justsoso (Premium Member, join:2013-08-19, united state):
Re: Cisco ASA 5505

This config was for a different purpose and was pulled from use.

aryoba (MVM, join:2002-08-22):
On a side note, what is your Internet connection like? Do you have an external modem or router that the PIX 501 firewall will connect to?

justsoso (Premium Member, join:2013-08-19, united state):
Router with static IP.

aryoba (MVM, join:2002-08-22):
I imagine you already know that the PIX 501 WAN port goes to the router and the LAN ports connect to the three users.

Once you have the following info from the ASA 5505 network admin, you can start configuring the PIX.

* What IP address are they expecting you to come from? Your NAT-ed (single) IP address, or something else?
* What IP addresses do your three users need to access?
* What is the remote site's ASA 5505 VPN termination IP address?
* What is the PIX 501 VPN termination IP address?
* What are the Phase 1 and Phase 2 settings?
* What is the pre-shared key (assuming you use one)?

aryoba (MVM) to justsoso:
said by justsoso:

router with static ip

You may want to ask your ISP (or whoever manages the router) to stop doing NAT once you install the PIX 501 firewall. The firewall will then do the NAT as needed. The router will then do just routing and provide static public IP address connectivity to the firewall.

justsoso (Premium Member, join:2013-08-19, united state):
It's a larger router; there are just 3 of us that will need access to this VPN. Now I'm off to try and pull the config off the 5505. I'm assuming the router is blocking my TFTP requests...

aryoba (MVM, join:2002-08-22):
said by justsoso:

I'm assuming the router is blocking my TFTP requests...

Either that, or your Windows 7 firewall blocks the TFTP request.

justsoso (Premium Member, join:2013-08-19, united state):
TFTP question: I can see the requests hitting the TFTP server, so it's getting through. I'm getting access denied. ASDM is saying it's not getting a response. What does it want in the config path? I didn't have to put anything in with the PIX.

aryoba (MVM, join:2002-08-22):
Did you try this step?
»supportforums.cisco.com/ ··· firewall

justsoso (Premium Member, join:2013-08-19, united state):
I've got the PIX info; this is for the 5505. There is no longer a firewall in the picture.

aryoba (MVM, join:2002-08-22):
The steps on an ASA running OS version 7 are similar:
»www.cisco.com/c/en/us/su ··· ure.html

YDC (Member, join:2007-11-13, Hewlett, NY) to justsoso:
You can also send the config via FTP with the command copy running-config ftp.

justsoso (Premium Member, join:2013-08-19, united state) to aryoba:
Result of the command: "sho run"

: Saved
:
ASA Version 7.2(4)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.11.145.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

dns server-group DefaultDNS
domain-name
access-list outside_1_cryptomap extended permit ip
access-list CSI_SplitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list outside_access_in extended permit ip any any
access-list outside_40_cryptomap extended permit ip
access-list outside_60_cryptomap extended permit ip
access-list outside_60_cryptomap extended permit ip
access-list outside_60_cryptomap extended permit ip
access-list avail_splitTunnelAcl standard permit
access-list CALR_splitTunnelAcl standard permit
access-list outside_30_cryptomap extended permit ip
access-list outside_30_cryptomap extended permit ip
access-list outside_30_cryptomap extended permit ip
access-list inside_access_in extended permit ip any any
access-list outside_nat0_outbound extended permit ip any any
access-list inside_nat_outbound extended permit ip any any
access-list inside_nat_outbound_1 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging list ConfigChanges level debugging class config
logging monitor debugging
logging trap ConfigChanges
logging asdm debugging
logging host inside 10.1.2.182
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool Remote_VPN 192.168.200.100-192.168.200.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound_1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 172.16.96.0 255.255.255.0 10.11.145.2 1
route inside 192.168.145.0 255.255.255.0 10.11.145.2 1
route inside 172.16.150.0 255.255.255.0 10.11.145.2 1
route outside 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside community
snmp-server host inside community
snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set
crypto dynamic-map outside_dyn_map 20 set
crypto dynamic-map outside_dyn_map 20 set transform-set
crypto dynamic-map outside_dyn_map 40 set m-set
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set
crypto map outside_map 1 set
crypto map outside_map 1 set transform-set
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set
crypto map outside_map 30 set
crypto map outside_map 30 set transform-set
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set
crypto map outside_map 40 set
crypto map outside_map 40 set transform-set
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set
crypto map outside_map 60 set
crypto map outside_map 60 set transform-set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 45
console timeout 0
management-access inside

ntp server 10.1.2.182 source inside prefer
group-policy internal
group-policy attributes
dns-server value
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
group-policy csi internal
group-policy csi attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
group-policy avail internal
group-policy avail attributes
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value avail_splitTunnelAcl
username
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group avail type ipsec-ra
tunnel-group avail general-attributes
address-pool Remote_VPN
default-group-policy avail
tunnel-group avail ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-ra
tunnel-group general-attributes
address-pool Remote_VPN
default-group-policy
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-ra
tunnel-group general-attributes
address-pool Remote_VPN
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:
: end
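The config above is the artifact aryoba's checklist asks about: the peer address, the crypto map ACL (the interesting traffic), the transform-set and the isakmp policy are all in there, alongside the tunnel-group for each L2L peer. The same dump also shows the settings a reviewer would flag before copying it onto a PIX: http and ssh permitted from 0.0.0.0 0.0.0.0 on outside, and outside_access_in set to permit ip any any and applied inbound on outside (site-to-site traffic does not need that on an ASA, since sysopt connection permit-vpn bypasses the interface ACL by default). The script below is an added example written for this thread, not the poster's or Cisco's code: it parses an ASA 7.x "sho run" by statement keyword (so it does not depend on the indentation the paste lost), reports per crypto map entry what the far end must mirror, and lists the weak or exposed settings. SAMPLE_CONFIG is constructed; it keeps the statement shapes of the posted config but fills the blanked-out fields with hypothetical RFC 5737 addresses and a hypothetical transform-set name.

```python
"""Extract the site-to-site VPN parameters an admin must mirror from an ASA 7.x
running-config and flag exposed management settings.  Added example for this
thread, not the poster's or Cisco's code.  SAMPLE_CONFIG is constructed: it keeps
the statement shapes of the posted 'sho run' and fills the blanked-out fields with
hypothetical RFC 5737 addresses and a hypothetical transform-set name."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.128
access-list outside_1_cryptomap extended permit ip 10.11.145.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 198.51.100.7
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 outside
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *
"""

MGMT_RE = re.compile(r"^(http|ssh|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
# Below current guidance: single/triple DES, MD5, and the 768/1024-bit MODP groups.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}


def parse_config(text):
    """Line-oriented parse of just the ASA statements the VPN questions depend on."""
    cfg = {"interfaces": {}, "acls": defaultdict(list), "transform_sets": {},
           "crypto_maps": defaultdict(dict), "isakmp": {}, "mgmt": [],
           "applied": {}, "tunnel_groups": set()}
    iface = policy = None          # the interface / isakmp policy block being read
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"interface (\S+)$", line):
            iface = cfg["interfaces"].setdefault(m[1], {})
        elif iface is not None and (m := re.match(r"(nameif|ip address) (.+)", line)):
            iface[m[1]] = m[2]
        elif policy is not None and (m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)):
            policy[m[1]] = m[2]    # Phase 1 parameters the PIX side must match
        elif m := re.match(r"access-list (\S+) (.+)", line):
            cfg["acls"][m[1]].append(m[2])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m[1]] = m[2].split()   # Phase 2 algorithms
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            cfg["crypto_maps"][(m[1], int(m[2]))][m[3]] = m[4]
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            policy = cfg["isakmp"].setdefault(int(m[1]), {})
        elif m := MGMT_RE.match(line):
            cfg["mgmt"].append(m.groups())               # (proto, addr, mask, iface)
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            cfg["applied"][m[2]] = m[1]
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["tunnel_groups"].add(m[1])
    return cfg


def l2l_tunnels(cfg):
    """One record per static crypto map entry: the items the far-end admin must mirror."""
    return [{
        "map": f"{name} {seq}", "peer": e["set peer"],
        "interesting_traffic": cfg["acls"].get(e.get("match address"), []),
        "transform_set": cfg["transform_sets"].get(e.get("set transform-set"), []),
        "tunnel_group_defined": e["set peer"] in cfg["tunnel_groups"],
    } for (name, seq), e in sorted(cfg["crypto_maps"].items()) if "set peer" in e]


def findings(cfg):
    """Settings visible in the config that a reviewer would raise before copying it."""
    f = [f"{p} management open to any source on {i}" for p, a, m, i in cfg["mgmt"]
         if i == "outside" and a == m == "0.0.0.0"]
    acl = cfg["applied"].get("outside")
    if any(l.startswith("extended permit ip any any") for l in cfg["acls"].get(acl, [])):
        f.append(f"inbound ACL {acl} on outside permits ip any any")
    f += [f"isakmp policy {n}: weak {k} {p[k]}" for n, p in sorted(cfg["isakmp"].items())
          for k, weak in WEAK_IKE.items() if p.get(k) in weak]
    f += [f"transform-set {n}: weak {a}" for n, algs in cfg["transform_sets"].items()
          for a in algs if a in WEAK_ESP]
    return f
```

To use it on the real dump, save the "sho run" output to a file and pass its contents to parse_config; l2l_tunnels then answers aryoba's peer, interesting-traffic and transform-set questions per crypto map entry, cfg["isakmp"] holds the Phase 1 policy, and cfg["interfaces"] gives the outside address that is the 5505's VPN termination IP. Only "pre-shared-key *" is never recoverable from a running-config; that one has to come from whoever manages the 5505.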

justsoso (Premium Member) to aryoba:
Result of the command: "sho version"

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"

up 226 days 15 hours

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is c84c.7576.7ec9, irq 11
1: Ext: Ethernet0/0 : address is c84c.7576.7ec1, irq 255
2: Ext: Ethernet0/1 : address is c84c.7576.7ec2, irq 255
3: Ext: Ethernet0/2 : address is c84c.7576.7ec3, irq 255
4: Ext: Ethernet0/3 : address is c84c.7576.7ec4, irq 255
5: Ext: Ethernet0/4 : address is c84c.7576.7ec5, irq 255
6: Ext: Ethernet0/5 : address is c84c.7576.7ec6, irq 255
7: Ext: Ethernet0/6 : address is c84c.7576.7ec7, irq 255
8: Ext: Ethernet0/7 : address is c84c.7576.7ec8, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

Serial Number:
Running Activation Key:
Configuration register is