ASA point-to-point configuration

dmc3106cisco
Level 1

I am going to be setting up a private Metro-E point-to-point link between two ASA 5510s supporting two different companies. These two devices have separate internet connections aside from the Metro-E between them that protect these networks from the Internet. Can someone give me some guidance on how to configure the ASAs for this Metro-E link? One ASA hosts a class B subnet while the other hosts a class C on the internal subnet. Thank you!


3 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

The configuration depends upon the purpose of the connection. If you are using this connection to enable communication between the corresponding internal networks, then you can configure the interfaces with security level of 100.

Here is a sample configuration (assuming that your internal networks are 10.1.1.0/24 and 172.16.1.0/24 respectively):

On ASA 1:

interface gi 0/2
 nameif Metro-ASA1
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shut
 exit
static (inside,Metro-ASA1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (Metro-ASA1,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
route Metro-ASA1 172.16.1.0 255.255.255.0 192.168.100.2

On ASA 2:

interface gi 0/2
 nameif Metro-ASA2
 security-level 100
 ip address 192.168.100.2 255.255.255.0
 no shut
 exit
static (Metro-ASA2,inside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (inside,Metro-ASA2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
route Metro-ASA2 10.1.1.0 255.255.255.0 192.168.100.1

If the purpose is different, then the configuration will change.

Hope this helps.

Regards,

NT

Great info - thanks.  I would like to ask - how would the configuration change if we simply needed to allow traffic (to start) for communications of a single app (single port)?

Hello,

If you are trying to allow only port 2046 traffic, then you can use access-lists and you could change the security levels of the Metro-ASAx interface to something less than 100.

On ASA 1:

interface gi 0/2
 nameif Metro-ASA1
 security-level 50
 ip address 192.168.100.1 255.255.255.0
 no shut
 exit
static (inside,Metro-ASA1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list Metro_access_in permit tcp any any eq 2046
access-group Metro_access_in in interface Metro-ASA1
route Metro-ASA1 172.16.1.0 255.255.255.0 192.168.100.2

On ASA 2:

interface gi 0/2
 nameif Metro-ASA2
 security-level 50
 ip address 192.168.100.2 255.255.255.0
 no shut
 exit
static (inside,Metro-ASA2) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
access-list Metro_access_in permit tcp any any eq 2046
access-group Metro_access_in in interface Metro-ASA2
route Metro-ASA2 10.1.1.0 255.255.255.0 192.168.100.1

This will allow only port 2046 traffic through the firewall. You can add additional lines to the access-list if you want to allow more ports.

Hope this helps.

Regards,

NT
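The two replies above differ in one thing: whether the Metro interface sits at the same security level as inside (so the link is wide open once inter-interface traffic is permitted) or at a lower level with an inbound ACL (so only the listed port is reachable from the partner side). The following Python model is an added example, not code from the thread or from Cisco. It parses the ASA 1 fragments posted above, applies a simplified version of the ASA's interface policy (an inbound ACL on the ingress interface is evaluated first-match with an implicit deny; without an ACL, new connections may only go from a higher security level to a lower one, or between equal levels when same-security-traffic permit inter-interface is set), and reports which flows each design admits. The inside interface block is constructed, since the thread never shows it; the NAT statics and routes are parsed but ignored because the identity statics posted do not change reachability.

```python
"""Toy model of the ASA interface policy discussed in this thread (example code)."""


def parse_asa(config_text):
    """Extract interface security levels, ACLs, ACL bindings and the
    same-security setting from a fragment of ASA CLI. Everything is
    lowercased, so interface and ACL names are matched case-insensitively
    (a simplification; the real ASA treats nameif values case-sensitively)."""
    policy = {"interfaces": {}, "acls": {}, "bindings": {}, "same_sec_inter": False}
    current_if = None
    for raw in config_text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "interface":
            current_if = {"name": None, "level": 0}
        elif tok[0] == "nameif" and current_if is not None:
            current_if["name"] = tok[1]
        elif tok[0] == "security-level" and current_if is not None:
            current_if["level"] = int(tok[1])
        elif tok[0] == "exit" and current_if is not None:
            if current_if["name"]:
                policy["interfaces"][current_if["name"]] = current_if["level"]
            current_if = None
        elif tok[0] == "access-list":
            # access-list NAME permit|deny PROTO SRC DST [eq PORT]
            name, action, proto = tok[1], tok[2], tok[3]
            port = int(tok[tok.index("eq") + 1]) if "eq" in tok else None
            policy["acls"].setdefault(name, []).append((action, proto, port))
        elif tok[0] == "access-group" and "interface" in tok:
            # access-group NAME in interface IFNAME
            policy["bindings"][tok[tok.index("interface") + 1]] = tok[1]
        elif line == "same-security-traffic permit inter-interface":
            policy["same_sec_inter"] = True
        # 'ip address', 'no shut', 'static' and 'route' lines are ignored here
    return policy


def allowed(policy, ingress, egress, proto, dport):
    """Decide whether a NEW connection entering `ingress` and leaving `egress`
    is permitted. Returns (bool, reason)."""
    ingress, egress = ingress.lower(), egress.lower()
    levels = policy["interfaces"]
    acl_name = policy["bindings"].get(ingress)
    if acl_name is not None:
        # A bound inbound ACL replaces the security-level default: first match
        # wins, and anything unmatched hits the implicit deny at the end.
        for action, p, port in policy["acls"].get(acl_name, []):
            if p in ("ip", proto) and (port is None or port == dport):
                return action == "permit", f"matched {acl_name}: {action} {p} {port}"
        return False, f"implicit deny at end of {acl_name}"
    if levels[ingress] > levels[egress]:
        return True, "higher to lower security level, no ACL required"
    if levels[ingress] == levels[egress] and policy["same_sec_inter"]:
        return True, "equal security levels, inter-interface traffic permitted"
    return False, "lower to higher (or equal without permit) and no ACL bound"


def evaluate(config_text, flows):
    """Map each (ingress, egress, proto, dport) flow to a permit/deny bool."""
    policy = parse_asa(config_text)
    return {flow: allowed(policy, *flow)[0] for flow in flows}


# Constructed: the thread never shows the inside interface, so assume the
# conventional inside at security-level 100.
INSIDE = """
interface gi 0/1
 nameif inside
 security-level 100
 exit
"""

# ASA 1 from the first reply: Metro at level 100 plus same-security permit.
OPEN_LINK = INSIDE + """
interface gi 0/2
 nameif Metro-ASA1
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shut
 exit
static (inside,Metro-ASA1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
static (Metro-ASA1,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
same-security-traffic permit inter-interface
route Metro-ASA1 172.16.1.0 255.255.255.0 192.168.100.2
"""

# ASA 1 from the second reply: Metro at level 50 with an inbound ACL for tcp/2046.
SINGLE_PORT = INSIDE + """
interface gi 0/2
 nameif Metro-ASA1
 security-level 50
 ip address 192.168.100.1 255.255.255.0
 no shut
 exit
static (inside,Metro-ASA1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0
access-list Metro_access_in permit tcp any any eq 2046
access-group Metro_access_in in interface Metro-ASA1
route Metro-ASA1 172.16.1.0 255.255.255.0 192.168.100.2
"""

# Constructed sample flows: the application port from the thread and SMB as a
# stand-in for "anything else" crossing the link in either direction.
FLOWS = [
    ("inside", "Metro-ASA1", "tcp", 2046),
    ("inside", "Metro-ASA1", "tcp", 445),
    ("Metro-ASA1", "inside", "tcp", 2046),
    ("Metro-ASA1", "inside", "tcp", 445),
]

if __name__ == "__main__":
    for label, cfg in (("open link (reply 1)", OPEN_LINK), ("single port (reply 2)", SINGLE_PORT)):
        print(label)
        policy = parse_asa(cfg)
        for flow in FLOWS:
            ok, why = allowed(policy, *flow)
            print(f"  {flow[0]:>10} -> {flow[1]:<10} {flow[2]}/{flow[3]}: "
                  f"{'PERMIT' if ok else 'DENY':6} ({why})")
```

Running it shows the open-link design admitting all four flows, while the single-port design admits anything initiated from inside (100 to 50 needs no ACL) but only tcp/2046 from the Metro side. Two things the model makes visible: the inbound ACL uses `any any`, so it also admits port 2046 from any source address on the link, and scoping the source to the partner's subnet would tighten it; and because nothing is bound inbound on inside, the partner still receives whatever your own hosts initiate, so an ACL on inside is the place to restrict the outbound direction if the single-port requirement applies both ways.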
