Problems with Cisco ASA5510

miregistrocisco
Level 1

Hi, I need some help configuring a Cisco ASA5510 firewall. I have connected the ethernet0/0 interface to a D-Link DSL-504T router whose ip address is 192.168.1.1. The ethernet0/1 interface is connected to a 3Com OfficeConnect Dual Speed Switch 5 switch that provides connection to several hosts. At first, I wrote down a basic configuration in order to permit all traffic coming from the inside network and use the ping command, but the firewall drops every incoming packet from the LAN. When I ping the router there is no reply and I also can't surf on internet, but pings to the ethernet0/0 interface are replied. This is the whole list of commands I used:

interface ethernet 0/0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.0.0
no shutdown
exit
interface ethernet 0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
no shutdown
exit
route outside 0 0 192.168.1.1 1
dhcpd address 10.0.0.2-10.0.0.254 inside
dhcpd dns 80.58.0.33 62.37.228.20
dhcpd enable inside
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceed
access-list 100 extended permit icmp any any unreachable
access-group 100 in interface outside
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.3.100-192.168.3.150
global (outside) 1 192.168.3.200

What's wrong with these settings? Did I forget any important detail? In case the configuration is wrong, could you please post any other basic one here?

PS: The ASA5510 works in routed firewall mode.

5 Replies

andrew.prince
Level 10

You are natting to a separate IP subnet on the outside?

For testing, cut and paste the below:-

global (outside) 2 interface
no nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 2 10.0.0.0 255.255.255.0

Re-test and post results.

It works! But why am I natting to a separate subnet? 192.168.1.2 and 192.168.3.XXX addresses belong to the 192.168.0.0/16 subnet, don't they?

Yes they do - however it all depends on the next hop device. In your config you have:-

interface ethernet 0/0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.0.0
route outside 0 0 192.168.1.1
global (outside) 1 192.168.3.100-192.168.3.150

OK - what is the mask on your next hop device facing the firewall?? /16 or /24 - does the router have arp enabled? Does the firewall have proxy arp enabled on the outside interface?

At the end - do you really need to NAT to a different IP subnet? Do you need 253 IP addresses for NAT?
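The mask question above is the whole problem: the ASA thinks 192.168.3.x is on-link (/16), but a router with a /24 on the same wire treats 192.168.3.x as off-link and sends replies to its default route instead of ARPing for them on the LAN, so return traffic for the mapped addresses never comes back. The following is an added example, not code from the thread or from Cisco; it uses Python's standard `ipaddress` module to audit an ASA-style `global (outside)` pool against the next-hop router's actual mask. The function names (`check_global_pool`, `mask_mismatch`, `audit`) and the pool-string format are my own assumptions, and the addresses are the ones posted in the thread.

```python
# Added example (not from the thread): audit an ASA "global (outside)" pool
# against the next-hop router's real subnet mask, to catch mapped addresses
# the router will never ARP for on the shared LAN.
import ipaddress


def pool_addresses(pool):
    """Expand an ASA-style pool spec ('a.b.c.d-a.b.c.e' or a single address).

    'interface' stands for the outside interface address, as in
    'global (outside) 2 interface'; the caller substitutes it.
    """
    if "-" in pool:
        start, end = pool.split("-", 1)
        first = int(ipaddress.IPv4Address(start.strip()))
        last = int(ipaddress.IPv4Address(end.strip()))
        return [ipaddress.IPv4Address(i) for i in range(first, last + 1)]
    return [ipaddress.IPv4Address(pool.strip())]


def check_global_pool(router_ip, router_prefixlen, pool):
    """Return the pool addresses that are OFF-LINK from the router's view.

    Off-link mapped addresses are the failure mode in the thread: the router
    forwards replies for them upstream rather than ARPing on the LAN.
    """
    router_net = ipaddress.IPv4Interface(f"{router_ip}/{router_prefixlen}").network
    return [str(a) for a in pool_addresses(pool) if a not in router_net]


def mask_mismatch(asa_ip, asa_prefixlen, router_ip, router_prefixlen):
    """True when the ASA and the next hop disagree on the connected subnet."""
    asa_net = ipaddress.IPv4Interface(f"{asa_ip}/{asa_prefixlen}").network
    router_net = ipaddress.IPv4Interface(f"{router_ip}/{router_prefixlen}").network
    return asa_net != router_net


def audit(asa_ip, asa_prefixlen, router_ip, router_prefixlen, pools):
    """Summarise the NAT pools for one outside interface.

    Returns a dict with the mask check and, per pool, the off-link addresses.
    """
    report = {
        "mask_mismatch": mask_mismatch(asa_ip, asa_prefixlen, router_ip, router_prefixlen),
        "pools": {},
    }
    for pool in pools:
        spec = asa_ip if pool == "interface" else pool
        report["pools"][pool] = check_global_pool(router_ip, router_prefixlen, spec)
    return report


if __name__ == "__main__":
    # Values from the thread: ASA outside 192.168.1.2/16, D-Link at 192.168.1.1/24.
    before = audit("192.168.1.2", 16, "192.168.1.1", 24,
                   ["192.168.3.100-192.168.3.150", "192.168.3.200"])
    after = audit("192.168.1.2", 16, "192.168.1.1", 24, ["interface"])
    print("original config:", before)   # every pool address is off-link for the router
    print("after the fix:  ", after)     # 'interface' pool: nothing off-link
```

Running the block reproduces the diagnosis: with the router at /24, all 51 addresses of the first pool and the single 192.168.3.200 address are off-link, while `global (outside) 2 interface` maps everything to 192.168.1.2, which the router does consider on-link. The `mask_mismatch` flag is the separate hygiene point from the thread: the ASA's outside mask should match the router's, or the firewall will keep ARPing for destinations the router expects to route.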

The router mask is /24, so that was the problem; I hadn't realised. I'll take care of mapped addresses in the future. Thanks a lot!

np - glad to help.
