Cisco Support Community

New Member

ASA 5505 config review

Hello,

I've been working on an ASA 5505 config at my office. Getting ready to test at our client site soon and would like to post the sh run output for the experts to review, as I'm new to Cisco products. The objectives of this firewall are:

1. Allow internet access from vlan1 (primary LAN).

2. Allow internet access (ports 80 and 443 only) from vlan12 (public wireless hotspot) during peak hours (8:00am-7:00pm).

3. Block traffic from flowing between vlan1 and vlan12.

4. Allow outside access to the server at 192.168.110.11 through ports defined in the HOMS service.

5. Provide client IP addresses through DHCP on vlan1 and vlan12.

sh run output attached.

Thanks,

Andy

5 REPLIES
Cisco Employee

Re: ASA 5505 config review

Andy,

All looks well, except for access to that server.

I believe you might need a static NAT or PAT, even if identity; otherwise connectivity initiated from outside will fail.

Marcin

New Member

Re: ASA 5505 config review

Thanks for the reply Marcin. I seem to be having an issue with the correct NAT statements; the ASA is rejecting them. Would you mind posting an example for me to reference?

Cisco Employee

Re: ASA 5505 config review

Andy,

Sure thing. Here goes.

Say you have your ASA with your inside and outside networks.

Example 1. You want your inside host 192.168.1.2 to be visible as 192.0.2.2 on the outside.

static (inside,outside) 192.0.2.2 192.168.1.2

Example 2. You want your host on the inside 192.168.1.2 to be available via the same IP address.

static (inside,outside) 192.168.1.2 192.168.1.2

Please note that in both cases the router on the outside may need to know that this host is available via the ASA (if not directly connected); a simple route will suffice.

You mention you received some errors when applying yours ... if you still have that problem post what you get.

Hope this helps,

Marcin

New Member

Re: ASA 5505 config review

What if the connection from the outside will be made through https?

There is a group of ports that I've defined as the HOMS service. These ports are needed for application functionality for the outside users. Do I need to consider this when configuring NAT? The access rules for HOMS have already been defined and are present in the sh run attachment provided earlier.

thanks.

Cisco Employee

Re: ASA 5505 config review

Andy,

Typical NAT is layer 3 functionality; it does not account for anything at L4. We can make an argument about PAT (NAT overload) and policy NAT/PAT.

But straight static NAT, the one I've done above, will not be looking at ports.

What you need to have a connection from the outside interface to an inside interface is an access-list allowing this and an xlate (the static command will permanently install an xlate in the table).

If you want a per-port translation you can also use static PAT ;-)

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html

Marcin
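Putting Marcin's two replies together for Andy's actual case (the HOMS server at 192.168.110.11 reachable from outside on HTTPS), here is a worked config fragment. It is an added example, not part of the thread or of Andy's attached sh run. It assumes the mapped outside address 192.0.2.2 from Marcin's Example 1, an access-list named outside_access_in, the object name HOMS_SERVER, and TCP 443 as the only HOMS port; the real HOMS port list is in Andy's attachment and is not shown on this page, so one static line per port is implied. The first half uses the pre-8.3 static syntax the thread is written in; the second half is the same publication in the object NAT syntax that replaced the static command in ASA 8.3 and later, included because the 5505 may end up on either release.

```text
! Added example (not from the thread): publish 192.168.110.11 on 192.0.2.2 for TCP 443.
! 192.0.2.2, outside_access_in, HOMS_SERVER and port 443 are assumptions.

! ---- ASA 8.2 and earlier (the syntax used in this thread) ----
! Per-port static PAT: only TCP/443 of the mapped address maps to the server,
! so the rest of 192.0.2.2 is not exposed. One such line per HOMS port.
static (inside,outside) tcp 192.0.2.2 443 192.168.110.11 443 netmask 255.255.255.255

! Pre-8.3 ACLs match the MAPPED (outside) address, not the real one.
access-list outside_access_in extended permit tcp any host 192.0.2.2 eq 443
access-group outside_access_in in interface outside

! ---- ASA 8.3 and later (static command removed; object NAT instead) ----
! Same per-port translation, expressed on the network object.
object network HOMS_SERVER
 host 192.168.110.11
 nat (inside,outside) static 192.0.2.2 service tcp 443 443

! From 8.3 on, ACLs match the REAL address, so reference the object, not 192.0.2.2.
access-list outside_access_in extended permit tcp any object HOMS_SERVER eq 443
access-group outside_access_in in interface outside
```

Two checks before the client-site test: `show xlate` should list the static entry without any traffic having flowed (the "permanently installed xlate" Marcin describes), and `packet-tracer input outside tcp 198.51.100.10 40000 192.0.2.2 443` walks the ACL and NAT phases and reports which one drops the packet if something is still off. If only a single public address is available, the keyword `interface` can stand in for 192.0.2.2 in the static or nat line so the outside interface's own address is used, and in that case the mapped port on the ASA must not collide with anything the ASA itself listens on (for example ASDM/HTTPS on 443 on the outside interface). As Marcin notes, a mapped address that is not in the upstream router's connected subnet also needs a route pointing at the ASA.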
