ASA 5510 basic configuration

Nov 19th, 2007

Dear all,

I want to configure a Cisco ASA 5510.

My network is ADSL(Fix IP)--ASA5510--LAN

There is no DMZ.

ADSL ethernet IP:

Firewall outside,

Firewall inside


I want one of my servers to have a public IP.

I just add NAT on my ASA 5510 server) to

so I can connect from outside to this server. Am I correct? Is there anything else I need to configure?



Jon Marshall Mon, 11/19/2007 - 23:28

Hi Daniel

Yes, you need a static translation, e.g.

static (inside,outside) 125.7.34.x netmask

and then you need to allow the relevant ports through in an access-list, e.g. for http

access-list outin permit tcp any host 125.7.34.x eq 80

then apply the access-list to the interface

access-group outin in interface outside

Don't forget that there is an implicit "deny ip any any" at the end of the access-list so any other things you need to give access to from outside to in should be included in the access-list.



andri.daniel Tue, 11/20/2007 - 15:37

Hi Jon,

Thanks for your reply. I just configured my Cisco via ASDM and added an access list under Security Policy (see attachment for details). Is it correct? Sorry for my stupid question, I am still a beginner :)



andri.daniel Wed, 11/21/2007 - 17:57

This is my Cisco config:

asdm image disk0:/asdm-507.bin
asdm location Inside
no asdm history enable
: Saved

ASA Version 7.0(7)

hostname GACasa
domain-name default.domain.invalid
enable password xxx

interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 125.7.xx.132

interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address

interface Ethernet0/2
 no nameif
 no security-level
 no ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd xxx
ftp mode passive
access-list Outside_access_in extended permit tcp any host 125.7.xx.135
access-list Outside_access_out extended permit tcp any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400

global (Outside) 100 125.17.xx.133-125.17.xx.137
global (Inside) 200
nat (management) 0
static (Inside,Outside) 125.7.xx.135 netmask
static (Outside,Inside) 125.7.xx.135 netmask
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http management
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management

class-map inspection_default
 match default-inspection-traffic

policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global

: end



JORGE RODRIGUEZ Wed, 11/21/2007 - 18:24

Your config looks fine, but in your access list you allow any TCP port. You can leave it as is, but I would do it as Jon posted it: be specific about which TCP ports you allow inbound.

Your config:

access-list Outside_access_in extended permit tcp any host 125.7.xx.135

could be as Jon indicated:

access-list Outside_access_in extended permit tcp any host 125.7.xx.135 eq 80


andri.daniel Wed, 11/21/2007 - 19:23

Hi Jorge,

Can I put it like this:

object-group service openport tcp
 description Port opened
 port-object eq 5900
 port-object eq 10601
 port-object eq 6000
 port-object eq 1601
 port-object eq https
access-list Outside_access_in extended permit tcp any object-group openport host 125.7.xx.135 object-group openport



JORGE RODRIGUEZ Wed, 11/21/2007 - 19:48

Absolutely Daniel, you can! And the access list is firm since you are now aware of which TCP ports are permitted.
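Jon's and Jorge's point in this thread, that an inbound permit entry with no port qualifier exposes every port of the static translation, as an added audit script (not from the thread, not Cisco's tooling): it reads ASA 7.x-style access-list, access-group, static and object-group service lines and reports inbound permit entries that name no destination port, so Daniel's original ACE is flagged while the "eq 80" and object-group versions are not. The sample config and its addresses are constructed for the example.

```python
import re

# Constructed sample in the shape of the thread's config (RFC 5737 addresses, not the poster's):
# one ACE with no port, one with "eq 80", one using a service object-group as in the thread.
SAMPLE_CONFIG = """\
object-group service openport tcp
 port-object eq https
access-list Outside_access_in extended permit tcp any host 203.0.113.135
access-list Outside_access_in extended permit tcp any host 203.0.113.136 eq 80
access-list Outside_access_in extended permit tcp any object-group openport host 203.0.113.137 object-group openport
access-list Outside_access_out extended permit tcp any any
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
static (Inside,Outside) 203.0.113.135 192.168.1.10 netmask 255.255.255.255
"""

PORT_OPS = {"eq", "gt", "lt", "neq"}

def _take_addr(tokens):
    """Consume one address spec: 'any' (1 token) or host/object-group/network+mask (2 tokens)."""
    return ("any", tokens[1:]) if tokens[0] == "any" else (" ".join(tokens[:2]), tokens[2:])

def _skip_ports(tokens, svc_groups):
    """Drop an optional port qualifier (eq/gt/lt/neq N, range A B, or a service object-group)."""
    if tokens and tokens[0] == "range":
        return True, tokens[3:]
    is_group = len(tokens) > 1 and tokens[0] == "object-group" and tokens[1] in svc_groups
    return (True, tokens[2:]) if tokens and (tokens[0] in PORT_OPS or is_group) else (False, tokens)

def find_wide_open(config_text):
    """[(acl, interface, public_ip, inside_ip)] for inbound permit ACEs that name no destination port."""
    svc_groups, inbound, statics, findings = set(), {}, {}, []
    lines = [ln.strip() for ln in config_text.splitlines()]
    for ln in lines:  # pass 1: service groups, inbound ACL bindings, static NAT (global -> local)
        if m := re.match(r"object-group service (\S+)", ln):
            svc_groups.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)", ln):
            inbound[m.group(1)] = m.group(2)
        elif m := re.match(r"static \(\S+,\S+\) (\S+) (\S+) netmask", ln):
            statics[m.group(1)] = m.group(2)
    for ln in lines:  # pass 2: walk each permit ACE of an inbound ACL token by token
        m = re.match(r"access-list (\S+) extended permit (?:tcp|udp|ip) (.+)", ln)
        if m and m.group(1) in inbound:
            _, tokens = _take_addr(m.group(2).split())        # source address
            _, tokens = _skip_ports(tokens, svc_groups)       # optional source port
            dest, tokens = _take_addr(tokens)                 # destination address
            has_port, _ = _skip_ports(tokens, svc_groups)     # destination port, if any
            if not has_port:
                findings.append((m.group(1), inbound[m.group(1)], dest.split()[-1], statics.get(dest.split()[-1])))
    return findings
```

Run find_wide_open on a saved "show running-config" to list every inbound entry that leaves all ports of a translated host reachable; an entry on an ACL bound with "out" is ignored, as it does not control inbound access.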



