01-22-2011 11:21 AM - edited 03-04-2019 11:10 AM
Well, I'm just having a complete blast doing this. We pulled the plug on our PIX 501 as it's not letting us use all 100Mbit that our cable provider is now piping to us. I read the conversion guide but it made no mention of the 501's. Only the 515's or newer.
The ASA 5505 is putting up a little bit of a fight (This is what I get for failing my CCNA??)
After refusing to configure the LAN ip address to something other than what it was shipped with, I broke down and connected to the management console and forced an IP address on the LAN side. Now I reset my default config and everyone can get on the internet.
Life's good... Until the ISP cuts you off because you forgot to set your static IP. Oh, and by the way, they don't support Cisco gear.
When I attempt to assign the IP to the outside interface, it accepts without a hitch, but everything grinds to a halt. I cannot have this, as I have off-site users that operate with dedicated ports using Remote Desktop. I've attempted to set the IP via both ASDM and the management console. I've tried setting a static route, but that doesn't give me any love either.
I'm running ASA Version 8.2(1) and ASDM Version 6.2(1)
Once I get the static IP set and working properly, I can tackle moving the port configs.
If someone can tell me what I'm doing wrong, it would be greatly appreciated.
-Joe
01-22-2011 12:48 PM
Okay, this is very odd.
I manually issued the command "route outside 0.0.0.0 0.0.0.0 70.x.x.97" to the router via the console and it now works with a static IP address. But yet, when I attempt to do this with the ASDM via CLI or the visual interface, it doesn't work.
Is something getting lost in translation or am I pulling a noobish mistake?
01-23-2011 08:06 PM
Hi Joseph,
You need to post the ASA config,
as well as "show version" command result.
01-24-2011 11:01 AM
I've done my best to not molest the config too much for diagnostic purposes. IP and serial numbers are obviously masked for safety reasons.
Since I did the initial config via the management port, settings are staying what I've set them at and communications are flowing properly. I may have inadvertently panicked during initial configuration, thinking I had broken something, somewhere.
--
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
enable password W3HbHchof2CuwrYs encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.144 fantasticfour
name 192.168.0.5 msabackupdc
name 192.168.0.14 phoenix
name 192.168.0.34 KonikaMinolta750
name 192.168.0.30 KonikaMinoltaC550
name 192.168.0.133 cadaver
name 192.168.0.11 postal5
name 192.168.0.182 extreme
name 192.168.0.183 piggy
name 192.168.0.147 sugar
name 192.168.0.161 great-stuff
name 192.168.0.231 pinktoe
name 192.168.0.103 rainyday
name 192.168.0.187 runnerup
name 192.168.0.108 kramer
name 192.168.0.129 hagrid
name 192.168.0.139 butterball
name 192.168.0.148 curley
name 192.168.0.138 saturn
name 192.168.0.128 pizzahut
name 192.168.0.115 seasnake
name 192.168.0.106 badger
name 192.168.0.197 knibbler
name 192.168.0.127 chinook
name 192.168.0.145 tinytim
name 192.168.0.223 msa-223
name 192.168.0.239 max
name 192.168.0.140 mrbig
name 192.168.0.126 cobolt
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 70.derp.derp.109 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit udp host phoenix any eq domain
access-list inside_access_in extended permit udp host msabackupdc any eq domain
access-list inside_access_in extended permit udp host msabackupdc any eq time
access-list inside_access_in extended permit udp host phoenix any eq time
access-list inside_access_in extended permit udp host cadaver any
access-list inside_access_in remark Rouse 3, First Floor Copier
access-list inside_access_in extended permit tcp host KonikaMinolta750 any eq 465
access-list inside_access_in remark Rouse 3, Second Floor Copier
access-list inside_access_in extended permit tcp host KonikaMinoltaC550 any eq 465
access-list inside_access_in extended permit tcp host postal5 any eq 465
access-list inside_access_in extended permit tcp host postal5 any eq 587
access-list outside_access_in extended permit tcp any any eq 3182
access-list outside_access_in extended permit tcp any any eq 3118
access-list outside_access_in extended permit tcp any any eq 3245
access-list outside_access_in extended permit tcp any any eq 3129
access-list outside_access_in extended permit tcp any any eq 3261
access-list outside_access_in extended permit tcp any any eq 3958
access-list outside_access_in extended permit tcp any any eq 3188
access-list outside_access_in extended permit tcp any any eq 3999
access-list outside_access_in extended permit tcp any any eq 3259
access-list outside_access_in extended permit tcp any any eq 3146
access-list outside_access_in extended permit tcp any any eq 3233
access-list outside_access_in extended permit tcp any any eq 3241
access-list outside_access_in extended permit tcp any any eq 3121
access-list outside_access_in extended permit tcp any any eq 3122
access-list outside_access_in extended permit tcp any any eq 3184
access-list outside_access_in extended permit tcp any any eq 3120
access-list outside_access_in extended permit tcp any any eq 3204
access-list outside_access_in extended permit tcp any any eq 3234
access-list outside_access_in extended permit tcp any any eq 3243
access-list outside_access_in extended permit tcp any any eq 3244
access-list outside_access_in extended permit tcp any any eq 3189
access-list outside_access_in extended permit tcp any any eq 3237
access-list outside_access_in extended permit tcp any any eq 3135
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3182 piggy 3182 netmask 255.255.255.255
static (inside,outside) tcp interface 3118 sugar 3118 netmask 255.255.255.255
static (inside,outside) tcp interface 3129 great-stuff 3129 netmask 255.255.255.255
static (inside,outside) tcp interface 3261 pinktoe 3261 netmask 255.255.255.255
static (inside,outside) tcp interface 3958 rainyday 3958 netmask 255.255.255.255
static (inside,outside) tcp interface 3188 runnerup 3188 netmask 255.255.255.255
static (inside,outside) tcp interface 3245 extreme 3245 netmask 255.255.255.255
static (inside,outside) tcp interface 3999 kramer 3999 netmask 255.255.255.255
static (inside,outside) tcp interface 3259 hagrid 3259 netmask 255.255.255.255
static (inside,outside) tcp interface 3146 butterball 3146 netmask 255.255.255.255
static (inside,outside) tcp interface 3233 curley 3233 netmask 255.255.255.255
static (inside,outside) tcp interface 3241 fantasticfour 3241 netmask 255.255.255.255
static (inside,outside) tcp interface 3121 saturn 3121 netmask 255.255.255.255
static (inside,outside) tcp interface 3122 pizzahut 3122 netmask 255.255.255.255
static (inside,outside) tcp interface 3184 seasnake 3184 netmask 255.255.255.255
static (inside,outside) tcp interface 3120 badger 3120 netmask 255.255.255.255
static (inside,outside) tcp interface 3204 knibbler 3204 netmask 255.255.255.255
static (inside,outside) tcp interface 3234 chinook 3234 netmask 255.255.255.255
static (inside,outside) tcp interface 3243 tinytim 3243 netmask 255.255.255.255
static (inside,outside) tcp interface 3244 msa-223 3244 netmask 255.255.255.255
static (inside,outside) tcp interface 3189 max 3189 netmask 255.255.255.255
static (inside,outside) tcp interface 3237 mrbig 3237 netmask 255.255.255.255
static (inside,outside) tcp interface 3135 cobolt 3135 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.durr.hurr.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address msabackupdc-192.168.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c789da792dc37673a7b2cec00d2c76e4
: end
no asdm history enable
--
Result of the command: "show version"
Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)
Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"
Config file at boot was "startup-config"
ASA5505 up 2 days 2 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Int: Internal-Data0/0 : address is c471.fe36.85d9, irq 11
1: Ext: Ethernet0/0 : address is c471.fe36.85d1, irq 255
2: Ext: Ethernet0/1 : address is c471.fe36.85d2, irq 255
3: Ext: Ethernet0/2 : address is c471.fe36.85d3, irq 255
4: Ext: Ethernet0/3 : address is c471.fe36.85d4, irq 255
5: Ext: Ethernet0/4 : address is c471.fe36.85d5, irq 255
6: Ext: Ethernet0/5 : address is c471.fe36.85d6, irq 255
7: Ext: Ethernet0/6 : address is c471.fe36.85d7, irq 255
8: Ext: Ethernet0/7 : address is c471.fe36.85d8, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number:
Running Activation Key: 0x1c01ea67 0xa8f805d1 0x68e119dc 0xacbcc8bc 0xcc37198b
Configuration register is 0x1
Configuration last modified by enable_15 at 19:06:34.039 EST Sat Jan 22 2011
01-24-2011 01:31 PM
Hi Joseph
Not to be rude or anything like that, but IF you are doing what I think you are doing then you are truly skating on thin ice.
IF you are letting people in to their desktops via Remote Desktop using this configuration, I must strongly advise you to rethink.
The ASA has some excellent VPN features, both using SSL and using "normal" IPSEC tunnels, to help you with securing the access to your network.
You can use these features to help you secure your network and users so that not anyone can start hacking your Windows boxes.
(IPSEC is the "better" solution in my personal view)
Let the firewall do what it does best and do not turn it into a Swiss cheese.
If you need help setting it up, let us know and I or someone else here will help you set up a config that works for your environment.
One of the best things with the ASA, I think, is that as long as you have not saved you can always reload and return to where you started your test configuration if you screw it up somewhere.
Or it could be that I am seeing things and am totally wrong.
Let us know if we can be of service.
Good luck
Hope this helps
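As an added example, not code from this thread or from Cisco, here is a small Python audit that reads an ASA 8.2-style config and lists every port forward reachable through the outside interface together with the source addresses the ACL lets in, which makes the "Swiss cheese" pattern hobbe warns about visible at a glance. The config it parses is a constructed sample in the style of the posted one, not the poster's actual config.

```python
# Constructed sample in the style of the ASA 8.2 running-config posted in this
# thread; the names and addresses are made up, not the poster's.
SAMPLE_CONFIG = """\
name 192.168.0.183 piggy
name 192.168.0.147 sugar
access-list outside_access_in extended permit tcp any any eq 3182
access-list outside_access_in extended permit tcp any any eq 3118
access-list outside_access_in extended permit tcp host 203.0.113.10 any eq 3129
static (inside,outside) tcp interface 3182 piggy 3182 netmask 255.255.255.255
static (inside,outside) tcp interface 3118 sugar 3118 netmask 255.255.255.255
static (inside,outside) tcp interface 3129 192.168.0.161 3129 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def parse_endpoint(t, i):
    """ACL endpoint at t[i]: 'any' | 'host X' | 'X MASK'; returns (spec, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    return f"{t[i]}/{t[i + 1]}", i + 2

def parse_acl(t):
    """access-list NAME extended permit PROTO SRC DST [eq PORT] -> dict, else None."""
    if len(t) < 7 or t[2] != "extended" or t[3] != "permit":
        return None
    src, i = parse_endpoint(t, 5)
    dst, i = parse_endpoint(t, i)
    port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
    return {"acl": t[1], "proto": t[4], "src": src, "dst": dst, "port": port}

def audit_exposure(config_text):
    """Pair each static PAT forward with outside-bound ACL lines permitting its port."""
    names, acls, statics, groups = {}, [], [], {}
    for t in (l.split() for l in config_text.splitlines() if l.strip()):
        if t[0] == "name" and len(t) >= 3:            # name IP ALIAS
            names[t[2]] = t[1]
        elif t[0] == "access-list" and parse_acl(t):
            acls.append(parse_acl(t))
        elif t[0] == "static" and len(t) >= 7 and t[2] in ("tcp", "udp"):
            statics.append({"proto": t[2], "ext_port": t[4], "host": t[5]})
        elif t[0] == "access-group" and len(t) >= 5:  # access-group ACL in interface IF
            groups[t[1]] = t[4]
    findings = []
    for s in statics:
        for a in acls:  # a forward is reachable only if an ACL on 'outside' permits its port
            if groups.get(a["acl"]) == "outside" and a["proto"] == s["proto"] and a["port"] == s["ext_port"]:
                findings.append({"port": int(s["ext_port"]), "src": a["src"],
                                 "host": names.get(s["host"], s["host"])})
    return sorted(findings, key=lambda f: f["port"])
```

A finding whose `src` is `any` is a host the whole Internet can reach on that port; a forward with no matching outside ACL line does not appear at all.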
01-24-2011 03:51 PM
As of yet, we've had no issue, but your idea is very sound, hobbe. I would love to set up a VPN client to do this, rather than expose each workstation. The workstations here have quite obnoxious password requirements, along with some decent hardening. Passwords that are locked require admin intervention.
VPNs disconnect users from their home networks, so they cannot print documents at their local PC. I've been meaning to switch to things like thin clients for the workers.
Locked doors keep honest people out. We have nothing to hide if they do get in. Nothing more than useless AutoCAD drawings and soil samples. Users let me know right away when stuff breaks.
My biggest problem is malware and rootkits that are sneaking in via infected emails that Postini doesn't catch.
01-25-2011 12:04 AM
IF the reason that you are not using VPN is that the users cannot print on their local LAN, that is a configurable option: you can allow split tunneling so the users can access the local LAN or even the Internet.
True that locks keep out honest people.
But it is also true that the low hanging fruit gets picked first.
Good luck
HTH
01-23-2011 10:56 PM
Joseph,
As much as I like most of what Cisco makes, ASDM can be somewhat confusing. I recommend that you use the CLI to do the basic configuration and use ASDM for maintenance of your CLI-based configuration. It's been a while since I've had an ASA to work on "live", but if I recall ASDM does not directly apply all settings immediately.
When I was first presented with an ASA I spent a few days in the same type of situation you are in. While it is very similar to the PIX, the ASA with its enhanced features can be confusing. Even using the CLI was a whole different experience, almost a combination of a PIX and a router. Don't give up on the ASA or lose faith in your skills; it just takes a while to get the "feel" of it.
01-24-2011 11:27 AM
The 5505 is much faster than the 501 and I like it a lot, but just the simplicity of the 501 kept me using it. I now have to update my documentation as the commands I've been using are now different.
The PDM command is no longer supported. That one I learned before changing over.
The ACCESS-LIST syntax is different. What does "extended" refer to? It was automatically added when I pasted it to the CLI in the ASDM.
---Before---
name 192.168.0.
pdm location
access-list outside_access_in permit tcp any any eq
static (inside,outside) tcp interface
---Now---
name 192.168.0.
access-list outside_access_in extended permit tcp any any eq
static (inside,outside) tcp interface
01-24-2011 11:36 AM
Hi,
extended vs standard:
extended: can work at L4; src and dst IP as well as src and dst ports can be configured
standard: dst IP only, L3 only
Regards.
Alain.
01-24-2011 11:46 AM
Oh, how useful! Thanks!