Cisco Firewall :: ASA 5505 Configuration For Home Network
Sep 4, 2012
I've been trying to configure a Cisco ASA 5505 for my home network but I'm not having much joy with it. I've looked at countless guides, tutorials and followed the ASA setup wizard in ASDM. The Cisco 1841 is running sub-interfaces for my VLANs.
I now need to configure an ASA 5505 for a small server farm. It's fairly straightforward: ISP -> ASA 5505 -> internal servers. I'm using static addresses -- no DHCP involved. VPN works; I can get into the internal network. Pinging from the ASA to an external address works. However, I cannot get from a laptop connected to an internal port out to the internet, either using ping or typing an address in the browser.
I want to configure an ASA 5505 in transparent mode (7.x). Somehow I got it to work, but I need some kind of step-by-step description. I just want to connect it with the outside on a route... inside in my LAN. It's working now with one ASA. But in the web interface the interfaces inside and outside are down, but it's working.
I am new to using the ASA 5505 appliance. I have successfully configured it so far, but the one piece that eludes me and I can't find an example of is configuring SIP with internal (DMZ, security level 50) VoIP phones to an external call manager (external, security level 0) without using NAT. I have an internal VLAN to an internal B2 router (and management) on eth0/7, an external VLAN (/30 to an external B1 border router) and five different DMZ VLANs on ports eth0/1-eth0/5.
On the external router, the internal interfaces going to the ASA 5505 are separate sub-interfaces for each VLAN in the DMZ and one /30 VLAN to connect between the router and the ASA. I am using VRF forwarding on the DMZ sub-interfaces with IPsec/GRE tunnels to keep the routing tables separate. I cannot have the different DMZ VLANs communicate with each other (that's why I am using VRF).
Everything works, all my tunnels are up, I can ping to the external sites from the DMZ VLANs and pass data, but I am stymied by setting up VoIP. When I used the wizard (big mistake) it set up all sorts of certificates and NAT (since I really didn't know what I was doing at this point).
Any hints on configuring VoIP from phones in the DMZ VLANs to an external call manager?
I would include the current config, but I have to hand transcribe it since we don't allow USB connectivity. I might be able to provide it a little later. I am using ASDM 6.4 and ASA IOS 8.4.
I am setting up an ASA 5505 for a customer. I am not sure how to config the firewall when it is connected to a DSL modem. I tried to do an ordinary config just like the ones that are connected to an ordinary router.
I'm having problems configuring an ASA 8.2(1) with a backup ISP. I followed the ASDM instructions in this document: [URL]
I have my backup interface configured as DHCP and the static routes set. Pinging the gateway and other external IP addresses from the backup interface works normally. I have also tried configuring the backup interface as a static address but got the same results.
When removing the primary WAN link, all traffic stops. When I ping an external DNS, I get these errors in the log: portmap translation creation failed for udp src inside: 192.168.13.23 dst backup:220.127.116.11_type 8, code0)
I thought this type of error is related to a NAT problem, not sure where to look though.
I'm working on QoS policing configuration on an ASA 5505. The ASA is situated behind a cable modem which provides an SLA of 3.2Mbps out. I've configured a QoS policy to place VoIP and other essential traffic (RDP/Citrix/PCoIP) into a priority queue, whilst policing the default class to 3.2Mbps to police out to the cable modem. I can see on the outside interface graphs that this is rating the output traffic down to 3.2Mbps as expected, but I'm noticing that at certain points of high output traffic it drops down to 1.6Mbps. I can't see anything obvious in syslog or any other areas to look, so I'm looking for any pointers as to why the speed is suddenly dropping down. Likewise if I rate the output to 2Mbps, it will suddenly drop down to 1Mbps at high output rates. The ASA is running on 8.0(5) and I enclose a copy of the sample QoS config below and attached a sanitized run config, as well as a screenshot taken of the outside interface Bit Rates plus service-policy.
I need to add the following to our firewall configuration (we are changing from a WatchGuard firewall to Cisco and it was necessary to be configured this way):
1) I need to create 1-1 NAT for our VoIP system and video conferencing unit and to do it as below:
VOIP-SIP: from 18.104.22.168 to 22.214.171.124 on port tcp/udp 5060
VC-SIP: from any_external to 126.96.36.199 on port tcp/udp 5060
VC-Video: from any_external to 188.8.131.52 on port tcp/udp 60000 to 64999
VOIP-RTP: from 184.108.40.206 to 220.127.116.11 on port tcp/udp 10000 - 20000
2) I need to enable passing PPTP traffic from outside to inside and vice versa.
current config: Result of the command: "show running-config" : Saved:ASA Version 8.2(2) !hostname ciscoasa
We got an AT&T Microcell a couple of weeks ago, hooked it up to our Cisco PIX 506 firewall and it worked "out of the box". We then upgraded to a Cisco ASA 5505 when the PIX died last week. Got the ASA 5505 up and running pretty much "out of the box", only having to set up our IP addresses (inside & outside). The 5505 is NOT configured as DHCP since I have an existing server in house that assigns IP addresses and I don't want to mess around with changing everything. However the Microcell wasn't working on the new 5505. Found in the Microcell manual that the following had to be "open":
From the 5505 Config Guide, I found that I needed to ENABLE NAT-T, so I did this with the following commands:
crypto isakmp enable outside
crypto isakmp nat-traversal 3600
Using the "Packet Tracer" in ASDM, I found that ALL 4 types of packets were allowed going from the ATT Microcell (192.168.10.52 on my INSIDE network) to the OUTSIDE interface (66.xxx.xx.xx). However, all 4 types of packets FAILED when the Packet Trace was reversed (Source = 66.xxx.xx.xx, Destination 192.168.10.52).
The Packet Trace pointed to the "implicit rule" to DENY IP traffic. So, using the ASDM, I set up access lists for the above 4 ports/protocols, both on the INSIDE & OUTSIDE interface, both INCOMING & OUTGOING. Still, no success, and the Packet Trace in ASDM still pointed to the IMPLICIT DENY rule on either the INSIDE or OUTSIDE interface, depending on which interface I was initiating the Packet Trace from. I tried setting the access rules for "Any" IP address (not just the public IP or the Microcell IP) on both the Source/Destination for all 4 ports. What is even more confounding is that when setting up these access lists to PERMIT traffic, my internal network Internet traffic stopped for ALL workstations on my network. The phone started ringing no more than a minute after I applied any PERMIT rule. By deleting the rule just installed, traffic started flowing again.
My number one question is why don't the access lists work and why does setting up a "permit rule" kill my internet traffic?
I'm not a network expert and sprinkle holy water on our network every morning. I cringe when I have to make changes (like putting in a new firewall) because I don't know all the inner workings, parameters and setups done over the years by predecessors. I need to get the ATT Microcell up and running and figure the experience will be beneficial as our next step is to setup a VPN.
I have IOS 8.0(4) and the base 50 User License...will this config work? I have two networks; my home network, and my lab. I want to split my Internet connection between them, but keep the networks separate for the most part. Will my license allow this config since I can't do DMZ?
I have a problem with my home network/internet. I have a working wireless network that I have used for some time now and it works just fine. The problem is that internet restrictions where I live require me to register each unit to the building network before I can gain access to the internet. My caretaker told me today that normally I only should register my primary computer and the wireless router to be able to use the internet freely. However when a new laptop appears (I have a guest), I can easily connect it to my own wireless, but it can't use the internet, as if it needed to be registered again. I ran out of registration codes and I really would like to have freedom in connection opportunities. The caretaker said that the system gives every registered unit a "fake" IP, so after giving it to my router, all other units connected through that router should have unlimited access. Is my network configured in a wrong way? I don't know how to ask this in a more simple way... I just want to be able to connect a friend's laptop to the net with just my local password, which isn't happening.
The first unit is currently working, and I now wish to configure the second unit as standby. I'm configuring through the ASDM GUI. I started the HA Wizard, chose Active/Standby configuration and entered the IP of the peer device. Checks come back all OK. On the LAN link configuration page (step 3 of 6) the interface is pre-selected as VLAN99; I give it a logical name of iface_fail, enter 10.0.0.1 as primary address and 10.0.0.2 as standby, subnet as 255.255.255.248, and select port Ethernet0/5.
Note that if I click on the buttons next to the IP fields, I get IP addresses of remote hosts!
For a customer I have to move the ASA 5505 firewall to a new internet connection. I have modified the config in a Notepad text file and want to put it on flash or so, so that it will be loaded at the next reboot.
I'm working on setting up a backup link for our ASA 5505 and I've followed these directions: [URL]
The backup ISP gives us a dynamic address, however, when I enable the backup ISP's interface on the ASA, my vpn tunnels drop. As soon as I disable the backup interface, the tunnels come back up. I'm attempting to configure this across one of these tunnels, so obviously this is an issue, as is the fact that other people need the tunnels as well. I'm not sure what I did to make this happen, but I've been over the config many times and can't see anything different from the instructions in the link above.
I thought it might be trying to route traffic across the backup interface, but my primary interface is tracked and has SLA running on it, so I would assume it wouldn't roll over onto the backup interface.
I've got some ASA 5505s which run as EzVPN clients in NEM, connecting to an ASA 5510 as head-end. The ASAs are configured with a CSM and AUS. But whenever they get a new configuration through the AUS they stop trying to establish an EzVPN connection to the head-end. After a "reload" they run with the new configuration and establish the tunnel as expected.
My ASA 5505 base license allows for three VLANs; the third one can only initiate traffic to one other VLAN (as specified by no forward interface vlan <number> on the third VLAN). This doesn't mean it can't "access" the other VLAN, it just can't initiate traffic to it. A lot of people get that wrong. Let's say you've got three VLANs: one is OUTSIDE, two is DMZ, and three is INSIDE. On the second VLAN I would enter the no forward interface as vlan 3, then set the name via the nameif command and everything will work just fine. The DMZ will not be able to initiate traffic to the INSIDE, but will to the outside, and assuming you have your ACLs and NAT set up properly, it will be able to respond to traffic from the INSIDE.
Would that be best practice, or would I enter the "no forward" interface as in VLAN 1, thus being able to respond to traffic from the outside as opposed to the inside?
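The three-VLAN base-license layout described in the post above (OUTSIDE, DMZ restricted from initiating to INSIDE, INSIDE), written out as ASA 5505 CLI configuration. This is an added example, not the poster's own config; the switch-port-to-VLAN assignments and the 192.0.2.0/24, 198.51.100.0/24 and 10.0.3.0/24 addresses are assumed placeholders.

```cisco
! With the Base license a third VLAN is only accepted once it carries a
! "no forward interface" restriction, and that command must be entered
! before nameif on the restricted interface.
!
interface Vlan1
 nameif outside
 security-level 0
 ! assumed placeholder address on the ISP-facing side
 ip address 192.0.2.2 255.255.255.0
!
! DMZ: the license restriction stops this VLAN from *initiating*
! connections to vlan 3 (inside). Return traffic for sessions the
! inside opens to the DMZ is still allowed, as is DMZ -> outside,
! subject to the usual ACL and NAT configuration.
interface Vlan2
 no forward interface vlan 3
 nameif dmz
 security-level 50
 ! assumed placeholder address
 ip address 198.51.100.1 255.255.255.0
!
interface Vlan3
 nameif inside
 security-level 100
 ! assumed placeholder address
 ip address 10.0.3.1 255.255.255.0
!
! Switch ports: assumed assignment, one access port per VLAN.
interface Ethernet0/0
 switchport access vlan 1
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 3
```

To confirm which VLAN carries the restriction after the change, check the Vlan2 section of show running-config interface for the no forward interface line.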
I had a DMZ set up but since there was an intrusion into my network, I am building it again.
ASA 5505, I got a Security Plus license which allows multiple VLANs. I want to be able to configure the ASA to allow only RDP sessions (one way) to another switch where all the VLANs are. I've attached a pic of what I want but I'm struggling.
I looked at documentation saying you should have an inside and outside interface but I'm not sure on this scenario. I've configured the inside interface on ASA e0/1 and interface VLANs but I'm not sure what to do between the ASA and switch?
I've been trying to track down intermittent problems with one of our branch office ASA 5505s. The way we have been tracking it is primarily through ping/ICMP connectivity. Occasionally our tracking software will report that it stops responding to ping requests, then in less than a minute it will start replying again. I'm allowing ICMP to that interface and it is internal. Examining the logs it almost looks like the config is being reloaded, but I've never seen this kind of log before so I'm not sure if it is just sending its config to a host or actually reloading its config.
Here is the first part of it:
2011-10-17 07:05:05 Local4.Notice 192.168.22.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.20' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'logging host inside 192.168.2.21' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN1 192.168.254.9 1 track 1' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN98 192.168.254.9 1 track 2' command.
2011-10-17 07:05:05 Local4.Notice 192.168.254.10 Oct 17 2011 07:05:05: %ASA-5-111008: User 'Config' executed the 'route inside VLAN202 192.168.254.9 1 track 3'
I've sanitized certain parts, but it does look like it's reloading the config?
While configuring my ASA 5505 I changed the IP address range of the internal network. Obviously I made an error because I cannot reach the box at either the old or the new address. How can I restore the interface and firewall definitions or reset the box to its initial state? I found a doc on how to reset the password, but not one explaining how to restore the complete initial config.
I want to configure multiple DHCP configurations on an ASA 5505. I tried to create a sub-interface for a different IP pool but it was not configured on the ASA 5505. Is it possible to create a sub-interface on an ASA 5505?
ASA 5505 IOS version: 8.3(1) License: Security Plus
I did a reset on my ASA by stopping the boot process because I could not remember what my enable password was. I had no problems with the reset; the ASA came back up as it should and I started configuring the device again. My problem is when the device is powered off and back on I lose all configuration changes that were made. I save the changes with "write me" before the restart and they are still being overwritten.
I am new with ASA devices. I have an ASA 5505, and the former IT manager does not remember the password for it. I am just wondering, do I lose the configuration on it if I reset the password? If yes, how can I download the configuration before resetting the password, and how can I upload the downloaded configuration?
In the past I was using BSNL broadband, and also using an ADSL router for the net connection. I was connecting to the internet through a WiFi ADSL router. Now I am not using BSNL broadband; now I am using Beam broadband in Hyderabad. That internet connection goes directly to my laptop through an RJ45 cable, but I want to configure the ADSL router for my Beam broadband because I want to connect to the internet through WiFi. Is it possible or not? If possible, tell me the procedure.
I am planning to implement an ASA 5505 in my home network and I am wondering if this is a valid configuration. I am wondering if it is necessary to have 3 separate internal subnets or if these can be cabled together in a more efficient fashion?
I plan to keep the 2 servers (game, e-mail) branched off the ASA directly in a DMZ configuration. The rest of the clients connect through the wireless/wired router.
Any unforeseen problems with a setup like this (Modem -> Firewall -> Internal Router)? I have read sites that say I will have to accept an IP via DHCP for the ASA's external interface.
Here's my situation: I live in a house that has AT&T U-verse. My PC is a couple of rooms away from the U-verse router so I pick up my Internet signal via a Netgear WG111v2 USB wireless adapter. Works great. But I have a couple of "new" Palm Pre handhelds with sync software that requires a wireless connection (won't do USB). Fortunately, I had a Netgear WGR614 v4 54 Mbps Wireless Router in storage. (I used it years ago so it had already been configured, but back then it was wired directly to an AT&T router with a patch cable to my roommate's PC and to my PC wirelessly.)
So I just powered it up, plugged a patch cable into my PC's NIC and plugged the other end into the WAN port. Voila! I had connectivity to my Palm Pres. All was well for about 15 minutes when all of a sudden my PC lost connection (wirelessly) to the U-verse router. And though the Netgear Smart Wizard showed a strong signal from the Netgear WGR614 Wireless Router and the Palms were picking up a strong signal from it, they couldn't "surf" the Net.
I guess WinXP (being PnP) decided to adjust things, causing everything to stop working. (Just a guess.) I moved the patch cable from the WAN port to a LAN port. This enabled me to access the Netgear router wizard for the first time since I used it years ago (http://192.168.0.1). I couldn't access it earlier in this "endeavor" when the patch cable was connected to the WAN port. So this seemed encouraging. But no, it didn't work. Nothing was connecting to the Net. And the only way to restore my PC's connection via the Netgear USB wireless adapter to U-verse was to unplug the Netgear wireless router.
I have a router manufactured by AirTies, the model is Air 4450. This has the capability of being an access point in a current network, which is how I want to use it (introducing it into my current Sky Broadband network with a Sagem F@ST 2504N router). However, I cannot access the configuration page whatsoever. The manual states the default IP address of the router is 192.168.2.254, so I have set my laptop to a static IP of 192.168.2.100 and patched into LAN port #1 on the rear of the AirTies 4450, powered on the unit and cannot access the router at all. I have held down the reset button several times to no avail. How can I configure this unit?