11-19-2007 10:59 PM - edited 03-11-2019 04:33 AM
Dear all,
I want to configure Cisco ASA 5510.
My network is ADSL(Fix IP)--ASA5510--LAN
There is no DMZ.
ADSL ethernet IP: 125.7.34.xxx
firewall OUT side 125.7.34.xxx,
Firewall inside 192.168.1.250
LAN 192.168.1.0
I want one of my server have Public IP
I just add NAT on my ASA 5510 192.168.1.2(my server) to 125.7.34.xxx
so I can connect from outside to this server. Am I correct? Anything else I need to configure?
Thanks
Daniel
11-19-2007 11:28 PM
Hi Daniel
Yes you need a static translation eg.
static (inside,outside) 125.7.34.x 192.168.1.2 netmask 255.255.255.255
and then you need to allow the relevant ports through in an access-list eg. for http
access-list outin permit tcp any host 125.7.34.x eq 80
then apply access-list to interface
access-group outin in interface outside
Don't forget that there is an implicit "deny ip any any" at the end of the access-list so any other things you need to give access to from outside to in should be included in the access-list.
HTH
Jon
11-20-2007 03:37 PM
11-21-2007 05:57 PM
This is my Cisco config:
asdm image disk0:/asdm-507.bin
asdm location 192.168.1.2 255.255.255.255 Inside
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname GACasa
domain-name default.domain.invalid
enable password xxx
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 125.7.xx.132 255.0.0.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.250 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.250 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
access-list Outside_access_in extended permit tcp any host 125.7.xx.135
access-list Outside_access_out extended permit tcp any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 100 125.17.xx.133-125.17.xx.137
global (Inside) 200 192.168.1.1-192.168.1.10
nat (management) 0 0.0.0.0 0.0.0.0
static (Inside,Outside) 125.7.xx.135 192.168.1.2 netmask 255.255.255.255
static (Outside,Inside) 192.168.1.2 125.7.xx.135 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.1-192.168.10.2 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxx
: end
CMMIW
Daniel
11-21-2007 06:24 PM
Your config looks fine, but in your access list you allow any TCP port. You can leave it as is, but I would do it as Jon posted it: be specific about which TCP ports you allow inbound.
e.g
your config
access-list Outside_access_in extended permit tcp any host 125.7.xx.135
could be as Jon indicated.
access-list Outside_access_in extended permit tcp any host 125.7.xx.135 eq 80
Jorge
11-21-2007 07:23 PM
Hi Jorge,
Can I put like this:
object-group service openport tcp
description Port opened
port-object eq 5900
port-object eq 10601
port-object eq 6000
port-object eq 1601
port-object eq https
access-list Outside_access_in extended permit tcp any host 125.7.xx.135 object-group openport
Thanks
Daniel
11-21-2007 07:48 PM
Absolutely Daniel, you can! And the access list is firm since you are now aware of which TCP ports are permitted.
Rgds
Jorge
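Jon's three steps (static translation, access-list, access-group) and the object-group form discussed in the later posts, assembled into one complete fragment as an added example that is not from any of the posters. It assumes the ASA 7.0-era syntax used in the thread, a placeholder public address 125.7.34.x, an object-group name web-ports and the www/https ports; the lines starting with "!" are annotations for the reader, not part of the configuration. Note that the object-group is applied only on the destination side: a client connecting to the server uses a random high source port, so putting the same object-group on the source side would match almost nothing. Because this is pre-8.3 code, the access-list references the mapped (public) address, exactly as in the thread.

```cisco
! Added example, not the thread's own config. 125.7.34.x is a placeholder.
! 1. Service group listing only the ports that are meant to be reachable.
object-group service web-ports tcp
 description Ports published for the internal server
 port-object eq www
 port-object eq https
!
! 2. One-to-one static translation: public 125.7.34.x <-> internal 192.168.1.2
static (Inside,Outside) 125.7.34.x 192.168.1.2 netmask 255.255.255.255
!
! 3. Inbound ACL on the outside interface. Destination port comes from the
!    object-group; the source port is left unrestricted (clients use ephemeral
!    ports). Everything not listed here hits the implicit deny.
access-list Outside_access_in extended permit tcp any host 125.7.34.x object-group web-ports
access-group Outside_access_in in interface Outside
!
! Checks after applying:
!   show xlate | include 192.168.1.2        -> the static translation is present
!   show access-list Outside_access_in      -> hit counts per ACE as traffic arrives
```

If the hit count on the ACE stays at zero while the translation shows in `show xlate`, the traffic is not reaching the outside interface at all (ISP or routing), rather than being blocked by the firewall; if the counter climbs but the service still does not answer, the problem is on the server side or in the outside interface mask.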