ASA 5510 basic configuration

andri.daniel
Level 1

Dear all,

I want to configure a Cisco ASA 5510.

My network is ADSL (fixed IP) -- ASA 5510 -- LAN

There is no DMZ.

ADSL ethernet IP: 125.7.34.xxx

firewall OUT side 125.7.34.xxx,

Firewall inside 192.168.1.250

LAN 192.168.1.0

I want one of my servers to have a public IP.

I just add NAT on my ASA 5510 from 192.168.1.2 (my server) to 125.7.34.xxx

so I can connect from outside to this server. Am I correct? Is there anything else I need to configure?

Thanks

Daniel

6 Replies

Jon Marshall
Hall of Fame

Hi Daniel

Yes, you need a static translation, e.g.

static (inside,outside) 125.7.34.x 192.168.1.2 netmask 255.255.255.255

and then you need to allow the relevant ports through in an access-list, e.g. for HTTP

access-list outin permit tcp any host 125.7.34.x eq 80

then apply the access-list to the interface

access-group outin in interface outside

Don't forget that there is an implicit "deny ip any any" at the end of the access-list so any other things you need to give access to from outside to in should be included in the access-list.

HTH

Jon

Hi Jon,

Thanks for your reply. I just configured my Cisco with ASDM and added an access list under Security Policy (see attachment for details). Is it correct? Sorry for my stupid question, I am still a beginner :)

Thanks

Daniel

This is my Cisco config:

asdm image disk0:/asdm-507.bin
asdm location 192.168.1.2 255.255.255.255 Inside
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname GACasa
domain-name default.domain.invalid
enable password xxx
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 125.7.xx.132 255.0.0.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.250 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.250 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
access-list Outside_access_in extended permit tcp any host 125.7.xx.135
access-list Outside_access_out extended permit tcp any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 100 125.17.xx.133-125.17.xx.137
global (Inside) 200 192.168.1.1-192.168.1.10
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 125.7.xx.135 192.168.1.2 netmask 255.255.255.255
static (Outside,Inside) 192.168.1.2 125.7.xx.135 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.1-192.168.10.2 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end

CMMIW

Daniel

Your config looks fine, but in your access list you allow any TCP port. You can leave it as is, but I would do it as Jon posted: be specific about which TCP ports you allow inbound.

e.g.

Your config:

access-list Outside_access_in extended permit tcp any host 125.7.xx.135

could be, as Jon indicated:

access-list Outside_access_in extended permit tcp any host 125.7.xx.135 eq 80

Jorge

Jorge Rodriguez

Hi Jorge,

Can I put it like this:

object-group service openport tcp
 description Port opened
 port-object eq 5900
 port-object eq 10601
 port-object eq 6000
 port-object eq 1601
 port-object eq https

access-list Outside_access_in extended permit tcp any host 125.7.xx.135 object-group openport

Thanks

Daniel

Absolutely, Daniel, you can! And the access list is firm, since you are now aware of which TCP ports are permitted.

Regards

Jorge

Jorge Rodriguez
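Jon's static-plus-access-list steps and the object-group variant discussed above, combined into one complete set of ASA 7.x commands. This is an added example, not configuration from the thread or from Cisco documentation; it reuses the thread's redacted addresses (125.7.xx.135, 192.168.1.2) and interface names, and the NAT id 100, the group name openport and the <isp-gateway> placeholder are assumptions.

```cisco
! Added example (not from the thread). Addresses are the thread's redacted
! ones; nat id 100, the group name and <isp-gateway> are assumptions.

! 1. Publish the server. One static is enough: it translates both directions,
!    so a second (Outside,Inside) static for the same pair is not needed.
static (Inside,Outside) 125.7.xx.135 192.168.1.2 netmask 255.255.255.255

! 2. Group the TCP ports that may be reached from the Internet.
object-group service openport tcp
 description Ports opened to the published server
 port-object eq https
 port-object eq 5900
 port-object eq 10601
 port-object eq 6000
 port-object eq 1601

! 3. Match the group on the DESTINATION port only. Clients connect from
!    ephemeral source ports, so matching the same group on the source port
!    would drop nearly every connection. Anything not listed is dropped by
!    the implicit deny at the end of the list.
access-list Outside_access_in extended permit tcp any host 125.7.xx.135 object-group openport
access-group Outside_access_in in interface Outside

! 4. nat-control is on in the posted config, so the rest of the LAN needs a
!    translation rule of its own to use global pool 100 (pool id assumed).
nat (Inside) 100 192.168.1.0 255.255.255.0

! 5. The posted config has no default route; without it replies to Internet
!    clients cannot leave the Outside interface. <isp-gateway> is a placeholder.
route Outside 0.0.0.0 0.0.0.0 <isp-gateway>

! Verification (commands available in ASA 7.0):
!   show xlate                          -> Global 125.7.xx.135 Local 192.168.1.2
!   show access-list Outside_access_in  -> hitcnt rises as connections arrive
!   show conn                           -> active sessions to 192.168.1.2
!   clear xlate                         -> run after changing an existing static
```

Two caveats from the posted config: the Outside interface carries a 255.0.0.0 mask, which makes the ASA treat all of 125.0.0.0/8 as directly connected and ARP for those addresses instead of forwarding them to the ISP gateway, so use the mask the ISP actually assigned; and because a static is bidirectional, the extra static (Outside,Inside) line can be removed without losing anything.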