This is a static archive the Twin Cities Carry forum, maintained as a public service by the current forum of record, The Minnesota Carry Forum.
All times are UTC - 6 hours
anyone good with Cisco stuff? need a little help..
catchall
Post subject: anyone good with Cisco stuff? need a little help.. Posted: Mon Sep 14, 2009 9:18 pm
Joined: Wed Feb 04, 2009 7:30 pm Posts: 26 Location: Saint Louis Park, MN
Hi All.. I was wondering if there is anyone in the community that can help me here. My company just bought a Cisco ASA 5505 firewall for the office and I've been tasked with setting it up. My experience is limited. I'm fairly comfortable with the interface and the command syntax.
My goal here is to allow web traffic from the outside in and route it to our internal web server. I was sure all it would need was the 'access-list' 'access-group' and 'static (inside,outside)' configs I have made, but apparently there is more to it than that. When I use the Cisco ASDM and do a 'packet-trace' on that rule, it says the packet is dropped at the last 'implicit rule' of 'deny any any'.
Below is a 'show run', after a 'config factory-default', with sensitive info redacted and config changes that I have added or modified in bold. Once I see how this is supposed to be done, I think I'll be able to add the rest of the ACL rules that I need to make everything we have work. I just can't for the life of me see what I'm missing. If anyone can help, I would really appreciate it! Thanks!
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password *****
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.11.55.189 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd *****
ftp mode passive
access-list outside_access_in extended permit tcp any host 173.11.55.189 eq www
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp 173.11.55.189 www 10.0.0.185 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.11.55.190 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*****
: end
mrokern
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Mon Sep 14, 2009 9:52 pm
Longtime Regular
Joined: Tue Jan 15, 2008 9:40 pm Posts: 2264 Location: Eden Prairie
catchall wrote: Hi All.. I was wondering if there is anyone in the community that can help me here. My company just bought a Cisco ASA 5505 firewall for the office and I've been tasked with setting it up. My experience is limited. I'm fairly comfortable with the interface and the command syntax.
My goal here is to allow web traffic from the outside in and route it to our internal web server. I was sure all it would need was the 'access-list' 'access-group' and 'static (inside,outside)' configs I have made, but apparently there is more to it than that. When I use the Cisco ASDM and do a 'packet-trace' on that rule, it says the packet is dropped at the last 'implicit rule' of 'deny any any'.
Below is a 'show run', after a 'config factory-default', with sensitive info redacted and config changes that I have added or modified in bold. Once I see how this is supposed to be done, I think I'll be able to add the rest of the ACL rules that I need to make everything we have work. I just can't for the life of me see what I'm missing. If anyone can help, I would really appreciate it! Thanks!

Decide not to go the web interface route? The ASA appliance web configs are actually pretty good as long as you don't need any weird subnetting or anything like that. I'll look through it, but ACLs aren't my strong point (I'm a routing / switching guy). We've got a couple of IT security specialists floating around here, though.
-Mark
RobD
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Tue Sep 15, 2009 6:34 am
Senior Member
Joined: Sun Oct 05, 2008 7:41 pm Posts: 234 Location: Apple-Mount Farming-Ville
Do you have any VPNs or Virtual Lans that you will be using?
_________________ NRA Instructor (BP, PPITH, PPOTH, Shotshell + Metallic Reloading, RSO) Certified Glock Armorer
MNbasecamp.com - Minnesota Outdoors Community
catchall
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Tue Sep 15, 2009 7:48 am
Joined: Wed Feb 04, 2009 7:30 pm Posts: 26 Location: Saint Louis Park, MN
IncaKola wrote: Do you have any VPNs or Virtual Lans that you will be using?
VPN: eventually, yes.. one step at a time though. Virtual LANs: don't really have the need for it yet, but I imagine at some point we will.
mrokern wrote: Decide not to go the web interface route? The ASA appliance web configs are actually pretty good as long as you don't need any weird subnetting or anything like that.
I don't know about other Cisco devices, but this ASA has the ASDM, which is a web-deployed Java application. It is pretty good, I've used it, and it's helped me understand how to write these config changes in the CLI. But I tried making this config change with both ASDM and the CLI, to no avail.
mrokern wrote: I'll look through it, but ACLs aren't my strong point (I'm a routing / switching guy). We've got a couple of IT security specialists floating around here, though.
-Mark
Thanks! Any help would be much appreciated!
dismal
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Tue Sep 15, 2009 3:41 pm
Senior Member
Joined: Fri Aug 26, 2005 12:12 pm Posts: 330 Location: Rochester, MN
I'm much more familiar with regular IOS and have only looked at the ASA a bit, but the big clue is "the packet is dropped at the last 'implicit rule' of 'deny any any'." That means that the traffic is not matching your "outside_access_in" ACL, and is being denied by the "invisible" implicit rule at the end of the ACL.
I'm not sure about the ASA ACL syntax, but it looks like it should be good to me. You might want to try opening it up (i.e. permit tcp any any) and log it; that might give you some more info about what is going on.
mrokern
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Tue Sep 15, 2009 9:31 pm
Longtime Regular
Joined: Tue Jan 15, 2008 9:40 pm Posts: 2264 Location: Eden Prairie
dismal wrote: I'm much more familiar with regular IOS and have only looked at the ASA a bit, but the big clue is "the packet is dropped at the last 'implicit rule' of 'deny any any'." That means that the traffic is not matching your "outside_access_in" ACL, and is being denied by the "invisible" implicit rule at the end of the ACL.
I'm not sure about the ASA ACL syntax, but it looks like it should be good to me. You might want to try opening it up (i.e. permit tcp any any) and log it; that might give you some more info about what is going on.
That's actually a really good idea. Throw it open, do a trace, then start trying to knock it back.
-Mark
elonm
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Wed Sep 16, 2009 8:25 pm
Joined: Thu Mar 29, 2007 7:46 pm Posts: 19
I would highly recommend that you put the web server in a DMZ off of the 5505, assuming it is a dedicated web server. If it is not a dedicated web server, I recommend that you do not allow access from the Internet. It is NEVER a good idea to allow access from the Internet directly to servers on your internal network. Too many vulnerabilities in IIS or web applications.
Having said that, you will need to add a static NAT for the web server that maps to the outside interface of the FW. If you add an inbound NAT using the outside interface, you will not be able to support VPN connections on that interface. I would recommend you call your ISP and see if you can get a block of 5 or so routable IP addresses. You can then use the addresses not assigned to the outside interface as NAT addresses for your web server.
I think the problem is that you should not define the IP address of your outside interface in the NAT statement. Try this:
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface www 10.0.0.185 www netmask 255.255.255.255
I would recommend you turn on IP spoof protection:
ip verify reverse-path interface inside
ip verify reverse-path interface outside
You may also want to consider locking down the HTTP and SSH management IP addresses. Your current config allows anyone on the internal network to connect to the management (inside) interface to manage the FW.
If you have no other choice but to allow outside traffic to an internal server, you should consider making sure all local admin or power user accounts on the server have 15 character passwords. If you do not want to hassle with long passwords, do a search on Microsoft's site for how to disable caching of LM Hash values. LM Hash caching makes any password less than 15 characters trivial to crack.
Lastly, also consider updating the software version of your ASA to 8.0.4(32) or 8.2. There have been a number of fixes since the (2) release.
Good luck!
David
catchall
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Wed Sep 16, 2009 9:23 pm
Joined: Wed Feb 04, 2009 7:30 pm Posts: 26 Location: Saint Louis Park, MN
Thanks for all the replies. I hate to say I found the problem on my own. Apparently, everything I did was correct, but the 'Base License' doesn't allow for what I'm trying to do. I guess it won't allow you to do port redirection for the IP of the external interface, but it will allow you to redirect for the other external IPs in your subnet. Since I have a /29 block, that shouldn't be a problem. I just substituted another IP in all those commands and, 'voila', it worked.
Thanks also for all of the advice. I will be making the config progressively more restrictive. Since I was having trouble with just this piece, I pulled everything else out to eliminate possible conflicts.
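As an added example (not code from anyone in this thread), a small Python audit that checks a running config for three of the points raised above: a static NAT whose global address is an interface's own IP (the form catchall found the Base License refuses, and which elonm advised against), http/ssh management open to a whole subnet rather than a single host, and `ip verify reverse-path` missing on an interface. The config excerpt is constructed from the posted `show run` (redactions kept), and the function names are my own.

```python
import ipaddress

# Constructed excerpt of the 'show run' posted in the thread (redactions kept).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.10 255.255.255.0
interface Vlan2
 nameif outside
 ip address 173.11.55.189 255.255.255.248
access-list outside_access_in extended permit tcp any host 173.11.55.189 eq www
static (inside,outside) tcp 173.11.55.189 www 10.0.0.185 www netmask 255.255.255.255
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
"""

def interface_addresses(config):
    """Map each nameif to its IP by walking the indented 'interface' stanzas."""
    addrs, nameif, ip = {}, None, None
    for line in config.splitlines() + [""]:
        parts = line.split()
        if not line.startswith(" "):        # stanza boundary: record the previous one
            if nameif and ip:
                addrs[nameif] = ip
            nameif, ip = None, None
        elif parts[:1] == ["nameif"]:
            nameif = parts[1]
        elif parts[:2] == ["ip", "address"]:
            ip = parts[2]
    return addrs

def audit(config):
    """Return findings for the three issues raised in the thread; [] means clean."""
    findings, addrs = [], interface_addresses(config)
    for parts in (l.split() for l in config.splitlines() if l.strip()):
        # static NAT on an interface's own IP: failed under the Base License; a spare
        # address from the /29 or the 'interface' keyword is the recommended form
        if parts[0] == "static":
            mapped = parts[3] if parts[2] in ("tcp", "udp") else parts[2]
            if mapped in addrs.values():
                findings.append(f"static NAT uses interface address {mapped}")
        # http/ssh management permitted for a whole subnet rather than a single host
        if parts[0] in ("http", "ssh") and len(parts) == 4:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            if net.num_addresses > 1:
                findings.append(f"{parts[0]} management open to {net} on {parts[3]}")
    # anti-spoofing (ip verify reverse-path) missing on a named interface
    for name in addrs:
        if f"ip verify reverse-path interface {name}" not in config:
            findings.append(f"ip verify reverse-path missing on {name}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the posted config yields five findings; applying the changes suggested in the thread (NAT to `interface`, management restricted to one host, reverse-path on both interfaces) brings it to an empty list.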
Aquaholic
Post subject: Re: anyone good with Cisco stuff? need a little help.. Posted: Wed Sep 16, 2009 11:24 pm
Longtime Regular
Joined: Fri Aug 12, 2005 10:49 am Posts: 687 Location: South Minneapolis (Nokomis East)
Geeez... What a bunch of Geeks on this site!
_________________ I smoke. Thanks for holding your breath.
"Build a man a fire, he'll be warm for a night. Set a man on fire, he'll be warm for the rest of his life." ~ unknown
Never been tazered. (yet).