New to Cisco

Discussion in 'Cisco' started by KEN, Nov 6, 2007.

  1. KEN

    KEN Guest

    I need a detailed tutorial or guide on how to set up basic services,
    like traffic through port 80 translated to a web server, using ASDM 6.0
    for a PIX 515E. I have the super basic config set, like interfaces and
    admin users, but I am having trouble doing basic NAT for port 80, 443
    and 22 traffic. Also, if you have a good resource on remote VPN access
    configuration for the MS VPN client, that would be helpful.

    I have looked through the help files that come along with ASDM and
    thought I had the config correct but no luck.

    thanks in advance -
     
    KEN, Nov 6, 2007
    #1

  2. swesterhoff

    swesterhoff Guest

    Can you get on a console? Enable SSH or Telnet on the inside
    interface and login to the device. Do you have an IP address for the
    outside interface or will it be dynamic? Post a cleansed version of
    your "show run" output and we can help.

    ASDM is pretty hard to describe; it is better to see the configuration in
    the console, and in my view it is clearer once you get the hang of it.
    Use ASDM for viewing stats, VPN connections and CPU usage, not
    configuration (at least at first).

    My 2cents.
     
    swesterhoff, Nov 7, 2007
    #2

  3. Shawn Westerhoff

    Shawn Westerhoff Guest

    Some examples:

    NAT will use the outside IP:

    global (outside) 1 interface

    PAT (Port Address Translation) uses the outside interface:

    static (inside,outside) tcp interface smtp 192.168.168.5 smtp netmask 255.255.255.255
    static (inside,outside) tcp interface 5900 192.168.168.5 5900 netmask 255.255.255.255
    static (inside,outside) tcp interface www 192.168.168.5 www netmask 255.255.255.255

    Then we permit these ports via an access-list:

    access-list your-list-in permit tcp any interface outside eq smtp
    access-list your-list-in permit tcp any interface outside eq 5900
    access-list your-list-in permit tcp any interface outside eq www

    access-group your-list-in in interface outside

    On the VPN, I strongly suggest using the Cisco VPN (comes with your
    PIX, unlimited clients), as it is very easy to deploy and connects very
    quickly.
     
    Shawn Westerhoff, Nov 7, 2007
    #3
  5. KEN

    KEN Guest

    Thanks for the response. I have set the external IP and internal IP;
    both are static. I have telnet enabled and used it to enable the
    interfaces and a few policies...

    This is the current config:

    : Saved
    :
    PIX Version 8.0(2)
    !
    hostname
    domain-name
    enable password encrypted
    names
    name
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address ip cleaned 255.255.255.240
    ospf cost 10
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address ip cleaned 255.255.255.0
    ospf cost 10
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    passwd IGt/YV.MXoTSVYGO encrypted
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns server-group DefaultDNS
    domain-name cleaned
    access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip host cleaned any
    access-list outside_1_cryptomap extended permit ip host cleaned any
    access-list outside_access_in extended permit tcp any eq www host cleaned eq www
    access-list outside_access_in_1 extended permit ip any host cleaned
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    ip local pool cleaned mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,inside) cleaned cleaned netmask 255.255.255.255
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 12.190.141.209 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    http server enable
    http 10.0.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 202.58.134.102
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable outside
    crypto isakmp enable inside
    crypto isakmp policy 10
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 50
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.0.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics
    !
    class-map class_sip_udp
    match port udp eq sip
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect http
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect sqlnet
    inspect tftp
    class class_sip_udp
    inspect sip
    !
    service-policy global_policy global
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 10.0.1.3 10.0.1.3
    vpn-tunnel-protocol l2tp-ipsec
    default-domain value cleaned
    group-policy MSI internal
    group-policy MSI attributes
    dns-server value cleaned cleaned
    vpn-tunnel-protocol l2tp-ipsec
    default-domain value cleaned
    username cleaned password DcCQs5C1bsormATL6ekOYw== nt-encrypted privilege 0
    username cleaned attributes
    vpn-group-policy MSI
    tunnel-group DefaultRAGroup general-attributes
    address-pool MSI
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group WNS type ipsec-l2l
    tunnel-group WNS ipsec-attributes
    pre-shared-key *
    tunnel-group MSI type remote-access
    tunnel-group MSI general-attributes
    address-pool MSI
    default-group-policy MSI
    prompt hostname context
    Cryptochecksum:4a7f6c9d832d7b62a55abf5a49db9747
    : end
    asdm image flash:/asdm-602.bin
    no asdm history enable


    The config looks like it should work for NAT and the www, but I can't
    get it to connect. If I can get the NAT for www working, I think I can
    handle the rest pretty well. Most of my experience is with WatchGuard
    products, which aren't the best but are pretty easy to configure.
    Although I can use the Cisco remote VPN client, I would rather not,
    because I installed it and it conflicts with another VPN client I
    use. So if there's a way to use the MS VPN client, that would be cool.

    Thanks again -
     
    KEN, Nov 7, 2007
    #5
  6. Chad Mahoney

    Chad Mahoney Guest


    access-list outside_access_in_1 permit tcp any host <IP of external interface> eq www

    static (inside,outside) tcp <IP of outside interface> www <IP of internal host> www netmask 255.255.255.255
     
    Chad Mahoney, Nov 7, 2007
    #6
  7. KEN

    KEN Guest

    Thanks I added those items to the config and wrote it to the memory.
    I still do not get our site when I open the external ip address on
    port 80.

    So I have
    access-list outside_access_in extended permit tcp any eq www host 10.0.1.200 eq www
    access-list outside_access_in_1 extended permit ip any host 10.0.1.200
    access-list outside_access_in_1 extended permit tcp any host (external ip) eq www

    and

    static (inside,outside) tcp (external ip) www 10.0.1.200 www netmask 255.255.255.255

    But no site. Anything I have wrong here? Thanks so much again.
     
    KEN, Nov 7, 2007
    #7
  9. Chad Mahoney

    Chad Mahoney Guest

    So I have

    You need to remove the first 2 entries:
     
    Chad Mahoney, Nov 7, 2007
    #9
  10. KEN

    KEN Guest

    This is the current config:
    access-list outside_access_in_1 extended permit tcp any host 12.190.141.214 eq www
    access-list your-list-in extended permit tcp any interface outside eq www

    static (inside,outside) tcp 12.190.141.214 www 10.0.1.200 www netmask 255.255.255.255

    I got rid of the other items. I still can't get into our web server.

    thanks -
     
    KEN, Nov 7, 2007
    #10
  15. KEN

    KEN Guest

    Thanks I removed those settings now we have:

    access-list outside_access_in_1 extended permit tcp any host 12.190.141.214 eq www
    access-list your-list-in extended permit tcp any interface outside eq www

    and nat:

    static (inside,outside) tcp 12.190.141.214 www 10.0.1.200 www netmask 255.255.255.255

    I am still unable to get into our server via web.

    thanks -
     
    KEN, Nov 7, 2007
    #15
  16. Chad Mahoney

    Chad Mahoney Guest

    Try a clear xlate command.

    Also repost the current ACL list, static list, and access-group such as:
     
    Chad Mahoney, Nov 7, 2007
    #16
  17. Chad Mahoney

    Chad Mahoney Guest


    What is the inside_nat0_outbound ACL used for? Do you have VPNs in use
    currently? Please describe your topology a bit more...
     
    Chad Mahoney, Nov 7, 2007
    #17
  18. KEN

    KEN Guest

    access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.192 255.255.255.192
    access-list inside_nat0_outbound extended permit ip any 10.0.1.224 255.255.255.252
    access-list outside_access_in_1 extended permit tcp any host 12.190.141.214 eq www
    access-list your-list-in extended permit tcp any interface outside eq www

    static (inside,outside) tcp 12.190.141.214 www 10.0.1.200 www netmask 255.255.255.255
    static (inside,outside) tcp interface smtp 12.190.141.214 smtp netmask 255.255.255.255

    access-group outside_access_in_1 in interface outside

    I ran that command as well. Thanks a bunch again-
     
    KEN, Nov 7, 2007
    #18
  19. Chad Mahoney

    Chad Mahoney Guest


    Ken,

    Why do you have the statement :

    access-list inside_nat0_outbound extended permit IP any 10.0.1.192 255.255.255.252 ?

    Those ACLs will bypass NAT and could be the source of your problem.

    Also, why are you trying to subnet your /24 subnet in half? It appears
    you want 10.0.1.1 through 10.0.1.192 to bypass NAT completely, making any
    hosts in that range unable to access the internet. As well as
    10.0.1.224 through 10.0.1.254? Sorry, I am a bit confused...
     
    Chad Mahoney, Nov 7, 2007
    #19
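A constructed lint for the static, access-list and nat 0 lines traded in replies #3 and #18, added here as an example and not something anyone posted in the thread. It assumes 10.0.1.0/24 is the inside subnet (the posted "http 10.0.1.0 255.255.255.0 inside" line uses it) and flags the three things the replies keep circling: a static whose real address is not an inside host, a static whose mapped address and port have no permit in the ACL actually applied with access-group, and a real address that falls inside a NAT-exempt range.

```python
"""Constructed lint for the PIX 8.0 static / access-list / nat 0 lines posted in this thread.
Assumption: 10.0.1.0/24 is the inside subnet (the posted 'http ... inside' line uses it)."""
import ipaddress
import re

INSIDE_NET = ipaddress.ip_network("10.0.1.0/24")  # assumption, see docstring
# Constructed excerpt: KEN's reply #18 plus the 'nat (inside) 0' line from his show run.
CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.0.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.1.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.0.1.224 255.255.255.252
access-list outside_access_in_1 extended permit tcp any host 12.190.141.214 eq www
access-list your-list-in extended permit tcp any interface outside eq www
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) tcp 12.190.141.214 www 10.0.1.200 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 12.190.141.214 smtp netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
"""

STATIC_RE = re.compile(r"static \((\w+),(\w+)\) tcp (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"access-list (\S+) extended permit (\w+) (.+)")
NAT0_RE = re.compile(r"nat \(\w+\) 0 access-list (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\w+)")
PAIR_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


def lint(config):
    statics, acls, applied, nat0, findings = [], {}, {}, set(), []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())  # real_if, mapped_if, gaddr, gport, raddr, rport
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(3))  # keep the rule body
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(1))  # ACL names that drive NAT exemption
        elif m := GROUP_RE.match(line):
            applied[m.group(2)] = m.group(1)  # interface -> ACL applied inbound
    # Destination of each NAT-exemption entry is the last addr/mask pair on the line.
    exempt = {ipaddress.ip_network(f"{a}/{mask}") for name in nat0
              for body in acls.get(name, []) if (pairs := PAIR_RE.findall(body))
              for a, mask in [pairs[-1]]}
    for _real_if, mapped_if, gaddr, gport, raddr, _rport in statics:
        real = ipaddress.ip_address(raddr)
        if real not in INSIDE_NET:
            findings.append(f"static {gaddr}:{gport}: real address {raddr} is not inside {INSIDE_NET}")
        # The inbound ACL on the mapped interface must permit the *mapped* address and port.
        want = f"interface {mapped_if} eq {gport}" if gaddr == "interface" else f"host {gaddr} eq {gport}"
        if not any(want in body for body in acls.get(applied.get(mapped_if, ""), [])):
            findings.append(f"static {gaddr}:{gport}: no permit for '{want}' in ACL applied on {mapped_if}")
        findings += [f"static {gaddr}:{gport}: real address {raddr} lies in NAT-exempt range {net}"
                     for net in exempt if real in net]
    for name in acls:
        if name not in nat0 and name not in applied.values():
            findings.append(f"ACL {name} is defined but never applied with access-group")
    return findings
```

Run against the posted lines it reports four findings; the one about the smtp static shows that its real address is the firewall's own outside address rather than a host on the inside.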
  20. KEN

    KEN Guest

    We currently have a WatchGuard product that we are trying to move to
    the PIX. I have two VPNs that I need to set up on the PIX, as well as
    remote access for a couple of users (see posts above).

    Right now I have the first of the two VPNs set up. I also tried to
    configure the remote access VPNs, but they are not working either.

    The network topology is pretty basic: an internal network with a web
    server and a couple of other servers. One of the VPNs is used daily; the
    other one is a remote office and is only used from time to time.
    That's about it.
     
    KEN, Nov 7, 2007
    #20
