox live to work. But I would like to know if there is a better way to do this using object groups.

This is currenlty how I set it up,

object network xbox_udp_3074
host 192.168.1.5
nat (inside,outside) static interface service udp 3074 3074
exit
access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074
object network xbox_tcp_3074
host 192.168.1.5
nat (inside,outside) static interface service tcp 3074 3074
exit
access-list acl_outside extended permit udp any object xbox_tcp_3074 eq 3074
object network xbox_udp_88
host 192.168.1.5
nat (inside,outside) static interface service udp 88 88
exit
access-list acl_outside extended permit udp any object xbox_udp_88 eq 88

What I would like to know is there a better more efficient way of setting this up as I have 3 network objects with 3 NAT statements and 1 ACL.

Finally I have attempted to configure a Client VPN on the ASA and it works and connects but the problem is it only appears to let web traffic through. If i connect using the VPN built into my iPhone and try a ping using using Ping Lite app i dont get any responce's. but if you open safari and put in 192.168.1.4 I get the WebUI of my NAS device if i try to RDP to my home server the connection times out. If i drop the VPN and connect to Wifi i can ping and RDP from my phone ok so it must be a config problem.

Below is my full config I have masked the password and cryptochecksum

: Saved
: Written by enable_15 at 02:08:45.939 GMT Sat Apr 21 2012
!
ASA Version 8.4(3) 
!
hostname warrillow-asa1
domain-name warrillow.local
enable password (Masked) encrypted
passwd (Masked) encrypted
names
!
interface Ethernet0/0
 description physical connection to O2 Box IV
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 description to inside VLAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 description to outside interface (O2 Modem)
 nameif outside
 security-level 0
 ip address (Public Static IP) 255.255.254.0 
!
ftp mode passive
clock timezone gmt 0
clock summer-time GMT recurring
dns server-group DefaultDNS
 domain-name warrillow.local
object network obj_any
 subnet 192.168.1.0 255.255.255.0
object service playOn
 service tcp destination eq 57331 
object service service_xbox_udp_88
 service tcp destination eq 88 
object network HomeServer_tcp_57331
 host 192.168.1.250
object network xbox_udp_3074
 host 192.168.1.5
object network xbox_tcp_3074
 host 192.168.1.5
object network xbox_udp_88
 host 192.168.1.5
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service xbox_live tcp-udp
 port-object eq 3074
 port-object eq 88
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list acl_outside extended permit icmp any any object-group DefaultICMP 
access-list acl_outside extended permit tcp any object HomeServer_tcp_57331 eq 57331 
access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074 
access-list acl_outside extended permit tcp any object xbox_tcp_3074 eq 3074 
access-list acl_outside extended permit udp any object xbox_udp_88 eq 88 
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.0.0.2-10.0.0.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
object network HomeServer_tcp_57331
 nat (inside,outside) static interface service tcp 57331 57331 
object network xbox_udp_3074
 nat (inside,outside) static interface service udp 3074 3074 
object network xbox_tcp_3074
 nat (inside,outside) static interface service tcp 3074 3074 
object network xbox_udp_88
 nat (inside,outside) static interface service udp 88 88 
access-group acl_outside in interface outside
route outside 0.0.0.0 0.0.0.0 (Public Static IP) 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac 
crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
crypto map warrillow 65535 ipsec-isakmp dynamic dynmap
crypto map warrillow interface outside
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 30
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy Warrillow internal
group-policy Warrillow attributes
 wins-server none
 dns-server value 192.168.1.250
 vpn-idle-timeout 120
 vpn-tunnel-protocol ikev1 
 default-domain value warrillow.local
username mattw password (Masked) encrypted privilege 15
tunnel-group Warrillow-VPN type remote-access
tunnel-group Warrillow-VPN general-attributes
 address-pool vpnpool
 default-group-policy Warrillow
tunnel-group Warrillow-VPN ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
hpm topN enable

EDIT: to remove public IP from config posted