
Beginner configuration of the ASA 5510 Firewall

I have a Cisco ASA 5510. The purpose of this firewall is to block all traffic between two servers and only open port 5450. I have attached a diagram of the connection of the two servers and the firewall. Basically, one server is connected to eth0/0 directly and the other server is connected to eth0/1. I have enabled both of these network interfaces and named eth0/0 as outside and eth0/1 as inside. The IP naming can be found in the attachment.

I want to know what other settings need to be done. Is there any static route needed? I seem not able to ping from one side to the other side. Please help me from scratch.

Thank you so much

18 REPLIES
New Member

Re: Beginner configuration of the ASA 5510 Firewall

Can someone help me asap as this is really urgent. Thank you so much

Re: Beginner configuration of the ASA 5510 Firewall

Can you post the PIX configuration?

New Member

Re: Beginner configuration of the ASA 5510 Firewall

I did not configure anything, but I can show it. Teach me how to get the configuration from the CLI.

Re: Beginner configuration of the ASA 5510 Firewall

Console to the PIX, then issue show run and copy and paste the output here.

I may step out, though!

New Member

Re: Beginner configuration of the ASA 5510 Firewall

ASA Version 7.2(2)
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 50
 ip address 192.168.1.9 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside per-user-override
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

New Member

Re: Beginner configuration of the ASA 5510 Firewall

Hello,

Change the security-level values for outside to 0 and inside to 100.

You don't really require a route statement if you only have the two connected networks.

Perform a

no nat (management) 0 0.0.0.0 0.0.0.0
no access-group outside_access_out out interface outside
no access-group inside_access_out out interface inside

Try to leave it as simple as possible with only inbound ACLs.

Add a

static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0

I think that should help you out somewhat.

New Member

Re: Beginner configuration of the ASA 5510 Firewall

I have tried, but it still cannot.

static (inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0

(this line doesn't work)

I have the latest configuration; please all take a look. Maybe I want to do a configure factory-default again and start everything from scratch. Please help me out.

ASA Version 7.2(2)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.9 255.255.255.248
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list inside_access_in extended permit icmp any any
access-list inside_access_out extended permit icmp any any
access-list outside_access_out extended permit icmp any any
access-list outside_access_in extended permit icmp any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group inside_access_in in interface inside per-user-override
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.2-10.1.1.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
: end

New Member

Re: Beginner configuration of the ASA 5510 Firewall

When you entered the static statement, what error came back, or did it just not apply?

New Member

Re: Beginner configuration of the ASA 5510 Firewall

It gives some error message. I think it is about the gateway issue. I really feel like resetting everything and having someone guide me step by step to configure it. Please assist.

New Member

Re: Beginner configuration of the ASA 5510 Firewall

Oops, sorry.

Make that

static(inside,outside) 192.168.1.8 192.168.1.8 255.255.255.248 0 0

Tim

New Member

Re: Beginner configuration of the ASA 5510 Firewall

Hey, why is it 192.168.1.8? Or should it be 192.168.1.0?

static(inside,outside) 192.168.1.0 192.168.1.0 255.255.255.248 0 0

New Member

Re: Beginner configuration of the ASA 5510 Firewall

The statement

static(inside,outside) 192.168.1.8 192.168.1.8 255.255.255.248 0 0

simply provides a translation between the inside and outside interfaces. In this case there is no translation. The 192.168.1.8 network is defined as being an available network to the outside interface. No NAT occurs.

You require the 1.8 in the statement as you're wanting to allow traffic from the inside to the outside to appear "unchanged" addressing-wise. Likewise, the same is true for traffic in the other direction.

Sorry for the confusion.

How are things looking?

New Member

Re: Beginner configuration of the ASA 5510 Firewall

I am not at the unit now. I will reply to you in a while when I get back to my firewall.

Thank you. I hope it will work.

New Member

Re: Beginner configuration of the ASA 5510 Firewall

Hi, I have tried it, but I still cannot add the static statement.

It says: ERROR: % Invalid input detected at '^' marker.

static (inside,outside) 192.168.1.8 192.168.1.8 255.(marker is here)255.255.248 0 0

New Member

Re: Beginner configuration of the ASA 5510 Firewall

I have tried

static (inside,outside) 192.168.1.8 192.168.1.8 netmask 255.255.255.248 0 0

This works, but it still cannot ping from inside to outside.

New Member

Re: Beginner configuration of the ASA 5510 Firewall

Issue these commands on your ASA 5510:

enable
config t
policy-map global_policy
 class inspection_default
  inspect icmp

This works on my ASA 5505.

New Member

Re: Beginner configuration of the ASA 5510 Firewall

Actually, can I reset everything now and have someone please teach me from the start? The architecture is like this:

Inside network:

server NIC address: 192.168.1.10, subnet mask: 255.255.255.248

connected directly to eth0/1: 192.168.1.9, subnet mask: 255.255.255.248

Outside network:

server NIC address: 192.168.1.4, subnet mask: 255.255.255.248

connected directly to eth0/0: 192.168.1.1, subnet mask: 255.255.255.248

I reset to factory settings at the management port, 10.1.1.1, subnet mask 255.255.255.0.

Can someone teach me from here?
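As an added example (not posted by anyone in this thread), the Python below takes the addresses listed above, checks that each server sits in its own interface's subnet, and derives the identity static the thread settled on together with the single-port ACL the original question asked for. The direction of the 5450 connection (outside server connecting to the inside server) is an assumption; the thread does not say which side listens.

```python
import ipaddress

# Addresses as posted in the thread. Service direction is an assumption:
# the outside server connects to TCP/5450 on the inside server.
OUTSIDE_IF, OUTSIDE_SERVER = "192.168.1.1/29", "192.168.1.4"
INSIDE_IF, INSIDE_SERVER = "192.168.1.9/29", "192.168.1.10"
SERVICE_PORT = 5450


def layout_problems(outside_if, outside_server, inside_if, inside_server):
    """Each server must sit in its own interface's subnet and the subnets must
    not overlap. Returns the findings; an empty list means the layout is sane."""
    o_net = ipaddress.ip_interface(outside_if).network
    i_net = ipaddress.ip_interface(inside_if).network
    problems = []
    if ipaddress.ip_address(outside_server) not in o_net:
        problems.append(f"{outside_server} is not in outside subnet {o_net}")
    if ipaddress.ip_address(inside_server) not in i_net:
        problems.append(f"{inside_server} is not in inside subnet {i_net}")
    if o_net.overlaps(i_net):
        problems.append(f"outside {o_net} overlaps inside {i_net}")
    return problems


def identity_static(inside_if):
    """Identity NAT for the inside subnet: both addresses are the subnet's
    network address (192.168.1.8 for 192.168.1.9/29, not 192.168.1.0) and
    the mask must follow the 'netmask' keyword."""
    net = ipaddress.ip_interface(inside_if).network
    return (f"static (inside,outside) {net.network_address} "
            f"{net.network_address} netmask {net.netmask}")


def port_only_acl(outside_server, inside_server, port):
    """Inbound ACL on 'outside' permitting one TCP port between the two hosts.
    The implicit deny drops all else; the stateful connection table admits the
    replies, so no outbound ACL is needed."""
    return [f"access-list outside_access_in extended permit tcp host {outside_server} "
            f"host {inside_server} eq {port}",
            "access-group outside_access_in in interface outside"]


def build_config():
    """NAT and ACL lines for the posted layout, or the findings as comments."""
    problems = layout_problems(OUTSIDE_IF, OUTSIDE_SERVER, INSIDE_IF, INSIDE_SERVER)
    if problems:
        return ["! " + p for p in problems]
    return [identity_static(INSIDE_IF),
            *port_only_acl(OUTSIDE_SERVER, INSIDE_SERVER, SERVICE_PORT)]
```

With the existing permit-icmp-any-any lines left in place ping would still pass, so replace the outside_access_in entries with the generated one rather than appending to them.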

New Member

Re: Beginner configuration of the ASA 5510 Firewall

Yes.

This is fine.

Email me: tim.kaye@empired.com
