justsoso (Premium Member, joined 2013-08-19, United States)
2014-Apr-24 1:55 pm
Re: Cisco ASA 5505
This config was for a different purpose and was pulled from use.
aryoba
MVM
2014-Apr-24 2:19 pm
On a side note, what is your Internet connection like? Do you have an external modem or router that the PIX 501 firewall will connect to?
justsoso (Premium Member)
2014-Apr-24 2:21 pm
Router with static IP.
aryoba
MVM
2014-Apr-24 2:26 pm
I imagine you already know that the PIX 501 WAN port goes to the router and the LAN ports connect to the three users.
Once you have the following info from the ASA 5505 network admin, you can start configuring the PIX.
* What IP address are they expecting you to come from? Your NAT-ed (single) IP address or something else?
* What IP addresses do your three users need to access?
* What is the remote site's ASA 5505 VPN termination IP address?
* What is the PIX 501 VPN termination IP address?
* What are the Phase 1 and Phase 2 settings?
* What is the pre-shared key (assuming you use one)?
aryoba (MVM)
to justsoso
You may want to ask your ISP (or whoever manages the router) to stop doing NAT once you install the PIX 501 firewall. The firewall will then do the NAT as needed. The router will then do just routing and provide static public IP address connectivity to the firewall.
justsoso (Premium Member)
2014-Apr-24 2:47 pm
It's a larger router; there are just 3 of us that will need access to this VPN. Now I'm off to try and pull the config off the 5505. I'm assuming the router is blocking my TFTP requests...
aryoba
MVM
2014-Apr-24 2:53 pm
said by justsoso:
    I'm assuming the router is blocking my TFTP requests...
Either that or your Windows 7 firewall blocks the TFTP request.
justsoso (Premium Member)
2014-Apr-24 3:03 pm
TFTP question: I can see the requests hitting the TFTP server, so it's getting through. I'm getting access denied. ASDM is saying it's not getting a response. What does it want in the config path? I didn't have to put anything in with the PIX.
aryoba
MVM
2014-Apr-24 3:09 pm
justsoso (Premium Member)
2014-Apr-24 3:09 pm
I've got the PIX info; this is for the 5505. There is no longer a firewall in the picture.
aryoba
MVM
2014-Apr-24 3:12 pm
The steps on an ASA running OS version 7 are similar: www.cisco.com/c/en/us/su ··· ure.html
YDC (joined 2007-11-13, Hewlett, NY)
to justsoso
You can also send the config via FTP with the command copy running-config ftp
justsoso (Premium Member)
to aryoba
Result of the command: "sho run"
: Saved
:
ASA Version 7.2(4)
!
hostname
domain-name
enable password encrypted
passwd encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.11.145.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns server-group DefaultDNS
 domain-name
access-list outside_1_cryptomap extended permit ip
access-list CSI_SplitTunnelAcl standard permit
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list outside_access_in extended permit ip any any
access-list outside_40_cryptomap extended permit ip
access-list outside_60_cryptomap extended permit ip
access-list outside_60_cryptomap extended permit ip
access-list outside_60_cryptomap extended permit ip
access-list avail_splitTunnelAcl standard permit
access-list CALR_splitTunnelAcl standard permit
access-list outside_30_cryptomap extended permit ip
access-list outside_30_cryptomap extended permit ip
access-list outside_30_cryptomap extended permit ip
access-list inside_access_in extended permit ip any any
access-list outside_nat0_outbound extended permit ip any any
access-list inside_nat_outbound extended permit ip any any
access-list inside_nat_outbound_1 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging list ConfigChanges level debugging class config
logging monitor debugging
logging trap ConfigChanges
logging asdm debugging
logging host inside 10.1.2.182
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool Remote_VPN 192.168.200.100-192.168.200.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat_outbound_1
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 172.16.96.0 255.255.255.0 10.11.145.2 1
route inside 192.168.145.0 255.255.255.0 10.11.145.2 1
route inside 172.16.150.0 255.255.255.0 10.11.145.2 1
route outside 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside community
snmp-server host inside community
snmp-server location
no snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set
crypto dynamic-map outside_dyn_map 20 set
crypto dynamic-map outside_dyn_map 20 set transform-set
crypto dynamic-map outside_dyn_map 40 set m-set
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set
crypto map outside_map 1 set
crypto map outside_map 1 set transform-set
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set
crypto map outside_map 30 set
crypto map outside_map 30 set transform-set
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set
crypto map outside_map 40 set
crypto map outside_map 40 set transform-set
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set
crypto map outside_map 60 set
crypto map outside_map 60 set transform-set
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 45
console timeout 0
management-access inside
ntp server 10.1.2.182 source inside prefer
group-policy internal
group-policy attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
group-policy csi internal
group-policy csi attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value
group-policy avail internal
group-policy avail attributes
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value avail_splitTunnelAcl
username
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group avail type ipsec-ra
tunnel-group avail general-attributes
 address-pool Remote_VPN
 default-group-policy avail
tunnel-group avail ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-ra
tunnel-group general-attributes
 address-pool Remote_VPN
 default-group-policy
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-ra
tunnel-group general-attributes
 address-pool Remote_VPN
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:
: end
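aryoba's checklist earlier in the thread (peer address, crypto ACL subnets, Phase 1 and Phase 2 settings) and the sanitized "sho run" posted here are two halves of the same job: reading the ASA side to fill in the PIX side. Below is an added Python example, not code from the thread or from Cisco. It parses a constructed ASA 7.x-style config modelled on the posted one (the peer 203.0.113.10, the transform-set name ESP-3DES-SHA and the crypto ACL subnets are placeholders standing in for the redacted values) and pulls out those parameters, then flags the exposure items a reviewer would raise on the config as posted: http and ssh management open to any source on outside, an inbound permit ip any any on the outside ACL, ICMP permitted from anywhere on outside, and 3DES with DH group 2 in Phase 1.

```python
"""Added example: extract site-to-site VPN parameters from an ASA 7.x
'show run' and flag exposure findings. Not from the thread or Cisco."""
import re
from collections import defaultdict

# Constructed sample modelled on the sanitized config in the thread.
# 203.0.113.10 (documentation range), ESP-3DES-SHA and the ACL subnets
# are placeholders for values that were redacted in the posted config.
SAMPLE_CONFIG = """\
ASA Version 7.2(4)
access-list outside_access_in extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.11.145.0 255.255.255.0 172.16.96.0 255.255.255.0
access-group outside_access_in in interface outside
icmp permit any outside
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *
"""

# IKEv1 Phase 1 choices worth flagging. The 5505's "sho version" in the
# thread lists VPN-3DES-AES as enabled, so AES is licensed and available.
WEAK_PHASE1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_config(text):
    """Split an ASA config into top-level commands and their indented sub-lines."""
    top, children, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
    return top, children


def vpn_parameters(text):
    """Collect what the remote admin's checklist asks for: Phase 1 policies,
    Phase 2 transform sets, crypto-map entries (ACL, peer, transform set)
    and the L2L peers that have a tunnel-group."""
    top, children = parse_config(text)
    params = {"isakmp": {}, "transform_sets": {},
              "crypto_maps": defaultdict(dict), "l2l_peers": []}
    for cmd in top:
        if m := re.match(r"crypto isakmp policy (\d+)$", cmd):
            attrs = {}
            for line in children[cmd]:            # e.g. "encryption 3des"
                parts = line.split(None, 1)
                if len(parts) == 2:
                    attrs[parts[0]] = parts[1]
            params["isakmp"][int(m[1])] = attrs
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", cmd):
            params["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$", cmd):
            params["crypto_maps"][(m[1], int(m[2]))][m[3]] = m[4]
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", cmd):
            params["l2l_peers"].append(m[1])
    return params


def audit(text):
    """Return (severity, message) findings for the exposure items above."""
    top, _ = parse_config(text)
    findings = []
    # Management plane (ASDM/SSH/telnet) reachable from any address on outside.
    for cmd in top:
        if m := re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 outside$", cmd):
            findings.append(("high", f"{m[1]} management open to any source on outside"))
    # ACL applied inbound on outside that permits everything.
    inbound = {}
    for cmd in top:
        if m := re.match(r"access-group (\S+) in interface (\S+)$", cmd):
            inbound[m[2]] = m[1]
    acl = inbound.get("outside")
    if acl and f"access-list {acl} extended permit ip any any" in top:
        findings.append(("high", f"ACL {acl} bound inbound on outside permits ip any any"))
    if "icmp permit any outside" in top:
        findings.append(("low", "ICMP to the outside interface permitted from any source"))
    # Weak IKEv1 Phase 1 parameters, per policy number.
    for num, attrs in vpn_parameters(text)["isakmp"].items():
        for key, weak in WEAK_PHASE1.items():
            if attrs.get(key) in weak:
                findings.append(("medium", f"isakmp policy {num}: {key} {attrs[key]} is weak"))
    return findings


if __name__ == "__main__":
    p = vpn_parameters(SAMPLE_CONFIG)
    print("Phase 1:", p["isakmp"], "\nPhase 2:", p["transform_sets"])
    print("Crypto map entries:", dict(p["crypto_maps"]), "\nL2L peers:", p["l2l_peers"])
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

The values the script prints for the isakmp policy, transform set, peer and crypto ACL are exactly what the PIX side has to mirror for Phase 1 and Phase 2 to negotiate; the findings are the things to fix on the ASA regardless of the tunnel, since "http 0.0.0.0 0.0.0.0 outside" and "ssh 0.0.0.0 0.0.0.0 outside" expose ASDM and SSH to the whole Internet and "permit ip any any" inbound on outside removes the firewall's filtering.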
justsoso
to aryoba
Result of the command: "sho version"
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
Config file at boot was "startup-config"

 up 226 days 15 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is c84c.7576.7ec9, irq 11
 1: Ext: Ethernet0/0         : address is c84c.7576.7ec1, irq 255
 2: Ext: Ethernet0/1         : address is c84c.7576.7ec2, irq 255
 3: Ext: Ethernet0/2         : address is c84c.7576.7ec3, irq 255
 4: Ext: Ethernet0/3         : address is c84c.7576.7ec4, irq 255
 5: Ext: Ethernet0/4         : address is c84c.7576.7ec5, irq 255
 6: Ext: Ethernet0/5         : address is c84c.7576.7ec6, irq 255
 7: Ext: Ethernet0/6         : address is c84c.7576.7ec7, irq 255
 8: Ext: Ethernet0/7         : address is c84c.7576.7ec8, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
VPN Peers                   : 10
WebVPN Peers                : 2
Dual ISPs                   : Disabled
VLAN Trunk Ports            : 0

This platform has a Base license.

Serial Number:
Running Activation Key:
Configuration register is