<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: How to Configure a Cisco ASA 5510 Firewall &#8211; Basic Configuration Tutorial</title>
	<atom:link href="http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/</link>
	<description>IP Networks Training and Tutorials</description>
	<lastBuildDate>Tue, 07 Feb 2012 15:03:08 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: raghunair</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2511</link>
		<dc:creator>raghunair</dc:creator>
		<pubDate>Tue, 10 Jan 2012 05:00:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2511</guid>
		<description>Hi... it's working... thanks</description>
		<content:encoded><![CDATA[<p>Hi&#8230; it&#8217;s working&#8230; thanks</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Blog Admin</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2486</link>
		<dc:creator>Blog Admin</dc:creator>
		<pubDate>Fri, 16 Dec 2011 14:36:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2486</guid>
		<description>Martin,

It seems that the PC firewall may be blocking your pings. If the PC is Windows, enable Remote Desktop access on the PC and try to connect with RDP from the VPN client to the PC. If you manage to connect, then the VPN works fine. Pinging is not always the best way to test connectivity.</description>
		<content:encoded><![CDATA[<p>Martin,</p>
<p>It seems that the PC firewall may be blocking your pings. If the PC is Windows, enable Remote Desktop access on the PC and try to connect with RDP from the VPN client to the PC. If you manage to connect, then the VPN works fine. Pinging is not always the best way to test connectivity.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Mas</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2483</link>
		<dc:creator>Mas</dc:creator>
		<pubDate>Fri, 16 Dec 2011 12:09:29 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2483</guid>
		<description>Hi,
I have purchased your ebook and have been using it to learn Cisco ASA. I have an ASA5505 and have set up a remote VPN worker. My problem is that the PC running the VPN client connects OK and can ping the ASA inside interface but not the PC on the inside interface. The PC on the inside interface can ping the VPN client :-(

ping VPN Client - ASA Inside I/f 192.168.44.160 Yes
ping VPN Client to PC on inside 192.168.44.82 NO
ping PC on inside to VPN Client 192.168.50.1 Yes

My config is below. Could you please tell me what I have done wrong?

ASA Config

: Saved
: Written by cisco at 10:08:15.679 UTC Fri Dec 16 2011
!
ASA Version 8.4(2) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.44.160 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.100 255.255.255.0 
!
ftp mode passive
object network internal_lan
 subnet 192.168.44.0 255.255.255.0
object network support-vpn-subnet
 subnet 192.168.50.0 255.255.255.0
 description IP address assigned to Support VPN User
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended deny ip any any 
access-list global_access extended permit ip any any 
access-list global_access extended permit icmp any any echo 
access-list global_access extended permit icmp any any echo-reply 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool-support-vpn 192.168.50.0-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static support-vpn-subnet support-vpn-subnet no-proxy-arp route-lookup
!
object network internal_lan
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 192.168.1.98 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
http server enable
http 192.168.44.0 255.255.255.0 inside
http 192.168.1.96 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.44.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.96 255.255.255.0 outside
ssh timeout 5
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy tg-vpn-support internal
group-policy tg-vpn-support attributes
 wins-server value 192.168.44.1
 dns-server value 192.168.44.1
 vpn-tunnel-protocol ikev1 
 default-domain value bhls.com
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group tg-vpn-support type remote-access
tunnel-group tg-vpn-support general-attributes
 address-pool pool-support-vpn
 default-group-policy tg-vpn-support
tunnel-group tg-vpn-support ipsec-attributes
 ikev1 pre-shared-key 1qazxsw2
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:488a018c60162a057b66a31071a38917
: end</description>
		<content:encoded><![CDATA[<p>Hi,<br />
I have purchased your ebook and have been using it to learn Cisco ASA. I have an ASA5505 and have set up a remote VPN worker. My problem is that the PC running the VPN client connects OK and can ping the ASA inside interface but not the PC on the inside interface. The PC on the inside interface can ping the VPN client <img src='http://www.networkstraining.com/wp-includes/images/smilies/icon_sad.gif' alt=':-(' class='wp-smiley' /> </p>
<p>ping VPN Client &#8211; ASA Inside I/f 192.168.44.160 Yes<br />
ping VPN Client to PC on inside 192.168.44.82 NO<br />
ping PC on inside to VPN Client 192.168.50.1 Yes</p>
<p>My config is below. Could you please tell me what I have done wrong?</p>
<p>ASA Config</p>
<p>: Saved<br />
: Written by cisco at 10:08:15.679 UTC Fri Dec 16 2011<br />
!<br />
ASA Version 8.4(2)<br />
!<br />
hostname ciscoasa<br />
enable password 8Ry2YjIyt7RRXU24 encrypted<br />
passwd 2KFQnbNIdI.2KYOU encrypted<br />
names<br />
!<br />
interface Ethernet0/0<br />
!<br />
interface Ethernet0/1<br />
!<br />
interface Ethernet0/2<br />
!<br />
interface Ethernet0/3<br />
 switchport access vlan 2<br />
!<br />
interface Ethernet0/4<br />
!<br />
interface Ethernet0/5<br />
!<br />
interface Ethernet0/6<br />
!<br />
interface Ethernet0/7<br />
!<br />
interface Vlan1<br />
 nameif inside<br />
 security-level 100<br />
 ip address 192.168.44.160 255.255.255.0<br />
!<br />
interface Vlan2<br />
 nameif outside<br />
 security-level 0<br />
 ip address 192.168.1.100 255.255.255.0<br />
!<br />
ftp mode passive<br />
object network internal_lan<br />
 subnet 192.168.44.0 255.255.255.0<br />
object network support-vpn-subnet<br />
 subnet 192.168.50.0 255.255.255.0<br />
 description IP address assigned to Support VPN User<br />
access-list outside_access_in extended permit icmp any any echo-reply<br />
access-list outside_access_in extended deny ip any any<br />
access-list global_access extended permit ip any any<br />
access-list global_access extended permit icmp any any echo<br />
access-list global_access extended permit icmp any any echo-reply<br />
pager lines 24<br />
logging enable<br />
logging asdm informational<br />
mtu inside 1500<br />
mtu outside 1500<br />
ip local pool pool-support-vpn 192.168.50.0-192.168.50.10 mask 255.255.255.0<br />
icmp unreachable rate-limit 1 burst-size 1<br />
no asdm history enable<br />
arp timeout 14400<br />
nat (inside,outside) source static any any destination static support-vpn-subnet support-vpn-subnet no-proxy-arp route-lookup<br />
!<br />
object network internal_lan<br />
 nat (inside,outside) dynamic interface<br />
access-group outside_access_in in interface outside<br />
access-group global_access global<br />
route outside 0.0.0.0 0.0.0.0 192.168.1.98 1<br />
timeout xlate 3:00:00<br />
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<br />
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<br />
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<br />
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<br />
timeout tcp-proxy-reassembly 0:01:00<br />
timeout floating-conn 0:00:00<br />
dynamic-access-policy-record DfltAccessPolicy<br />
user-identity default-domain LOCAL<br />
aaa authentication ssh console LOCAL<br />
aaa authentication telnet console LOCAL<br />
aaa authentication enable console LOCAL<br />
http server enable<br />
http 192.168.44.0 255.255.255.0 inside<br />
http 192.168.1.96 255.255.255.0 outside<br />
no snmp-server location<br />
no snmp-server contact<br />
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart<br />
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac<br />
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac<br />
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac<br />
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac<br />
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac<br />
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac<br />
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac<br />
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac<br />
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac<br />
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac<br />
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs<br />
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5<br />
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP<br />
crypto map outside_map interface outside<br />
crypto ikev1 enable outside<br />
crypto ikev1 policy 10<br />
 authentication crack<br />
 encryption aes-256<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 20<br />
 authentication rsa-sig<br />
 encryption aes-256<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 30<br />
 authentication pre-share<br />
 encryption aes-256<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 40<br />
 authentication crack<br />
 encryption aes-192<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 50<br />
 authentication rsa-sig<br />
 encryption aes-192<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 60<br />
 authentication pre-share<br />
 encryption aes-192<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 70<br />
 authentication crack<br />
 encryption aes<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 80<br />
 authentication rsa-sig<br />
 encryption aes<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 90<br />
 authentication pre-share<br />
 encryption aes<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 100<br />
 authentication crack<br />
 encryption 3des<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 110<br />
 authentication rsa-sig<br />
 encryption 3des<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 120<br />
 authentication pre-share<br />
 encryption 3des<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 130<br />
 authentication crack<br />
 encryption des<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 140<br />
 authentication rsa-sig<br />
 encryption des<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
crypto ikev1 policy 150<br />
 authentication pre-share<br />
 encryption des<br />
 hash sha<br />
 group 2<br />
 lifetime 86400<br />
telnet 192.168.44.0 255.255.255.0 inside<br />
telnet timeout 5<br />
ssh 192.168.1.96 255.255.255.0 outside<br />
ssh timeout 5<br />
console timeout 0<br />
management-access inside</p>
<p>threat-detection basic-threat<br />
threat-detection statistics access-list<br />
no threat-detection statistics tcp-intercept<br />
webvpn<br />
group-policy tg-vpn-support internal<br />
group-policy tg-vpn-support attributes<br />
 wins-server value 192.168.44.1<br />
 dns-server value 192.168.44.1<br />
 vpn-tunnel-protocol ikev1<br />
 default-domain value bhls.com<br />
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15<br />
tunnel-group tg-vpn-support type remote-access<br />
tunnel-group tg-vpn-support general-attributes<br />
 address-pool pool-support-vpn<br />
 default-group-policy tg-vpn-support<br />
tunnel-group tg-vpn-support ipsec-attributes<br />
 ikev1 pre-shared-key 1qazxsw2<br />
!<br />
!<br />
prompt hostname context<br />
no call-home reporting anonymous<br />
call-home<br />
 profile CiscoTAC-1<br />
  no active<br />
  destination address http <a href="https://tools.cisco.com/its/service/oddce/services/DDCEService" rel="nofollow">https://tools.cisco.com/its/service/oddce/services/DDCEService</a><br />
  destination address email <a href="mailto:callhome@cisco.com">callhome@cisco.com</a><br />
  destination transport-method http<br />
  subscribe-to-alert-group diagnostic<br />
  subscribe-to-alert-group environment<br />
  subscribe-to-alert-group inventory periodic monthly<br />
  subscribe-to-alert-group configuration periodic monthly<br />
  subscribe-to-alert-group telemetry periodic daily<br />
Cryptochecksum:488a018c60162a057b66a31071a38917<br />
: end</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Blog Admin</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2366</link>
		<dc:creator>Blog Admin</dc:creator>
		<pubDate>Fri, 07 Oct 2011 19:35:21 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2366</guid>
		<description>This is called &quot;port redirection&quot; with Cisco ASA. Try Googling this and you will find several examples.</description>
		<content:encoded><![CDATA[<p>This is called &#8220;port redirection&#8221; with Cisco ASA. Try Googling this and you will find several examples.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: MDgeek</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2358</link>
		<dc:creator>MDgeek</dc:creator>
		<pubDate>Fri, 30 Sep 2011 12:47:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2358</guid>
		<description>Please, one quick question. How can I configure port forwarding for a Remote Desktop connection (RDP - port 3389) and an HTTP connection to a security camera?
Both will have to translate a standard TCP port from outside to a custom TCP port on the inside LAN.
We already have both services working fine off of the broadband router and would like to maintain that when the ASA5510 is deployed.

Thanks always</description>
		<content:encoded><![CDATA[<p>Please, one quick question. How can I configure port forwarding for a Remote Desktop connection (RDP &#8211; port 3389) and an HTTP connection to a security camera?<br />
Both will have to translate a standard TCP port from outside to a custom TCP port on the inside LAN.<br />
We already have both services working fine off of the broadband router and would like to maintain that when the ASA5510 is deployed. </p>
<p>Thanks always</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: MDgeek</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2357</link>
		<dc:creator>MDgeek</dc:creator>
		<pubDate>Fri, 30 Sep 2011 11:18:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2357</guid>
		<description>Thanks a million!
The http server was already enabled (used with the default IP); however, the 192.168.11.0 subnet was not associated with the management interface.

It now works with my set subnet. Also, I now understand the interface separation thing with the mgmt port.
Thanks again.</description>
		<content:encoded><![CDATA[<p>Thanks a million!<br />
The http server was already enabled (used with the default IP); however, the 192.168.11.0 subnet was not associated with the management interface.</p>
<p>It now works with my set subnet. Also, I now understand the interface separation thing with the mgmt port.<br />
Thanks again.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Blog Admin</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2347</link>
		<dc:creator>Blog Admin</dc:creator>
		<pubDate>Wed, 28 Sep 2011 05:04:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2347</guid>
		<description>@MDGeek,

1st Problem: Have you also changed the subnet range allowed to use http?

e.g.:

&lt;strong&gt;http server enable
http 192.168.11.0 255.255.255.0 management&lt;/strong&gt;


2nd Problem: The ASA management port is a different Layer 3 interface, so it MUST be on a separate Layer 3 subnet from the rest of the interfaces. So, yes, you must assign a different subnet for the management interface (which is better for security reasons as well).</description>
		<content:encoded><![CDATA[<p>@MDGeek,</p>
<p>1st Problem: Have you also changed the subnet range allowed to use http?</p>
<p>e.g.: </p>
<p><strong>http server enable<br />
http 192.168.11.0 255.255.255.0 management</strong></p>
<p>2nd Problem: The ASA management port is a different Layer 3 interface, so it MUST be on a separate Layer 3 subnet from the rest of the interfaces. So, yes, you must assign a different subnet for the management interface (which is better for security reasons as well).</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: MDGeek</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2346</link>
		<dc:creator>MDGeek</dc:creator>
		<pubDate>Wed, 28 Sep 2011 04:50:03 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2346</guid>
		<description>Hi;
Thank you so much for your continued efforts in responding to many ASA-related questions.
I actually bought your eBook about a year ago but have just started using it to configure our ASA5510.
Now I ran into two separate problems with the Mgmt port IP assignment.
First, whenever I change the IP address from the default to anything else (from 192.168.1.1 to 192.168.11.100), the ASDM will no longer connect to the unit using the newly changed IP, even though I also changed my PC&#039;s IP to correspond to the Mgmt&#039;s.
But once I change it back to the default, everything works again. Note that I am able to gain access through the console to undo whatever changes I have made.
Also, must the ASA Management port be separated from the rest of the LAN?
2nd, I would like to have the Management port reside on the same subnet as the rest of my secure hosts. So far the ASA5510 is insisting that the two cannot coexist on the same subnet.
Example: 192.168.2.1=ASA-Mgmt-port ; 192.168.2.5-50=LAN-hosts; 192.168.1.1=outside-port-ISP-router.
Am I missing something here? Please advise. Thanks</description>
		<content:encoded><![CDATA[<p>Hi;<br />
Thank you so much for your continued efforts in responding to many ASA-related questions.<br />
I actually bought your eBook about a year ago but have just started using it to configure our ASA5510.<br />
Now I ran into two separate problems with the Mgmt port IP assignment.<br />
First, whenever I change the IP address from the default to anything else (from 192.168.1.1 to 192.168.11.100), the ASDM will no longer connect to the unit using the newly changed IP, even though I also changed my PC&#8217;s IP to correspond to the Mgmt&#8217;s.<br />
But once I change it back to the default, everything works again. Note that I am able to gain access through the console to undo whatever changes I have made.<br />
Also, must the ASA Management port be separated from the rest of the LAN?<br />
2nd, I would like to have the Management port reside on the same subnet as the rest of my secure hosts. So far the ASA5510 is insisting that the two cannot coexist on the same subnet.<br />
Example: 192.168.2.1=ASA-Mgmt-port ; 192.168.2.5-50=LAN-hosts; 192.168.1.1=outside-port-ISP-router.<br />
Am I missing something here? Please advise. Thanks</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: April</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2274</link>
		<dc:creator>April</dc:creator>
		<pubDate>Thu, 11 Aug 2011 09:52:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2274</guid>
		<description>Hi,

Can anyone please help with what went wrong in this config? The webserver is accessible from outside but not from inside using the FQDN; I can only access the webserver from inside using the internal IP address but not with the public address. I tried with my old non-Cisco firewall and it works fine. Please help. Thanks...

User Access Verification

Password:
Type help or &#039;?&#039; for a list of available commands.
TID&gt; en
Password: ******
TID# sh run
: Saved
:
ASA Version 8.3(1)
!
hostname TID
enable password hNoJA51JsYfVzHT6 encrypted
passwd hNoJA51JsYfVzHT6 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.200 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network remote
 host 192.168.1.199
object network https
 host 192.168.1.199
object network http
 host 192.168.1.199
object network smtp
 host 192.168.1.199
object network pop3
 host 192.168.1.199
object network imap
 host 192.168.1.199
object network 81
 host 192.168.1.197
object network 82
 host 192.168.1.197


access-list internet_access_in extended permit icmp any any
access-list lan_access_in extended permit icmp any any
access-list 100 extended permit icmp any any echo-reply
access-list Internal_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list External_access_in extended permit icmp any any echo-reply
access-list External_access_in extended permit icmp any interface outside time-exceeded
access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list External_access_in extended permit tcp any interface outside eq https
access-list External_access_in extended permit tcp any interface outside eq www
access-list External_access_in extended permit tcp any interface outside eq imap4
access-list External_access_in extended permit tcp any interface outside eq smtp
access-list External_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199 eq 3389


pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any management
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400

!
object network obj_any
 nat (inside,outside) dynamic interface


object network remote
 nat (inside,outside) static interface service tcp 3389 3389
object network https
 nat (inside,outside) static interface service tcp https https
object network http
 nat (inside,outside) static interface service tcp www www
object network smtp
 nat (inside,outside) static interface service tcp smtp smtp
object network pop3
 nat (inside,outside) static interface service tcp pop3 pop3
object network imap
 nat (inside,outside) static interface service tcp imap4 imap4
object network 81
 nat (inside,outside) static interface service tcp 81 81
object network 82
 nat (inside,outside) static interface service tcp 82 82
access-group External_access_in in interface outside
access-group Internal_access_in in interface inside



route outside 0.0.0.0 0.0.0.0 192.168.1.200 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 203.162.0.181
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username tidadmin password z.LOsU12wSFTyd4m encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:80467bad3c53ad2084876331274a7779
: end</description>
		<content:encoded><![CDATA[<p>Hi,</p>
<p>Can anyone please help with what went wrong in this config? The webserver is accessible from outside but not from inside using the FQDN; I can only access the webserver from inside using the internal IP address but not with the public address. I tried with my old non-Cisco firewall and it works fine. Please help. Thanks&#8230;</p>
<p>User Access Verification</p>
<p>Password:<br />
Type help or &#8216;?&#8217; for a list of available commands.<br />
TID&gt; en<br />
Password: ******<br />
TID# sh run<br />
: Saved<br />
:<br />
ASA Version 8.3(1)<br />
!<br />
hostname TID<br />
enable password hNoJA51JsYfVzHT6 encrypted<br />
passwd hNoJA51JsYfVzHT6 encrypted<br />
names<br />
!<br />
interface Ethernet0/0<br />
 nameif outside<br />
 security-level 0<br />
 ip address x.x.x.x 255.255.255.0<br />
!<br />
interface Ethernet0/1<br />
 nameif inside<br />
 security-level 100<br />
 ip address 192.168.1.200 255.255.255.0<br />
!<br />
interface Ethernet0/2<br />
 shutdown<br />
 no nameif<br />
 no security-level<br />
 no ip address<br />
!<br />
interface Ethernet0/3<br />
 shutdown<br />
 no nameif<br />
 no security-level<br />
 no ip address<br />
!<br />
interface Management0/0<br />
 nameif management<br />
 security-level 100<br />
 no ip address<br />
 management-only<br />
!<br />
ftp mode passive<br />
object network obj_any<br />
 subnet 0.0.0.0 0.0.0.0<br />
object network remote<br />
 host 192.168.1.199<br />
object network https<br />
 host 192.168.1.199<br />
object network http<br />
 host 192.168.1.199<br />
object network smtp<br />
 host 192.168.1.199<br />
object network pop3<br />
 host 192.168.1.199<br />
object network imap<br />
 host 192.168.1.199<br />
object network 81<br />
 host 192.168.1.197<br />
object network 82<br />
 host 192.168.1.197</p>
<p>access-list internet_access_in extended permit icmp any any<br />
access-list lan_access_in extended permit icmp any any<br />
access-list 100 extended permit icmp any any echo-reply<br />
access-list Internal_access_in extended permit ip 192.168.1.0 255.255.255.0 any<br />
access-list External_access_in extended permit icmp any any echo-reply<br />
access-list External_access_in extended permit icmp any interface outside time-exceeded<br />
access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0<br />
access-list External_access_in extended permit tcp any interface outside eq https<br />
access-list External_access_in extended permit tcp any interface outside eq www<br />
access-list External_access_in extended permit tcp any interface outside eq imap4<br />
access-list External_access_in extended permit tcp any interface outside eq smtp<br />
access-list External_access_in extended permit tcp any interface outside eq pop3<br />
access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199 eq 3389</p>
<p>pager lines 24<br />
logging enable<br />
logging asdm informational<br />
mtu outside 1500<br />
mtu inside 1500<br />
mtu management 1500<br />
icmp unreachable rate-limit 1 burst-size 1<br />
icmp permit any outside<br />
icmp permit any inside<br />
icmp permit any management<br />
asdm image disk0:/asdm-631.bin<br />
no asdm history enable<br />
arp timeout 14400</p>
<p>!<br />
object network obj_any<br />
 nat (inside,outside) dynamic interface</p>
<p>object network remote<br />
 nat (inside,outside) static interface service tcp 3389 3389<br />
object network https<br />
 nat (inside,outside) static interface service tcp https https<br />
object network http<br />
 nat (inside,outside) static interface service tcp www www<br />
object network smtp<br />
 nat (inside,outside) static interface service tcp smtp smtp<br />
object network pop3<br />
 nat (inside,outside) static interface service tcp pop3 pop3<br />
object network imap<br />
 nat (inside,outside) static interface service tcp imap4 imap4<br />
object network 81<br />
 nat (inside,outside) static interface service tcp 81 81<br />
object network 82<br />
 nat (inside,outside) static interface service tcp 82 82<br />
access-group External_access_in in interface outside<br />
access-group Internal_access_in in interface inside</p>
<p>route outside 0.0.0.0 0.0.0.0 192.168.1.200 1<br />
timeout xlate 3:00:00<br />
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02<br />
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00<br />
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00<br />
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute<br />
timeout tcp-proxy-reassembly 0:01:00<br />
dynamic-access-policy-record DfltAccessPolicy<br />
http server enable<br />
http 192.168.1.0 255.255.255.0 management<br />
http 192.168.1.0 255.255.255.0 inside<br />
no snmp-server location<br />
no snmp-server contact<br />
snmp-server enable traps snmp authentication linkup linkdown coldstart<br />
crypto ipsec security-association lifetime seconds 28800<br />
crypto ipsec security-association lifetime kilobytes 4608000<br />
telnet 0.0.0.0 0.0.0.0 outside<br />
telnet 192.168.1.0 255.255.255.0 inside<br />
telnet timeout 5<br />
ssh timeout 5<br />
console timeout 0<br />
dhcpd dns 203.162.0.181<br />
!<br />
threat-detection basic-threat<br />
threat-detection statistics access-list<br />
no threat-detection statistics tcp-intercept<br />
webvpn<br />
username tidadmin password z.LOsU12wSFTyd4m encrypted privilege 15<br />
!<br />
class-map inspection_default<br />
 match default-inspection-traffic<br />
!<br />
!<br />
policy-map type inspect dns preset_dns_map<br />
 parameters<br />
  message-length maximum client auto<br />
  message-length maximum 512<br />
policy-map global_policy<br />
 class inspection_default<br />
  inspect dns preset_dns_map<br />
  inspect ftp<br />
  inspect h323 h225<br />
  inspect h323 ras<br />
  inspect rsh<br />
  inspect rtsp<br />
  inspect esmtp<br />
  inspect sqlnet<br />
  inspect skinny<br />
  inspect sunrpc<br />
  inspect xdmcp<br />
  inspect sip<br />
  inspect netbios<br />
  inspect tftp<br />
  inspect ip-options<br />
!<br />
service-policy global_policy global<br />
prompt hostname context<br />
Cryptochecksum:80467bad3c53ad2084876331274a7779<br />
: end</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tamadite</title>
		<link>http://www.networkstraining.com/how-to-configure-a-cisco-asa-5510-firewall-basic-configuration-tutorial/comment-page-1/#comment-2210</link>
		<dc:creator>Tamadite</dc:creator>
		<pubDate>Tue, 14 Jun 2011 20:22:18 +0000</pubDate>
		<guid isPermaLink="false">http://www.networkstraining.com/?p=463#comment-2210</guid>
		<description>Well, somehow I got it to work. Don&#039;t ask me why, because I have read in many places that it is not possible. What I tried is DNS doctoring. With the solution given in comment #66 I can reach the web server in the DMZ from inside using the URL only, not via the real IP (the web server IP in the DMZ). Now with the solution I give below I can reach the web server in the DMZ from inside using both the URL and the real web server IP in the DMZ.

object network web_dmz_inside
 host 172.16.1.2
nat (dmz,outside) static interface dns

The strangest thing is that I am using PAT, and from what I have read it should not work either.

I thought about modifying the local hosts file on my inside clients, but only as a last resort. Now, unless I am doing something really stupid, I will keep it like this.

Please advise.</description>
		<content:encoded><![CDATA[<p>Well, somehow I got it to work. Don&#8217;t ask me why, because I have read in many places that it is not possible. What I tried is DNS doctoring. With the solution given in comment #66 I can reach the web server in the DMZ from inside using the URL only, not via the real IP (the web server IP in the DMZ). Now with the solution I give below I can reach the web server in the DMZ from inside using both the URL and the real web server IP in the DMZ.</p>
<p>object network web_dmz_inside<br />
 host 172.16.1.2<br />
nat (dmz,outside) static interface dns</p>
<p>The strangest thing is that I am using PAT, and from what I have read it should not work either.</p>
<p>I thought about modifying the local hosts file on my inside clients, but only as a last resort. Now, unless I am doing something really stupid, I will keep it like this.</p>
<p>Please advise.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

