New Member

5510 config

Help

I have been hitting my head against this brick wall called an ASA5510. I was trying to configure it as a straight firewall with a DMZ interface and connect a DNS server to that. But right now I would be happy with just passing HTTP between int 0/0 and 0/2.

Current config is attached

8 REPLIES
Silver

Re: 5510 config

Config is missing ..

New Member

Re: 5510 config

I pulled it off to clean addressing

Silver

Re: 5510 config

Setting all the 3 interfaces at same security-level will cause problems. Here is what is recommended:

Outside interface (security-level 0)

DMZ interface (security-level 50)

Inside interface (security-level 100). You can enter the following commands to set the interfaces accordingly:

interface Ethernet0/0
 security-level 0
interface Ethernet0/1
 security-level 100
interface Ethernet0/2
 security-level 50
no nat (DMZ) 200 10.10.RRR.RRR 255.255.255.0
nat (DMZ) 200 10.30.xxx.xxx 255.255.255.0
no global (DMZ) 200 10.30.RRR.RRR-10.30.RRR.RRR netmask 255.0.0.0
global (DMZ) 200 interface
nat (inside) 200 0 0
clear xlate

Please implement the above commands.

New Member

Re: 5510 config

Still not passing any traffic; attached updated config.

New Member

Re: 5510 config

Config is attached after edits.

Re: 5510 config

Hi, you are still using security-level 50 for all the interfaces. You could use the below command to allow traffic to traverse the firewall, but you really should change the security levels as recommended in the previous posts.

same-security-traffic permit inter-interface

I hope it helps. Please rate it if it does!
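The two replies above describe the same failure from different angles: with every interface at security-level 50, the ASA drops inter-interface traffic by default, and the fix is either distinct levels (outside 0, DMZ 50, inside 100) or the `same-security-traffic permit inter-interface` workaround. The script below is an added example, not from this thread or from Cisco; it audits a running-config excerpt for that condition. The config text is constructed to resemble the poster's situation (the addresses are made up), and the parser only understands `interface`, `nameif` and `security-level` lines, which is enough for this check.

```python
"""Audit an ASA running-config excerpt for interfaces that share a security level.

Added example (not from the thread). Assumes the config uses the standard
ASA layout: 'interface <name>' followed by indented 'nameif' and
'security-level' sub-commands, blocks terminated by '!' or the next
top-level command.
"""
import itertools
from typing import Dict, List, Optional, Tuple

# Constructed sample: all three interfaces at security-level 50, as in the thread.
FLAT_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.30.0.1 255.255.255.0
!
"""

# Constructed sample with the levels recommended in the thread.
TIERED_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
!
"""

SAME_SEC_CMD = "same-security-traffic permit inter-interface"

Interface = Dict[str, Optional[object]]


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Return {physical interface: {'nameif': str|None, 'security_level': int|None}}."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "security_level": None}
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] == "nameif" and len(parts) > 1:
                interfaces[current]["nameif"] = parts[1]
            elif parts[0] == "security-level" and len(parts) > 1:
                interfaces[current]["security_level"] = int(parts[1])
        else:
            # '!' or any non-indented line ends the interface block.
            current = None
    return interfaces


def find_equal_security_pairs(interfaces: Dict[str, Interface]) -> List[Tuple[str, str, int]]:
    """Return (nameif_a, nameif_b, level) for every pair of named interfaces at the same level."""
    named = [(v["nameif"], v["security_level"]) for v in interfaces.values()
             if v["nameif"] is not None and v["security_level"] is not None]
    return [(a, b, la) for (a, la), (b, lb) in itertools.combinations(named, 2) if la == lb]


def same_security_inter_interface_enabled(config: str) -> bool:
    """True if the global workaround command is present in the config."""
    return any(line.strip() == SAME_SEC_CMD for line in config.splitlines())


def audit(config: str) -> List[str]:
    """One finding per same-level interface pair; empty list when levels are distinct."""
    pairs = find_equal_security_pairs(parse_interfaces(config))
    permitted = same_security_inter_interface_enabled(config)
    findings = []
    for a, b, level in pairs:
        if permitted:
            findings.append(f"{a} <-> {b}: both at security-level {level}; traffic passes only "
                            f"because of the '{SAME_SEC_CMD}' workaround, prefer distinct levels")
        else:
            findings.append(f"{a} <-> {b}: both at security-level {level}; traffic between them is "
                            f"dropped unless the levels differ or '{SAME_SEC_CMD}' is configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("flat", FLAT_CONFIG), ("tiered", TIERED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(cfg) or ["no same-security-level interface pairs"]:
            print("  " + finding)
```

Run against the flat config it reports all three interface pairs; against the tiered config it reports nothing. If the workaround command is appended to the flat config, the findings change wording rather than disappear, which matches the advice above: the command makes traffic flow, but distinct levels are still the recommended design.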

Silver

Re: 5510 config

Could you also add the following command:

no service-policy outside-policy interface outside

I had mentioned these commands earlier as well:

nat (DMZ) 200 10.30.xxx.xxx 255.255.255.0

global (DMZ) 200 interface

Then issue "clear xlate".

After these commands, let me know from the 10.30.x.x (DMZ) network if you are able to ping the default gateway of the PIX.

New Member

Re: 5510 config

First off, let me thank you for all your help; it is greatly appreciated. I have attached the current config of the ASA5510 with the various commands highlighted. This is for my benefit, so that I am assured that they were entered correctly, as I have been working with this for 2+ weeks.

Some additional info: this device is going in place of an old firewall that was on an NT4.0 server running Gauntlet s/w. I have reused the addresses that are currently on the current FW, and whenever the ASA configuration is tested it is inserted in the Gauntlet's place, removing it from the circuit. None of our equipment filters MAC addresses, so that cannot be an issue.
