This is a static archive the Twin Cities Carry forum, maintained as a public service by the current forum of record, The Minnesota Carry Forum.

All times are UTC - 6 hours
 anyone good with Cisco stuff? need a little help.. 
 Post subject: anyone good with Cisco stuff? need a little help..
PostPosted: Mon Sep 14, 2009 9:18 pm 
Member

Joined: Wed Feb 04, 2009 7:30 pm
Posts: 26
Location: Saint Louis Park, MN
Hi All.. I was wondering if there is anyone in the community that can help me here. My company just bought a Cisco ASA 5505 firewall for the office and I've been tasked with setting it up. My experience is limited. I'm fairly comfortable with the interface and the command syntax.

My goal here is to allow web traffic from the outside in and route it to our internal web server. I was sure all it would need was the 'access-list' 'access-group' and 'static (inside,outside)' configs I have made, but apparently there is more to it than that. When I use the Cisco ASDM and do a 'packet-trace' on that rule, it says the packet is dropped at the last 'implicit rule' of 'deny any any'.

Below is a 'show run', after a 'config factory-default', with sensitive info redacted and config changes that I have added or modified in bold. Once I see how this is supposed to be done, I think I'll be able to add the rest of the ACL rules that I need to make everything we have work. I just can't for the life of me see what I'm missing. If anyone can help, I would really appreciate it! Thanks!

: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password *****
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.11.55.189 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd *****
ftp mode passive
access-list outside_access_in extended permit tcp any host 173.11.55.189 eq www
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp 173.11.55.189 www 10.0.0.185 www netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.11.55.190 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:*****
: end


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Mon Sep 14, 2009 9:52 pm 
Longtime Regular

Joined: Tue Jan 15, 2008 9:40 pm
Posts: 2264
Location: Eden Prairie
catchall wrote:
Hi All.. I was wondering if there is anyone in the community that can help me here. My company just bought a Cisco ASA 5505 firewall for the office and I've been tasked with setting it up. My experience is limited. I'm fairly comfortable with the interface and the command syntax.


Decided not to go the web interface route? The ASA appliance web configs are actually pretty good as long as you don't need any weird subnetting or anything like that.

I'll look through it, but ACLs aren't my strong point (I'm a routing / switching guy). We've got a couple of IT security specialists floating around here, though.

-Mark


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Tue Sep 15, 2009 6:34 am 
Senior Member

Joined: Sun Oct 05, 2008 7:41 pm
Posts: 234
Location: Apple-Mount Farming-Ville
Do you have any VPNs or virtual LANs that you will be using?

_________________
NRA Instructor (BP, PPITH, PPOTH, Shothell + Metallic Reloading, RSO)
Certified Glock Armorer

MNbasecamp.com - Minnesota Outdoors Community


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Tue Sep 15, 2009 7:48 am 
Member

Joined: Wed Feb 04, 2009 7:30 pm
Posts: 26
Location: Saint Louis Park, MN
IncaKola wrote:
Do you have any VPNs or virtual LANs that you will be using?


VPN: eventually, yes.. one step at a time though.
Virtual LANs: don't really have the need for it yet, but I imagine at some point we will.

mrokern wrote:
Decided not to go the web interface route? The ASA appliance web configs are actually pretty good as long as you don't need any weird subnetting or anything like that.


I don't know about other Cisco devices, but this ASA has the ASDM, which is a web-deployed Java application. It is pretty good, I've used it, and it's helped me understand how to write these config changes in the CLI. But I tried making this config change with both ASDM and the CLI, to no avail.

mrokern wrote:
I'll look through it, but ACLs aren't my strong point (I'm a routing / switching guy). We've got a couple of IT security specialists floating around here, though.

-Mark


Thanks! Any help would be much appreciated!


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Tue Sep 15, 2009 3:41 pm 
Senior Member

Joined: Fri Aug 26, 2005 12:12 pm
Posts: 330
Location: Rochester, MN
I'm much more familiar with regular IOS and have only looked at the ASA a bit, but the big clue is "the packet is dropped at the last 'implicit rule' of 'deny any any'." That means that the traffic is not matching your "outside_access_in" ACL, and is being denied by the "invisible" implicit rule at the end of the ACL.

I'm not sure about the ASA ACL syntax, but it looks like it should be good to me. You might want to try opening it up (i.e. permit tcp any any) and log it; that might give you some more info about what is going on.


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Tue Sep 15, 2009 9:31 pm 
Longtime Regular

Joined: Tue Jan 15, 2008 9:40 pm
Posts: 2264
Location: Eden Prairie
dismal wrote:
I'm much more familiar with regular IOS and have only looked at the ASA a bit, but the big clue is "the packet is dropped at the last 'implicit rule' of 'deny any any'." That means that the traffic is not matching your "outside_access_in" ACL, and is being denied by the "invisible" implicit rule at the end of the ACL.

I'm not sure about the ASA ACL syntax, but it looks like it should be good to me. You might want to try opening it up (i.e. permit tcp any any) and log it; that might give you some more info about what is going on.


That's actually a really good idea. Throw it open, do a trace, then start trying to knock it back.

-Mark


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Wed Sep 16, 2009 8:25 pm 
Member

Joined: Thu Mar 29, 2007 7:46 pm
Posts: 19
I would highly recommend that you put the web server in a DMZ off of the 5505, assuming it is a dedicated web server. If it is not a dedicated web server, I recommend that you do not allow access from the Internet. It is NEVER a good idea to allow access from the Internet directly to servers on your internal network. Too many vulnerabilities in IIS or web applications.

Having said that, you will need to add a static NAT for the web server that maps to the outside interface of the FW. If you add an inbound NAT using the outside interface, you will not be able to support VPN connections on that interface. I would recommend you call your ISP and see if you can get a block of 5 or so routable IP addresses. You can then use the addresses not assigned to the outside interface as NAT addresses for your web server.

I think the problem is that you should not define the IP address of your outside interface in the NAT statement. Try this:

global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface www 10.0.0.185 www netmask 255.255.255.255

I would recommend you turn on IP spoof protection:

ip verify reverse-path interface inside
ip verify reverse-path interface outside

You may also want to consider locking down the HTTP and SSH management IP addresses. Your current config allows anyone on the internal network to connect to the management (inside) interface to manage the FW.

If you have no other choice but to allow outside traffic to an internal server, you should consider making sure all local admin or power user accounts on the server have 15 character passwords. If you do not want to hassle with long passwords, do a search on Microsoft's site for how to disable caching of LM Hash values. LM Hash caching makes any password less than 15 characters trivial to crack.

Lastly, also consider updating the software version of your ASA to 8.0.4(32) or 8.2. There have been a number of fixes since the (2) release.

Good luck!

David


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Wed Sep 16, 2009 9:23 pm 
Member

Joined: Wed Feb 04, 2009 7:30 pm
Posts: 26
Location: Saint Louis Park, MN
Thanks for all the replies. I hate to say I found the problem on my own. Apparently, everything I did was correct, but the 'Base License' doesn't allow for what I'm trying to do. I guess it won't allow you to do port redirection for the IP of the external interface, but it will allow you to redirect for the other external IPs in your subnet. Since I have a /29 block, that shouldn't be a problem. I just substituted another IP in all those commands and, 'voilà', it worked.

Thanks also for all of the advice. I will be making the config progressively more restrictive. Since I was having trouble with just this piece, I pulled everything else out to eliminate possible conflicts.
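
One way to check a pasted 'show run' for the points David raised and for the Base License limitation catchall ran into, as an added example that is not code from the thread or from Cisco: it reads the outside interface address, then flags a static port redirect bound to that address (or written with the 'interface' keyword), http/ssh management access opened to a whole subnet rather than single hosts, and a missing 'ip verify reverse-path' on either interface. The config excerpt is constructed from the configuration posted above; the function names and finding messages are my own.

```python
import re

# Constructed excerpt of the 'show run' posted in the thread (indentation
# added for readability; the checks strip it, so the flat paste works too).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 173.11.55.189 255.255.255.248
access-list outside_access_in extended permit tcp any host 173.11.55.189 eq www
static (inside,outside) tcp 173.11.55.189 www 10.0.0.185 www netmask 255.255.255.255
http 10.0.0.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
"""

def outside_ip(config):
    """Return the address of the interface whose nameif is 'outside', or None."""
    name = None
    for line in config.splitlines():
        t = line.strip()
        if t.startswith("interface "):
            name = None                      # new interface block, reset nameif
        elif t.startswith("nameif "):
            name = t.split()[1]
        elif t.startswith("ip address ") and name == "outside":
            return t.split()[2]
    return None

def audit(config):
    """Return human-readable findings for the issues discussed in the thread."""
    findings = []
    wan = outside_ip(config)
    for line in config.splitlines():
        t = line.strip()
        # Port redirect bound to the outside interface's own address, either
        # literally or via the 'interface' keyword: refused by the Base License.
        m = re.match(r"static \(inside,outside\) tcp (\S+) ", t)
        if m and m.group(1) in ("interface", wan):
            findings.append("static NAT bound to outside interface address: " + t)
        # Management plane (ASDM over http, ssh) reachable from a whole subnet.
        m = re.match(r"(http|ssh) (\S+) (\S+) (\S+)$", t)
        if m and m.group(3) != "255.255.255.255":
            findings.append("%s management open to whole %s/%s on %s" % m.groups())
    # Unicast RPF (anti-spoofing) should be on for both interfaces.
    for ifc in ("inside", "outside"):
        if "ip verify reverse-path interface %s" % ifc not in config:
            findings.append("no ip verify reverse-path on " + ifc)
    return findings
```

Calling audit(SAMPLE_CONFIG) on the excerpt above returns five findings; point it at a full 'show run' capture to check the rest.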


 Post subject: Re: anyone good with Cisco stuff? need a little help..
PostPosted: Wed Sep 16, 2009 11:24 pm 
Longtime Regular

Joined: Fri Aug 12, 2005 10:49 am
Posts: 687
Location: South Minneapolis (Nokomis East)
Geeez... What a bunch of Geeks on this site! :lol: :D

_________________
I smoke. Thanks for holding your breath.

"Build a man a fire, he'll be warm for a night. Set a man on fire, he'll be warm for the rest of his life." ~ unknown

Never been tazered. (yet).

