[c-nsp] ASA help configuration

Jorge Evangelista netsecuredata at gmail.com
Thu Mar 6 10:02:48 EST 2008


Hi guys,

I have configured a Cisco ASA 5505 with two LANs, one for inside (servers)
and the other for business (users). I can ping from business to inside hosts
and vice versa. I can authenticate to the MS domain only when I connect a PC
to ASA ports with access vlan 3; however, when I connect a switch via
crossover cable to the business interface of the ASA, with PCs connected to
this switch, I can ping my servers but I start to lose packets, and I also
cannot connect to the domain controller.
Is there some mismatch or error in my configuration? Thanks in advance, any
help is appreciated.

Here is my configuration:

INFFRW01# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname INFFRW01
domain-name infonet
enable password TKDiZkUkxqC/29zO encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group infonet
ip address pppoe setroute
!
interface Vlan3
nameif business
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
description PCs INFONET LAN
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd .tmIcdcvUoZGQ9bt encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PEST -5
dns server-group DefaultDNS
domain-name infonet
same-security-traffic permit inter-interface
object-group network LAN
description network servers
network-object 192.168.1.0 255.255.255.0
object-group network Bussiness
description network PCsINFONET
network-object 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit ip host 192.168.1.21 any
access-list inside_access_in extended permit ip host 192.168.1.100 any
access-list inside_access_in extended permit ip host 192.168.1.105 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq sqlnet
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq netbios-ssn
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 445
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo-reply
access-list outside_access_in extended permit ip host 64.76.95.138 interface outside
access-list business_access_in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_out extended permit ip any any
access-list business_outbound_nat0_acl extended permit ip object-group Bussiness object-group LAN
access-list inside_outbound_nat0_acl extended permit ip object-group LAN object-group Bussiness
pager lines 24
logging enable
logging timestamp
logging monitor notifications
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu business 1500
ip verify reverse-path interface outside
ip audit name idsattack attack action alarm reset
ip audit name idsinfo info action alarm
ip audit interface outside idsinfo
ip audit interface outside idsattack
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit host 64.76.95.138 echo outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
nat (business) 0 access-list business_outbound_nat0_acl
nat (business) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group business_access_in in interface business
route outside 0.0.0.0 0.0.0.0 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa local authentication attempts max-fail 10
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 5
vpdn group infonet request dialout pppoe
vpdn group infonet localname xxxxx at speedyplus
vpdn group infonet ppp authentication chap
vpdn username xxxxx at speedyplus password *********
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map type inspect im match-all InstantMSN
match protocol msn-im yahoo-im
!
!
policy-map type inspect im IMBlock
parameters
class InstantMSN
drop-connection log
!
prompt hostname context
Cryptochecksum:cd27619b7d15523a934badb87c74c6f5
: end
INFFRW01# conf t
INFFRW01(config)# exit
INFFRW01#
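The ACLs above decide which flows each interface admits, and with two interfaces at security-level 100 and same-security-traffic enabled it is the inbound ACL on each side that matters. The following is an added example (not part of the original post, and not Cisco's packet-tracer) that parses the posted access-list, object-group and access-group lines into a minimal first-match evaluator and runs a few constructed flows through it, such as a business PC reaching a server on 445, and a server reaching a business PC on 389. The subset of the posted configuration embedded in SAMPLE is copied from the thread; the host addresses in the sample flows (172.16.1.50, 192.168.1.50, 203.0.113.10) are constructed. NAT, stateful return traffic, ICMP type keywords and the `interface` address keyword are deliberately not modelled.

```python
"""ASA extended-ACL evaluator (added example; not Cisco code).

Models only the constructs the posted config uses: permit/deny, ip/tcp/udp/icmp,
'any', 'host A', 'NET MASK', 'object-group NAME', an optional 'eq PORT', and
'access-group NAME in interface IFACE'.  NAT, stateful return traffic, ICMP
type keywords and the 'interface' address keyword are out of scope."""
import ipaddress

# Service names appearing in the posted ACLs, mapped per the ASA name table.
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "ftp-data": 20, "smtp": 25,
              "pop3": 110, "domain": 53, "sqlnet": 1521, "netbios-ssn": 139}


def _take_addr(tokens, groups):
    """Consume one address operand; return (list of networks, remaining tokens)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], tokens[2:]
    if tokens[0] == "object-group":
        return list(groups[tokens[1]]), tokens[2:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]


def parse_config(text):
    """Return (object_groups, acls, bindings) from 'show run' style text."""
    groups, acls, bindings = {}, {}, {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            group = line.split()[-1]
            groups[group] = []
        elif line.startswith("network-object ") and group is not None:
            _, net, mask = line.split()
            groups[group].append(ipaddress.ip_network(f"{net}/{mask}"))
        elif line.startswith("access-list ") and " extended " in line:
            parts = line.split()
            name, action, proto, rest = parts[1], parts[3], parts[4], parts[5:]
            src, rest = _take_addr(rest, groups)
            dst, rest = _take_addr(rest, groups)
            port = None
            if rest[:1] == ["eq"]:  # ICMP type keywords (echo, ...) are ignored
                port = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
            acls.setdefault(name, []).append((action, proto, src, dst, port, line))
        elif line.startswith("access-group ") and " in interface " in line:
            parts = line.split()
            bindings[parts[4]] = parts[1]  # interface -> inbound ACL name
    return groups, acls, bindings


def evaluate(config, iface, proto, src, dst, dport=None):
    """First-match evaluation of the inbound ACL on `iface`, with the ASA's
    implicit deny at the end.  Returns (action, matching line or reason)."""
    _, acls, bindings = config
    if iface not in bindings:
        raise ValueError(f"no inbound ACL bound to interface {iface}")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts, port, line in acls[bindings[iface]]:
        if p != "ip" and p != proto:
            continue
        if not any(s in n for n in srcs) or not any(d in n for n in dsts):
            continue
        if port is not None and port != dport:
            continue
        return action, line
    return "deny", f"implicit deny at end of {bindings[iface]}"


# Relevant lines copied from the configuration posted in the thread.
SAMPLE = """
object-group network LAN
 network-object 192.168.1.0 255.255.255.0
object-group network Bussiness
 network-object 172.16.1.0 255.255.255.0
access-list inside_access_in extended permit ip host 192.168.1.21 any
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 445
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-list business_access_in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list business_outbound_nat0_acl extended permit ip object-group Bussiness object-group LAN
access-group inside_access_in in interface inside
access-group business_access_in in interface business
"""
CONFIG = parse_config(SAMPLE)

if __name__ == "__main__":
    # Constructed flows: a business PC talking to a server, and the reverse.
    for flow in [("business", "tcp", "172.16.1.50", "192.168.1.21", 445),
                 ("inside", "tcp", "192.168.1.50", "172.16.1.50", 445),
                 ("inside", "tcp", "192.168.1.50", "172.16.1.50", 389),
                 ("business", "udp", "172.16.1.50", "203.0.113.10", 53)]:
        print(flow, "->", evaluate(CONFIG, *flow))
```

Run as-is it prints the verdict and the matching entry for each flow; the two "deny" results come from the implicit deny, because business_access_in only names 192.168.1.0/24 as a destination and inside_access_in only opens 389 for the three explicitly listed hosts. Because only inbound ACLs are modelled, a permit here says nothing about the reverse direction, which on the real box is handled by the stateful connection table.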