Beginner configuration of the ASA 5510 Firewall

glenchang79
Level 1

I have a Cisco ASA 5510. The purpose of this firewall is to block all traffic between two servers and only open port 5450. I have attached a diagram of the connection of the two servers and the firewall. Basically one server is connected to Eth0/0 directly and the other server is connected to Eth0/1. I have enabled both of these network interfaces and named Eth0/0 as outside and Eth0/1 as inside. The IP addressing can be found in the attachment.

I want to know what other settings need to be done. Is any static route needed? I seem unable to ping from one side to the other. Please help me from scratch.

Thank you so much

18 Replies

glenchang79
Level 1

Can someone help me ASAP, as this is really urgent? Thank you so much.

JORGE RODRIGUEZ
Level 10

Can you post the PIX configuration?

Jorge Rodriguez

I did not configure anything, but I can show it. Teach me how to get the configuration from the CLI.

Console to the PIX,

then issue show run,

and copy and paste it here.

I may step out though!

Jorge Rodriguez

ASA Version 7.2(2)
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.1.9 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside per-user-override
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Hello,

Change the security-level values for outside to 0 and inside to 100.

You don't really require a route statement if you only have the two connected networks.

Perform a

no nat (management) 0 0.0.0.0 0.0.0.0

no access-group outside_access_out out interface outside

no access-group inside_access_out out interface inside

Try to leave it as simple as possible, with only inbound ACLs.

Add a

static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0

I think that should help you out somewhat.

I have tried, but it still does not work.

static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0

(This line doesn't work.)

I have the latest configuration; please all take a look. Maybe I want to do a configure factory-default again and start everything from scratch. Please help me out.

ASA Version 7.2(2)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.9 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside per-user-override
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end

When you entered the static statement, what error came back, or did it just not apply?

It gives some error message. I think it is about the gateway issue. I really feel like resetting everything and having someone guide me step by step to configure it. Please assist.

Oops, sorry.

Make that

static (inside,outside) 192.168.1.8 192.168.1.8 255.255.255.248 0 0

Tim

Hey, why is it 192.168.1.8? Or should it be 192.168.1.0?

static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0

The statement

static (inside,outside) 192.168.1.8 192.168.1.8 255.255.255.248 0 0

simply provides a translation between the inside and outside interfaces. In this case there is no translation. The 192.168.1.8 network is defined as being an available network to the outside interface. No NAT occurs.

You require the 1.8 in the statement as you want traffic from the inside to the outside to appear "unchanged" addressing-wise. Likewise, the same is true for traffic in the other direction.

Sorry for the confusion.

How are things looking?

I am not at the unit now. I will reply to you in a while when I get back to my firewall.

Thank you. I hope it will work.

Hi, I have tried it. I still cannot add the static statement.

It says: ERROR: % Invalid input detected at '^' marker.

static (inside,outside) 192.168.1.8 192.168.1.8 255.(marker is here)255.255.248 0 0
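The thread ends on that error and never gets to the stated goal (everything between the two servers blocked except port 5450). What follows is an added example, not a command set from any of the posts above, pulling together Tim's security-level, inbound-ACL-only and identity-static suggestions and the failed static command into one configuration for ASA 7.2. The '^' marker in the last post sits where the static command expects the literal keyword netmask, which the PIX/ASA static syntax requires before the mask; the line below includes it. The page does not give the servers' addresses or which side opens the connection (the diagram is not attached here), so the example assumes the outside server is 192.168.1.2 (in 192.168.1.0/29), the inside server is 192.168.1.10 (in 192.168.1.8/29), and the outside server is the one connecting to TCP port 5450.

```text
! --- Interfaces: inside must be more trusted than outside ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.9 255.255.255.248
!
! Only matters while two interfaces share a security level; remove it.
no same-security-traffic permit inter-interface
!
! Start clean: unbind and delete the ICMP-only ACLs and the outbound
! ACLs, so that only inbound ACLs remain.
clear configure access-group
clear configure access-list
!
! Outside -> inside: only TCP/5450 from the outside server (192.168.1.2,
! assumed) to the inside server (192.168.1.10, assumed). Every ACL ends in
! an implicit deny; the explicit deny is here so the drops show up as hit
! counts in "show access-list" and in syslog.
access-list outside_access_in extended permit tcp host 192.168.1.2 host 192.168.1.10 eq 5450
access-list outside_access_in extended deny ip any any log
access-group outside_access_in in interface outside
!
! Inside -> outside: with no ACL, higher-to-lower traffic is allowed by
! default, which is not "block all traffic". Deny it all; the replies of
! the port-5450 session still pass because the connection is already in
! the state table and is never checked against this ACL.
access-list inside_access_in extended deny ip any any log
access-group inside_access_in in interface inside
!
! Identity NAT for the inside /29 as suggested in the thread, now with the
! "netmask" keyword the static command requires. ASA 7.x defaults to
! "no nat-control", so traffic passes without it; it only keeps the
! addressing explicit.
static (inside,outside) 192.168.1.8 192.168.1.8 netmask 255.255.255.248
!
! Both networks are directly connected, so no route is needed; drop the
! default route that points at the firewall's own outside address.
no route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! --- Verification from the ASA CLI (packet-tracer exists since 7.2(1)) ---
! Expected: the first trace ends with "Action: allow", the second with
! "Action: drop" on the outside ACL.
packet-tracer input outside tcp 192.168.1.2 40000 192.168.1.10 5450
packet-tracer input outside tcp 192.168.1.2 40000 192.168.1.10 22
show access-list outside_access_in
```

Checks and caveats. Each server must use the ASA interface on its own /29 as its default gateway (192.168.1.1 for the outside server, 192.168.1.9 for the inside server); the two sides are different subnets, and without that neither ping nor port 5450 crosses the box no matter what the ACLs say. If the inside server is the one that opens the port-5450 connection, swap the rules: the permit (host 192.168.1.10 to host 192.168.1.2 eq 5450) goes on inside_access_in and outside_access_in keeps only the deny. If ping is wanted for testing, add a "permit icmp host ... host ... echo" entry on the initiating side's ACL and "inspect icmp" under class inspection_default in global_policy, so the echo replies are matched statefully instead of needing a second ACE on the other interface. Finally, the first configuration dump in the thread still carries the factory default login password hash (passwd 2KFQnbNIdI.2KYOU encrypted, which is the hash of "cisco"); set a real one with passwd and enable password before anything other than the console can reach the management interface.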
