
Problem with a Cisco ASA 5510

ecallejo

I've been trying for ages to get this Cisco firewall working at my company, and it's driving me crazy trying to do the simplest thing in the world (I think). Anyway, here's the situation: I'm unable to access my internal server from outside via Terminal Server, and all I want to do is what I list below:

1. Secure our internal network against possible attacks by installing the ASA between the router and the internal network.

2. Allow external communication only on certain ports (Exchange and Terminal Server, for example).

Here are the details:

1. The router has IP 192.168.0.254.

2. I have VLAN 192.168.0.1 for outside.

3. I have VLAN 192.168.1.1 for inside (internal communication).

Below is the ASA configuration:

[Configuration edited by moderator]

Frankie2004

Please paste the configuration again, making sure the line breaks are in place (use unix2dos or similar if you need to), because all on one line it's completely unreadable. While you're at it, delete the passwords; you never know...

ecallejo

Sorry, everyone, I'm pasting it again; let's see if I have better luck:

1. Configure a Cisco ASA 5510 firewall to sit between an internal network of computers and a Zyxel P-320W neutral router (with a fixed IP), which in turn has a Euskaltel cable modem connected to it.

2. For now we can't do without the Zyxel router, because Euskaltel uses PPPoA and the ASA only does PPPoE, and since we also have a fixed IP we couldn't even put the Zyxel router in single-host mode to avoid double NAT.

3. What we want to do is the following:

3.1. Secure our internal network against possible attacks by installing the ASA between the router and the internal network.

3.2. Allow external communication only on certain ports (Exchange and Terminal Server, for example).

3.3. Configure the ASA to allow secure access to the servers via VPN with the Cisco VPN Client software. (This point hasn't been touched yet.)

Below is the ASA's internal configuration, so you can see whether you can spot why I can't reach the internal server on our network via Terminal Server when I apparently have the port open and everything is permitted.

: Saved
:
ASA Version 8.0(3)6
!
hostname ciscoasa
enable password xxxxxx encrypted
passwd xxxxxx encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.1.70
name-server 192.168.1.80
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object pim
service-object pcp
service-object snp
service-object udp
service-object igmp
service-object ipinip
service-object gre
service-object esp
service-object ah
service-object icmp6
service-object tcp
service-object eigrp
service-object ospf
service-object igrp
service-object nos
service-object icmp alternate-address
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object tcp eq 3389
service-object tcp eq 6667
service-object tcp eq aol
service-object tcp eq bgp
service-object tcp eq chargen
service-object tcp eq cifs
service-object tcp eq citrix-ica
service-object tcp eq ctiqbe
service-object tcp eq daytime
service-object tcp eq discard
service-object tcp eq domain
service-object tcp eq echo
service-object tcp eq exec
service-object tcp eq finger
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq gopher
service-object tcp eq h323
service-object tcp eq hostname
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ident
service-object tcp eq imap4
service-object tcp eq irc
service-object tcp eq kerberos
service-object tcp eq klogin
service-object tcp eq kshell
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq login
service-object tcp eq lotusnotes
service-object tcp eq lpd
service-object tcp eq netbios-ssn
service-object tcp eq nntp
service-object tcp eq pcanywhere-data
service-object tcp eq pim-auto-rp
service-object tcp eq pop2
service-object tcp eq pop3
service-object tcp eq pptp
service-object tcp eq rsh
service-object tcp eq rtsp
service-object tcp eq sip
service-object tcp eq smtp
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object tcp eq sunrpc
service-object tcp eq tacacs
service-object tcp eq talk
service-object tcp eq telnet
service-object tcp eq uucp
service-object tcp eq whois
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object udp eq biff
service-object udp eq bootpc
service-object udp eq bootps
service-object udp eq cifs
service-object udp eq discard
service-object udp eq dnsix
service-object udp eq domain
service-object udp eq echo
service-object udp eq www
service-object udp eq isakmp
service-object udp eq kerberos
service-object udp eq mobile-ip
service-object udp eq nameserver
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object udp eq ntp
service-object udp eq pcanywhere-status
service-object udp eq pim-auto-rp
service-object udp eq radius
service-object udp eq radius-acct
service-object udp eq rip
service-object udp eq secureid-udp
service-object udp eq sip
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tacacs
service-object udp eq talk
service-object udp eq tftp
service-object udp eq time
service-object udp eq who
service-object udp eq xdmcp
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object icmp
service-object pim
service-object pcp
service-object snp
service-object udp
service-object igmp
service-object ipinip
service-object gre
service-object esp
service-object ah
service-object icmp6
service-object tcp
service-object eigrp
service-object ospf
service-object igrp
service-object nos
service-object icmp alternate-address
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object tcp eq 3389
service-object tcp eq 6667
service-object tcp eq aol
service-object tcp eq bgp
service-object tcp eq chargen
service-object tcp eq cifs
service-object tcp eq citrix-ica
service-object tcp eq ctiqbe
service-object tcp eq daytime
service-object tcp eq discard
service-object tcp eq domain
service-object tcp eq echo
service-object tcp eq exec
service-object tcp eq finger
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq gopher
service-object tcp eq h323
service-object tcp eq hostname
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ident
service-object tcp eq imap4
service-object tcp eq irc
service-object tcp eq kerberos
service-object tcp eq klogin
service-object tcp eq kshell
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq login
service-object tcp eq lotusnotes
service-object tcp eq lpd
service-object tcp eq netbios-ssn
service-object tcp eq nntp
service-object tcp eq pcanywhere-data
service-object tcp eq pim-auto-rp
service-object tcp eq pop2
service-object tcp eq pop3
service-object tcp eq pptp
service-object tcp eq rsh
service-object tcp eq rtsp
service-object tcp eq sip
service-object tcp eq smtp
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object tcp eq sunrpc
service-object tcp eq tacacs
service-object tcp eq talk
service-object tcp eq telnet
service-object tcp eq uucp
service-object tcp eq whois
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object udp eq biff
service-object udp eq bootpc
service-object udp eq bootps
service-object udp eq cifs
service-object udp eq discard
service-object udp eq dnsix
service-object udp eq domain
service-object udp eq echo
service-object udp eq www
service-object udp eq isakmp
service-object udp eq kerberos
service-object udp eq mobile-ip
service-object udp eq nameserver
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object udp eq ntp
service-object udp eq pcanywhere-status
service-object udp eq pim-auto-rp
service-object udp eq radius
service-object udp eq radius-acct
service-object udp eq rip
service-object udp eq secureid-udp
service-object udp eq sip
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tacacs
service-object udp eq talk
service-object udp eq tftp
service-object udp eq time
service-object udp eq who
service-object udp eq xdmcp
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp
service-object pim
service-object pcp
service-object snp
service-object udp
service-object igmp
service-object ipinip
service-object gre
service-object esp
service-object ah
service-object icmp6
service-object tcp
service-object eigrp
service-object ospf
service-object igrp
service-object nos
service-object icmp alternate-address
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object tcp eq 3389
service-object tcp eq 6667
service-object tcp eq aol
service-object tcp eq bgp
service-object tcp eq chargen
service-object tcp eq cifs
service-object tcp eq citrix-ica
service-object tcp eq ctiqbe
service-object tcp eq daytime
service-object tcp eq discard
service-object tcp eq domain
service-object tcp eq echo
service-object tcp eq exec
service-object tcp eq finger
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq gopher
service-object tcp eq h323
service-object tcp eq hostname
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ident
service-object tcp eq imap4
service-object tcp eq irc
service-object tcp eq kerberos
service-object tcp eq klogin
service-object tcp eq kshell
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq login
service-object tcp eq lotusnotes
service-object tcp eq lpd
service-object tcp eq netbios-ssn
service-object tcp eq nntp
service-object tcp eq pcanywhere-data
service-object tcp eq pim-auto-rp
service-object tcp eq pop2
service-object tcp eq pop3
service-object tcp eq pptp
service-object tcp eq rsh
service-object tcp eq rtsp
service-object tcp eq sip
service-object tcp eq smtp
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object tcp eq sunrpc
service-object tcp eq tacacs
service-object tcp eq talk
service-object tcp eq telnet
service-object tcp eq uucp
service-object tcp eq whois
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object udp eq biff
service-object udp eq bootpc
service-object udp eq bootps
service-object udp eq cifs
service-object udp eq discard
service-object udp eq dnsix
service-object udp eq domain
service-object udp eq echo
service-object udp eq www
service-object udp eq isakmp
service-object udp eq kerberos
service-object udp eq mobile-ip
service-object udp eq nameserver
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object udp eq ntp
service-object udp eq pcanywhere-status
service-object udp eq pim-auto-rp
service-object udp eq radius
service-object udp eq radius-acct
service-object udp eq rip
service-object udp eq secureid-udp
service-object udp eq sip
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tacacs
service-object udp eq talk
service-object udp eq tftp
service-object udp eq time
service-object udp eq who
service-object udp eq xdmcp
service-object icmp unreachable
object-group service DM_INLINE_SERVICE_4
service-object ip
service-object icmp
service-object pim
service-object pcp
service-object snp
service-object udp
service-object igmp
service-object ipinip
service-object gre
service-object esp
service-object ah
service-object icmp6
service-object tcp
service-object eigrp
service-object ospf
service-object igrp
service-object nos
service-object icmp alternate-address
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp mask-reply
service-object icmp mask-request
service-object icmp mobile-redirect
service-object icmp parameter-problem
service-object icmp redirect
service-object icmp router-advertisement
service-object icmp router-solicitation
service-object icmp source-quench
service-object tcp eq 3389
service-object tcp eq 6667
service-object tcp eq aol
service-object tcp eq bgp
service-object tcp eq chargen
service-object tcp eq cifs
service-object tcp eq citrix-ica
service-object tcp eq ctiqbe
service-object tcp eq daytime
service-object tcp eq discard
service-object tcp eq domain
service-object tcp eq echo
service-object tcp eq exec
service-object tcp eq finger
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq gopher
service-object tcp eq h323
service-object tcp eq hostname
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ident
service-object tcp eq imap4
service-object tcp eq irc
service-object tcp eq kerberos
service-object tcp eq klogin
service-object tcp eq kshell
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq login
service-object tcp eq lotusnotes
service-object tcp eq lpd
service-object tcp eq netbios-ssn
service-object tcp eq nntp
service-object tcp eq pcanywhere-data
service-object tcp eq pim-auto-rp
service-object tcp eq pop2
service-object tcp eq pop3
service-object tcp eq pptp
service-object tcp eq rsh
service-object tcp eq rtsp
service-object tcp eq sip
service-object tcp eq smtp
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object tcp eq sunrpc
service-object tcp eq tacacs
service-object tcp eq talk
service-object tcp eq telnet
service-object tcp eq uucp
service-object tcp eq whois
service-object icmp time-exceeded
service-object icmp timestamp-reply
service-object icmp timestamp-request
service-object icmp traceroute
service-object udp eq biff
service-object udp eq bootpc
service-object udp eq bootps
service-object udp eq cifs
service-object udp eq discard
service-object udp eq dnsix
service-object udp eq domain
service-object udp eq echo
service-object udp eq www
service-object udp eq isakmp
service-object udp eq kerberos
service-object udp eq mobile-ip
service-object udp eq nameserver
service-object udp eq netbios-dgm
service-object udp eq netbios-ns
service-object udp eq ntp
service-object udp eq pcanywhere-status
service-object udp eq pim-auto-rp
service-object udp eq radius
service-object udp eq radius-acct
service-object udp eq rip
service-object udp eq secureid-udp
service-object udp eq sip
service-object udp eq snmp
service-object udp eq snmptrap
service-object udp eq sunrpc
service-object udp eq syslog
service-object udp eq tacacs
service-object udp eq talk
service-object udp eq tftp
service-object udp eq time
service-object udp eq who
service-object udp eq xdmcp
service-object icmp unreachable
access-list Inside_nat_static extended permit ip 192.168.1.0 255.255.255.0 any
access-list Outside_access_out extended permit object-group DM_INLINE_SERVICE_4 any any
access-list Inside_access_out extended permit object-group DM_INLINE_SERVICE_3 any any
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any any
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list Inside_nat_static_1 extended permit tcp host 192.168.1.70 eq 3389 host 192.168.0.2
access-list Outside_nat_outbound extended permit tcp any eq 3389 host 192.168.0.2 eq 3389
access-list Inside_nat0_outbound extended permit ip host 192.168.1.70 host 192.168.0.2
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Inside) 2 192.168.1.80 netmask 255.255.255.0
global (Inside) 1 192.168.1.70 netmask 255.255.255.0
nat (Outside) 1 access-list Outside_nat_outbound dns
nat (Inside) 0 access-list Inside_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp 192.168.0.2 3389 access-list Inside_nat_static_1 dns
static (Inside,Outside) 192.168.0.0 access-list Inside_nat_static dns
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server HTTP protocol http-form
aaa-server HTTP (Inside) host 192.168.1.80
start-url xxxxx
user-parameter administrador
password-parameter adivinalo
aaa-server NtDomain protocol nt
aaa-server NtDomain (Inside) host 192.168.1.70
nt-auth-domain-controller dominio
aaa-server NtDomain (Inside) host 192.168.1.80
nt-auth-domain-controller dominio
http server enable
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.2-192.168.2.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a6b0ed1c79c968368a60b750d97ca312
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

BocaDePez

The configuration you pasted is HORRIBLE. It's obvious you have no idea what device you have in your hands!!!

BocaDePez

What are all those services and protocols? Are you really going to use all of those protocols? I think that mess of protocols and services makes your configuration hard to understand. This isn't that difficult; with a good plan and a clear handle on what you do and don't want, you can build a much simpler configuration.

BocaDePez

You configured it with ASDM, right?

I'm telling you this in good faith. Wipe it all and build it again from scratch; it's very messy and you won't be able to get anything done in the middle of all that clutter.

Remember there are two ways to start: permitting everything by default and denying only the specific things you don't want to allow, or denying everything by default and permitting only the specific things you do want to allow (certainly the recommended approach in 99% of cases).

I recommend you read some basic guides that are here:

(broken link)

And here you have some PIX simulators that are nice for getting started:

(broken link)

There are some ASA ones too, which for what you plan to use it for is the same thing.

Above all, read about NAT/global, static and access-lists.

With just that you can already configure what I see you need. What I do recommend is that before you think about getting into VPN, you have the ASA working perfectly on the basics; otherwise you'll make yourself sick and won't know where the problems are coming from. And above all, make a backup before touching anything.

Good luck with that.

BocaDePez
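As an added example that is not part of any post in this thread, here is the kind of default-deny configuration the advice above describes (NAT/global, static and access-lists only), written for the topology ecallejo gives: Zyxel router 192.168.0.254, ASA Outside 192.168.0.1/24, ASA Inside 192.168.1.1/24, server 192.168.1.70. Compared with the posted config it differs in three visible ways: Inside gets security-level 100 instead of 0, so inside-to-outside is allowed by default and outside-to-inside is denied unless an access-list permits it; the four permit-everything access-lists built from the DM_INLINE_SERVICE groups are gone; and the inbound translation is a plain static PAT rather than the policy static whose access-list (Inside_nat_static_1) names the mapped address 192.168.0.2 as its destination, which is not what an inbound RDP connection looks like. Everything not stated in the thread is an assumption: that 192.168.1.70 hosts both RDP and Exchange (SMTP plus OWA over HTTPS), that the Zyxel forwards TCP 3389, 25 and 443 to 192.168.0.1, and that the remote office needing RDP lives in 203.0.113.0/24 (a documentation prefix used as a placeholder).

```cisco
! Added example, not the configuration from the thread. Minimal default-deny
! ASA 8.0 config for: Zyxel router 192.168.0.254, ASA Outside 192.168.0.1/24,
! ASA Inside 192.168.1.1/24, server 192.168.1.70 (RDP + Exchange, assumed).
hostname ciscoasa
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
! Outbound: PAT the whole inside subnet behind the Outside interface address.
global (Outside) 1 interface
nat (Inside) 1 192.168.1.0 255.255.255.0
!
! Inbound: static PAT on the Outside interface address, one line per published port.
! Nothing else inside is reachable from Outside, because no static exists for it.
static (Inside,Outside) tcp interface 3389 192.168.1.70 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 192.168.1.70 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface https 192.168.1.70 https netmask 255.255.255.255
!
! Inbound ACL. On 8.0 the destination is the mapped (Outside) address, 192.168.0.1.
! Anything not listed falls through to the implicit deny at the end of the list.
! 203.0.113.0/24 is a documentation prefix standing in for the remote office that
! needs RDP (assumption); do not open 3389 to "any" unless you really mean it.
access-list Outside_access_in extended permit tcp 203.0.113.0 255.255.255.0 host 192.168.0.1 eq 3389
access-list Outside_access_in extended permit tcp any host 192.168.0.1 eq smtp
access-list Outside_access_in extended permit tcp any host 192.168.0.1 eq https
access-group Outside_access_in in interface Outside
!
! No ACL on Inside: with security-level 100 > 0, inside hosts may open outbound
! connections by default and the return traffic is matched by the connection state.
!
route Outside 0.0.0.0 0.0.0.0 192.168.0.254 1
!
! Management only from the dedicated management network, never from Outside.
! (SSH additionally needs an RSA key, "crypto key generate rsa", and a user; omitted here.)
http server enable
http 192.168.2.0 255.255.255.0 management
ssh 192.168.2.0 255.255.255.0 management
```

To check the inbound path before testing from a real client, run `packet-tracer input Outside tcp 203.0.113.10 40000 192.168.0.1 3389` on the ASA: it walks the simulated packet through the ACL, NAT and route phases and reports ALLOW or DROP together with the phase that dropped it, which is exactly the question the original post asks. Once a session is up, `show xlate` should list the 192.168.1.70/3389 translation and `show conn` the TCP connection. This example does not touch the VPN requirement (point 3.3), in line with the advice to get the basics working first.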

Let's see. The firewall is installed and working. It's been quite a while now, so the thread can be closed. Regards and thanks to everyone.