08-02-2010 06:55 PM - edited 03-04-2019 09:17 AM
I am going to be setting up a private Metro-E point-to-point link between two ASA 5510s supporting two different companies. These two devices have separate Internet connections aside from the Metro-E between them that protect these networks from the Internet. Can someone give me some guidance on how to configure the ASAs for this Metro-E link? One ASA hosts a class B subnet while the other hosts a class C on the internal subnet. Thank you!
08-02-2010 07:15 PM
Hello,
The configuration depends upon the purpose of the connection. If you are
using this connection to enable communication between the corresponding
internal networks, then you can configure the interfaces with security level
of 100.
Here is a sample configuration: (assuming that your internal networks are
10.1.1.0/24 and 172.16.1.0/24 respectively)
On ASA 1:
interface gi 0/2
nameif Metro-ASA1
security-level 100
ip address 192.168.100.1 255.255.255.0
no shut
exit
static (inside,Metro-ASA1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (Metro-ASA1,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
route Metro-ASA1 172.16.1.0 255.255.255.0 192.168.100.2
On ASA 2:
interface gi 0/2
nameif Metro-ASA2
security-level 100
ip address 192.168.100.2 255.255.255.0
no shut
exit
static (Metro-ASA2,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,Metro-ASA2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
route Metro-ASA2 10.1.1.0 255.255.255.0 192.168.100.1
If the purpose is different, then the configuration will change.
Hope this helps.
Regards,
NT
08-02-2010 08:10 PM
Great info - thanks. I would like to ask - how would the configuration change if we simply needed to allow traffic (to start) for communications of a single app (single port)?
08-02-2010 08:33 PM
Hello,
If you are trying to allow only port 2046 traffic, then you can use
access-lists, and you could change the security levels of the Metro-ASAx
interfaces to something less than 100.
On ASA 1:
interface gi 0/2
nameif Metro-ASA1
security-level 50
ip address 192.168.100.1 255.255.255.0
no shut
exit
static (inside,Metro-ASA1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list Metro_access_in permit tcp any any eq 2046
access-group Metro_access_in in interface Metro-ASA1
route Metro-ASA1 172.16.1.0 255.255.255.0 192.168.100.2
On ASA 2:
interface gi 0/2
nameif Metro-ASA2
security-level 50
ip address 192.168.100.2 255.255.255.0
no shut
exit
static (inside,Metro-ASA2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-list Metro_access_in permit tcp any any eq 2046
access-group Metro_access_in in interface Metro-ASA2
route Metro-ASA2 10.1.1.0 255.255.255.0 192.168.100.1
This will allow only port 2046 traffic through the firewall. You can add
additional lines to the access-list if you want to allow more ports.
Hope this helps.
Regards,
NT
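Both answers above (the security-level 100 design and the single-port, security-level 50 design) depend on the two ASAs agreeing with each other: each side's route must point at the other's link address, each routed subnet must be the one the peer publishes with an identity static, and the access-list should only admit the peer's subnet toward the local one. The following Python script is an added example, not code from the thread or from Cisco; it parses the pre-8.3 statements used in the posts (interface/nameif/ip address, static, access-list, access-group, route) from both sides and reports asymmetries. It assumes one route per side on the Metro interface and a permit/deny-only access-list (no remark lines); the embedded configs are constructed samples of the port-2046 variant with the access-list narrowed from "any any" to the two internal subnets, which is this example's tightening rather than the thread's wording.

```python
"""Consistency check for the two sides of an ASA point-to-point (Metro-E) link.

Added example (not from the thread): parses the pre-8.3 style statements used
in the posts and reports routes, identity statics and ACL scope that disagree
between the two firewalls. Assumes one route per side out of the Metro interface.
"""
import ipaddress
import re

# Constructed sample configs based on the port-2046 design in the thread,
# with the access-list scoped to the two internal subnets instead of "any any".
ASA1 = """
interface GigabitEthernet0/2
 nameif Metro-ASA1
 security-level 50
 ip address 192.168.100.1 255.255.255.0
static (inside,Metro-ASA1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list Metro_access_in extended permit tcp 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 2046
access-group Metro_access_in in interface Metro-ASA1
route Metro-ASA1 172.16.1.0 255.255.255.0 192.168.100.2
"""

ASA2 = """
interface GigabitEthernet0/2
 nameif Metro-ASA2
 security-level 50
 ip address 192.168.100.2 255.255.255.0
static (inside,Metro-ASA2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-list Metro_access_in extended permit tcp 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0 eq 2046
access-group Metro_access_in in interface Metro-ASA2
route Metro-ASA2 10.1.1.0 255.255.255.0 192.168.100.1
"""


def _net(tok, i):
    """Parse an ACL address at tok[i] ('any', 'host X' or 'net mask'); return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_asa(text):
    """Pull the link-relevant statements out of one ASA config."""
    cfg = {"interfaces": {}, "statics": [], "acls": {}, "groups": {}, "routes": []}
    nameif = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                       # new interface block; nameif follows
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif:
            cfg["interfaces"][nameif] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "static":
            m = re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask (\S+)", raw.strip())
            real_if, mapped_if, real, mapped, mask = m.groups()
            cfg["statics"].append((real_if, mapped_if,
                                   ipaddress.IPv4Network(f"{real}/{mask}"),
                                   ipaddress.IPv4Network(f"{mapped}/{mask}")))
        elif tok[0] == "access-list":          # permit/deny lines only (no 'remark')
            i = 3 if tok[2] == "extended" else 2
            action, proto = tok[i], tok[i + 1]
            src, i = _net(tok, i + 2)
            dst, i = _net(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            cfg["acls"].setdefault(tok[1], []).append((action, proto, src, dst, port))
        elif tok[0] == "access-group":
            cfg["groups"][tok[4]] = tok[1]     # interface name -> ACL name
        elif tok[0].lower() == "route":        # the posts mix 'Route' and 'route'
            cfg["routes"].append((tok[1], ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}"),
                                  ipaddress.IPv4Address(tok[4])))
    return cfg


def link_side(cfg):
    """Metro interface (the one the route leaves through), its address, the routed peer
    subnet, the gateway, and the local subnets this side publishes with identity statics."""
    route_if, peer_net, gw = cfg["routes"][0]
    local = [real for real_if, mapped_if, real, _ in cfg["statics"] if mapped_if == route_if]
    return route_if, cfg["interfaces"][route_if], peer_net, gw, local


def check_pair(text_a, text_b):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    a, b = parse_asa(text_a), parse_asa(text_b)
    for me, other, label in ((a, b, "side A"), (b, a, "side B")):
        my_if, my_addr, peer_net, gw, my_nets = link_side(me)
        _, ot_addr, _, _, ot_nets = link_side(other)
        if my_addr.network != ot_addr.network or my_addr.ip == ot_addr.ip:
            findings.append(f"{label}: link addresses {my_addr} / {ot_addr} are not a point-to-point pair")
        if gw != ot_addr.ip:
            findings.append(f"{label}: route gateway {gw} is not the peer link address {ot_addr.ip}")
        if peer_net not in ot_nets:
            findings.append(f"{label}: route to {peer_net} has no matching identity static on the peer")
        for _, mapped_if, real, mapped in me["statics"]:
            if mapped_if == my_if and real != mapped:
                findings.append(f"{label}: static for {real} is not an identity translation ({mapped})")
        for action, proto, src, dst, port in me["acls"].get(me["groups"].get(my_if), []):
            if action != "permit":
                continue
            if src.prefixlen == 0 or dst.prefixlen == 0:
                findings.append(f"{label}: {proto}/{port} rule uses 'any'; scope it to {peer_net} -> {my_nets}")
            elif not (src.subnet_of(peer_net) and any(dst.subnet_of(n) for n in my_nets)):
                findings.append(f"{label}: rule {src} -> {dst} is not confined to the link's subnets")
    return findings


if __name__ == "__main__":
    for f in check_pair(ASA1, ASA2) or ["configs are consistent"]:
        print(f)
```

Running the script on the thread's own `permit tcp any any eq 2046` line produces a single finding asking for the rule to be scoped to the peer subnet; a mistyped route gateway on either side is reported against that side, which is the usual cause of one-way traffic on a link like this.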