- Posts: 7
- Thank you received: 0
Asa 5505 firewall conf
16 years 5 months ago #26297
by Tomic
Asa 5505 firewall conf was created by Tomic
Hi all
I just recived a ASA firewall and there are something wrong with the conf i made, it drops at acl when i packet tracers. can someone please help me
i need to get port 80 open that all. the rest i thing i can
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ****************** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 80.160.163.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ********************** encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit tcp any eq www any eq www
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_out extended permit icmp any any echo
access-list inside_access_out extended permit tcp any eq www any eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cbe5623e8849c549e9e2d806ac4a4c7a
: end
I just recived a ASA firewall and there are something wrong with the conf i made, it drops at acl when i packet tracers. can someone please help me
i need to get port 80 open that all. the rest i thing i can
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ****************** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 80.160.163.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ********************** encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit tcp any eq www any eq www
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_out extended permit icmp any any echo
access-list inside_access_out extended permit tcp any eq www any eq www
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cbe5623e8849c549e9e2d806ac4a4c7a
: end
16 years 5 months ago #26304
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
Replied by Chris on topic Re: Asa 5505 firewall conf
Tomic,
Try replacing your ACL's with the following and let us know of the outcome:
[code:1]access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit udp 192.168.0.0 255.255.255.0 any eq domain [/code:1]
Cheers,
Try replacing your ACL's with the following and let us know of the outcome:
[code:1]access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit udp 192.168.0.0 255.255.255.0 any eq domain [/code:1]
Cheers,
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
16 years 5 months ago #26307
by Tomic
Replied by Tomic on topic allmost :)
I get this error now, i changes route from
route outside 0.0.0.0 0.0.0.0 192.168.1.0 1
to
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1
6 May 26 2008 23:45:22 302021 192.168.1.10 80.160.163.2 Teardown ICMP connection for faddr 192.168.1.10/1 gaddr 80.160.163.2/0 laddr 80.160.163.2/0
so i still need a acl to the last part
route outside 0.0.0.0 0.0.0.0 192.168.1.0 1
to
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1
6 May 26 2008 23:45:22 302021 192.168.1.10 80.160.163.2 Teardown ICMP connection for faddr 192.168.1.10/1 gaddr 80.160.163.2/0 laddr 80.160.163.2/0
so i still need a acl to the last part
16 years 5 months ago #26322
by Elohim
Replied by Elohim on topic Re: allmost :)
please post the current config.
I get this error now, i changes route from
route outside 0.0.0.0 0.0.0.0 192.168.1.0 1
to
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1
6 May 26 2008 23:45:22 302021 192.168.1.10 80.160.163.2 Teardown ICMP connection for faddr 192.168.1.10/1 gaddr 80.160.163.2/0 laddr 80.160.163.2/0
so i still need a acl to the last part
16 years 5 months ago #26333
by Tomic
Replied by Tomic on topic running-config
: Saved
:
ASA Version 7.2(3)
!
hostname firewall
domain-name antinet
enable password ********** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 80.160.163.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ************ encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name antinet
same-security-traffic permit inter-interface
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 192.168.1.1 2
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.9 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1576ff18fa83bce27aed57035e43b1dd
: end
:
ASA Version 7.2(3)
!
hostname firewall
domain-name antinet
enable password ********** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 80.160.163.2 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ************ encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name antinet
same-security-traffic permit inter-interface
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 0.0.0.0 192.168.1.1 2
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.9 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1576ff18fa83bce27aed57035e43b1dd
: end
16 years 5 months ago #26341
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Asa 5505 firewall conf
Couple of things.
First;
[code:1]route inside 0.0.0.0 0.0.0.0 192.168.1.1 2
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1 [/code:1]
You cannot have two default routes setup, the ASA Will not know which one to you. You will keep the default gateway set to the outside interface and define additional routes if you have other subnets internal.
Remove the route inside line.
Second,
I have had a very quick look through the config and cannot see anywhere where you are assign the access list ? You need to assign the access list to an interface using the access-group command.
I am guessing that the access-list is for outgoing traffic, you would need something like;
[code:1]access-group inside_access_in in interface inside[/code:1]
First;
[code:1]route inside 0.0.0.0 0.0.0.0 192.168.1.1 2
route outside 0.0.0.0 0.0.0.0 80.160.163.2 1 [/code:1]
You cannot have two default routes setup, the ASA Will not know which one to you. You will keep the default gateway set to the outside interface and define additional routes if you have other subnets internal.
Remove the route inside line.
Second,
I have had a very quick look through the config and cannot see anywhere where you are assign the access list ? You need to assign the access list to an interface using the access-group command.
I am guessing that the access-list is for outgoing traffic, you would need something like;
[code:1]access-group inside_access_in in interface inside[/code:1]
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.133 seconds