
New Member

Need some help getting started with ASA 5510: Help needed!

Well, I have very very limited experience with ASA and PIX. My new job here has an ASA appliance and I am going to be taking over the duties for it. Which is fine and great and I look forward to it. I am just a little "raw" and need some help.

I will be back here a lot :) , and will post my configs as I look for suggestions and help.

In the meantime, I have been asked to setup a VPN connection, using PPTP from the vendors location (public IP addresses have been given) to servers within our network.

I went out and grabbed some ASA books (Hucaby Handbook) and will be going over it.

In the meantime, does anyone have suggestions on how to get started?

In a nutshell, I need a crash course to get up to speed.

Thanks for the help.

Jason

8 REPLIES
New Member

Re: Need some help getting started with ASA 5510: Help needed!

Ok...have some more information. Have been reading up on some documentation A LOT. Just need some feedback here.

I have a list of 7 public IP addresses from the originating PPTP connections from our vendor. I will have the public IP address that will be mapped to our internal Authentication server internally.

For now, let's say the public IP address is: 20.10.5.2 (remember, I have 6 more)

Say our internal Authentication server is:

172.15.5.1 inside, public outside is: 32.16.8.4

For simplicity.

When setting up the ACLs, would it be something like this?

access-list inbound_pptp_traffic permit gre host 20.x.5.2 host 32.16.8.4

access-list inbound_pptp_traffic permit tcp host 20.x.5.2 host 32.16.8.4 eq 1723

static (inside,outside) 32.x.x.4 172.15.5.1 255.255.0.0

access-group inbound_pptp_traffic in interface outside

Is that right so far?

If it is right, do I need to set up 7 individual rules for each public IP address to get to the internal server?

Thanks.

New Member

Re: Need some help getting started with ASA 5510: Help needed!

Let me edit this again:

20.10.5.2 -- remote host making connection

32.16.8.4 -- public IP statically assigned to internal authentication server

access-list inbound_pptp_traffic permit gre host 20.10.5.2 host 32.16.8.4

access-list inbound_pptp_traffic permit tcp host 20.10.5.2 host 32.16.8.4 eq 1723

static (inside,outside) 32.16.8.4 172.15.5.1 netmask 255.255.255.255

access-group inbound_pptp_traffic in interface outside

That look right?

Do I need to set up a rule to make sure the return traffic would get through?

Thanks.

New Member

Re: Need some help getting started with ASA 5510: Help needed!

Can anyone tell me if I am on the right track? :)

Cisco Employee

Re: Need some help getting started with ASA 5510: Help needed!

Hi,

Are you setting up a tunnel between the two locations?

If not, then it's absolutely right.

For inbound connections over normal internet traffic, we need to have a static statement for the mapping and translation purpose and an access-list on the outside interface which is permitting the traffic.

Cisco Employee

Re: Need some help getting started with ASA 5510: Help needed!

If it's a VPN tunnel (not a VPN passthrough), then you might need to set up a lot of VPN configuration for setting up both phase 1 and phase 2 sets on both ends.

If it's just a passthrough and the firewall is not acting as a terminating point of the tunnel, then you are on the right track.

New Member

Re: Need some help getting started with ASA 5510: Help needed!

Thanks for the feedback. Yes, it is not a tunnel between two locations. Just remote connections.

I set up network-objects so I did not have to put in 14 rules.

Thanks for the help!

TCG

New Member

Re: Need some help getting started with ASA 5510: Help needed!

Hi,

1) As you can have only 1 access-group (ACL) per interface, maybe it's better to use a generic name like "outside_in".

2) The ASA is a stateful firewall.

New Member

Re: Need some help getting started with ASA 5510: Help needed!

Yep...made sure my ACL name is the same to match what already exists.

Appreciate it.
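The configuration the thread converges on, written out as an added example (pre-8.3 NAT syntax, to match the static/access-group commands used above; this is not the poster's actual config). It assumes the seven vendor hosts are collected in a network object-group so only two ACEs are needed, that "outside_in" is the name of the ACL already bound inbound on outside, and that the six addresses after 20.10.5.2 are placeholders.

```cisco
! Added example: PPTP passthrough to an internal server on ASA (pre-8.3 syntax).
! Not the poster's configuration.
!
! Remote PPTP clients at the vendor. The thread gives 20.10.5.2; the other six
! entries are placeholders to be replaced with the vendor's real addresses.
object-group network VENDOR_PPTP_CLIENTS
 network-object host 20.10.5.2
 network-object host 20.10.5.3
 network-object host 20.10.5.4
 network-object host 20.10.5.5
 network-object host 20.10.5.6
 network-object host 20.10.5.7
 network-object host 20.10.5.8
!
! One-to-one static: public 32.16.8.4 maps to the inside authentication server
! 172.15.5.1. A host mask keeps the translation to that single address, and the
! static command takes the mask after the netmask keyword.
static (inside,outside) 32.16.8.4 172.15.5.1 netmask 255.255.255.255
!
! Two ACEs cover all seven clients: the PPTP control channel (TCP/1723) and the
! GRE data channel, both limited to the one mapped host. "outside_in" stands for
! whatever ACL is already applied inbound on outside, since an interface takes
! only one inbound access-group.
access-list outside_in extended permit tcp object-group VENDOR_PPTP_CLIENTS host 32.16.8.4 eq 1723
access-list outside_in extended permit gre object-group VENDOR_PPTP_CLIENTS host 32.16.8.4
!
! Bind the ACL inbound on outside (omit if outside_in is already bound there).
access-group outside_in in interface outside
!
! No separate rule is needed for replies: the ASA is stateful and allows the
! return traffic of connections it has already accepted. Verify with:
!   show xlate | include 172.15.5.1
!   show access-list outside_in
!   show conn
```

If the server were ever reached through PAT instead of this one-to-one static, the GRE leg would additionally need the PPTP inspection engine (inspect pptp in the service policy) so the firewall can track the GRE call IDs.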
