Please help me with my ASA

sdettelepak
Level 1

Our company has finally outgrown our home user 3Com firewall unit. We have recently purchased our ASA 5510. This is my first exposure to the Cisco world, please pardon me if this question comes off as stupid.

I have a simple network of around 50 clients and a handful of servers. Does the ASA need a router between itself and the other networks that it is attached to? For instance, do I need a router between the inside network and the ASA, and then another router between the ASA and the outside network?

Thanks for any replies.

Tony

3 Replies

joneschw1
Level 1

Tony,

You don't need a router between the ASA and the inside, or the ASA and the outside. The ASA 5510 has multiple interfaces. Generally, it is set up with an inside, DMZ, and outside interface. The inside interface will have an inside IP address (the address is your default gateway for your internal clients). The outside interface will have a public IP address or one provided to you by your ISP. You cannot plug a T1 line into the ASA. The ASA can only handle Ethernet. So, if you have a DSL line for Internet, you will need to run the Ethernet cable from the DSL modem out to the ASA. If you have a T1 or partial T1, Frame Relay, etc., you will have to run the line into a router and then Ethernet from the router to the ASA. I suspect that you will be able to just take the same cable that your 3Com had running into it, and switch that to the ASA outside interface. The ASA will handle routing packets from the inside to the outside. There are a number of example configs on Cisco's website.

joneschw1,

Thanks for your reply. I have checked into the example configs with limited success. My goal is to have an internal (192.168.11.x) network, a DMZ (10.10.10.x) network, and the Outside (216.241.48.x) network. My web server will be the only machine residing in the DMZ. My Exchange server will reside in the Inside network. I brought the ASA up with the config that I am attaching, and turned on the logging to try and figure out why nothing was working. I got some no route errors. I don't totally understand the static route deal. Do I need a static route for all 3 of my interfaces? Thanks again for any help.

Tony

Example with DMZ mail server at http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml

What are the "no route errors"?

Your static NATs are ok.

You need to adjust the outside ACL. You may not want to permit any to SMTP (first line below):

access-list Outside_access_in extended permit tcp any host 216.241.48.67 eq smtp

no access-list Outside_access_in extended permit tcp host 216.241.48.67 host 216.241.48.67 eq smtp

no access-list Outside_access_in extended permit tcp any any

If you don't want to NAT inside-DMZ:

access-list Inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0

DMZ has no access to outside unless you put an ACL on that interface.

I must admit "nat (Inside) 1 Inside 255.255.255.0 outside" confused me and I think you should remove it.
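A minimal three-interface layout for the networks named in this thread, as an added example (it is not Tony's attached config or Cisco's example page); the interface, gateway and server host addresses are assumed placeholders, and the syntax is the pre-8.3 `nat`/`global`/`static` style the thread already uses:

```cisco
! Added example, not the thread's config: interface, host and public addresses
! are constructed placeholders on the three networks named above (ASA 7.x/8.2 syntax).
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 216.241.48.2 255.255.255.0
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.11.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Only one static route is needed: the default route to the ISP gateway.
! Inside and DMZ are directly connected, so the ASA already knows them.
route Outside 0.0.0.0 0.0.0.0 216.241.48.1 1
!
! Dynamic PAT: inside and DMZ hosts share the outside interface address going out.
global (Outside) 1 interface
nat (Inside) 1 192.168.11.0 255.255.255.0
nat (DMZ) 1 10.10.10.0 255.255.255.0
!
! Identity NAT (nat 0): Inside reaches the DMZ with real addresses, no translation.
access-list Inside_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
!
! Static NAT for the published servers: web server in the DMZ, Exchange inside.
static (DMZ,Outside) 216.241.48.66 10.10.10.10 netmask 255.255.255.255
static (Inside,Outside) 216.241.48.67 192.168.11.10 netmask 255.255.255.255
!
! Outside ACL: permit only the published services; everything else hits the
! implicit deny at the end (no "permit tcp any any").
access-list Outside_access_in extended permit tcp any host 216.241.48.66 eq www
access-list Outside_access_in extended permit tcp any host 216.241.48.66 eq https
access-list Outside_access_in extended permit tcp any host 216.241.48.67 eq smtp
access-group Outside_access_in in interface Outside
!
! DMZ ACL: a compromised web server may reach the Internet but not the Inside LAN.
access-list DMZ_access_in extended deny ip any 192.168.11.0 255.255.255.0
access-list DMZ_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-group DMZ_access_in in interface DMZ
!
! Log to a buffer so "no route" style messages can be read with "show logging".
logging enable
logging buffered informational
```

The ACL on Outside references the public (translated) addresses, as in the lines quoted above, which is how pre-8.3 ASA software matches inbound traffic.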
