Avatar billede mr.d Nybegynder
10. oktober 2008 - 17:04 Der er 13 kommentarer og
2 løsninger

Cisco ASA 5505 konfig.

Hej nu har jeg brug for hjælp igen...

Jeg har fået TDC internet og min konfig gik helt i selv sving.

Jeg har fast IP adresse fra TDC og skal bruge lidt hjælp til at konfigurere det, går ud fra det skal hedde NAT ???

Henrik
Avatar billede rubeck Nybegynder
11. oktober 2008 - 13:30 #1
Hej igen..:-)

Paste config og fortæl hvad der galt el hvad du ønsker.

/Rubeck
Avatar billede mr.d Nybegynder
12. oktober 2008 - 10:48 #2
Hej Rubeck.

Jeg får TDC pro på torsdag med 32 faste IP adresser.
Lige Pt. har jeg en priv. TDC med fast DHCP IP.
Jeg kan IKKE får den til at bruge fast IP endnu, lige så snart jeg sætte IP adressen på wan porten dør linjen.
Det gør vi ikke noget ved, jeg vil bare hvis muligt være klar til på torsdag.
Hvad skal jeg ændre og hvordan?
Min konfig er :
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name cpq.dk
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cpq.dk
access-list outside2inside extended permit tcp any interface outside eq smtp
access-list outside2inside extended permit tcp any interface outside eq www
access-list outside2inside extended permit tcp any interface outside eq https
access-list outside2inside extended permit tcp any interface outside eq 3389
access-list outside2inside extended permit tcp any interface outside eq pop3
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255
.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool cpq 192.168.1.50-192.168.1.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.
255
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.25
5
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.25
5.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.
255
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.
255
access-group outside2inside in interface outside
route outside 0.0.0.0 0.0.0.0 83.88.166.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol l2tp-ipsec
default-domain value cpq.dk
username henrik password tPCj1prxCF8r9dJYxHvz4A== nt-encrypted privilege 0
username henrik attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool cpq
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a0edff7664aef3d27e1dcd4903e309ba
Avatar billede rubeck Nybegynder
13. oktober 2008 - 17:36 #3
Hejsa..

Ok.. Jeg har lige lavet et eksemepel ud fra din konfig, som flg:

Public IP net tidelt: 69.10.10.0 /27 (fiktivt, selvflg)

ASA Outside IP: 69.10.10.2 255.255.255.224
Deafault GW: 69.10.10.1

Mailserver public IP: 69.10.10.3
Mailserver private IP: 192.168.1.2
SMTP, POP3 og RDP tilladt fra internet

Webserver public IP: 69.10.10.4
Webserver private IP: 192.168.1.3
HTTP, HTTPS og RDP tilladt fra internet


ASA Version 8.0(4)
!
hostname ciscoasa
domain-name cpq.dk
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.10.10.2 255.255.224
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cpq.dk
access-list outside2inside extended permit tcp any host 69.10.10.3 eq smtp
access-list outside2inside extended permit tcp any host 69.10.10.3 eq pop3
access-list outside2inside extended permit tcp any host 69.10.10.4 eq www
access-list outside2inside extended permit tcp any host 69.10.10.4 eq https
access-list outside2inside extended permit tcp any host 69.10.10.3 eq 3389
access-list outside2inside extended permit tcp any host 69.10.10.4 eq 3389
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255
.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool cpq 192.168.1.50-192.168.1.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside)  69.10.10.3 192.168.1.2  netmask 255.255.255.
255
static (inside,outside)  69.10.10.4 192.168.1.3  netmask 255.255.255.
255
access-group outside2inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.1.2
vpn-tunnel-protocol l2tp-ipsec
default-domain value cpq.dk
username henrik password tPCj1prxCF8r9dJYxHvz4A== nt-encrypted privilege 0
username henrik attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool cpq
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a0edff7664aef3d27e1dcd4903e309ba

/Rubeck
Avatar billede mr.d Nybegynder
16. oktober 2008 - 08:56 #4
Hej Rubeck.

Kunne jeg logge dig til at lave en komando oversigt som i sidste spørgsmål?
Avatar billede rubeck Nybegynder
16. oktober 2008 - 10:26 #5
Jeg kan da prøve:


Fjern ACL fra Interface:
no access-group outside2inside in interface outside

Slet ACL
no access-list outside2inside

Slet PAT mapninger:
no static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
no static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
no static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
no static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
no static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255

Tilføj NAT mapninger
static (inside,outside)  69.10.10.3 192.168.1.2  netmask 255.255.255.255
static (inside,outside)  69.10.10.4 192.168.1.3  netmask 255.255.255.255

Lav ny ACL:
access-list outside2inside extended permit tcp any host 69.10.10.3 eq smtp
access-list outside2inside extended permit tcp any host 69.10.10.3 eq pop3
access-list outside2inside extended permit tcp any host 69.10.10.4 eq www
access-list outside2inside extended permit tcp any host 69.10.10.4 eq https
access-list outside2inside extended permit tcp any host 69.10.10.3 eq 3389
access-list outside2inside extended permit tcp any host 69.10.10.4 eq 3389

Assing ny WAN IP:
interface Vlan2
ip address 69.10.10.2 255.255.224

Slet og opret ny Default route:
no route outside 0.0.0.0 0.0.0.0 83.88.166.241 1
route outside 0.0.0.0 0.0.0.0 60.10.10.1

/Rubeck
Avatar billede mr.d Nybegynder
16. oktober 2008 - 12:02 #6
Hej Kim.

Et eller andet lavede jeg galt for den smed nogle af min konfigs... :-(
Har reesat dyret for at tage det fra toppen af
Avatar billede mr.d Nybegynder
16. oktober 2008 - 12:06 #7
smider lige en ny comfig up om 2 min.
Avatar billede mr.d Nybegynder
16. oktober 2008 - 12:15 #8
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name cpq.dk
enable password 4z.VbQeNreGzl0a4 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 93.163.67.6 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name cpq.dk
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 93.163.67.33-93.163.67.62 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2f4179a4659d5da61e42d2e2a1617f5
: end
Avatar billede rubeck Nybegynder
16. oktober 2008 - 12:46 #9
Har du rigitge IP adresser som du har fået tildelt? Hvis ja, tør du så poste dem? Hvis ikke så send dem til eksperten@rubeck.dk.

Så kan jeg lave en mere el mindre komplet konfig..

/Rubeck
Avatar billede mr.d Nybegynder
16. oktober 2008 - 16:19 #10
Det var en MEGA fejl.... :-S havde eller lavet en tilrettet kopi og kopierede den i udklipsholderen men et eller andet gik galt og så det først da det var for sent.
Avatar billede mr.d Nybegynder
16. oktober 2008 - 16:57 #11
øøøøøøøøøøøøøøh jeg har lidt et problem...
Jeg går fint på nettet og har sat en IP med 6 som pri ip adresse på ASA.
men jeg er på med en 38????
Avatar billede rubeck Nybegynder
17. oktober 2008 - 10:31 #12
Er på med en .38? Hvad mener du med det?
Der er angivet en NAP pool, for dine inside klienter (global (outside) 1 93.163.67.33-93.163.67.62 netmask 255.255.255.224)

Der vil så være random hvilken NAT IP adresse du bruger inden for denne "pool".

Paste el send conf.

/Rubeck
Avatar billede rubeck Nybegynder
17. oktober 2008 - 10:32 #13
NAP = NAT :-)
Avatar billede mr.d Nybegynder
17. oktober 2008 - 11:21 #14
Hej Kim.

Jeg har sendt dig en mail..
Avatar billede rubeck Nybegynder
17. oktober 2008 - 18:10 #15
Har svaret :-)
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester