Friday, January 23rd, 2009 at
2:23 pm
Question:
Hello,
I want to enable access to server on ip address: 192.168.100.30 on port 22 located in inside interface from internet (outside)
We have ASA 5520 Cisco Adaptive Security Appliance Software Version 8.0(2)
My config (only relevant lines):
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
!
interface GigabitEthernet0/1
nameif DMZ
security-level 50
ip address 172.146.147.1 255.255.255.248 standby 172.146.147.2
!
interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address 192.168.200.3 255.255.255.0 standby 192.168.200.2
.
.
access-list Inside_access_in extended permit ip 192.168.100.30 any
access-list Inside_access_in extended deny ip any any
.
.
access-list Outside_access_in extended permit tcp any host 172.146.147.15 eq ssh
access-list Outside_access_in extended deny ip any any
.
.
global (Outside) 1 172.146.147.11 netmask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 10.1.33.0 255.255.255.0
nat (Inside) 1 10.1.34.0 255.255.255.0
nat (Inside) 1 10.1.35.0 255.255.255.0
nat (Inside) 1 10.1.36.0 255.255.255.0
nat (Inside) 1 10.1.39.0 255.255.255.0
nat (Inside) 1 10.1.41.0 255.255.255.0
nat (Inside) 1 10.1.42.0 255.255.255.0
nat (Inside) 1 10.1.44.0 255.255.255.0
nat (Inside) 1 10.1.99.0 255.255.255.0
nat (Inside) 1 10.40.2.0 255.255.255.0
nat (Inside) 1 10.40.24.0 255.255.255.0
nat (Inside) 1 192.168.100.0 255.255.255.0
nat (Inside) 1 192.168.250.0 255.255.255.0
nat (Inside) 1 192.168.96.0 255.255.248.0
static (Inside,Outside) tcp 172.146.147.15 ssh 192.168.100.30 ssh netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group DMZ_access_in in interface DMZ
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 172.146.147.14 1
route Inside 10.0.0.0 255.0.0.0 192.168.200.1 1
route Outside 172.16.101.72 255.255.255.252 195.146.147.14 1
route Inside 192.168.0.0 255.255.0.0 192.168.200.1 1
.
.
When i type telnet 172.146.147.15 22 from public internet i cant open port 22….so i dont know – is something missing or wrong?
Thanks.
Solution:
below is your outside interface config
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 172.146.147.13 255.255.255.248 standby 172.146.147.12
you are using 255.255.255.248 as the subnet which makes 172.146.147.15 as your broadcast address. That being said, you won’t be able to access it. You need to use a different address in that range. the available addresses are 172.146.147.9 to 172.146.147.14.
regards,
Thursday, January 8th, 2009 at
5:08 am
With the older Cisco PIX firewall appliances, there was no way for traffic to enter a specific interface and then exit back from the same interface again. With the new Cisco ASA models, this is also not supported by default, but you can enable this functionality with the same-security-traffic permit intra-interface command.
The schematic above shows a possible scenario where this functionality can be used. All internal hosts in network 10.0.0.0/24 have the ASA as default gateway (10.0.0.254) in order to access the Internet. However, there is another internal network range (Branch Office: 192.168.10.0/24) which is accessible via a cisco router at 10.0.0.253. In order for the internal hosts to access this subnet, a static route must be configured on the ASA together with the “permit intra-interface” command, as shown below:
ciscoasa(config)# route inside 192.168.10.0 255.255.255.0 10.0.0.253 1
ciscoasa(config)# same-security-traffic permit intra-interface
All traffic from internal hosts destined to subnet 192.168.10.0 will be redirected by the ASA firewall through the Cisco router. The feature above is supported in versions 7.2(1) and later.
Friday, January 2nd, 2009 at
7:34 am
QUESTION:
I am configuring a Cisco ASA5505 with DMZ. I have local lan 192.168.103/24 and DMZ 10.103.1.0/24. I am able to connect from LAN to DMZ using 10.103.1.0/24 address but not the other way around. I can add either a static or dymanic NAT for this.
I’m not sure how to configure the NAT to allow DMZ host to connect to 192.168.103.0/24. I will control access through ACL rather than trying to “hide” them via NAT.
ANSWER:
If you just want to connect from DMZ to real addresses on the inside:
static (inside,dmz) 192.168.103.0 192.168.103.0 netmask 255.255.255.0
and then as you say allow traffic with an acl on the dmz interface.
Friday, January 2nd, 2009 at
7:21 am
PROBLEM:
Network topology. Remote brach office with ASA firewall and VPN client on the remote LAN. Central Site with ASA firewall terminating the remote branch VPN client. I can not connect from inside my branch network to central network using VPN client. Earlier i had in my office FreeBSD and did not have this problem (I could connect to Central ASA using VPN client), when i changed FreeBSD to ASA this problem occur. VPN client is connected, tunnel is created but nothing more.
I get an error message :Syslog ID 305006 – regular translation creation failed for protocol 50 src inside:10.0.0.22 dst outside:6.168.y.x
SOLUTION:
On remote branch office ASA use:
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect ipsec-pass-thru
ciscoasa(config-pmap-c)#exit
On Central Office ASA use:
PIX/ASA 7.1 and earlier: pix(config)#isakmp nat-traversal 20
PIX/ASA 7.2(1) and later: securityappliance(config)#crypto isakmp nat-traversal 20
Tuesday, December 23rd, 2008 at
5:57 am
By default, the global policy used on a Cisco ASA firewall enables FTP inspection for all traffic passing through the appliance. Before discussing the usage of ftp inspection, let’s see how ftp works:
In Active FTP (which is the default mode), we need two ports for communication. Port 21 is used for Command and Control traffic and Port 20 is used for Data transfer. The FTP client connects from a random source port bigger than 1023 (N>1023) to the command port of the FTP server (port 21). Then the client starts listening to port N+1 and notifies the server that it will accept data to this port (N+1). The server then connects back to the specified data port of the client from its local data source port 20.
[ad#embedded-square]
Now, the above behavior works fine if there is no firewall between the FTP client and server. However, if there is a stateful firewall between the two ftp nodes, we have a problem. Specifically, when the FTP server will start its Data connection back to the client (in order to start sending traffic), the firewall will block this data communication because it will start from a different source port (20 instead of 21). The purpose therefore of the inspect ftp command on the Cisco ASA is to listen for the initial Command FTP traffic (on port 21) and dynamically open a secondary Data connection between FTP server and client (from port 20). This will allow FTP communication to work. If you disable FTP inspection with the no inspect ftp command, outbound users can start connections only in passive mode, and all inbound FTP is disabled.
The inspect ftp command is found under the global policy map:
policy-map global_policy
class inspection_default
inspect ftp
