New Member

ASA5510 configuration

I bought a new ASA5510. As I worked with a PIX years ago, I tried to configure the ASA myself. As I didn't have luck, I asked for help from a certified Cisco consultant, and he didn't have luck either, so I'm asking here. I was using ASDM to configure the ASA and the consultant was working with the CLI. The problem is really simple. Two configurations were tried: a simple one (one internal, one external, just HTTP from one public IP to one internal IP), then a more complicated configuration (one internal interface, one external, one DMZ). Both configurations didn't work: the ASA blocks the traffic to the server because of the implicit outside deny ACL, instead of the permit ACL configured (from to public IP, permit HTTP). Please, any help?

Hall of Fame Super Blue

Re: ASA5510 configuration


Can you post the configuration you have at the moment?


New Member

Re: ASA5510 configuration

I used the getting started guide and configured the same topology from the chapter 6 DMZ configuration, except for the IPs. So I have an external public IP at sec level 0, an internal at sec level 100, and the DMZ on sec level 50, with one server on the DMZ with a web server active on port 80. I configured IP pools for NAT in the DMZ from to, configured PAT for the external interface, dynamic NAT from internal to DMZ, and static from the public IP to the server IP, and finally an ACL on the external interface, incoming, from to public IP, any, http/www.

Traffic is blocked by the outside incoming implicit deny rule.

New Member

Re: ASA5510 configuration

Nobody knows how this configuration should work?

New Member

Re: ASA5510 configuration

Can you post your current config? Without this nobody is really going to be able to help you.

New Member

Re: ASA5510 configuration

Do you want a file from the firewall with the current configuration?

New Member

Re: ASA5510 configuration

ASA Version 7.2(2)

hostname ciscoasa
domain-name default.domain.invalid
enable password xxx

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *PUBLIC IP*

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address

interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address

interface Ethernet0/3
 no nameif
 no security-level
 no ip address

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd XXXXXXXXXXXXXXX encrypted
ftp mode passive
clock timezone CLST -4
clock summer-time CLDT recurring 2 Sun Oct 0:00 2 Sun Mar 0:00
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service MYSERVICES tcp
access-list outside_access_in extended permit tcp host *PUBLIC IP* eq www
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu DMZ 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 200 interface
global (DMZ) 200 netmask
nat (inside) 200
static (DMZ,outside) *PUBLIC IP* netmask
static (outside,DMZ) *PUBLIC IP* netmask
access-group outside_access_in in interface outside
route outside *PUBLIC GATEWAY* 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http outside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address management
dhcpd enable management

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end


Re: ASA5510 configuration

any =

access-list outside_access_in extended permit tcp any host *PUBLIC IP* eq www

Also, is *PUBLIC IP* the same ip throughout your config? If it is also the outside interface address, then your static needs the "interface" keyword.

static (DMZ,outside) interface netmask

Also, get rid of this one...

no static (outside,DMZ) *PUBLIC IP* netmask
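
Why the posted entry fell through to the implicit deny, as an added example that is not part of the original thread: a small first-match evaluator for ASA-style extended TCP entries. The addresses are constructed (RFC 5737 ranges), the helper names are hypothetical, and `BEFORE` is an assumed reading of the posted entry with the public IP in the source position.

```python
import ipaddress

PORTS = {"www": 80, "https": 443}  # port keywords handled by this sketch

def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION tcp SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended" or t[4] != "tcp":
        raise ValueError("unsupported entry: " + line)
    src, rest = parse_addr(t[5:])  # the first address spec is always the source
    if not rest or rest[0] == "eq":
        raise ValueError("only one address given, destination missing: " + line)
    dst, rest = parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = PORTS.get(rest[1]) or int(rest[1])
    return {"action": t[3], "src": src, "dst": dst, "port": port}

def evaluate(acl_lines, src_ip, dst_ip, dst_port):
    """First matching entry wins; no match at all means the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if (ipaddress.ip_address(src_ip) in ace["src"]
                and ipaddress.ip_address(dst_ip) in ace["dst"]
                and ace["port"] in (None, dst_port)):
            return ace["action"]
    return "implicit-deny"

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
PUBLIC_IP, CLIENT = "203.0.113.10", "198.51.100.25"
PREFIX = "access-list outside_access_in extended permit tcp "
AS_POSTED = PREFIX + f"host {PUBLIC_IP} eq www"      # shape shown in the thread
BEFORE = [PREFIX + f"host {PUBLIC_IP} any eq www"]   # assumed reading: public IP as source
AFTER = [PREFIX + f"any host {PUBLIC_IP} eq www"]    # the entry suggested in the reply

if __name__ == "__main__":
    print("before:", evaluate(BEFORE, CLIENT, PUBLIC_IP, 80))
    print("after: ", evaluate(AFTER, CLIENT, PUBLIC_IP, 80))
```

With the public IP in the source position, only packets sent from that address can match, so an Internet client never hits the permit entry.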

New Member

Re: ASA5510 configuration


Thanks!! Now that I see the solution, I can see the error.
