TOPIC: ASA5510 configuration

Hi,

I am a newbie and have very limited knowledge of firewall and router configuration. I was "forced" to setup a network for my school project and I am in deep shit :cry: :cry:

I am really appreciated if the experts here can give me some help

Refer to the attached draft diagram, how am I going to configure the access list and route.

1) FTP server is accessed from external network using IP 39.0.2.13.

2) The PIX provide allow anonymous read/write access to the FTP server on the DMZ from both the outside and office networks. Wireless clients are not allowed access to the FTP server.

3) The PIX should allow only read access to the HTTP server for outside networks. All users of the network should also be able to access the HTTP server.

4) The PIX provides syslog information to asyslog server on the office network. A TFTP server is also set up on the office network to save the configuration settings of the PIX. Both the syslog and TFTP servers are not to be accessed by external networks or the DMZ.

Sorry the stupid and lengthy questions.

Thanks in advance

please help me thanks :cry: :cry: :cry: :

alf6901, Welcome to firewall.cx

I will assume first that the physical topology has been setup, That IPs on the PCs and the servers has been already setup. If not, please tell and we'll try to help.

I can try to help with most of the requirements except for syslog which I almost don't know any thing about. Hope that others here do.

Before attacking the stated requirements, I would make sure that basic connectivity is established, IPs of Pix interfaces are setup and that NAT is setup to allow inside users to connect to the outside (internet). These are implicit requirements that really doesn't have to be said in the project description you provided. Your teacher will most probably expect that done.


1. Starting the Pix from scratch

I'm assuming here that you don't want to backup the Pix's configuration and that you want to start from scratch. Type the following on the Pixes CLI (Console Screen):

[code:1]Pix# write erase
Erase PIX configuration in flash memory? [confirm]
[/code:1]

As you can see it asks you to confirm the erase of the current configuration. Press [Enter]. Then type:

[code:1]
Pix# reload
Proceed with reload? [confirm]
[/code:1]

Press [Enter], this will reload the Pix. After it reloads, you will get a message like this:

[code:1]Pre-configure PIX Firewall now through interactive prompts [yes]?[/code:1]

Type n and press [Enter]. Now you are ready to configure the Pix

2. Naming the DMZ interface

[code:1]
Pix# conf t
Pix(config)# nameif ethernet2 dmz security10[/code:1]

This assigns interface ethernet2 to the dmz (as you need in the diagram). It also gives the interface a security level of 10. Security levels go from 0 to 100 (lower to higher security). By default, the ethernet0 and ethernet1 are already named outside and inside respectively. Also by default, inside has the highest security level of 100 and outside has the lowest level of 0.

3. Assigning IP addresses/masks for the Pix interfaces

[code:1]
Pix# conf t
Pix(config)# ip address inside 10.10.10.1 255.255.255.0
Pix(config)# ip address outside 192.168.168.2 255.255.255.0
[/code:1]

Now to turn ON the interfaces:

[code:1]Pix(config)# interface ethernet0 auto
Pix(config)# interface ethernet1 auto
Pix(config)# interface ethernet2 auto
[/code:1]

Now if you connect a PC to the inside interface (E1) you should be able to ping the Pix IP 10.10.10.1

Try to complete up to this point now. Then we'll try to help further.

Hi S0lo,

Thanks for your help. I have already configured the interface address and security level. The problem I am facing now is the access list and the route between the inside to DMZ, outside to DMZ and inside to outside

I only have a few lessons on the configuration and now I have to start with this project :roll:

I have tried to read and understand the configuration but......... :cry:

Then it's better if you post your current config here so we can see exactly where you have reached and help you better.

Hi,

Thanks. Here is my config


ASA Version 7.0(8)
!
hostname asa2
domain-name pbil02.lab
enable password 2EYTZj.pkgTrWllb encrypted
passwd CbFQhu3ysddftY7L encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.168.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.10.20.1 255.255.255.240
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
banner exec "No Illegal Login! ! !"
banner login "No Unauthorised Login ! ! !"
ftp mode passive
access-list fromoutside extended permit tcp any host 39.0.2.13 eq ftp
access-list fromoutside extended permit tcp any host 39.0.2.14 eq www
access-list fromoutside extended permit tcp any host 39.0.2.1 eq domain
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging host inside 10.10.10.10
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no asdm history enable
arp timeout 14400
global (outside) 1 39.0.2.3-39.0.2.12
global (outside) 1 39.0.2.2
nat (inside) 1 10.10.10.0 255.255.255.0
static (dmz,outside) 39.0.2.1 10.10.20.10 netmask 255.255.255.255
static (dmz,outside) 39.0.2.13 10.10.20.13 netmask 255.255.255.255
static (dmz,outside) 39.0.2.14 10.10.20.14 netmask 255.255.255.255
access-group fromoutside in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.10.10.10 255.255.255.255 inside
telnet timeout 15
ssh timeout 15
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00000000000000000000000000000000
: end
asa2(config)#