7mega adaptive

sganderson · sab 09 giu , 2012 10:53 am

Salve

Sto configurando un firewall asa 5510 su una 7 mega adaptive(alice).

vi posto la configurazione del firewall

Result of the command: "show run"

: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 31.XXX.XXX.58 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
object network A_31.XXX.XXX.57
host 31.XXX.XXX.57
object network webserver
host 192.168.10.2
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 31.XXX.XXX.57 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.2-192.168.10.25 inside
dhcpd dns 151.99.125.2 151.99.0.100 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c9f1fa6379437377661c9f0cefcb90b
: end

con questa configurazione riesco correttamente a uscire dalla inside e navigo.
ora avrei la necessità di rendere acccessibile dall'esterno un pc collegato alla inside.
A memoria direi che dovrei configurare una nat statica sull'ip da pubblicare e una acl per permettere il traffico.

Giusto?
Qualcuno mi dà una mano sono arrugginito.

Rizio · lun 11 giu , 2012 7:51 am

Si, quello che ti serve è uno static e un'acl:

Codice: Seleziona tutto

access-list NOME_ACL permit IP|TCP|UDP any host IP_PC_INTERNO eq PORTE_CHE_VUOI_ESPORRE
access-group NOME_ACL IN interface OUTSIDE
static (inside,outside) TCP|UDP IP_PC_INTERNO PORTA interface PORTA

più o meno è questa la strada.

Rizio

sganderson · lun 11 giu , 2012 6:17 pm

Ciao

Ho cambiato leggermente la configurazione e fatto come dici tu:

Codice: Seleziona tutto

: Saved
:
ASA Version 8.4(3) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address 31.XX.XX.58 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/2
 nameif outside2
 security-level 0
 pppoe client vpdn group telecom
 ip address pppoe setroute 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
object network A_31.XXX.XXX.57
 host 31.XXX.XXX.57
object service gmailIN
 service tcp source eq 465 destination eq 465 
object service gmailOUT
 service tcp source eq 995 destination eq 995 
object service www
 service tcp source eq www destination eq www 
object network Webserver
 host 192.168.10.2
object network webserverdasd
 host 192.168.10.6
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list outside2_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any 
access-list outside2_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any 
access-list outside_access_in extended permit tcp any object Webserver eq www 
access-list ingresso extended permit tcp any host 192.168.10.6 eq www 
access-list test extended permit tcp any host 192.168.10.6 eq www 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu outside2 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside2) source dynamic any interface
!
object network webserverdasd
 nat (any,any) static 192.168.10.6
access-group test in interface outside2
access-group outside2_access_out out interface outside2
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group telecom request dialout pppoe
vpdn group telecom localname @alicebiz.routed
vpdn group telecom ppp authentication pap
vpdn username @alicebiz.routed password ***** 
dhcpd address 192.168.10.2-192.168.10.25 inside
dhcpd dns 151.99.125.2 151.99.0.100 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:847f87b3ebf1d054f7ddaeb6142fa318
: end

il comando della nat mi va in errore ho provato ad inserirne una alla boia di un giuda

Codice: Seleziona tutto

Result of the command: "static (inside,outside2) TCP 192.168.10.6 80 interface 80"

static (inside,outside2) TCP 192.168.10.6 80 interface 80
                                             ^
ERROR: % Invalid Hostname

ma comunque se provo ad accedere dall'esterno vedo nel log

Codice: Seleziona tutto

3	Jun 11 2012	10:07:28		37.102.147.53	42576	79.XXX.XXX.79	80	TCP access denied by ACL from 37.102.147.53/42576 to outside2:79.XXX.XXX.79/80

è sbagliata la mia acl?

Rizio · mar 12 giu , 2012 9:13 am

Secondo me ti sei lasciato scappare un pò la mano ehhh

Ora c'è un pò tanto bordello direi.....btw, proviamo ad andare avanti:
Per il nat può dipendere dalla versione di ios che hai, nelle prime versioni della 8 ricordo che non accettava il parametro "interface" ma voleva l'ip, forse il problema è quello. Prova ad inserire direttamente l'ip pubblico con cui vuoi nattare il web server verso l'esterno.

Per l'acl si, secondo me è un pò incasinata. Considera che gli object group funzionano bene quando li puoi usare per "grandi numeri" altrimenti rischiano di renderti poco leggibile la conf per nulla (tutto IMHO ehhh).

Considera che dell'acl ne hai bisogno per permettere ad un pacchetto di uscire dalla sua interfaccia e attraversarne una con una security minore. E su questo devi anche considerare le politiche di natting.

Prova a rimetterle giù le idee a fronte di questi 2 parametri, dopo aver capito dov'è l'errore nel nat.

Rizio

7mega adaptive

Login • Iscriviti