
New installation Cisco ASA 5505

16 years 11 months ago #24322 by Targ
Hi, I'm trying to configure a Cisco ASA 5505 and am having some problems with the HTTP traffic to an inside server.

My hardware configuration:

Internet with static IP -> Cisco ASA 5505 -> Server

I want the server to act as web server.

I can access the Internet from the server but no port 80 traffic can reach the server.

My interfaces are:
outside ethernet0/0 enabled security level 0 <static ip> vlan1
inside ethernet0/1-7 enabled security level 100 192.168.1.1 vlan2

NAT:
No Type Source Destination interface address
inside:
1 dynamic inside/network any outside outside
outside:
1 static <static ip>http any inside 192.168.1.250

Security Policy:
No Enabled Source Destination Service Action
inside:
1 any any less secure ip permit
2 any any ip deny
outside:
1 Y any inside-network http permit
2 Y any any icmp permit
3 any any ip deny

I am using ASDM to configure...
16 years 11 months ago #24333 by skepticals
You want traffic from the Internet to be able to access the internal web server?

Do you have an ACL that allows port 80 to the IP of the internal server?

You could also post your config if you want.
16 years 10 months ago #24513 by Chris
Targ,

I'm with skepticals here; it would be a great help if you could post your ASA configuration so we can see exactly where the problem is - just hide/replace any real IP addresses with fake ones.

On another note, if you've got an internal web server which the Internet will have access to, why don't you set it up in a DMZ zone, rather than giving direct access to your internal network?

It's a major security risk the way you have it set up, because if one bug or exploit is discovered by an outsider, they'll most probably be able to obtain full access to your internal network!

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
16 years 10 months ago #24639 by Targ
Hi, I'm sorry for the late response. I gave up and enjoyed the holidays instead. Now I’ll try to start all over again…

Basically, I have started over so many times that I don't know if I do have a configuration, but this is one of my most current versions:

ASA Version 7.2(2)
!
hostname XXXXX
domain-name default.domain.invalid
enable password fg7usdfsBsgff encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address <IP from my ISP> 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
passwd 2sdadbNIdI.2asdU encrypted
boot config disk0:/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host <IP from my ISP>
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (outside,inside) tcp 192.168.1.25 www <IP from my ISP> www netmask 255.255.255.255
static (inside,outside) tcp <IP from my ISP> www 192.168.1.25 www netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 <GW from my ISP>
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname context
Cryptochecksum:aca065847af0527a918d592502426aea
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

The reason I don't have a DMZ zone is because I just have the web server on the internal network. Is it a good idea to use a DMZ zone anyway?
16 years 10 months ago #24640 by Smurf
A couple of notes;

1. Don't you have to map VLAN 1 to Interface 0/0? I've never configured the ASA, but that's just my first observation.
2. You don't need both the Static commands. One will work, as the static is bidirectional.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 10 months ago #24658 by Targ
Replied by Targ on topic Status update
Hi again

Due to the fact that I cannot play around with my live configuration, I've decided to build a test configuration first and, when everything works, change the configurations.

The idea is for traffic from the Internet to be able to access the internal web server.

The final configuration shall still be:
Internet with static IP -> Cisco ASA 5505 -> Web Server

My current test configuration:
Internet with static IP -> Netgear router WGT624 -> Cisco ASA 5505 -> Test Web Server (10.0.0.10)
Internet with static IP -> Netgear router WGT624 -> Cisco ASA 5505 -> Test PC (192.168.0.2)

My interfaces are:
outside ethernet0/0 enabled security level 0 192.168.1.7 vlan1
inside ethernet0/1-6 enabled security level 100 192.168.0.254 vlan2
DMZ ethernet0/7 enabled security level 50 10.0.0.254 vlan3

My Cisco ASA 5505 configuration:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password fg7usdfsBsgff encrypted
names
!
interface Vlan1
description Outside Network (Internet)
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan2
description Internal Network
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
ospf cost 10
!
interface Vlan3
description Web Server
no forward interface Vlan2
nameif DMZ
security-level 50
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 2sdadbNIdI.2asdU encrypted
boot config disk0:/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

access-list outside_access_in remark Ping
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark HTML (Port 80)
access-list outside_access_in extended permit tcp any object-group Htmltraffic interface DMZ object-group Htmltraffic
access-list inside_access_out extended permit ip interface inside any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,inside) 10.0.0.10 192.168.1.7 netmask 255.255.255.255
static (DMZ,outside) 192.168.1.7 10.0.0.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 <GW from my ISP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.255.0 DMZ
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.254
dhcpd lease 6000
dhcpd ping_timeout 750
!
dhcpd address 192.168.0.2-192.168.0.30 inside
dhcpd enable inside
!

!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname context
Cryptochecksum:aca065847af0527a918d592502426aea
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

The status right now is:
My test PC (win XP) is connected to the internal network with the IP number 192.168.0.2. It can ping itself (192.168.0.2) and 192.168.0.254 but nothing else. It cannot browse the internet.

My test Server (win XP) is connected to the DMZ with the IP number 10.0.0.10. It can ping itself (10.0.0.10) and 10.0.0.254 but nothing else. It cannot browse the internet.

This means that I probably have something wrong with my NAT and/or Security Policy.

Is it OK to do a test configuration like this and just change the IP number of the outside interface when I want to switch configurations?

Best Regards
/ Targ
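Added example (not code from firewall.cx, the posters, or Cisco): a small Python checker for the pre-8.3 ASA syntax used in both configurations posted in this thread. It answers the two questions the thread turns on: with `nat-control` on, which higher-security interface has no `nat`/`global` pair or `static` towards a lower-security one (hosts behind it are dropped for lack of a translation, not routed), and whether a flow arriving on an interface for a published host gets through the `static` and the inbound access-list, walked first-match the way the ASA does. SAMPLE_CONFIG is constructed from fragments of the second configuration; the `Htmltraffic` object-group is not defined anywhere in the posted config, so the checker assumes a port object-group matches and an address object-group does not. Function and key names are my own.

```python
"""Cisco ASA 7.x (pre-8.3) NAT/ACL checks; added example for this thread, not firewall.cx's or
Cisco's code.  Object-group members are not parsed (assumption: a port group matches, an address
group does not).  SAMPLE_CONFIG is constructed from fragments of the thread's second config."""
import ipaddress
import re
PORTS = {"www": "80", "http": "80", "https": "443"}
IP_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")
SAMPLE_CONFIG = """\
interface Vlan1
 nameif outside
 security-level 0
interface Vlan2
 nameif inside
 security-level 100
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 10.0.0.254 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any object-group Htmltraffic interface DMZ object-group Htmltraffic
nat-control
global (outside) 1 interface
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (DMZ,outside) 192.168.1.7 10.0.0.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
"""

def take_addr(t, i):
    """One ACE address at t[i]: any | host A | interface IFC | object-group G | NET MASK."""
    if t[i] == "any":
        return ("any",), i + 1
    if t[i] in ("host", "interface", "object-group"):
        return (t[i], t[i + 1]), i + 2
    return ("net", t[i], t[i + 1]), i + 2

def parse_ace(t):
    """Tokens after 'extended': permit|deny PROTO SRC [sport] DST [dport]; keeps the dst side."""
    src, i = take_addr(t, 2)
    nxt = t[i + 2] if i + 2 < len(t) else ""
    if t[i] == "eq" or (t[i] == "object-group" and (nxt in ("any", "host", "interface", "object-group") or IP_RE.match(nxt))):
        i += 2  # an address follows, so this was a source-port spec, not the destination
    dst, i = take_addr(t, i)
    rest = t[i:] + ["", ""]  # optional destination port: eq PORT | object-group G
    dport = PORTS.get(rest[1], rest[1]) if rest[0] == "eq" else "group:" + rest[1] if rest[0] == "object-group" else None
    return {"action": t[0], "proto": t[1], "dst": dst, "dport": dport}

def parse_static(t):
    """static (REAL_IFC,MAPPED_IFC) [tcp|udp MAPPED MPORT REAL RPORT | MAPPED REAL] netmask M"""
    real_ifc, mapped_ifc = t[1].strip("()").split(",")
    o = 1 if t[2] in ("tcp", "udp") else 0  # the port form inserts the protocol and two port tokens
    return {"real_ifc": real_ifc, "mapped_ifc": mapped_ifc, "proto": t[2] if o else "ip",
            "mapped": t[2 + o], "port": PORTS.get(t[4], t[4]) if o else None, "real": t[3 + 2 * o]}

def parse_config(text):
    cfg = {"ifc": {}, "nat_control": False, "global": {}, "nat": {}, "static": [], "acl": {}, "group": {}}
    cur = None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "nameif":                    # names the interface; level and address follow
            cfg["ifc"][t[1]] = cur = {"level": 0, "ip": None}
        elif t[0] == "security-level":
            cur["level"] = int(t[1])
        elif t[:2] == ["ip", "address"] and t[2] != "dhcp":
            cur["ip"] = t[2]
        elif t[0] == "nat-control":
            cfg["nat_control"] = True
        elif t[0] in ("global", "nat"):         # global (IFC) ID ...  /  nat (IFC) ID ...
            cfg[t[0]].setdefault(t[1].strip("()"), set()).add(t[2])
        elif t[0] == "static":
            cfg["static"].append(parse_static(t))
        elif t[0] == "access-list" and t[2] == "extended":
            cfg["acl"].setdefault(t[1], []).append(parse_ace(t[3:]))
        elif t[0] == "access-group":            # access-group NAME in|out interface IFC
            cfg["group"][(t[4], t[2])] = t[1]
    return cfg

def ace_matches(ace, proto, ip, port, cfg):
    """Match one ACE against a flow of PROTO to IP:PORT (the ASA evaluates ACEs first-match)."""
    d = ace["dst"]
    hit = (d[0] == "any" or d[0] == "host" and d[1] == ip
           or d[0] == "interface" and cfg["ifc"].get(d[1], {}).get("ip") == ip
           or d[0] == "net" and IP_RE.match(ip) is not None
           and ipaddress.ip_address(ip) in ipaddress.ip_network(f"{d[1]}/{d[2]}", strict=False))
    return hit and ace["proto"] in ("ip", proto) and (ace["dport"] in (None, port) or ace["dport"].startswith("group:"))

def missing_translations(cfg):
    """(higher, lower) interface pairs that nat-control leaves without any translation."""
    lv = {n: i["level"] for n, i in cfg["ifc"].items()}
    return [(hi, lo) for hi in lv for lo in lv if cfg["nat_control"] and lv[hi] > lv[lo]
            and not cfg["nat"].get(hi, set()) & cfg["global"].get(lo, set())
            and not any(s["real_ifc"] == hi and s["mapped_ifc"] == lo for s in cfg["static"])]

def trace_inbound(cfg, ifc, real_ip, proto, port):
    """(verdict, reason): a static must publish REAL_IP on IFC, then IFC's inbound ACL decides."""
    port = PORTS.get(port, port)
    pub = [s for s in cfg["static"] if s["mapped_ifc"] == ifc and s["real"] == real_ip
           and s["proto"] in ("ip", proto) and s["port"] in (None, port)]
    if not pub:
        return "deny", f"no static publishes {real_ip} on {ifc}"
    mapped = pub[0]["mapped"]
    for ace in cfg["acl"].get(cfg["group"].get((ifc, "in"), ""), []):
        if ace_matches(ace, proto, mapped, port, cfg):
            return ace["action"], f"{ace['action']} by ACE '{ace['proto']} ... {' '.join(ace['dst'])}' for {mapped}"
    return "deny", f"implicit deny: no ACE on {ifc} matches {proto}/{port} to {mapped}"
```

Run against the sample, `missing_translations` returns the `inside` to `outside` pair: the second config has `global (outside) 1 interface` but no `nat (inside) 1 ...` line, and with `nat-control` on that is enough to stop the test PC from browsing. `trace_inbound(cfg, "outside", "10.0.0.10", "tcp", "www")` returns `deny`: the static publishes the web server as 192.168.1.7, but the only tcp ACE on `outside_access_in` is addressed to `interface DMZ` (10.0.0.254), so the implicit deny at the end of the list applies. Pointing that ACE at `host 192.168.1.7` instead makes the same trace return `permit`. The tcp/udp port form of `static` used in the first config is parsed as well; object-groups and the outbound direction are left out on purpose, so extend the parser before trusting it on a production config.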