January 17th, 2012 by Anthony Curreri
What is a View?
A view looks and behaves just like a table, but its rows are generated by a query rather than stored. Most commonly, you create a view so that a person or application can access only part of your database. You might simplify the data to just what people need for ad hoc queries, or you might provide an application the data it needs in a read-only view.
What’s in a View?
Would a view by any other name show the same data? It might, depending on the query that is used to dynamically construct the view. How do we see that query?
MySQL
SHOW CREATE VIEW databasename.viewname;
Microsoft SQL
EXEC sp_helptext 'databasename.viewname'
If you found this helpful, help me by checking out the ads on the right. Thank you!
Posted in Database | No Comments »
July 29th, 2010 by Anthony Curreri
What is NAT? It stands for Network Address Translation. It means that we can have a public IP outside the Cisco firewall, and the firewall will route traffic arriving for that IP to the internal address we select. Of course, because it's a firewall, we need to tell the ASA5505 what traffic to allow through to the inside address. The decision on what to allow through is based on the port the traffic is coming in on.
This is all very easy to do on consumer grade hardware, but it’s difficult to do on the ASA5505 using the Cisco ASDM. I’m going to go through the steps I went through to set up NAT and port forwarding using the ASDM software.
First, setting up NAT
- Use the ASDM software to log into your device.
- Click “Configuration” at the top, then “NAT” on the left.
- Click “Add,” then select “Add Static NAT Rule…”
- Under "Real Address" type the destination, or internal address. For example: "192.168.10.111"
- Change Netmask to: "255.255.255.255"
- Under “Static Translation,” change the Interface to: “outside.”
- Enter the outside, routable IP which you want to use to access the device from outside the firewall.
- Click “OK.”
- Click “Apply.”
Allowing traffic through the firewall, or Port Forwarding
Now all packets which are allowed through the firewall and are addressed to the outside IP address we just named will be delivered to the internal IP address. So, to use our internal IP address as a server, we need to open the firewall to allow traffic to come to this device.
- Click “Security Policy” on the left.
- First, we are going to define the services we want to let through. Click the “Services” tab in the right pane.
- You’ll see a list of pre-defined services. This is helpful (especially http and https), but there are probably services you’ll use that aren’t listed here.
- Fileshares:
  Click "Add," then TCP-UDP Service Group
  Type in a "Group Name" such as "fileshare."
  Check the "Port #" radio button.
  Type in "137" to "139" and click the "Add >>" button.
  Next type in "445" to "445" and click the "Add >>" button.
- Remote Desktop:
  Click "Add," then TCP-UDP Service Group
  Type in a "Group Name" such as "remotedesktop."
  Check the "Port #" radio button.
  Type in "3389" to "3389" and click the "Add >>" button.
- SQL Connections:
  Click "Add," then TCP Service Group
  Type in a "Group Name" such as "sql."
  Check the "Port #" radio button.
  Type in "3306" to "3306" and click the "Add >>" button.
- Next, we want to define groups of IP addresses that are allowed to access different services. For our setup, we have a few subnets that are all allowed access to all services, but you might want to restrict more. You should create a group for each security level.
- Click the “Addresses Tab.”
- Click “Add” and select “Network Object Group…”
- Choose a group name, for example: “office.”
- Add the subnets you wish to allow. You probably want outside-network/24, which is the subnet of the unit's external interface. Click that and click "Add >>"
- Enter new subnets by typing in the IP address as "xxx.xxx.xxx.0", for example "172.25.204.0", and setting the Netmask to "255.255.255.0". This will allow 172.25.204.1 through 172.25.204.254. Click "Add >>"
When you are done, Click “OK.”
- Now to define which networks are allowed on which services.
- Click “Security Policy” on the left and then in the center pane, click “Add.”
- Change the Interface dropdown to “Outside” and make sure Direction says: “incoming.”
- Under Source, change Type to “Network Object Group,” then select the group name we set previously.
- Under Destination, click the “…” button by IP address, and select the outside, world-routable IP address of the device you wish to allow access to.
- Change the Protocol dropdown to “tcp.”
- Leave Source Port as “any.”
- Under Destination Port, select the “Group” radio button.
- In the dropdown, select the service group we previously defined.
- Click OK.
- Click “Apply.”
- Now to save and reload the box, click ‘Tools/System reload’
- Select ‘Save the running configuration at time of reload’
- Click ‘Schedule Reload’
Update your server’s software firewall
Lastly, don’t forget to update the exceptions in the server’s software firewall!
If you were managing which subnets have access on the server’s software firewall, instead of doubling up your efforts you may choose to change the option to “Any computer” and let the Cisco ASA 5505 restrict by subnet. If not, you may still want to add the new internal subnet so that other servers behind the firewall can have access too.
***If your NAT isn’t working***
I used these directions to set up my NAT, but found that my NAT’ed addresses were not able to access network resources outside of the firewall. Luckily, if you are having that trouble, I posted my solution here!
Posted in Cisco | 7 Comments »
July 29th, 2010 by Anthony Curreri
If you haven’t done this yet or lack faith in your NAT setup, I have also posted instructions on how to set up a NAT on the Cisco ASA 5505.
After setting up my Cisco ASA5505 to perform NAT (Network Address Translation), I wasn't able to access the server from outside the firewall. I also noticed that the server behind the firewall was not able to access network resources outside the firewall. Using a packet sniffer, I determined that the Cisco device was sending the request packets out and receiving responses from devices, but not allowing those packets through the firewall.
Removing the server from the NAT rule, by simply changing the NAT rule's internal IP address and hitting Apply, allowed the server to instantly send traffic out. Using a whatismyip service showed that I was being identified by the firewall's IP address.
There seems to be a bug in the Cisco firewall, because the “solution” is silly; change a setting and change it back.
- Log into the ASA5505 using the Cisco ASDM software
- Click “Configuration” at the top, then “Interfaces” on the left.
- Select the “outside” interface and click “Edit.”
- Select "Use static IP" and set the interface's IP to the same as the outside IP address you've specified in your NAT rule.
- Click “OK,” then “Apply.” The device will take a few moments to change this setting.
- Try to access a network service outside the firewall using your NAT’ed server. It should work!
- Now, Click “Edit” again, and change the setting back to whatever you had there before.
- Unbelievably, the NAT’ed server will still work AND your Cisco device will have the separate IP address you require. You haven’t changed any settings, but now it works!
Posted in Cisco | No Comments »
July 26th, 2010 by Anthony Curreri
If you have been mucking around in your Cisco ASA5505 and want to return to factory defaults using the ASDM management software, it’s pretty easy.
If you can't use the ASDM, I also have a write-up for Resetting the Cisco ASA 5505 Using the Console.
- Click the “Wizards” drop down menu and select “Startup Wizard…”
- Change the radio button to “Reset configuration to factory defaults.”
- I suggest changing the management IP. This will change the subnet of devices behind the firewall. This is useful if you ever have to put another firewall device behind this device as some consumer grade devices make it a pain to change the internal subnet. You can use any non-routable IP, such as 192.168.x.1 where x is 1-254.
- Click “Yes.”
- After a few minutes, I got a status message with an ERROR. This is because the ASDM is trying to manage the device using the old IP.
- Close the ASDM without saving, renew your DHCP lease, and log in using the ASDM to the new address.
- This doesn’t seem to reset the Enable password, so you’ll have to use that to login.
Posted in Cisco | No Comments »
July 23rd, 2010 by Anthony Curreri
This walkthrough describes how to use your Cisco ASA5505 as a VPN server for a remote client. The remote client does not need to have a 5505 as a VPN endpoint; it only needs to have the Cisco VPN Client software installed.
To configure the ASA5505, first log into it using the Cisco ASDM.
- Click the “Wizards” drop down, select “VPN Wizard.”
- Select “Remote Access,” click Next.
- Select “Cisco VPN Client,” click Next
- Select “Pre-shared key,” then fill in what I’m going to call your “VPN Connection Password.” This will be saved in the client and should be as long and secure as possible.
- Tunnel Group Name: Enter what I’m going to call your “VPN Connection Username,” and Click Next.
- Select “Authenticate using the local user database,” click Next.
- Create a username and password for each VPN user, click Next.
- Click “New…” to create a new VPN IP pool. You can do whatever you want here, but here is my suggestion:
  - Name: VPNUsers
  - Starting IP Address: 192.168.15.194
  - Ending IP Address: 192.168.15.220
  - Subnet Mask: 255.255.255.224
- Click “OK.”
- Click Next.
- Fill in DNS and WINS for your outside network and Click Next.
- IKE Policy defaults are fine, click Next.
- IPSec defaults are fine, click Next.
- Leave NAT Settings blank, but check “Enable Split tunneling” at the bottom and click Next.
- Click Finish.
One more step, without this you won’t be able to connect to anything besides the internal network when you are connected to the VPN.
- Click “Configuration” at the top of the screen.
- Click “VPN” on the left side of the screen.
- Under “General,” click “Group Policy.”
- Click the Group Policy that corresponds to the one you defined during the Wizard, and click the Edit button.
- Click the Client Configuration Tab.
- Click the “Manage” button next to Split Tunnel Network List.
- Double click the Entry under the Standard ACL tab.
- Change the IP address and Netmask to match that of your internal network, the subnet where your servers are located.
- Click OK, OK, OK and finally: Apply.
Now that we’ve done all that, we should save it from working memory into the flash. I like to do a reboot while I do this, and we can do it using the Cisco ASDM!
- Click Tools and select System Reload.
- Be sure to change the radio button at the top to Save the running configuration at the time of reload.
- Click “Schedule Reload,” Yes, and Exit ASDM.
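For reference, the ASA-side result of the wizard and the split-tunnel fix above, as 8.2-era CLI. This is an added example, not from the original post: the tunnel group and group policy name "remoteoffice", the internal subnet 192.168.10.0/24, the DNS server address and the user name are assumptions, and the bracketed values are placeholders you replace.

```cisco
! Address pool handed to connecting clients (values from the wizard step)
ip local pool VPNUsers 192.168.15.194-192.168.15.220 mask 255.255.255.224

! Split-tunnel list: only the internal server subnet (assumed 192.168.10.0/24)
! is routed through the tunnel; everything else leaves the client directly.
! The wizard's default entry must be replaced with your real internal subnet,
! otherwise connected clients reach nothing but the tunnel endpoint.
access-list remoteoffice_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0

group-policy remoteoffice internal
group-policy remoteoffice attributes
 dns-server value 192.168.10.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteoffice_splitTunnelAcl

! Per-user credentials in the local database (one line per VPN user)
username vpnuser1 password <set-a-strong-password>

! Tunnel group: its name is the "VPN Connection Username" typed into the
! client, and the pre-shared key is the "VPN Connection Password". The key
! is stored on every client, so make it long and random.
tunnel-group remoteoffice type remote-access
tunnel-group remoteoffice general-attributes
 address-pool VPNUsers
 authentication-server-group LOCAL
 default-group-policy remoteoffice
tunnel-group remoteoffice ipsec-attributes
 pre-shared-key <long-random-pre-shared-key>

! Save the running configuration to flash
write memory
```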
To connect your new VPN, you’ll need the Cisco VPN Client. I’m using version 4.6.
- Install the Cisco VPN Client.
- Click “New.”
- Connection Entry: Name of the VPN connection. I used the same thing I put in for the Tunnel Group Name (VPN Connection Username), but you can use whatever you want.
- Host: The IP address or DNS name of the VPN Server.
- On the Authentication Tab, make sure “Group Authentication” is selected.
- Name: Put whatever you put for Tunnel Group Name (VPN Connection Username).
- Password: put in your “Pre-shared Key” VPN (Connection password).
That’s it! Hit Save.
To connect, double-click the connection entry you just created.
Enter the username and password you defined for the user on the Cisco ASA5505 during the VPN Wizard.
Done and Done!
Posted in Cisco | 19 Comments »