ASA 5505 config review

andyhoien
Level 1

Hello,

I've been working on an ASA 5505 config at my office. Getting ready to test at our client site soon and would like to post the sh run output for the experts to review, as I'm new to Cisco products. The objectives of this firewall are:

1. Allow internet access from vlan1 (primary LAN).

2. Allow internet access (ports 80 and 443 only) from vlan12 (public wireless hotspot) during peak hours (8:00am-7:00pm).

3. Block traffic from flowing between vlan1 and vlan12.

4. Allow outside access to the server at 192.168.110.11 through ports defined in the HOMS service.

5. Provide client IP addresses through DHCP on vlan1 and vlan12.

sh run output attached.

Thanks,

Andy

5 Replies

Marcin Latosiewicz
Cisco Employee

Andy,

All looks well, except for access to that server.

I believe I might need a static NAT or PAT, even if identity, otherwise connectivity initiated from outside will fail.

Marcin

Thanks for the reply Marcin. I seem to be having an issue with the correct NAT statements; the ASA is rejecting them. Would you mind posting an example for me to reference?

Andy,

Sure thing. Here goes.

Say you have your ASA with your inside and outside networks.

Example 1. You want your inside host 192.168.1.2 to be visible as 192.0.2.2 on the outside.

static (inside,outside) 192.0.2.2 192.168.1.2

Example 2. You want your host on the inside 192.168.1.2 to be available via the same IP address.

static (inside,outside) 192.168.1.2 192.168.1.2

Please note that in both cases the router on the outside may need to know that this host is available via the ASA (if not directly connected); a simple route will suffice.

You mention you received some errors when applying yours ... if you still have that problem, post what you get.

Hope this helps,

Marcin

What if the connection from the outside will be made through https?

There is a group of ports that I've defined as the HOMS service. These ports are needed for application functionality for the outside users. Do I need to consider this when configuring NAT? The access rules for HOMS have already been defined and are present in the sh run attachment provided earlier.

Thanks.

Andy,

Typical NAT is layer 3 functionality; it does not account for anything on L4. We can make an argument about PAT (NAT overload) and policy NAT/PAT.

But straight static NAT, the one I've done above, will not be looking at ports.

What you need to have a connection from the outside interface to an inside interface is an access-list allowing this and an xlate (the static command will permanently install an xlate in the table).

If you want a per-port translation you can also use static PAT ;-)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Marcin
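An added example (not from this thread or from Cisco's documentation) of the two approaches described above, in ASA 8.0-style syntax, applied to the server 192.168.110.11 from the original post: a per-port static PAT that exposes only TCP/443, beside a one-to-one static NAT where the access-list alone limits the reachable ports. The mapped address 192.0.2.11, the access-list name outside_in and the object-group name HOMS are assumptions.

```cisco
! Option A: static PAT. Only TCP/443 gets an xlate, so any other port reached
! from the outside is dropped before the access-list is even consulted.
! 192.0.2.11 is an assumed public address on the outside interface's subnet.
static (inside,outside) tcp 192.0.2.11 443 192.168.110.11 443 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.0.2.11 eq 443
access-group outside_in in interface outside

! Option B: one-to-one static NAT. Every port is translated, so the
! access-list is the only thing restricting what outside users can reach;
! it therefore references the (assumed) existing HOMS service object-group
! rather than permitting ip. Use B instead of A, not in addition to it.
! static (inside,outside) 192.0.2.11 192.168.110.11 netmask 255.255.255.255
! access-list outside_in extended permit tcp any host 192.0.2.11 object-group HOMS
! access-group outside_in in interface outside

! As noted above, if the outside router is not directly connected to
! 192.0.2.11 it needs a route for that address pointing at the ASA.
```

After applying either option, `show xlate` should list the static entry (only the TCP/443 entry with option A), and an outside host connecting to 192.0.2.11 on a port not in the list should fail at the ASA rather than reach the server.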
