06-26-2007 07:49 PM - edited 03-11-2019 03:36 AM
I have a Cisco ASA 5510. The purpose of this firewall is to block all traffic between two servers and only open port 5450. I have attached a diagram of the connection of the two servers and the firewall. Basically one server is connected to eth0/0 directly and the other server is connected to eth0/1. I have enabled both of these network interfaces and named eth0/0 as outside and eth0/1 as inside. The IP naming can be found in the attachment.
I want to know what other settings need to be done. Is there any static route needed? I seem not able to ping from one side to the other side. Please help me from scratch.
Thank you so much
06-26-2007 08:35 PM
Can someone help me ASAP as this is really urgent. Thank you so much
06-26-2007 08:39 PM
Can you post the PIX configuration?
06-26-2007 08:43 PM
I did not configure anything, but I can show it. Teach me how to get the configuration from the CLI.
06-26-2007 08:52 PM
Console to the PIX,
then issue show run,
copy and paste it here.
I may step out though!
06-26-2007 10:31 PM
ASA Version 7.2(2)
interface Ethernet0/0
nameif outside
security-level 50
ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 50
ip address 192.168.1.9 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside per-user-override
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
06-26-2007 11:12 PM
hello,
change the security-level values for outside to 0 and inside to 100.
You don't really require a route statement if you only have the two connected networks.
Perform a
no nat (management) 0 0.0.0.0 0.0.0.0
no access-group outside_access_out out interface outside
no access-group inside_access_out out interface inside
Try to leave it as simple as possible with only inbound ACLs.
Add a
static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0
I think that should help you out somewhat.
06-26-2007 11:32 PM
I have tried, but still cannot.
static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0
(this line doesn't work)
I have the latest configuration, please all take a look. Maybe I want to do a configure factory-default again and start everything from scratch. Please help me out.
ASA Version 7.2(2)
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.9 255.255.255.248
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside per-user-override
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
06-26-2007 11:43 PM
When you entered the static statement, what error came back, or did it just not apply?
06-27-2007 12:04 AM
It gives some error message. I think it is a gateway issue. I really feel like resetting everything and having someone guide me step by step to configure it. Please assist.
06-27-2007 12:08 AM
Oops, sorry.
Make that
static (inside,outside) 192.168.1.8 192.168.1.8 255.255.255.248 0 0
Tim
06-27-2007 12:35 AM
Hey, why is it 192.168.1.8? Or should it be 192.168.1.0?
static(inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0
06-27-2007 12:43 AM
The statement
static (inside,outside) 192.168.1.8 192.168.1.8 255.255.255.248 0 0
simply provides a translation between the inside and outside interfaces. In this case there is no translation. The 192.168.1.8 network is defined as being an available network to the outside interface. No NAT occurs.
You require the 1.8 in the statement as you're wanting to allow traffic from the inside to the outside to appear "unchanged" addressing-wise. Likewise the same is true for traffic in the other direction.
Sorry for the confusion.
How are things looking?
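Pulling together the advice in this post and the earlier one (security levels 0/100, inbound ACLs only, an identity static for the inside /29), the following is an added example of a complete ASA 7.2 configuration for the two-server, port-5450-only design. It is not taken from the thread. Interface names and addresses follow the posted config; the server addresses 192.168.1.2 (outside) and 192.168.1.10 (inside), the assumption that the outside server connects to port 5450 on the inside server (the reverse rule is included as well), and the `inspect icmp` line are assumptions. Two points the thread does not spell out: ASA 7.x expects the `netmask` keyword in the `static` command, which is what the "Invalid input" marker under the mask is complaining about, and the `route outside 0.0.0.0 0.0.0.0 192.168.1.1 1` line in the posted config points at the ASA's own outside address and is not needed when both /29s are directly connected.

```cisco
! Added example (not from the thread): minimal ASA 7.2 config for
! outside (Eth0/0, 192.168.1.0/29) <-> inside (Eth0/1, 192.168.1.8/29)
! with only TCP/5450 permitted between the two servers.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.9 255.255.255.248
!
! Identity translation for the inside /29: the "netmask" keyword is required
! in 7.x. With the 7.x default of "no nat-control" this line is optional,
! but it is harmless and keeps addressing unchanged in both directions.
static (inside,outside) 192.168.1.8 192.168.1.8 netmask 255.255.255.248
!
! Inbound ACLs only; everything not listed is dropped by the implicit deny.
! Assumed hosts: outside server 192.168.1.2, inside server 192.168.1.10.
! The tcp lines are the real policy; the icmp echo lines are only there so
! ping works while testing. Remove them once port 5450 is confirmed.
access-list outside_access_in extended permit tcp host 192.168.1.2 host 192.168.1.10 eq 5450
access-list outside_access_in extended permit icmp host 192.168.1.2 host 192.168.1.10 echo
access-list inside_access_in extended permit tcp host 192.168.1.10 host 192.168.1.2 eq 5450
access-list inside_access_in extended permit icmp host 192.168.1.10 host 192.168.1.2 echo
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
!
! Stateful ICMP inspection lets echo-replies return without an ACL entry
! for them (assumed addition to the default global_policy).
policy-map global_policy
 class inspection_default
  inspect icmp
```

The firewall is in routed mode, so each server must use the ASA interface on its own side as the gateway to the other /29: the outside server reaches 192.168.1.8/29 via 192.168.1.1 and the inside server reaches 192.168.1.0/29 via 192.168.1.9. If that host route or default gateway is missing, ping fails no matter what the ACLs say. Check the result with `show access-list` (the hit counters should increment), `show xlate` (an identity entry for 192.168.1.8), and `packet-tracer input outside tcp 192.168.1.2 12345 192.168.1.10 5450`, which walks the packet through route lookup, ACL and NAT and names the phase that drops it.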
06-27-2007 12:59 AM
I am not at the unit now. I will reply you in a while when i get back to my firewall.
thank you. I hope it will work
06-27-2007 08:17 PM
Hi, I have tried it. Still cannot add the static statement.
It says: ERROR: % Invalid input detected at '^' marker.
static (inside,outside) 192.168.1.8 192.168.1.8 255.(marker is here)255.255.248 0 0