
Help configuring ASA 5505

16 years 1 month ago #26978 by maakus
Hello all,

I came across this site while researching configuration options for my ASA 5505. This is very new to me, so I am thinking I need a lot of assistance. My configuration is listed below. These are the things I would like the firewall to do:

a) Allow defined users to browse the web
b) These users that are allowed cannot download from p2p networks
c) open a few ports for access to apps like sql
d) create a vpn for secure access for selected users for a) the entire network and b) not the entire network
e) Allow some external users access to their devices we host
f) Create a VLAN to allow some users on the network to use the net, but not access other parts of the network

There are a few other things, but these are probably the major things now...

TIA


: Saved
:
ASA Version 7.2(3)
!
hostname xxxxxxxx
domain-name domaineg.com
enable password xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address xxx.xxx.xxx.xxx 255.xxx.xxx.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx (ISP ASSIGNED IP)
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxx encrypted
banner login xxxxxxx
banner asdm xxxxxxxxx
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxx.domaineg.com
object-group service FileSharing tcp
description File Sharing
port-object range 1214 1214
port-object range 4444 4444
port-object range 5050 5050
port-object range 5555 5555
port-object range 6600 6600
port-object range 6666 6666
port-object range 6699 6699
port-object range 6881 6889
port-object range 6881 6999
port-object range 7777 7777
port-object range 8875 8875
port-object range 8888 8888
port-object range 6346 6347
access-list inside_nat0_outbound extended permit ip any xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx (inside ip)
access-list inside_access_out extended permit ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.xxx.xxx.0 xxx.xxx.xxx.xxx. xxx.xxx.xxx.xxx (external network that needs access)
no pager
logging asdm informational
logging from-address xxx@xxx.com
logging recipient-address xxx@xxx.com level errors
mtu inside 1500
mtu outside 1500
ip local pool xxx xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx mask xxx.xxx.xxx.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 xxx.xxx.xxx.xxx xxx.xxx.xxx.0
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1 (ISP gateway)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server xxxx protocol radius
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http xxx.xxx.xxx.xxx xxx.xxx.xxx.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Enter valid user name
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
telnet timeout 5
ssh xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx inside
ssh timeout 5
console timeout 0
management-access inside

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy xxxxxxxx internal
group-policy xxxxxxxx attributes
dns-server value xxx.xxx.xxx.xxx
vpn-tunnel-protocol IPSec
username xxxxx password xxxx encrypted privilege 15
username xxxxx password xxxx encrypted privilege 15
username xxxxx password xxxxxxx encrypted
username xxxxx password xxxxxx encrypted privilege 15
username xxxxx password xxxxxx encrypted privilege 15
username xxxxx attributes
vpn-group-policy xxxxxxxx
tunnel-group xxxxxxxx type ipsec-ra
tunnel-group xxxxxxxx general-attributes
address-pool xxxxx
default-group-policy xxxxxxxx
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:80666238398a6ac51f2d67798dd91f59
: end
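Two things stand out in the posted config before any of the six requirements are tackled: the object-group FileSharing is defined but never referenced by any access-list, so it currently blocks nothing, and the only access-group is applied in the "out" direction on the inside interface, which filters traffic leaving the ASA toward inside hosts rather than what inside users send out. The fragment below is an added example, not part of the original post or of Cisco's documentation; it uses the pre-8.3 NAT and ACL syntax that ASA 7.2(3) runs and shows one way to cover requirements (a) through (f) with the features that version has. Every address in it is an assumption (192.168.1.0/24 for inside, 192.168.1.20 for a hosted SQL server, 192.168.3.0/24 for the new restricted VLAN, 198.51.100.0/24 for a partner network, 203.0.113.2 for the ASA's ISP-assigned outside address, 192.168.200.0/24 for the VPN pool), as are the names FULLNET, LIMITED and guest. Note the caveat on (b): an ACL on the FileSharing ports only stops clients that use their default ports; clients that randomize ports or tunnel over 80/443 pass, so a port list is a partial control, not a replacement for the deep packet inspection the reply mentions.

```cisco
! Added example, not from the original post or from Cisco. ASA 7.2 (pre-8.3)
! syntax. Assumed addresses:
!   192.168.1.0/24   inside LAN            192.168.1.20     hosted SQL server
!   192.168.3.0/24   new restricted VLAN   198.51.100.0/24  partner network
!   203.0.113.2      ASA outside address   192.168.200.0/24 VPN address pool
!
! (a)+(b): enforce the existing FileSharing object-group on traffic entering
! the ASA from inside users. The deny must precede the permits; the implicit
! deny at the end drops anything not listed, so DNS is permitted explicitly.
access-list inside_access_in extended deny tcp any any object-group FileSharing
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! (c)+(e): expose the hosted SQL server on TCP/1433 to one partner network only.
! Pre-8.3 ACLs on the outside interface match the translated (public) address,
! here the outside interface itself via static port redirection.
static (inside,outside) tcp interface 1433 192.168.1.20 1433 netmask 255.255.255.255
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.2 eq 1433
access-group outside_access_in in interface outside
!
! (d): two group policies. FULLNET tunnels all client traffic and may reach the
! whole LAN. LIMITED only tunnels the LAN prefix (split tunnel) and a vpn-filter
! restricts those clients to the SQL server. vpn-filter ACLs are written with
! the remote client as source and the inside host as destination. Assign each
! user with "username <name> attributes / vpn-group-policy <policy>", as the
! posted config already does for one account.
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_limited extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.1.20 eq 1433
group-policy FULLNET internal
group-policy FULLNET attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
group-policy LIMITED internal
group-policy LIMITED attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 vpn-filter value vpn_limited
!
! (f): a third VLAN for Internet-only users. On the 5505 Base license the third
! VLAN must be created with "no forward interface" (before nameif), which is
! exactly the isolation asked for: it can reach outside but never inside.
! Give it PAT through the same global pool id (1) the inside interface uses.
interface Vlan3
 no forward interface vlan 1
 nameif guest
 security-level 50
 ip address 192.168.3.1 255.255.255.0
interface Ethernet0/7
 switchport access vlan 3
nat (guest) 1 192.168.3.0 255.255.255.0
```

Apply the inside ACL last and from a console or SSH session rather than over the HTTP/ASDM path it might cut off, and check each piece with "show access-list inside_access_in" (hit counts on the deny line confirm the port block is actually matching) and "show xlate" for the static. The posted config also still permits telnet to the box and uses 3DES/SHA-1/group 2 for the VPN; replacing telnet with the existing SSH access and moving to AES and a stronger group are separate changes worth making while editing these policies.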
16 years 1 month ago #27048 by Elohim
All of your requirements can be met with the exception of B. I think deep packet inspection may be tooooooooooooooo much for this box.

