
New installation Cisco ASA 5505

16 years 8 months ago #24659 by Smurf
As per my previous post, you don't need to double up on the static for each direction; one will suffice.

Also, you are not mapping VLAN1 to an interface?

In the next config you also have not specified any NAT statement, just some static ones.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 8 months ago #24660 by Targ
Hi, I've made some minor changes to the configuration according to this guide: www.cisco.com/en/US/docs/security/asa/as...ick/guide/dmz_b.html

[code:1]ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password fg7usdfsBsgff encrypted
names
!
interface Vlan1
description Outside Network (Internet)
nameif outside
security-level 0
ip address dhcp setroute
ospf cost 10
!
interface Vlan2
description Internal Network
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
ospf cost 10
!
interface Vlan3
description Web Server
no forward interface Vlan2
nameif DMZ
security-level 50
ip address 10.0.0.254 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 2sdadbNIdI.2asdU encrypted
boot config disk0:/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

access-list outside_access_in remark Ping
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp 0.0.0.0 255.255.255.0 host 192.168.1.7 eq www
access-list inside_access_out extended permit ip interface inside any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (DMZ) 1 10.0.0.1-10.0.0.250 netmask 255.0.0.0
nat (inside) 1 192.168.0.0 255.255.255.0
static (DMZ,outside) 192.168.1.7 10.0.0.10 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.255.255.0 DMZ
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.254
dhcpd lease 6000
dhcpd ping_timeout 750
!
dhcpd address 192.168.0.2-192.168.0.30 inside
dhcpd enable inside
!
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
prompt hostname context
Cryptochecksum:aca065847af0527a918d592502426aea
: end[/code:1]

> Also, you are not mapping VLAN1 to an interface?

This is strange, because in ASDM under Configuration -> Interfaces -> Interfaces I can read that outside has switchport Ethernet 0/0 with security level 0, IP address 192.168.1.7 and VLAN1. I've tried to set the following CLI commands with no errors:

[code:1]config t
interface ethernet0/0
switchport access vlan 1
write[/code:1]

> As per my previous post, you don't need to double up on the static for each direction; one will suffice.
I have deleted one of them now.

> In the next config you also have not specified any NAT statement, just some static ones.
I have a dynamic NAT now according to the guide.

I have changed the gateway from my ISP to my router 192.168.1.1. Is this correct?

Best Regards
/ Targ
16 years 8 months ago #24794 by sp1k3tou
If you don't have any other VLAN defined under an interface, it will automatically be VLAN 1.


I don't see a default route statement in your configuration. How will the ASA know how to send the computers outside your network?
16 years 8 months ago #24795 by Smurf
There is a route statement for a default route, but it's set to point to an inside address through the outside interface.

The line under interface vlan1 that says:

[code:1]ip address dhcp setroute[/code:1]

is not only getting your IP Address from the ISP, but will set the Default Route also.

I have never actually configured the ASA 5505 (but have done quite a bit with the PIX), so I would try removing your route statement

[code:1]route outside 0.0.0.0 0.0.0.0 192.168.1.1[/code:1]

and seeing how that goes.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
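A small added check (not code from the thread or from Cisco) that parses an ASA-style config excerpt and flags the two points raised in this post and in Smurf's first reply: a static default route on an interface that already takes one from `ip address dhcp setroute`, and `nat-control` without a usable nat/global pair. The excerpt is a constructed trimming of Targ's posted config; the finding strings are assumptions of this example.

```python
import re
# Constructed excerpt of the ASA config posted in this thread, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif outside
 ip address dhcp setroute
!
interface Vlan2
 nameif inside
 ip address 192.168.0.254 255.255.255.0
!
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.0.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""

def interface_blocks(cfg):
    """Return {nameif: [lines]} for every 'interface ... !' block in an ASA config."""
    blocks, lines = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            lines = []
        elif line == "!":
            lines = None
        elif lines is not None:
            if line.startswith("nameif "):
                blocks[line.split()[1]] = lines
            lines.append(line)
    return blocks

def lint(cfg):
    """Flag the two config points raised in the thread; returns a list of findings."""
    findings = []
    ifaces = interface_blocks(cfg)
    # 1. 'ip address dhcp setroute' installs the DHCP-learned default route, so a static
    #    'route <if> 0.0.0.0 0.0.0.0 ...' on the same interface is redundant and may conflict.
    setroute_ifaces = {n for n, ls in ifaces.items() if "ip address dhcp setroute" in ls}
    for m in re.finditer(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", cfg, re.M):
        if m.group(1) in setroute_ifaces:
            findings.append(f"static default route via {m.group(2)} duplicates dhcp setroute on {m.group(1)}")
    # 2. With nat-control, hosts without a static need a 'nat (iface) <id>' paired with a 'global <id>'.
    if any(l.strip() == "nat-control" for l in cfg.splitlines()):
        nat_ids = set(re.findall(r"^nat \(\S+\) (\d+) ", cfg, re.M))
        global_ids = set(re.findall(r"^global \(\S+\) (\d+) ", cfg, re.M))
        for nid in sorted(nat_ids - global_ids):
            findings.append(f"nat id {nid} has no matching global statement")
        if not nat_ids:
            findings.append("nat-control is set but no nat statement exists")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports only the redundant default route; removing the `route outside` line from the excerpt clears it, while removing the `nat (inside)` line instead reproduces the missing-NAT point.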
16 years 8 months ago #24797 by Smurf
> If you don't have any other VLAN defined under an interface, it will automatically be VLAN 1.

I didn't know that; suppose it makes sense, similar to a switch.

Thanks for sharing

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
16 years 8 months ago #24798 by sp1k3tou
> [code:1]ip address dhcp setroute[/code:1]

I have never used that command yet. I tried to look it up on the Cisco site but didn't find anything telling me what it did.

Thanks for explaining it.

Cheers
