
remote access for an ASA 5510???

Status
Not open for further replies.

eiregobragh

Technical User
Oct 15, 2008
75
IE
Guys,
on site at the moment and trying to set up remote access for my newly installed 5510 ASA. Problem is I can't ping my outside public IP address from the internet even though I've allowed ICMP.

My goal is to have remote access to the ASA via the internet so I don't have to come back to the data centre.

Any tips? Am I missing something basic?

Thanks a MILLION

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
can you post your current config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here you go:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(4)
!
hostname ASA001
domain-name celerity.com
enable password V0RU7zDAC6ofTFw3 encrypted
passwd V0RU7zDAC6ofTFw3 encrypted
names
!
interface Ethernet0/0
nameif failover
security-level 0
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.200 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 84.51.225.9 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner exec Celerity Cisco ASA 5510
banner login Celerity Cisco ASA 5510
banner motd Celerity Cisco ASA 5510
banner asdm Celerity Cisco ASA 5510
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name celerity.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu failover 1500
mtu outside 1500
no failover
failover lan unit primary
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
!
router rip
passive-interface inside
passive-interface outside
passive-interface management
version 2
!
route outside 0.0.0.0 0.0.0.0 84.51.225.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 management
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.255 management
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.3-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username paulkil password bltvC6XEsTM4t.Hn encrypted privilege 15
username tommonks password 4jeyc0Y7wDv6nia2 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a7d87492994abf1b8ebfdbd6e6263541
: end

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
what kind of remote access are you looking for; ipsec, ssl, or simply passthrough of RDP/VNC to a host on the inside??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
just so you know, this is a security risk

add the following:
Code:
ASA(config)# ssh <management_ip> 255.255.255.255 outside
ASA(config)# http <management_ip> 255.255.255.255 outside
I would disable any and all telnet access to the device

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks so much.

Just to be clear;

ssh <management_ip> 255.255.255.255 outside

where <management_ip> is the IP address of the management interface???

I'm off site now so I'll try again tomorrow.

Thanks again :)

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
sorry, I meant to include more direction. the IP(s) that you allow to connect for SSH/HTTPS should be defined here. lock this down as much as possible.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi,
for some reason it started working via HTTPS and ASDM without me changing anything. Weird!!!

Thanks for your help though :)



Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 
yep, the http 0.0.0.0 0.0.0.0 outside line enables anyone to access your device from the outside...HUGE security risk, HUGE

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
actually, http is https in this sense (kinda confusing). if you know the source IPs that you will be remotely accessing the device from, I would put those in. for example, if I know I will be managing this device from home and my IP is 12.12.12.1 I would put http 12.12.12.1 255.255.255.255 outside. obviously remove the http 0.0.0.0 0.0.0.0 outside statement. this will make it more secure.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
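The two pieces of advice above (pin `ssh`/`http` on the outside interface to specific management hosts, drop the `http 0.0.0.0 0.0.0.0 outside` line, and remove telnet entirely) can be turned into a repeatable check. The following script is an added example written for this page; it is not from the thread, from Tek-Tips or from Cisco. It parses the `http`, `ssh` and `telnet` access statements out of a `show running-config` dump, looks up each interface's `security-level`, and reports entries that expose the management plane. The exposure rules (any-source entry, non-/32 entry on a security-level-0 interface, any telnet) and all function names are the example's own assumptions; the "posted" sample is an excerpt of the config quoted earlier in the thread and the "hardened" sample is constructed using the 12.12.12.1 address from the reply above.

```python
"""Audit an ASA running-config for over-exposed management access.

Added example for this thread (not the poster's or Cisco's code).
Flags: management access open to any source, access from a whole
network on a security-level-0 (untrusted) interface, and any telnet.
"""
import ipaddress
import re

# <service> <source-ip> <source-mask> <interface>, e.g. "http 0.0.0.0 0.0.0.0 outside"
ACCESS_RE = re.compile(
    r"^(http|ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)
IFACE_RE = re.compile(r"^interface\s+\S+")
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)")
SECLVL_RE = re.compile(r"^security-level\s+(\d+)")


def interface_security_levels(config):
    """Map each nameif to its security-level by walking the interface stanzas."""
    levels = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if IFACE_RE.match(line):
            current = None          # new stanza; nameif not seen yet
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SECLVL_RE.match(line)
        if m and current is not None:
            levels[current] = int(m.group(1))
    return levels


def audit_management_access(config):
    """Return a list of human-readable findings; an empty list means clean."""
    levels = interface_security_levels(config)
    findings = []
    for raw in config.splitlines():
        m = ACCESS_RE.match(raw.strip())
        if not m:
            continue
        service, ip, mask, iface = m.groups()
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        if service == "telnet":
            findings.append(f"telnet enabled on {iface} ({net}): cleartext management protocol")
            continue
        if net.prefixlen == 0:
            findings.append(f"{service} open to any source on {iface}")
        # Unknown interfaces are treated as untrusted (level 0).
        elif levels.get(iface, 0) == 0 and net.prefixlen < 32:
            findings.append(
                f"{service} on untrusted interface {iface} allows whole network {net}; pin to /32 hosts"
            )
    return findings


# Excerpt of the running-config posted in the thread.
POSTED_CONFIG = """\
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.200 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 84.51.225.9 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 management
telnet 192.168.1.0 255.255.255.0 management
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.255 management
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
"""

# Constructed hardened variant: outside access pinned to one host, telnet removed.
HARDENED_CONFIG = POSTED_CONFIG.replace(
    "http 0.0.0.0 0.0.0.0 outside", "http 12.12.12.1 255.255.255.255 outside\n"
    "ssh 12.12.12.1 255.255.255.255 outside"
)
HARDENED_CONFIG = "\n".join(
    l for l in HARDENED_CONFIG.splitlines() if not l.startswith("telnet ")
) + "\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_management_access(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the posted excerpt it reports the any-source `http` entry on `outside` and both `telnet` lines; the hardened variant comes back clean. The script does not need to know the public address of the box, so it can be run on any archived config dump as a change-control check.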
 
OK thanks very much. Unfortunately my ISP assigns IP addresses via DHCP so it changes every so often. Though what you say makes total sense.

Thanks,

Paul Kilcoyne B. Eng.
Innealtóir/ Engineer

 