ASA5510 configuration

Unanswered Question
Aug 19th, 2008

I bought a new ASA5510. As I worked with a PIX years ago, I tried to configure the ASA myself; as I didn't have luck, I asked for help from a certified Cisco consultant, and he didn't have luck either, so I'm asking here. I was using ASDM to configure the ASA and the consultant was working with the CLI. The problem is really simple. Two configurations were tried: a simple one (one internal, one external, just HTTP from one public IP to one internal IP), then a more complicated one (one internal interface, one external, one DMZ). Both configurations didn't work: the ASA blocks the traffic to the server because of the implicit outside deny ACL, instead of the permit ACL configured, from to public IP permit HTTP. Please, any help?

Jon Marshall Wed, 08/20/2008 - 00:10

Can you post the configuration you have at the moment ?


claudio.lara Wed, 08/20/2008 - 06:18

I used the getting started guide and configured the same topology as the chapter 6 DMZ configuration, except for the IPs. So I have an external public IP at security level 0, an internal interface at security level 100, and a DMZ at security level 50, with one server on the DMZ running a web server on port 80. I configured IP pools for NAT in the DMZ from to, configured PAT for the external interface, dynamic NAT from internal to DMZ and a static from the public IP to the server IP, and finally an ACL on the external interface, incoming, from to public IP, any, http/www.

Traffic is blocked by the outside incoming implicit deny rule.

tlessard1 Wed, 08/20/2008 - 13:38

Can you post your current config? Without this nobody is really going to be able to help you.

claudio.lara Wed, 08/20/2008 - 14:35

Do you want a file from the firewall with the current configuration?

claudio.lara Wed, 08/20/2008 - 14:46

ASA Version 7.2(2)

hostname ciscoasa
domain-name default.domain.invalid
enable password xxx

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *PUBLIC IP*

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address

interface Ethernet0/3
 no nameif
 no security-level
 no ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd XXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CLST -4
clock summer-time CLDT recurring 2 Sun Oct 0:00 2 Sun Mar 0:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service MYSERVICES tcp
access-list outside_access_in extended permit tcp host *PUBLIC IP* eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 netmask
nat (inside) 200
static (DMZ,outside) *PUBLIC IP* netmask
static (outside,DMZ) *PUBLIC IP* netmask
access-group outside_access_in in interface outside
route outside *PUBLIC GATEWAY* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http outside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address management
dhcpd enable management

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end

acomiskey Wed, 08/20/2008 - 16:57

any =

access-list outside_access_in extended permit tcp any host *PUBLIC IP* eq www

Also, is *PUBLIC IP* the same ip throughout your config? If it is also the outside interface address, then your static needs the "interface" keyword.

static (DMZ,outside) interface netmask

Also, get rid of this one...

no static (outside,DMZ) *PUBLIC IP* netmask

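The three corrections in the reply above (a source of `any` in the ACE, the `interface` keyword when the mapped address is the outside interface's own IP, and removing the mirrored `static (outside,DMZ)`) are easy to check mechanically before pasting a config into a box. The script below is an added example, not code from this thread or from Cisco: it parses the ASA 7.x forms used here (`interface`/`nameif`/`security-level`/`ip address`, `access-list ... extended`, `static (real_if,mapped_if) MAPPED REAL`) and reports each mistake. The sample configuration and all addresses in it are constructed placeholders modelled on the posted config; the "mirrored static" rule is a heuristic that flags a reverse copy only when its real side is the lower-security interface.

```python
"""Lint an ASA 7.x-style config for the three problems raised in the thread:
an extended ACE with only one address spec, a static that spells out the
outside interface's own address instead of 'interface', and a mirrored
static (outside,DMZ) duplicating the (DMZ,outside) one. Added example, not
code from the forum or Cisco; addresses are constructed placeholders."""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")


def parse_addr(tokens, i):
    """Consume one address spec at tokens[i] ('any', 'host A' or 'A MASK');
    return (spec, next_index), with spec None when nothing matches."""
    ip = lambda k: k < len(tokens) and bool(IPV4.match(tokens[k]))
    if i < len(tokens) and tokens[i] == "any":
        return ("any",), i + 1
    if i < len(tokens) and tokens[i] == "host" and ip(i + 1):
        return ("host", tokens[i + 1]), i + 2
    if ip(i) and ip(i + 1):
        return ("net", tokens[i], tokens[i + 1]), i + 2
    return None, i


def skip_port(tokens, i):
    """Skip an optional port qualifier such as 'eq www' or 'range 1 1024'."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    return i + 3 if i < len(tokens) and tokens[i] == "range" else i


def check_acl(line):
    """'access-list NAME extended {permit|deny} PROTO SRC [port] DST [port]':
    report an ACE whose source or destination address is missing."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
        return []
    src, i = parse_addr(tokens, 5)
    if src is None:
        return [f"ACE has no source address: {line}"]
    if parse_addr(tokens, skip_port(tokens, i))[0] is None:
        return [f"ACE has only one address, so the destination is missing "
                f"(a source of 'any' was probably intended): {line}"]
    return []


def parse_interfaces(lines):
    """Map nameif -> {'ip', 'level'}; sub-commands are matched by keyword
    because pasted configs usually lose their indentation."""
    ifaces, cur = {}, None
    for tokens in (l.split() for l in lines):
        if tokens and tokens[0] == "interface":
            cur = {"ip": None, "level": -1}
        elif cur is None or not tokens:
            continue
        elif tokens[0] == "nameif":
            ifaces[tokens[1]] = cur
        elif tokens[0] == "security-level":
            cur["level"] = int(tokens[1])
        elif tokens[:2] == ["ip", "address"] and len(tokens) > 2:
            cur["ip"] = tokens[2]
    return ifaces


def check_statics(lines, ifaces):
    """Checks on 'static (real_if,mapped_if) MAPPED REAL ...' entries."""
    statics = [m.groups() + (l,) for l in lines for m in [STATIC_RE.match(l)] if m]
    keys = {s[:4] for s in statics}
    level = lambda name: ifaces.get(name, {}).get("level", -1)
    findings = []
    for real_if, mapped_if, mapped, real, line in statics:
        # 1. mapped address is the mapped interface's own IP: needs 'interface'
        if mapped != "interface" and ifaces.get(mapped_if, {}).get("ip") == mapped:
            findings.append(f"static names the {mapped_if} interface address literally; use "
                            f"the 'interface' keyword: static ({real_if},{mapped_if}) interface {real} ...")
        # 2. reverse copy whose real side is the lower-security interface: redundant
        if (mapped_if, real_if, mapped, real) in keys and level(real_if) < level(mapped_if):
            findings.append(f"static mirrors static ({mapped_if},{real_if}); remove it: no {line}")
    return findings


def lint(config):
    lines = [l.strip() for l in config.splitlines()]
    acl = [f for line in lines for f in check_acl(line)]
    return acl + check_statics(lines, parse_interfaces(lines))


# Constructed sample modelled on the posted config, with placeholder addresses
BROKEN_CONFIG = """
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.2.1 255.255.255.0
access-list outside_access_in extended permit tcp host 203.0.113.10 eq www
static (DMZ,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
static (outside,DMZ) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
"""

# The same config with the three corrections from the reply applied
FIXED_CONFIG = (BROKEN_CONFIG
    .replace("permit tcp host 203.0.113.10", "permit tcp any host 203.0.113.10")
    .replace("static (DMZ,outside) 203.0.113.10", "static (DMZ,outside) interface")
    .replace("static (outside,DMZ) 203.0.113.10 192.168.2.10 netmask 255.255.255.255\n", ""))
```

`lint(BROKEN_CONFIG)` returns three findings (one per mistake) and `lint(FIXED_CONFIG)` returns none. The parser only knows the address forms in this thread; `object-group` references and the post-8.3 object NAT syntax are outside its scope.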
claudio.lara Thu, 08/21/2008 - 04:15

Thanks!! Now that I see the solution I can see the error.
