[c-nsp] ASA help configuration

Jorge Evangelista netsecuredata at gmail.com
Thu Mar 6 23:50:29 EST 2008


Hi, Cisco friends, the issue was solved: the problem was an unmanaged D-Link
switch. I replaced it with a 3COM switch, and now the Cisco ASA works fine.

Regards.



On 3/6/08, Fields, Jesse <Jesse.Fields at wesd.org> wrote:
>
> I have run into a similar problem recently on a 5505 and kicked myself
> for overlooking it.  Try hard-setting your port speed/duplex on the ASA
> and switch.  GL
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jorge
> Evangelista
> Sent: Thursday, March 06, 2008 7:03 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] ASA help configuration
>
> Hi guys,
>
> I have configured a Cisco ASA 5505 with two LANs, one for inside
> (servers) and the other for business (users). I can ping from business
> to inside hosts and vice versa, and I can authenticate to the MS domain,
> but only when I connect a PC to the ASA ports with access vlan 3.
> However, when I connect a switch via crossover cable to the business
> interface of the ASA, with PCs connected to that switch, I can ping my
> servers but I start to lose packets, and I cannot connect to the domain
> controller.
> Is there some mismatch or error in my configuration? Thanks in advance,
> any help is appreciated.
>
>
>
>
> Here is my configuration:
>
> INFFRW01# sh run
> : Saved
> :
> ASA Version 8.0(3)
> !
> hostname INFFRW01
> domain-name infonet
> enable password TKDiZkUkxqC/29zO encrypted
> names
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> pppoe client vpdn group infonet
> ip address pppoe setroute
> !
> interface Vlan3
> nameif business
> security-level 100
> ip address 172.16.1.1 255.255.255.0
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> interface Ethernet0/1
> !
> interface Ethernet0/2
> !
> interface Ethernet0/3
> description PCs INFONET LAN
> switchport access vlan 3
> !
> interface Ethernet0/4
> !
> interface Ethernet0/5
> !
> interface Ethernet0/6
> !
> interface Ethernet0/7
> !
> passwd .tmIcdcvUoZGQ9bt encrypted
> boot system disk0:/asa803-k8.bin
> ftp mode passive
> clock timezone PEST -5
> dns server-group DefaultDNS
> domain-name infonet
> same-security-traffic permit inter-interface
> object-group network LAN
> description network servers
> network-object 192.168.1.0 255.255.255.0
> object-group network Bussiness
> description network PCsINFONET
> network-object 172.16.1.0 255.255.255.0
> access-list inside_access_in extended permit ip host 192.168.1.21 any
> access-list inside_access_in extended permit ip host 192.168.1.100 any
> access-list inside_access_in extended permit ip host 192.168.1.105 any
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq www
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq https
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq ftp-data
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq smtp
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq pop3
> access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq sqlnet
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq netbios-ssn
> access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq 445
> access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
> access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo-reply
> access-list outside_access_in extended permit ip host 64.76.95.138 interface outside
> access-list business_access_in extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
> access-list outside_access_out extended permit ip any any
> access-list business_outbound_nat0_acl extended permit ip object-group Bussiness object-group LAN
> access-list inside_outbound_nat0_acl extended permit ip object-group LAN object-group Bussiness
> pager lines 24
> logging enable
> logging timestamp
> logging monitor notifications
> logging buffered informational
> logging asdm informational
> mtu inside 1500
> mtu outside 1500
> mtu business 1500
> ip verify reverse-path interface outside
> ip audit name idsattack attack action alarm reset
> ip audit name idsinfo info action alarm
> ip audit interface outside idsinfo
> ip audit interface outside idsattack
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> icmp permit any inside
> icmp permit any echo inside
> icmp permit any echo-reply inside
> icmp permit host 64.76.95.138 echo outside
> icmp permit any echo-reply outside
> asdm image disk0:/asdm-603.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_outbound_nat0_acl
> nat (inside) 1 0.0.0.0 0.0.0.0
> nat (business) 0 access-list business_outbound_nat0_acl
> nat (business) 1 0.0.0.0 0.0.0.0
> access-group inside_access_in in interface inside
> access-group business_access_in in interface business
> route outside 0.0.0.0 0.0.0.0 192.168.20.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> aaa local authentication attempts max-fail 10
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> telnet 192.168.1.0 255.255.255.0 inside
> telnet timeout 5
> ssh 192.168.1.0 255.255.255.0 inside
> ssh timeout 5
> console timeout 5
> vpdn group infonet request dialout pppoe
> vpdn group infonet localname xxxxx at speedyplus
> vpdn group infonet ppp authentication chap
> vpdn username xxxxx at speedyplus password *********
> dhcpd auto_config outside
> !
> dhcpd address 192.168.1.2-192.168.1.254 inside
> dhcpd enable inside
> !
>
> threat-detection basic-threat
> threat-detection statistics access-list
> !
> class-map type inspect im match-all InstantMSN
> match protocol msn-im yahoo-im
> !
> !
> policy-map type inspect im IMBlock
> parameters
> class InstantMSN
> drop-connection log
> !
> prompt hostname context
> Cryptochecksum:cd27619b7d15523a934badb87c74c6f5
> : end
> INFFRW01# conf t
> INFFRW01(config)# exit
> INFFRW01#
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>



-- 
"The network is the computer"
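One way to check a posted running-config like the one above for ASA switchports still on auto-negotiation, written as an added example for this thread (not code from the list, from Cisco, or from the ASA itself). It assumes the running-config layout shown above (`interface` blocks closed by `!`); the `Ethernet0/4` block in the constructed sample is a hypothetical port with speed/duplex hard-set as Jesse suggested.

```python
"""Audit an ASA 5505 running-config for switchports left on auto-negotiation.
Added example for this thread, not code from the list or from Cisco."""
import re
# Constructed sample trimmed from the posted config; Ethernet0/4 is hypothetical.
SAMPLE_CONFIG = """\
interface Vlan3
 nameif business
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
 speed 100
 duplex full
!
"""

def parse_interfaces(config):
    """Return {interface name: [config lines]}; a block ends at a bare '!'."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
            blocks[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def _setting(lines, prefix, default):
    # Last token of the first line starting with prefix, else the default.
    return next((l.split()[-1] for l in lines if l.startswith(prefix)), default)

def audit_ports(config):
    """Map each Ethernet port to its VLAN/nameif and flag auto-negotiation."""
    blocks = parse_interfaces(config)
    vlan_names = {n[4:]: _setting(lines, "nameif ", None)  # "3" -> "business"
                  for n, lines in blocks.items() if n.startswith("Vlan")}
    report = {}
    for name, lines in blocks.items():
        if name.startswith("Ethernet"):
            vlan = _setting(lines, "switchport access vlan ", "1")  # 5505 default
            speed = _setting(lines, "speed ", "auto")
            duplex = _setting(lines, "duplex ", "auto")
            report[name] = {"vlan": vlan, "nameif": vlan_names.get(vlan), "speed": speed,
                            "duplex": duplex, "autoneg": "auto" in (speed, duplex)}
    return report
```

Run against the posted config, every Ethernet port (including Ethernet0/3 feeding the business VLAN) reports `autoneg: True`, which is the condition Jesse's advice addresses; the downstream switch must be hard-set to match, which an unmanaged switch typically cannot be, consistent with the resolution above.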

