Firewall – Cisco ASA 5505 Config

Tags: cisco, cisco-asa, configuration, firewall, networking

I have looked through a lot of these posts on the Cisco ASA5505 as well as gone online. I am looking for some straightforward step-by-step instructions to complete the following tasks.

I know how to get it functioning with an inside and outside interface so that's great!

I need some step-by-step instructions for the following tasks:

  1. Configuring the firewall.
    There will be two servers attached to the inside interface: one is a web server, so ports 80, 25, etc… The other is the DC, so all standard ports for that need to be opened up. We also need RDP opened to both machines; we use a non-standard port. I feel if I saw one example, like for port 80, I could replicate that. Are there any other configs I should be aware of to secure the actual firewall, or does it come set up pretty well out of the box?

  2. Set up access to the appliance from our main office and my offsite lab. I could also RDP to the DC on the inside interface and then connect, if that was more secure.

Here is my current status. Right now it is just set up on my work machine for some testing, so the outside interface just goes to the office network.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1) 
!
hostname superasa
domain-name somedomainname
enable password /****** encrypted
passwd ******************** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.9 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.120
 domain-name somedomain
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http 192.168.2.4 255.255.255.255 inside
http 192.168.1.108 255.255.255.255 outside
http internetip 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.120 208.67.222.222
dhcpd domain somedomain
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.33 inside
dhcpd dns 192.168.1.120 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
dhcpd dns 192.168.1.120 interface outside
dhcpd domain supernova interface outside
!
dhcprelay timeout 60

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context 
Cryptochecksum:abunchofnumbersgohere
: end

Best Answer

On your first point, the firewall portion is already set up. Those "security-level" commands that you issued for the interfaces took care of that. Higher levels are able to communicate with lower levels, but lower levels need to be given access to resources at higher levels. To grant access, you create an access-list and assign it to an interface with the access-group command. Since you are NATing as well, you need to create some static mappings so the firewall knows where to send traffic to. I've left the DC out of my instructions because you don't need to expose anything to the DC (it's a security issue to do so). If you have remote offices that need to authenticate, set up a site-to-site VPN. Here's what it would look like:

access-list outside_access_in extended permit tcp any host 192.168.1.153 eq 80
access-list outside_access_in extended permit tcp any host 192.168.1.153 eq 25
access-group outside_access_in in interface outside
static (inside,outside) 192.168.1.153 192.168.2.5 netmask 255.255.255.255

You could, alternatively, use PAT instead of assigning the server its own external IP address. I recommend not doing this if possible as it is more commands to configure and keeping an email server on its own IP address helps you to not get blacklisted. If you'd like to do this, here's what you'd do (note in this configuration you have to create a static mapping for each port):

access-list outside_access_in extended permit tcp any host [external ip address of firewall] eq 80
access-list outside_access_in extended permit tcp any host [external ip address of firewall] eq 25
access-group outside_access_in in interface outside
static (inside,outside) tcp interface 80 [internal ip address of server] 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 [internal ip address of server] 25 netmask 255.255.255.255

In order to enable access, you just tell SSH where to listen, how to authenticate (a local database is easiest to set up), and generate a key:

ssh [ip address of main office] 255.255.255.255 outside
ssh [ip address of remote lab network] [subnet mask of remote lab network] outside
ssh [subnet of internal network] [subnet mask of internal network] inside
username companyadmin password [create a good password] privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa

EDIT

You cannot do the type of failover you're looking for on the ASA. It can fail over ISPs but not hosts. What you might want to look into is Network Load Balancer on Windows or a dedicated hardware load balancer.

The first snippet of code is not about site-to-site VPN. Sorry for the confusion. It is for forwarding ports with a dedicated IP (also known as static NAT) as opposed to an IP address shared with the firewall. When it's a shared IP, it's called port address translation (PAT) because the port number and type dictates which host it's forwarded to. When you have a dedicated IP address it's called static NAT. You are already using NAT and you can use either PAT or static NAT in combination with NAT.