10 October 2008 - 17:04
There are
13 comments and 2 solutions
Cisco ASA 5505 config.
Hi, now I need help again... I've got TDC internet and my config went completely haywire. I have a static IP address from TDC and need a bit of help configuring it; I assume it's supposed to be called NAT??? Henrik
11 October 2008 - 13:30
#1
Hi again..:-) Paste the config and tell me what's wrong or what you want. /Rubeck
12 October 2008 - 10:48
#2
Hi Rubeck. I'm getting TDC Pro on Thursday with 32 static IP addresses. Right now I have a private TDC line with a fixed DHCP IP. I can NOT get it to use a static IP yet; as soon as I put the IP address on the WAN port the line dies. We won't do anything about that, I just want to be ready for Thursday if possible. What do I need to change and how? My config is:

ASA Version 8.0(4)
!
hostname ciscoasa
domain-name cpq.dk
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cpq.dk
access-list outside2inside extended permit tcp any interface outside eq smtp
access-list outside2inside extended permit tcp any interface outside eq www
access-list outside2inside extended permit tcp any interface outside eq https
access-list outside2inside extended permit tcp any interface outside eq 3389
access-list outside2inside extended permit tcp any interface outside eq pop3
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool cpq 192.168.1.50-192.168.1.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255
access-group outside2inside in interface outside
route outside 0.0.0.0 0.0.0.0 83.88.166.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cpq.dk
username henrik password tPCj1prxCF8r9dJYxHvz4A== nt-encrypted privilege 0
username henrik attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool cpq
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a0edff7664aef3d27e1dcd4903e309ba
13 October 2008 - 17:36
#3
Hi.. OK.. I've just made an example based on your config, as follows:

Public IP net allocated: 69.10.10.0/27 (fictitious, of course)
ASA outside IP: 69.10.10.2 255.255.255.224
Default GW: 69.10.10.1
Mail server public IP: 69.10.10.3
Mail server private IP: 192.168.1.2
SMTP, POP3 and RDP allowed from the internet
Web server public IP: 69.10.10.4
Web server private IP: 192.168.1.3
HTTP, HTTPS and RDP allowed from the internet

ASA Version 8.0(4)
!
hostname ciscoasa
domain-name cpq.dk
enable password NuLKvvWGg.x9HEKO encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.10.10.2 255.255.255.224
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cpq.dk
access-list outside2inside extended permit tcp any host 69.10.10.3 eq smtp
access-list outside2inside extended permit tcp any host 69.10.10.3 eq pop3
access-list outside2inside extended permit tcp any host 69.10.10.4 eq www
access-list outside2inside extended permit tcp any host 69.10.10.4 eq https
access-list outside2inside extended permit tcp any host 69.10.10.3 eq 3389
access-list outside2inside extended permit tcp any host 69.10.10.4 eq 3389
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool cpq 192.168.1.50-192.168.1.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 69.10.10.3 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 69.10.10.4 192.168.1.3 netmask 255.255.255.255
access-group outside2inside in interface outside
route outside 0.0.0.0 0.0.0.0 69.10.10.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cpq.dk
username henrik password tPCj1prxCF8r9dJYxHvz4A== nt-encrypted privilege 0
username henrik attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool cpq
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a0edff7664aef3d27e1dcd4903e309ba

/Rubeck
16 October 2008 - 08:56
#4
Hi Rubeck. Could I talk you into making a command overview like in the last question?
16 October 2008 - 10:26
#5
I can give it a try:

Remove the ACL from the interface:
no access-group outside2inside in interface outside

Delete the ACL:
no access-list outside2inside

Delete the PAT mappings:
no static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
no static (inside,outside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
no static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
no static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
no static (inside,outside) tcp interface pop3 192.168.1.2 pop3 netmask 255.255.255.255

Add the NAT mappings:
static (inside,outside) 69.10.10.3 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 69.10.10.4 192.168.1.3 netmask 255.255.255.255

Create the new ACL:
access-list outside2inside extended permit tcp any host 69.10.10.3 eq smtp
access-list outside2inside extended permit tcp any host 69.10.10.3 eq pop3
access-list outside2inside extended permit tcp any host 69.10.10.4 eq www
access-list outside2inside extended permit tcp any host 69.10.10.4 eq https
access-list outside2inside extended permit tcp any host 69.10.10.3 eq 3389
access-list outside2inside extended permit tcp any host 69.10.10.4 eq 3389

Assign the new WAN IP:
interface Vlan2
 ip address 69.10.10.2 255.255.255.224

Delete and create the new default route:
no route outside 0.0.0.0 0.0.0.0 83.88.166.241 1
route outside 0.0.0.0 0.0.0.0 69.10.10.1

/Rubeck
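A way to sanity-check the design Rubeck lays out in #3 and the change list in #5 before pasting it into a live ASA. This is an added example, not code from the thread or from Rubeck; the 69.10.10.0/27 addresses are the thread's fictitious ones, and the config fragment below is constructed here with three faults planted on purpose (an ACL entry with no matching static, a static no ACL covers, the '255.255.224' netmask typo, and a default gateway outside the WAN subnet). The parser only understands the handful of ASA 8.0 lines the design uses: interface blocks, host ACL permits, one-to-one statics and the default route.

```python
"""Consistency check for the static-NAT + ACL design in posts #3 and #5.

Added example, not code from the thread. Reads an ASA 8.0-style config fragment
and reports the mistakes that make the design fail silently: an ACL permit to a
public host that no 'static' maps (packets arrive, no translation exists, they
are dropped), a 'static' that no ACL allows inbound to, a netmask typo like the
'255.255.224' in post #3, and a default gateway that is not in the outside
subnet, like the '60.10.10.1' typo in post #5.
"""
import ipaddress
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ACL_RE = re.compile(rf"^access-list (\S+) extended permit (?:tcp|udp) any host ({IPV4}) eq (\S+)$")
STATIC_RE = re.compile(rf"^static \(inside,outside\) ({IPV4}) ({IPV4}) netmask (\S+)$")
IPADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")
ROUTE_RE = re.compile(rf"^route outside 0\.0\.0\.0 0\.0\.0\.0 ({IPV4})")

# Constructed sample: post #3's design with three faults deliberately planted.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.10.10.2 255.255.255.224
!
access-list outside2inside extended permit tcp any host 69.10.10.3 eq smtp
access-list outside2inside extended permit tcp any host 69.10.10.3 eq pop3
access-list outside2inside extended permit tcp any host 69.10.10.4 eq www
access-list outside2inside extended permit tcp any host 69.10.10.4 eq https
access-list outside2inside extended permit tcp any host 69.10.10.5 eq www
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 69.10.10.3 192.168.1.2 netmask 255.255.255.255
static (inside,outside) 69.10.10.4 192.168.1.3 netmask 255.255.255.255
static (inside,outside) 69.10.10.6 192.168.1.4 netmask 255.255.224
access-group outside2inside in interface outside
route outside 0.0.0.0 0.0.0.0 60.10.10.1 1
"""


def parse(config):
    """Pull out the outside interface, inbound ACL hosts, statics and default gateway."""
    findings = []
    outside = None          # ipaddress.IPv4Interface of the WAN side, once seen
    nameif = None           # nameif of the interface block currently being read
    acl_hosts = {}          # public IP -> set of ports permitted from the internet
    statics = {}            # public IP -> private IP
    gateway = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := IPADDR_RE.match(line)) and nameif == "outside":
            addr, mask = m.groups()
            if addr == "dhcp":  # post #2's setup: WAN address from the ISP, subnet checks skipped
                continue
            try:
                outside = ipaddress.IPv4Interface(f"{addr}/{mask}")
            except ValueError:
                findings.append(f"outside interface: malformed address/netmask '{addr} {mask}'")
        elif m := ACL_RE.match(line):
            _, host, port = m.groups()
            acl_hosts.setdefault(host, set()).add(port)
        elif m := STATIC_RE.match(line):
            public, private, mask = m.groups()
            if mask != "255.255.255.255":  # the thread's design uses one-to-one host statics
                findings.append(f"static {public} -> {private}: netmask '{mask}' is not a host mask")
            statics[public] = private
        elif m := ROUTE_RE.match(line):
            gateway = ipaddress.IPv4Address(m.group(1))
    return outside, acl_hosts, statics, gateway, findings


def audit(config):
    """Return human-readable findings; an empty list means the design is consistent."""
    outside, acl_hosts, statics, gateway, findings = parse(config)
    for host, ports in sorted(acl_hosts.items()):
        if host not in statics:
            findings.append(f"ACL permits {sorted(ports)} to {host} but no static maps it: "
                            "inbound packets are dropped for lack of a translation")
    for public, private in sorted(statics.items()):
        if public not in acl_hosts:
            findings.append(f"static {public} -> {private} has no ACL entry: "
                            "reachable outbound only, inbound is denied by default")
        if outside and ipaddress.IPv4Address(public) not in outside.network:
            findings.append(f"static {public} lies outside {outside.network}: "
                            "the ISP must route that address to the ASA")
    if gateway is None:
        findings.append("no default route on outside")
    elif outside and gateway not in outside.network:
        findings.append(f"default gateway {gateway} is not in the outside subnet {outside.network}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it on a `show running-config` dump and fix every finding before applying the change list; once the three planted faults are corrected (gateway 69.10.10.1, a host mask on the third static, and an ACL entry that matches an existing static) the audit returns nothing.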
16 October 2008 - 12:02
#6
Hi Kim. I did something wrong, because it threw away some of my config... :-( I've reset the beast to take it from the top.
16 October 2008 - 12:06
#7
Posting a new config in 2 min.
16 October 2008 - 12:15
#8
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name cpq.dk
enable password 4z.VbQeNreGzl0a4 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 93.163.67.6 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name cpq.dk
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 93.163.67.33-93.163.67.62 netmask 255.255.255.224
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2f4179a4659d5da61e42d2e2a1617f5
: end
16 October 2008 - 12:46
#9
Do you have the real IP addresses you've been assigned? If so, do you dare post them? If not, send them to eksperten@rubeck.dk. Then I can make a more or less complete config.. /Rubeck
16 October 2008 - 16:19
#10
That was a MEGA mistake.... :-S I had actually made an adjusted copy and copied it to the clipboard, but something went wrong and I only saw it when it was too late.
16 October 2008 - 16:57
#11
Uuuuuuuh, I have a bit of a problem... I get on the net fine and have set an IP ending in .6 as the primary IP address on the ASA, but I'm out on the net with a .38????
17 October 2008 - 10:31
#12
Out with a .38? What do you mean by that? A NAP pool is specified for your inside clients (global (outside) 1 93.163.67.33-93.163.67.62 netmask 255.255.255.224). It will then be random which NAT IP address you use within this "pool". Paste or send the conf. /Rubeck
17 October 2008 - 10:32
#13
NAP = NAT :-)
17 October 2008 - 11:21
#14
Hi Kim. I've sent you an email..
17 October 2008 - 18:10
#15
Have replied :-)