adding asa 5510 2

coj0nes (IS-IT--Management), Jul 14, 2007
I'm trying to set up an ASA 5510 on our existing network as the first step to establish an EasyVPN, NEM site-to-site type setup. This is kind of a lab exercise; I have my CCNA test coming up and I want to try to learn by doing, so any help would be great (you may think this is beyond my level, but that's fine, I'm still trying to learn it).

I figured the first step would be to configure the ASA as a firewall/router and then install the VPN after that. (Our system used to use a Server 2003 RRAS box to NAT, so I figured it would be best to use the ASA for that instead.)
This is my first firewall install, so I researched it a bit and read a bunch of the white papers and setup guides, but I can't figure out where I went wrong.

I know some of this may sound mundane, but I want to show you my assumptions first, in case I missed a no-brainer (it is late here) ;)

Background/Assumptions:

Since I'm using the DSL modem in bridge mode (I think this makes the most sense) the outside interface on the ASA should be my Public IP, and is connected directly to the DSL modem.

Inside address is a local IP on the LAN and is connected to a switch port.

Configured NAT as I read in several examples.

Set my PC's NIC to take the ASA as the gateway, and that didn't work, so I set the PC to use the ASA as the gateway and the DNS server and that got me some webpages, but then it stopped working.

Here's my running config, let me know what you think. Like I said, it's getting late and I've tried the CLI and ASDM each a few times; what am I missing?

Thanks!
- John


centurion(config)# show running-config
: Saved
:
ASA Version 7.0(6)
!
hostname centurion
domain-name example.com
enable password xxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.20.123.456 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.123.456 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif Management
security-level 0
ip address 192.168.123.456 255.255.255.0
management-only
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 192.168.0.0 255.255.255.0 192.168
255.255.0
access-list Outside_access_in extended permit tcp any any inactive
access-list inside_access_in extended permit tcp any any inactive
pager lines 24
mtu inside 1500
mtu Outside 1500
mtu Management 1500
mtu dmz 1500
no failover
icmp permit any inside
icmp permit any echo-reply Outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) 70.20.123.0 192.168.0.0 netmask 255.25
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 70.20.123.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.123.456 255.255.255.255 inside
http 192.168.0.123 456.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
 
You are missing the corresponding global to your NAT, and your static is not right.

take this out
static (inside,Outside) 70.20.123.0 192.168.0.0 netmask
and put in
global (outside) interface

give that a try

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
I took out the static and that didn't seem to help. I noticed I already had a global (outside) 1 interface. I'm fairly certain that's what you were talking about adding, correct? Or am I still missing something fundamental?

Thanks for the help so far.
John

Latest running config:
centurion(config)# show running-config
: Saved
:
ASA Version 7.0(6)
!
hostname centurion
domain-name example.com
enable password xxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 70.20.123.456 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.123.456 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif Management
security-level 0
ip address 192.168.123.456 255.255.255.0
management-only
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 192.168.0.0 255.255.255.0 192.168
255.255.0
access-list Outside_access_in extended permit tcp any any inactive
access-list inside_access_in extended permit tcp any any inactive
pager lines 24
mtu inside 1500
mtu Outside 1500
mtu Management 1500
mtu dmz 1500
no failover
icmp permit any inside
icmp permit any echo-reply Outside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 70.20.123.205 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.123.456 255.255.255.255 inside
http 192.168.0.123 456.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
: end
 
Your inside ACL is blocking dns. Go ahead and take it off. All traffic is allowed by default so there is no need for
access-group inside_access_in in interface inside



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
OK, that helped; in fact now DNS translation is working. It's nice to see some favorable entries in the syslog.

Alright, now I'm having problems forwarding to the I'll post the config, but the problem according to syslogs is: tcp access denied by acl from foreign.IP.addr.ess/someport to outside 70.20.123.456/80.

So the problem is still the ACL. I tried adding the security permission via ASDM, and then tried tweaking it via CLI, and came up with this running config:
<see below>

Why is the ASA (the ACL specifically) blocking access to the outside interface?

Thanks again for helping me learn this, I truly appreciate it. I think this is the first time in a while I've been humbled by microcircuitry. Let me know if you think I should make this a new post.

-John


centurion(config)# show running-config
: Saved
:
ASA Version 7.0(6)
!
hostname centurion
domain-name 4windsconcrete.com
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 70.20.123.456 255.0.0.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.123.456 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns name-server 71.242.0.12
dns name-server 71.252.0.12
access-list outside_access_in remark Web Traffic
access-list outside_access_in extended permit tcp any eq 192.168.123.7 eq www
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 192.168.123.456 / user ****
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.123.7 192.168.123.7 netmask 255.255.255.255
access-group interface outside
route outside 0.0.0.0 0.0.0.0 70.20.123.456 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.123.0 255.255.255.0 management
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum: xxxxxxxxxxxxxx
: end
 
Your ACL and static are off.

access-list outside_access_in extended permit tcp any eq 192.168.123.7 eq www
should be
access-list outside_access_in extended permit tcp any interface outside eq www

and this
static (inside,outside) 192.168.123.7 192.168.123.7 netmask 255.255.255.255
should be
static (inside,outside) 70.20.123.456 192.168.123.7 netmask 255.255.255.255



Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,
OK, those posted changes made complete sense. I tried them and I'm still getting ACL denied in the logging:

71003: TCP access denied by ACL from 123.456.123.456/3677 to outside 70.20.123.456/80

I'll post the running config again. Thanks a ton for your help; I can't seem to understand where these ACL rules are coming from. There are only 4 ACL parameters in my config, two of them are remarks, and one is a "let anything into the webserver" line. This gets bang-head-on-the-desk frustrating fast. Haha


: Saved
:
ASA Version 7.0(6)
!
hostname centurion
domain-name 4windsconcrete.com
enable password eefm3o4r.fTcffIq encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 70.20.195.205 255.0.0.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.13 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns name-server 71.242.0.12
dns name-server 71.252.0.12
object-group service TruckTracking udp
description Command Alkon Truck Tracking
port-object range 2100 2100
access-list outside_access_in remark Web Traffic
access-list outside_access_in remark Command Alkon Truck tracking
access-list outside_access_in extended permit udp any object-group TruckTracking host 192.168.0.6 object-group TruckTracking
access-list outside_access_in extended permit tcp any interface outside eq www
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 192.168.0.7 / root ****
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.0.6 192.168.0.6 netmask 255.255.255.255
static (inside,outside) 70.20.195.205 192.168.0.7 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.20.195.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 management
http 131.122.117.138 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a9b99969d9dd8921fc7e9934b1ad63ef
: end
 
access-list outside_access_in extended permit udp any object-group TruckTracking host 192.168.0.6 object-group TruckTracking
access-list outside_access_in extended permit tcp any interface outside eq www
static (inside,outside) 192.168.0.6 192.168.0.6 netmask 255.255.255.255
static (inside,outside) 70.20.195.205 192.168.0.7 netmask 255.255.255.255

Is this in a production environment, or a lab environment?

You can't static 192.168.0.6 to itself and expect it to be reachable on the internet.
 
You have to remove this static
static (inside,outside) 192.168.0.6 192.168.0.6 netmask 255.255.255.255

Make sure you are using the proper IPs and the web server is on and reachable.

You can try changing the ACL to use the IP instead of the interface
access-list outside_access_in extended permit tcp any host [EXTERNAL_IP] eq www


Brent
Systems Engineer / Consultant
CCNP, CCSP
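
An added checker, not anything posted in this thread, that reads an ASA 7.x running-config and flags the NAT/ACL mistakes Brent diagnosed above: an access-group whose ACL has only inactive entries (the implicit deny that ate the inside DNS lookups), an `eq` operator followed by an address, a static that maps an inside host to itself, an ACL bound on a security-level-0 interface that names an RFC 1918 address (pre-8.3 ACLs match the mapped address), and an access-group pointing at an ACL that does not exist. The embedded config is a constructed cut-down of the ones posted here; the `static (inside,outside) tcp interface www ...` line is my assumption of the single-address port-redirection form the thread is working toward, included so the checker is seen to let it through.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a cut-down mix of the configs posted in this thread, using
# the thread's own placeholder addresses. Not a real device configuration.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
access-list inside_access_in extended permit tcp any any inactive
access-list outside_access_in remark Web Traffic
access-list outside_access_in extended permit tcp any eq 192.168.123.7 eq www
access-list outside_access_in extended permit tcp any host 192.168.0.6 eq www
access-list outside_access_in extended permit tcp any interface outside eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 192.168.0.6 192.168.0.6 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.123.7 www netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(?:permit|deny) (.+)$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) netmask")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _is_private(addr):
    """True for RFC 1918 / non-routable addresses, False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def lint_asa_config(text):
    """Return a list of 'CODE detail' strings for the given running-config text."""
    findings = []
    aces = defaultdict(list)   # ACL name -> [(entry body, active?)]
    groups = []                # (ACL name, interface) from access-group lines
    edge_ifaces = set()        # nameifs configured with security-level 0
    current_nameif = None

    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            current_nameif = line.split()[1]
        elif line.startswith("security-level ") and current_nameif:
            if line.split()[1] == "0":
                edge_ifaces.add(current_nameif)
        elif m := ACE_RE.match(line):
            name, body = m.groups()
            aces[name].append((body, not body.endswith(" inactive")))
            # 'eq' takes a port; an address after it means the entry is malformed
            if re.search(r"\beq \d+(?:\.\d+){3}\b", body):
                findings.append(f"ACE-PORT-IS-ADDRESS {name}: {body}")
        elif m := STATIC_RE.match(line):
            real_ifc, mapped_ifc, mapped_ip, real_ip = m.groups()
            # A private address translated to itself is never reachable from outside
            if mapped_ip == real_ip and _is_private(real_ip):
                findings.append(f"STATIC-IDENTITY-PRIVATE ({real_ifc},{mapped_ifc}) {real_ip}")
        elif m := GROUP_RE.match(line):
            groups.append(m.groups())

    for name, ifc in groups:
        entries = aces.get(name, [])
        if not entries:
            findings.append(f"ACL-UNDEFINED {name} bound on {ifc}")
            continue
        if not any(active for _, active in entries):
            # Nothing active: the implicit deny drops all traffic (inside DNS included)
            findings.append(f"ACL-ALL-INACTIVE {name} bound on {ifc}")
        if ifc in edge_ifaces:
            for body, active in entries:
                # Pre-8.3 ACLs match the mapped address, so an inside RFC 1918
                # host named in an outside ACL can never match
                if active and any(_is_private(a) for a in IPV4_RE.findall(body)):
                    findings.append(f"ACE-REAL-ADDR-ON-EDGE {name}: {body}")
    return findings
```

Run `lint_asa_config(SAMPLE_CONFIG)` against the sample to see all five finding codes; the `interface outside eq www` entry and the port-redirection static produce none.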
 
Brian/ Brent:

I took that static (that pointed to itself) out of there after posting the other day; that was one of those "hey, let's try this and see if it helps" attempts. It obviously didn't. I tried removing it and that didn't help either; I'm still getting the ACL denied message in syslog.

Brent:

I have been using the correct IP (yup, just double checked again) and the server is live; I can hit it from inside using the static IP. The ASA also can ping its address.

I tried specifying the ACL with the IP and it seemed to make no change.

I tried some other things with the ACL and I noticed on the running config that there was a line:
access-group outside_access_in in interface outside

The only other option there was allowing a per-user override, and I'm not sure what that is, but I don't think it's what I need.

access-group outside_access_in in interface outside

I tried removing that and obviously it removed all the ACL lines that referenced the "outside_access_in" group, so that didn't help. Is the above access-group line correct? I think it is, but maybe worth looking at.

At this point, would it be easier to move the webserver to a DMZ network and configure it that way? I didn't want to at first, because I thought it would be easier to configure in the simplest way first. I guess in the end it really doesn't matter; I still need to figure out how to port forward through the firewall.

Thanks again for looking, you guys are really good at helping out here.
-John
 
Also, in searching around I learned about conduit commands. These are for earlier versions of the PIX firmware, right? Not what I'm looking for here, I think, but I wanted to ask.

-John
 
No conduits - not as good as ACLs and they aren't avail. after 6.3.
Repost your current config.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
VPN/PIX are not within the test objectives for the CCNA certification; you are filling your brain with clutter at this point. There are way too many other important topics to remember without overfilling your brain.

Go to the Cisco CCNA prep center and review the test objectives.

Router NAT is within the range of objectives; firewall NAT will get you started on a basic understanding, but NAT between routers is a bit different.

Sorry to be so harsh; it is a tough test. Focus on, study, and know the required material and you will do fine.
 
David,

Thanks for your input, and I don't think you were too harsh. I realize now that VPN/PIX was probably a little deep to start. Randomly, I found out today that the test center I was signed up with to test on Aug 2nd ended their relationship with Cisco as of 1 Aug. So I guess I have some time now, since I can't find another center anywhere close.

I realize the test is hard, but honestly, even beating my head against the wall here, I feel like I have learned a ton. (Maybe not the most effective way to learn, but I'm doubling and stabilizing a production environment as well.)

First off let me say:

**************
my fault

I didn't help you help me when I forgot to tell you I am only using 1 static outside IP, and I'm attempting to use PAT and port forwarding via the ASA to direct traffic where I need it.

I'm not sure if that changes the approach. I think it does change the problem a little, and here's the most developed config I've got.
<see below>

I got rid of the ACL denial, then briefly experienced a SYN flag denial; now I've cleared that and I'm getting a denied request by access-group "outside_access_in".

Any thoughts?

-John

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(6)
!
hostname centurion
domain-name 4windsconcrete.com
enable password xxxxxxxxxxxx encrypted
names
name 192.168.123.7 florence description Webserver
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 70.20.123.xxx 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.123.13 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd xxxxxxxxxxxxx encrypted
!
time-range Always
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns name-server 71.242.0.12
dns name-server 71.252.0.12
object-group service TruckTracking udp
description Command Alkon Truck Tracking
port-object range 2100 2100
access-list outside_access_in extended permit tcp any eq 70.20.123.yyy eq www
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
logging ftp-server florence / user ****
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 70.20.123.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.xxx.xxx 255.255.255.0 management
http 70.xxx.xxx.xxx 255.255.0.0 outside
http 131.122.xxx.0 255.255.255.0 outside
http 192.168.xxx.xxx 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 192.168.xxx.xxx source inside prefer
Cryptochecksum:
: end
 
Change your ACL.

Delete the old one and use this
access-list outside_access_in extended permit tcp any interface outside eq www

Actually having a project/goal is the best for learning. I got most of my knowledge from having to figure stuff out for a live environment. Necessity is the mother of invention - and learning.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Sorry to intermingle thoughts here.

CCNA focus: the current exam expires on 11/1/2007. You have something like 100 days to pass the test, or it's back to ground zero, with additional topics on Wireless, Security, IPv6....
 
David - Thanks for the heads up. I'll have to knock it out by then; I guess if I don't, it wouldn't hurt to learn all those new things, since wireless and IPv6 are where networking will end up eventually. I guess the downside is I'll have to reinvest in the $40 a pop textbooks. Gotta spend money to make money I guess...

Alright, so back to the ASA. I messed around with it and I got port redirection to work for things like pcAnywhere and the big brother GPS tracking we have passed on UDP ports.

What threw me off with the webserver was that before, using NAT/RRAS on a Server 2k3 box, the Linux server was fine and was visible on the LAN and on the public network.

Once I added the ASA, no web traffic in (even with the advice you gave me, which did exactly what it was supposed to); still no outside ability. Inside, still visible.

So I kicked the logging up to debugging and noticed that once the traffic was passed through the firewall, the TCP connection was reset due to a SYN timeout. After doing some searching, I think this just might be a Linux interaction issue.

I guess the only reason I'm posting now is to ask if you've seen that issue before and know of the fix. It's just strange that there was no timeout without the ASA, and I can't find a setting anywhere to fix it.

FYI, the TCP connection is closed after 30 seconds. I know the SYN timeout on Linux is usually defaulted at 30s, so that's why I think that's the issue.

Let me know what you think, and thanks so much for helping out. I can't tell you how much I learned through all that. Maybe next week I'll get some sleep. I guess it's back to studying the content for the CCNA, until I get bored of that and set the VPN up, that is.

-John

Running-Config (and thankfully also the start-up config)

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(6)
!
hostname centurion
domain-name 4windsconcrete.com
enable password encrypted
names
name 192.168.123.7 florence description Wedserver
name 192.168.123.6 signal description Truck Tracking Server
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 70.20.xxx.yyy 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.123.13 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
!
passwd xxxxxx encrypted
!
time-range Always
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns name-server 71.242.0.12
dns name-server 71.252.0.12
object-group service TruckTracking udp
description Command Alkon Truck Tracking
port-object range xxxxx xxxxx
object-group service PC-Anywheretcp tcp
port-object range pcanywhere-data pcanywhere-data
access-list 101 extended permit udp any eq pcanywhere-status interface outside eq pcanywhere-status
access-list 101 extended permit tcp any eq pcanywhere-data host interface outside eq pcanywhere-data
access-list 101 extended permit tcp any eq outside eq www
access-list 101 extended permit udp any interface outside
access-list inside_nat0_outbound extended permit ip host 192.168.123.5 any
pager lines 24
logging enable
logging asdm debugging
logging from-address centurion@4windsconcrete.com
logging recipient-address username@usna.edu level errors
logging ftp-bufferwrap
logging ftp-server florence /root/ciscolog root ****
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data rome pcanywhere-data netmask 255.255.255.255
static (inside,outside) udp interface pcanywhere-status rome pcanywhere-status netmask 255.255.255.255
static (inside,outside) udp interface xxxxx signal xxxxx netmask 255.255.255.255
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 70.20.195.1 1
route inside signal 255.255.255.255 192.168.123.13 1
route inside rome 255.255.255.255 192.168.123.13 1
route inside florence 255.255.255.255 192.168.123.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.123.0 255.255.255.0 management
http 70.22.0.0 255.255.0.0 outside
http 131.122.123.0 255.255.255.0 outside
http 192.168.123.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server rome source inside prefer
smtp-server florence
Cryptochecksum:42cc67764f764d78d617516171751137
: end
 
Sounds like you figured it out. Just a question - how did you make these ACLs? The format looks off and I am not sure how the ASA accepted it.
Generally it is of the form
access-list [name] permit [tcp/udp] [source] [destination] eq [port#]

I have never seen the format you have entered
access-list 101 extended permit udp any eq pcanywhere-status interface outside eq pcanywhere-status
It looks more like the format of the static.

Just curious.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Brent,

Since I was accessing the ASA remotely (I had someone on site allow a single specific IP on the outside for management), I accessed it with the ASDM web (Java) interface. I used the embedded CLI tool and made my ACLs that way. Once I would exit out of the CLI, the ASDM would do its refresh thing and then my ACLs were different.

Same thing would happen when I used the ASDM GUI page to define ACLs. I guess the ASDM is just formatting the commands the way it thinks they should be. Thanks a ton for the help you provided. Once I straighten out my webserver I'll be extremely happy.

Thanks again I owe you a beer
 
Try to use the CLI via SSH. The ASDM is pretty and all, but I am never sure what it is doing so I don't trust it.

Well if you are ever in LA. :) Good luck on your CCNA.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 