Cisco Support Community
Community Member

Newbie need help ASA5505

This is my first time trying to bring an ASA5505 into a network. I cannot get internet access - I also want to be able to RDP into the server from the outside. I used the startup wizard in the ASDM software, but still cannot get internet access....I think it has to do with NAT/PAT, but not sure where to go from here to fix this......any help is greatly appreciated - here is the running-config....we don't need DHCP as we use it on the server, and any other suggestions would be appreciated for best practices

Accepted Solution
Super Bronze

Newbie need help ASA5505

Hi,

For Internet access you are lacking the default route from the ASA, add the default route with the correct gateway IP

route outside 0.0.0.0 0.0.0.0

If you are having problems with ICMP then add

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

For the NAT / Static PAT do the following changes

object network RDP
 host 192.168.1.106
 no nat (outside,inside) static 192.168.1.106 net-to-net service tcp 3389 3389
 nat (inside,outside) static interface service tcp 3389 3389

Notice that the above changes are done under the "object". So first issue the command "object network RDP" to move into the correct configuration mode. Then you will enter the correct source "host" for the "nat" configuration. Finally you will remove the current "nat" command and enter the new "nat" command.

What the new "nat" command does is Static PAT (Port Forward) for the internal host 192.168.1.106, using the public IP address of your "outside" interface because we have used the parameter "interface" in the configuration.

You will naturally also need an "access-list" to permit traffic from the external/public network. The thing to consider here is whether you know the public source IP address where the RDP connections are coming from. Are you always connecting from the same public IP address? If you do know the source IP address then insert it into the below ACL

access-list OUTSIDE-IN remark Allow RDP connections
access-list OUTSIDE-IN permit tcp host object RDP eq 3389

If you don't know the public source IP address where you connect with RDP then you will have to use "any" instead of "host". Though that will naturally open up this port for any public/external user to try connecting to your server. In this case you would add the ACL

access-list OUTSIDE-IN permit tcp any object RDP eq 3389

With either of the above ACLs you will have to attach it to the ASA interface also with the command

access-group OUTSIDE-IN in interface outside

Naturally you also have the option to configure VPN Client on the ASA in which case you get secure access to the internal servers without opening any connections from the external/public network.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more though

- Jouni

10 REPLIES
Community Member

Re: Newbie need help ASA5505

Thank you very much for your patience and help - please check my current work - a few questions:

1) with the outside default route - I see in the outside route it added the number 1 on the end - I think this means default admin distance of 1 hop?

2) I think the RDP needs some more work....do I need to remove this line:

nat (inside,outside) after-auto source dynamic any interface

3) I see under policy_map global_policy it added inspect icmp and inspect icmp error - so this is working? This is for pings outside of LAN?

.....also want to setup VPN, but will need help with that too

Super Bronze

Newbie need help ASA5505

Hi,

Did the connection to the Internet work after adding the default route? I didn't see anything else that should be a problem.

If you added the needed NAT and ACL Configurations then it should work unless there are some problems on the actual server.

You can try the "packet-tracer" command on the ASA to test its configurations

packet-tracer input outside tcp 12345 3389

Insert that matches the ACL rule you created and insert your public IP address configured on the ASA to the .

Post that output

You should not remove the other "nat" configuration as that is the Dynamic PAT translation for all the LAN users towards Internet.

The ICMP inspections are basically meant to automatically allow the ICMP Echo reply back to the host on the LAN if it sends ICMP to something on the Internet.

For VPN you would have to use either the old Cisco IPSec VPN Client or the Cisco AnyConnect Client, depending on whether you have the software for that on the ASA. The actual configuration is probably best done through the Wizard, and if it doesn't work then we could look at the configuration again.

- Jouni

Silver

Newbie need help ASA5505

It could be related to needing to define IPv4 on the ACL, but please run the packet tracer; it should tell us.

Value our effort and rate the assistance!
Community Member

Re: Newbie need help ASA5505

OK - I dropped it in and everything seems to be working.....I have internet and I can RDP in from the outside.....but packet tracer is failing from the ASDM....it does pass when run from the command line.......I have attached the current config

Super Bronze

Newbie need help ASA5505

Hi,

What did you add?

If the "packet-tracer" goes through from the CLI and not from the ASDM then you have probably given some wrong information on the ASDM Side in its GUI.

Main thing is that connections are working. At least I understood so from your reply?

- Jouni

Community Member

Re: Newbie need help ASA5505

yes - we are working - thanks....for the packet tracer in ASDM:

For interface - select outside

Source IP - my public IP address

Source port - 12345

Destination IP: 192.168.1.106

Destination port: 3389

Is this correct?

Super Bronze

Re: Newbie need help ASA5505

Hi,

No, it should be

  • Source IP: 1.1.1.1 (for example)
  • Destination IP: your public IP

Please remember to mark a reply as the correct answer if it answered your question and rate helpful answers

Though naturally ask more if there is still something that needs looking into.

- Jouni
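As an added illustration (not part of this thread or of any Cisco tooling), a small Python checker for the points Jouni raises in the accepted answer and in the packet-tracer exchange above: the missing default route, the direction of the object NAT, how wide the RDP ACL's source is, whether the ACL is attached to outside, and the packet-tracer invocation whose destination must be the ASA's public address rather than 192.168.1.106. The running-config it reads is a constructed sample using documentation-range addresses; 1.1.1.1 is the example source Jouni suggested.

```python
import re

# Constructed sample running-config modelled on the accepted answer's fixes
# (not the poster's real config); 203.0.113.0/24 is a documentation range.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.0
object network RDP
 host 192.168.1.106
 nat (inside,outside) static interface service tcp 3389 3389
access-list OUTSIDE-IN remark Allow RDP connections
access-list OUTSIDE-IN permit tcp any object RDP eq 3389
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""

def outside_ip(config):
    """Return the address configured on the interface whose nameif is 'outside'."""
    for block in re.split(r"(?m)^interface ", config):
        if re.search(r"(?m)^ nameif outside$", block):
            m = re.search(r"ip address (\S+) ", block)
            return m.group(1) if m else None
    return None

def audit(config):
    """Check the points raised in the thread; return a list of finding strings."""
    findings, lines = [], config.splitlines()
    if not any(re.match(r"route outside 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines):
        findings.append("no default route via outside: LAN hosts cannot reach the Internet")
    for l in lines:
        m = re.match(r" nat \((\w+),(\w+)\) static interface service tcp 3389 3389", l)
        if m and m.groups() != ("inside", "outside"):
            findings.append(f"static PAT written as ({m[1]},{m[2]}); must be (inside,outside)")
        m = re.match(r"access-list (\S+) permit tcp (any|host \S+) object RDP eq 3389", l)
        if not m:
            continue
        if m[2] == "any":
            findings.append(f"ACL {m[1]} exposes TCP/3389 to every Internet host; "
                            "restrict the source to a known public IP or use VPN instead")
        if not re.search(rf"(?m)^access-group {re.escape(m[1])} in interface outside$", config):
            findings.append(f"ACL {m[1]} is never applied to the outside interface")
    return findings

def packet_tracer_cmd(config, src="1.1.1.1", sport=12345):
    """packet-tracer for the RDP rule: enters on outside and targets the ASA's
    public (pre-NAT) address, not the inside host 192.168.1.106."""
    return f"packet-tracer input outside tcp {src} {sport} {outside_ip(config)} 3389"
```

Running `audit(SAMPLE_CONFIG)` reports only the wide-open ACL source, which is the trade-off the accepted answer describes when the connecting public IP is unknown.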

Community Member

Re: Newbie need help ASA5505

That was it - it worked correctly - thanks again.  I want to study some more before I attempt the VPN setup - I will open a new thread when I am ready to start - or fail

Super Bronze

Re: Newbie need help ASA5505

Hi,

Ok, let's look at the VPN setup if needed when you have had time to set it up.

- Jouni
