5510 config

Unanswered Question
Feb 12th, 2007


I have been hitting my head against this brick wall called an ASA5510. I was trying to configure it as a straight firewall with a DMZ interface and connecting a DNS server to that. But right now I would be happy with just passing HTTP between int 0/0 and 0/2.

Current config is attached

vitripat Mon, 02/12/2007 - 13:18

Setting all 3 interfaces at the same security-level will cause problems. Here is what is recommended:

Outside interface (security-level 0)
DMZ interface (security-level 50)
Inside interface (security-level 100)

You can enter the following commands to set the interfaces accordingly:

interface Ethernet0/0
 security 0
interface Ethernet0/1
 security 100
interface Ethernet0/2
 security 50
no nat (DMZ) 200 10.10.RRR.RRR
nat (DMZ) 200 10.30.xxx.xxx
no global (DMZ) 200 10.30.RRR.RRR-10.30.RRR.RRR netmask
global (DMZ) 200 interface
nat (inside) 200 0 0
clear xlate

Please implement the above commands.

Fernando_Meza Mon, 02/12/2007 - 16:38

Hi, still using security 50 for all the interfaces. You could use the command below to allow traffic to traverse the firewall, but you really should change the security levels as recommended in the previous posts.

same-security-traffic permit inter-interface

I hope it helps. Please rate it if it does!
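The two replies above turn on the same rule: the ASA's implicit policy permits new connections from a higher security-level interface to a lower one, denies lower-to-higher, and denies traffic between interfaces at the same level unless `same-security-traffic permit inter-interface` is configured. The Python below is an added example, not code from the thread or from Cisco; it parses a constructed config in the ASA's `interface` / `nameif` / `security-level` form, then reports what the implicit policy alone would do for each pair of interfaces, first with all three at 50 (the original poster's situation), then with the same-security command added, then with the recommended 0/100/50 levels. Access lists and NAT are deliberately outside the model, and the interface names and addresses are constructed for illustration.

```python
"""Simplified model of the ASA implicit inter-interface policy.

Added example (not from the thread). Models only security levels and the
'same-security-traffic permit inter-interface' command; access lists, NAT
and the 'intra-interface' variant are intentionally left out.
"""
from dataclasses import dataclass


@dataclass
class Interface:
    hw: str                  # e.g. Ethernet0/0
    nameif: str = ""         # e.g. outside
    security_level: int = 0  # 0 is the ASA default for a nameif other than 'inside'


@dataclass
class Policy:
    interfaces: dict           # nameif -> Interface
    same_security_inter: bool  # 'same-security-traffic permit inter-interface' present


def parse_config(text):
    """Parse the subset of ASA config that drives the implicit policy."""
    interfaces = {}
    same_security_inter = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] == "interface":
            current = Interface(hw=parts[1])
        elif parts[0] == "nameif" and current is not None:
            current.nameif = parts[1]
            interfaces[current.nameif] = current
        elif parts[0] == "security-level" and current is not None:
            current.security_level = int(parts[1])
        elif line == "same-security-traffic permit inter-interface":
            same_security_inter = True
        elif line == "no same-security-traffic permit inter-interface":
            same_security_inter = False
    return Policy(interfaces, same_security_inter)


def connection_allowed(policy, ingress, egress):
    """Implicit decision for a new connection entering on `ingress` and
    leaving on `egress` when no access list is applied to either interface."""
    src = policy.interfaces[ingress].security_level
    dst = policy.interfaces[egress].security_level
    if src > dst:
        return True                        # higher to lower: permitted by default
    if src == dst:
        return policy.same_security_inter  # equal levels need the same-security command
    return False                           # lower to higher: denied without an ACL


def flow_matrix(config_text):
    """Return {(ingress, egress): allowed} for every ordered pair of interfaces."""
    policy = parse_config(config_text)
    names = list(policy.interfaces)
    return {(a, b): connection_allowed(policy, a, b)
            for a in names for b in names if a != b}


# Constructed config mirroring the poster's situation: all three interfaces at 50.
FLAT_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 50
interface Ethernet0/1
 nameif inside
 security-level 50
interface Ethernet0/2
 nameif DMZ
 security-level 50
"""

# Constructed config with the recommended levels (outside 0, inside 100, DMZ 50).
TIERED_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif DMZ
 security-level 50
"""

SAME_SECURITY_LINE = "same-security-traffic permit inter-interface\n"

if __name__ == "__main__":
    for label, cfg in (("flat (all 50)", FLAT_CONFIG),
                       ("flat + same-security", FLAT_CONFIG + SAME_SECURITY_LINE),
                       ("tiered 0/100/50", TIERED_CONFIG)):
        print(label)
        for (a, b), ok in sorted(flow_matrix(cfg).items()):
            print(f"  {a:>7} -> {b:<7} {'permit' if ok else 'deny'}")
```

Running it shows why the original config passed nothing: with every interface at 50, every pair is denied until the same-security command is added, which then opens every pair in both directions. The tiered layout is the one that gives the intended shape (inside reaches DMZ and outside, DMZ reaches outside, nothing reaches inward) without having to rely on that command.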

vitripat Mon, 02/12/2007 - 16:41

Could you also add the following command:

no service-policy outside-policy interface outside

I had mentioned these commands earlier as well:

nat (DMZ) 200 10.30.xxx.xxx
global (DMZ) 200 interface

Then issue "clear xlate".

After these commands, let me know from the 10.30.x.x (DMZ) network if you are able to ping the default gateway of the PIX.

woody48055 Tue, 02/13/2007 - 06:05

First off, let me thank you for all your help; it is greatly appreciated. I have attached the current config of the ASA5510 with the various commands highlighted; this is for my benefit, so that I am assured that they were entered correctly, as I have been working with this for 2+ weeks.

Some additional info: this device is going in place of an old firewall that was on an NT4.0 server running Gauntlet s/w. I have reused the addresses that are currently on the current FW, and whenever testing the ASA configuration, it is inserted in the Gauntlet's place, removing it from the circuit. None of our equipment filters MAC addresses, so that cannot be an issue.