Skip to main content

ASA5505 Quick Question

More
16 years 2 months ago #27225 by xJJSilvax01
Hello firewall gods.

If i remove

what will happen if i remove global (outside) 1 interface

*no global (outside) 1 interface

ALSO: what would happen if i remove global (inside) 1 interface

THANKS!!!!!


Here is my show run






Result of the command: "show run"

: Saved
:
ASA Version 7.2(3)
!
hostname fw01
domain-name xxx.xxx
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address X.X.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.18 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XXXX.XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp-udp
port-object range 3389 3389
object-group service ExtensionPorts tcp-udp
port-object range 239 239
port-object range 242 242
port-object range 228 228
port-object range 231 231
port-object range 233 233
port-object range 244 244
port-object range 248 248
port-object range 3389 3389
object-group service BCM tcp-udp
port-object range 1 65535
access-list inside_access_out extended permit udp any any eq domain
access-list inside_access_out extended permit gre any host X.X.40.1
access-list inside_access_out extended permit tcp any host X.X.40.1 eq pptp
access-list inside_access_out extended permit tcp any host X.X.0.4 eq 5222
access-list inside_access_out extended permit tcp any host X.X.0.4 eq ftp
access-list inside_access_out extended permit tcp any host X.X.0.2 eq www
access-list inside_access_out extended permit tcp any host X.X.0.3 eq www
access-list inside_access_out extended permit ip any host X.X.9.2
access-list inside_access_out extended permit ip any host X.X.0.13
access-list inside_access_out extended permit tcp any host X.X.0.4 object-group RDP
access-list inside_access_out extended permit tcp any host X.X.40.1 eq www
access-list inside_access_out extended permit tcp any X.X.20.0 255.255.255.0 object-group ExtensionPorts
access-list inside_access_out extended permit ip any host X.X.90.120
access-list inside_access_out extended permit icmp any any traceroute
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any host X.X.X.24 object-group RDP
access-list outside_access_in extended permit tcp any host X.X.X.29 object-group RDP
access-list outside_access_in extended permit gre any host X.X.X.28
access-list outside_access_in extended permit tcp any host X.X.X.28 eq pptp
access-list outside_access_in extended permit tcp any host X.X.X.28 eq www
access-list outside_access_in extended permit tcp any host X.X.X.24 eq 5222
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any host X.X.X.24 eq ftp
access-list outside_access_in extended permit tcp any host X.X.X.22 eq www
access-list outside_access_in extended permit ip any host X.X.X.26
access-list outside_access_in extended permit ip any host X.X.X.21
access-list outside_access_in extended permit tcp any host X.X.X.23 eq www
access-list outside_access_in extended permit ip any host X.X.X.25
pager lines 24
logging enable
logging buffer-size 4098
logging trap debugging
logging asdm notifications
logging mail emergencies
logging from-address xxx
logging recipient-address xxxx level notifications
logging host inside X.X.20.4 format emblem
logging debug-trace
logging ftp-bufferwrap
logging ftp-server X.X.20.4 / xxxx xxxxxx
logging permit-hostdown
logging rate-limit unlimited level 5
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp X.X.X.29 252 X.X.20.1 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 233 X.X.20.3 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 239 X.X.20.6 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 231 X.X.20.2 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 248 X.X.20.7 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 242 X.X.20.4 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 8059 X.X.0.4 8059 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 3389 X.X.0.4 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 ftp X.X.0.4 ftp netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 aol X.X.0.4 aol netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5223 X.X.0.4 5223 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5298 X.X.0.4 5298 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5297 X.X.0.4 5297 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5222 X.X.0.4 5222 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.23 www X.X.0.3 www netmask 255.255.255.255 dns
static (inside,outside) tcp X.X.X.23 3389 X.X.0.3 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.22 www X.X.0.2 www netmask 255.255.255.255 dns
static (inside,outside) X.X.X.26 X.X.0.13 netmask 255.255.255.255
static (inside,inside) X.X.X.26 X.X.0.13 netmask 255.255.255.255
static (inside,inside) X.X.X.28 X.X.40.1 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.28 X.X.40.1 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.21 X.X.9.2 netmask 255.255.255.255
static (inside,inside) X.X.X.21 X.X.9.2 netmask 255.255.255.255
static (inside,inside) X.X.X.22 X.X.0.2 netmask 255.255.255.255
static (inside,inside) X.X.X.24 X.X.0.4 netmask 255.255.255.255
static (inside,inside) X.X.X.23 X.X.0.3 netmask 255.255.255.255
static (inside,outside) X.X.X.25 X.X.90.120 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http X.X.0.2 255.255.255.255 inside
http X.X.0.3 255.255.255.255 inside
http X.X.20.4 255.255.255.255 inside
http X.X.0.4 255.255.255.255 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet X.X.20.4 255.255.255.255 inside
telnet X.X.0.3 255.255.255.255 inside
telnet X.X.0.4 255.255.255.255 inside
telnet X.X.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns X.X.0.2
dhcpd wins X.X.0.2
dhcpd domain xxx.xxx
dhcpd auto_config inside vpnclient-wins-override
dhcpd update dns both
!
dhcprelay server X.X.0.2 inside
dhcprelay enable outside
dhcprelay timeout 60

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside X.X.20.4 /
smtp-server X.X.9.2
prompt hostname context
Cryptochecksum:25d3f822a8ac5ede7d0afa8687d5a029
: end
More
16 years 2 months ago #27227 by Elohim
Replied by Elohim on topic Re: ASA5505 Quick Question
NAT failure.

Hello firewall gods.

If i remove

what will happen if i remove global (outside) 1 interface

*no global (outside) 1 interface

ALSO: what would happen if i remove global (inside) 1 interface

THANKS!!!!!


Here is my show run






Result of the command: "show run"

: Saved
:
ASA Version 7.2(3)
!
hostname fw01
domain-name xxx.xxx
enable password xxxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address X.X.0.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.18 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XXXX.XXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp-udp
port-object range 3389 3389
object-group service ExtensionPorts tcp-udp
port-object range 239 239
port-object range 242 242
port-object range 228 228
port-object range 231 231
port-object range 233 233
port-object range 244 244
port-object range 248 248
port-object range 3389 3389
object-group service BCM tcp-udp
port-object range 1 65535
access-list inside_access_out extended permit udp any any eq domain
access-list inside_access_out extended permit gre any host X.X.40.1
access-list inside_access_out extended permit tcp any host X.X.40.1 eq pptp
access-list inside_access_out extended permit tcp any host X.X.0.4 eq 5222
access-list inside_access_out extended permit tcp any host X.X.0.4 eq ftp
access-list inside_access_out extended permit tcp any host X.X.0.2 eq www
access-list inside_access_out extended permit tcp any host X.X.0.3 eq www
access-list inside_access_out extended permit ip any host X.X.9.2
access-list inside_access_out extended permit ip any host X.X.0.13
access-list inside_access_out extended permit tcp any host X.X.0.4 object-group RDP
access-list inside_access_out extended permit tcp any host X.X.40.1 eq www
access-list inside_access_out extended permit tcp any X.X.20.0 255.255.255.0 object-group ExtensionPorts
access-list inside_access_out extended permit ip any host X.X.90.120
access-list inside_access_out extended permit icmp any any traceroute
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any host X.X.X.24 object-group RDP
access-list outside_access_in extended permit tcp any host X.X.X.29 object-group RDP
access-list outside_access_in extended permit gre any host X.X.X.28
access-list outside_access_in extended permit tcp any host X.X.X.28 eq pptp
access-list outside_access_in extended permit tcp any host X.X.X.28 eq www
access-list outside_access_in extended permit tcp any host X.X.X.24 eq 5222
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any host X.X.X.24 eq ftp
access-list outside_access_in extended permit tcp any host X.X.X.22 eq www
access-list outside_access_in extended permit ip any host X.X.X.26
access-list outside_access_in extended permit ip any host X.X.X.21
access-list outside_access_in extended permit tcp any host X.X.X.23 eq www
access-list outside_access_in extended permit ip any host X.X.X.25
pager lines 24
logging enable
logging buffer-size 4098
logging trap debugging
logging asdm notifications
logging mail emergencies
logging from-address xxx
logging recipient-address xxxx level notifications
logging host inside X.X.20.4 format emblem
logging debug-trace
logging ftp-bufferwrap
logging ftp-server X.X.20.4 / xxxx xxxxxx
logging permit-hostdown
logging rate-limit unlimited level 5
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp X.X.X.29 252 X.X.20.1 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 233 X.X.20.3 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 239 X.X.20.6 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 231 X.X.20.2 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 248 X.X.20.7 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.29 242 X.X.20.4 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 8059 X.X.0.4 8059 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 3389 X.X.0.4 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 ftp X.X.0.4 ftp netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 aol X.X.0.4 aol netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5223 X.X.0.4 5223 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5298 X.X.0.4 5298 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5297 X.X.0.4 5297 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.24 5222 X.X.0.4 5222 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.23 www X.X.0.3 www netmask 255.255.255.255 dns
static (inside,outside) tcp X.X.X.23 3389 X.X.0.3 3389 netmask 255.255.255.255
static (inside,outside) tcp X.X.X.22 www X.X.0.2 www netmask 255.255.255.255 dns
static (inside,outside) X.X.X.26 X.X.0.13 netmask 255.255.255.255
static (inside,inside) X.X.X.26 X.X.0.13 netmask 255.255.255.255
static (inside,inside) X.X.X.28 X.X.40.1 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.28 X.X.40.1 netmask 255.255.255.255 dns
static (inside,outside) X.X.X.21 X.X.9.2 netmask 255.255.255.255
static (inside,inside) X.X.X.21 X.X.9.2 netmask 255.255.255.255
static (inside,inside) X.X.X.22 X.X.0.2 netmask 255.255.255.255
static (inside,inside) X.X.X.24 X.X.0.4 netmask 255.255.255.255
static (inside,inside) X.X.X.23 X.X.0.3 netmask 255.255.255.255
static (inside,outside) X.X.X.25 X.X.90.120 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http X.X.0.2 255.255.255.255 inside
http X.X.0.3 255.255.255.255 inside
http X.X.20.4 255.255.255.255 inside
http X.X.0.4 255.255.255.255 inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet X.X.20.4 255.255.255.255 inside
telnet X.X.0.3 255.255.255.255 inside
telnet X.X.0.4 255.255.255.255 inside
telnet X.X.0.2 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns X.X.0.2
dhcpd wins X.X.0.2
dhcpd domain xxx.xxx
dhcpd auto_config inside vpnclient-wins-override
dhcpd update dns both
!
dhcprelay server X.X.0.2 inside
dhcprelay enable outside
dhcprelay timeout 60

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside X.X.20.4 /
smtp-server X.X.9.2
prompt hostname context
Cryptochecksum:25d3f822a8ac5ede7d0afa8687d5a029
: end

More
16 years 2 months ago #27229 by xJJSilvax01
Hi thanks for the quick reply.

basically the reason i ask this is because.

if i have a user outside of the network go to on of our outside ip's via http. It connects put then i see at the bottom of the screen it is actually connecting to an inside ip.. any idea how to fix that so that it doesnt show the end user that its connecting to an inside ip?
More
16 years 2 months ago #27242 by Elohim
Replied by Elohim on topic Re: ASA5505 Quick Question
of course the outside user is going to be able to connect. You have all those static nat definitions. A static makes an inside host appear on the outside at that IP address. If you have ACLs which allow access to that IP address, then hosts on the outside would be able to hit your inside device at the outside IP based on the services allowed through the ACL.

Hi thanks for the quick reply.

basically the reason i ask this is because.

if i have a user outside of the network go to on of our outside ip's via http. It connects put then i see at the bottom of the screen it is actually connecting to an inside ip.. any idea how to fix that so that it doesnt show the end user that its connecting to an inside ip?

More
16 years 2 months ago #27248 by xJJSilvax01
ok cool thanks!
Time to create page: 0.127 seconds