Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ASA 5510 basic configuration

Dear all,

I wants to configure CISCO asa 5510.

My network is ADSL(Fix IP)--ASA5510--LAN

There is no DMZ.

ADSL ethernet IP: 125.7.34.xxx

firewall OUT side 125.7.34.xxx,

Firewall inside 192.168.1.250

LAN 192.168.1.0

I want one of my server have Public IP

I just add NAT on my ASA 5510 192.168.1.2(my server) to 125.7.34.xxx

so i can connect from outside to this server. Am I correct? anything else i need to configure?

Thanks

Daniel

6 REPLIES
Hall of Fame Super Blue

Re: ASA 5510 basic configuration

Hi Daniel

Yes you need a static translation eg.

statc (inside,outside) 125.7.34.x 192.168.1.2 netmask 255.255.255.255

and then you need to allow the relevant ports througjh in an access-list eg. for http

access-list outin permit tcp any host 125.7.34.x eq 80

then apply access-list to interface

access-group outin in interface outside

Don't forget that there is an implicit "deny ip any any" at the end of the access-list so any other things you need to give access to from outside to in should be included in the access-list.

HTH

Jon

New Member

Re: ASA 5510 basic configuration

Hi Jon,

Thanks for yor reply, I just configure my Cisco by ASDM and add access list on Security policy (see attachment for detail). Is it correct? Sorry for my stupid question, I am still beginner :)

Thanks

Daniel

New Member

Re: ASA 5510 basic configuration

This is my Cisco config:

asdm image disk0:/asdm-507.bin

asdm location 192.168.1.2 255.255.255.255 Inside

no asdm history enable

: Saved

:

ASA Version 7.0(7)

!

hostname GACasa

domain-name default.domain.invalid

enable password xxx

names

dns-guard

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 125.7.xx.132 255.0.0.0

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.1.250 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.10.250 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

access-list Outside_access_in extended permit tcp any host 125.7.xx.135

access-list Outside_access_out extended permit tcp any any

pager lines 24

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400

nat-control

global (Outside) 100 125.17.xx.133-125.17.xx.137

global (Inside) 200 192.168.1.1-192.168.1.10

nat (management) 0 0.0.0.0 0.0.0.0

static (Inside,Outside) 125.7.xx.135 192.168.1.2 netmask 255.255.255.255

static (Outside,Inside) 192.168.1.2 125.7.xx.135 netmask 255.255.255.255

access-group Outside_access_in in interface Outside

access-group Outside_access_out out interface Outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.10.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.10.1-192.168.10.2 management

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

Cryptochecksum:xxx

: end

CMMIW

Daniel

Re: ASA 5510 basic configuration

Your config looks fine but in your access list you allow any tcp port you can leave it as is but I would do it as Jon posted it, be specific what tcp ports you allow inbound.

e.g

your config

access-list Outside_access_in extended permit tcp any host 125.7.xx.135

could be as Jon indicated.

access-list Outside_access_in extended permit tcp any host 125.7.xx.135 eq 80

Jorge

New Member

Re: ASA 5510 basic configuration

Hi Jorge,

Can I put like this:

object-group service openport tcp

description Port opened

port-object eq 5900

port-object eq 10601

port-object eq 6000

port-object eq 1601

port-object eq https

access-list Outside_access_in extended permit tcp any object-group openport host 125.7.xx.135 object-group openport

Thanks

Daniel

Re: ASA 5510 basic configuration

Upsoluetly Daniel , you can ! and the access list is firm since you are now aware of which tcp ports are permited.

Rgds

Jorge

964
Views
0
Helpful
6
Replies
CreatePlease to create content