First attempt configuring ASA 5510 and desperately needing assistance

Status
Not open for further replies.

Plethora

Technical User
Jan 15, 2010
6
US
Our network guy was terminated and I've been tasked with configuring a new ASA as soon as possible. I have very limited experience but with some help I'm sure I can get it up.

I have a Cisco ASA 5510 with version 7.0 running. The device currently only has a port opened for an FTP server. I need to configure it so that I can access the Internet from inside as well as allow remote access VPN into the network with Active Directory user authentication. I've downloaded Cisco's CLI configuration guide but there's just so much in there that it confuses the heck out of me. I think most of the stuff doesn't pertain to what I need. I'm scheduled for some Cisco training in two weeks but in the meantime I'm really hoping one of you nice folks could help me out. It would be sincerely appreciated.

Here's my current config:


ASA Version 7.0(7)
!
hostname myciscoasa
domain-name MY-DOMAIN
enable password 4IV.065LOTN9aGJT encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 209.xxx.xx.xxx 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.48.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd M9cxT1S8fTjV5618 encrypted
ftp mode passive
access-list 101 extended permit ip 192.168.48.0 255.255.255.0 10.100.10.0 255.255.255.0
access-list 102 extended permit tcp any host 209.xxx.xx.xxx eq 22
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
ip local pool myvpnpool 10.100.10.1-10.100.10.254
no failover
icmp deny any outside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 1 10.100.10.0 255.255.255.0
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 209.xxx.xx.xxx 192.168.48.252 netmask 255.255.255.255
access-group 102 in interface outside
route outside 0.0.0.0 0.0.0.0 209.xxx.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy MY-DOMAIN internal
group-policy MY-DOMAIN attributes
 wins-server value 192.168.48.2
 dns-server value 192.168.48.2
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 default-domain value MY-DOMAIN
 secure-unit-authentication disable
 nem enable
 webvpn
username asauser password zg.0S79DBanhNdv3 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 43200
tunnel-group myvpngroup type ipsec-ra
tunnel-group myvpngroup general-attributes
 address-pool myvpnpool
tunnel-group myvpngroup ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.48.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
Cryptochecksum:6f5fecc6174760c62cb1ab6a6626be3e
 
Have you downloaded ASDM? This will help you out; it is far more forgiving than CLI.

Other than that I would suggest My Cisco community for more information. Hopefully you have a CCO login.



[americanflag] Go Army!
Tek-TIP Member 19,650
CCNA, CCNA Voice, CCNP, CCVP
Avaya IP Office 500, CS1000
 
Or go to the ASA forum here at Tek-Tips. This is Cisco routers...


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 