cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1505
Views
0
Helpful
6
Replies

Cisco ASA 5505

Oli2ander
Level 1
Level 1

I have a Cisco ASA 5505 as im trying to set up with the following scenario:

I need eth0/0 - Outside that get its IP from a DCHP withing my ISP’s net

Then I need eth0/3 - Inside that run DHCP 192.168.1.100 – 192.168.1.250 with normal Internet access and normal LAN access. This should use eth0/3 through eth0/8 since the last two Ethernet ports has PoE. This way I can use the last two ports for the Cisco WIFI radios with PoE within my LAN. Third I need a eth0/2 – DMZ on the 10.1.1.0/24 net where I can host two servers. One TS3 server with port forwarding : Default voice port (UDP): 9987, Default filetransfer port (TCP): 30033,
Default serverquery port (TCP): 10011
. And a BHD server with port forwarding Default game port (UDP): 17479, Remote adminport (UDP): 31000.

I don’t have much experience with ASA but I know how to “paste” a config into the consol (Telnet) and I have checking around a bit in the ASDM (without luck in this scenario). Is there anyone that can help me out in this matter?

6 Replies 6

Hi,

You're talking about using three interfaces on the ASA 5505.

If the ASA has a base license you only have 2 real interfaces (inside and outside), you do have a DMZ but limited.

If the ASA has a security plus license, then you can fully use the 3 interfaces.

The ASA 5505 works with VLANs, so you group the physical ports into the appropiate VLAN, where the VLANs are the actual interfaces (outside, inside and DMZ).

Federico.

The ASA has a security plus license so this isnt the issue. The issue is that i really aint into the ASA quite yet. Im concentrating on swithes for now so i need help to set up the ASA. Dunno where else to turn...

interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute

interface vlan 1
nameif inside
security-level 100
ip address 192.168.1.x 255.255.255.0

interface vlan 3
nameif dmz
security-level 50
ip address 10.1.1.x 255.255.255.0

interface fas0
no shut
switchport vlan 2

interface fas1
no shut
switchport vlan 1

interface fas2
no shut
switchport vlan 3

To create access-lists and NAT and apply it to the correct interfaces as well.

The above is to get you started.

Federico.

Thank you very much Federico.

Just one more question, the interface fas1 command? this i am unfamiliar with, I thought it should be interface eth0/x.

Can u explain this command for me?

Oli2ander
Level 1
Level 1

Okei, i used the interface eth0/x and i now have managed to get inside, outside and DMZ interfaces to work. I've got normal internet access from both inside and DMZ. Now i need to make the rules for the port forwarding on the DMZ interface. Should i use NAT, PAT or ACL for this?

For the rules to the DMZ...

For traffic coming from the outside to DMZ, you require a static NAT and ACL:

static (dmz,out) public_IP real_IP

access-list outside permit ....

access-group outside in interface outside

For outbound traffic from DMZ, is permitted by default, so there's no need for ACL.

However, if you need to send traffic from DMZ to inside, you require an ACL.

This is because trafic from a higher-security flows to a lower-security by default but the other way around requires an ACL.


Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: