03.04.2008 at 10:13AM PST, ID: 23213476
Basic NAT/Access List setup for 3-leg network

Asked by juggernaughty in Networking Hardware Firewalls, Cisco PIX Firewall

Tags: cisco, asa, 5505, security plus license

Experts,

I need help configuring an ASA 5505 with a security plus license. I have split up the interfaces between three VLANs (Internal), (external), (DMZ). I am new to Cisco so please be verbose. Below I have a list of requirements and also a list of questions pertaining to them.

Specs:
ASA Version: 7.2(3)
ASDM Version: 5.2(3)
Firewall Mode: Routed
Context Mode: Single
In the Attached Picture is the network number scheme that will be used.

Configuration Requirements:
- (Internal) clients need to be able to communicate with devices on the Internet.
- (Internal) clients need to be able to communicate with some (DMZ) clients.
- (External) clients need to be able to communicate with (DMZ) servers.
** - Down the road I want to be able to remotely VPN into the ASA.


Questions:

1. What do I need to configure to allow (internal) resources to access (DMZ) resources? Since all interfaces are a part of the ASA do I need to do any type of routing for the two to talk to each other?

2. What kind of access lists will need to be created for question 1.? Can you give me an example using the attached picture?

3. Configuring NAT: The device came pre-configured so that (internal) resources could access (outside) resources using dynamic NAT. The rule looks like this:
Real address: interface inside, IP address: 0.0.0.0, Netmask: 0.0.0.0
Dynamic Translation: interface: outside
-->What does all 0's mean in the IP and netmask?

4. Should I use static NAT with PAT if I want (external) resources to access specific (DMZ) resources over a specified port?

5. Pertaining to question 4., if I use PAT will the ASA drop any (external) incoming traffic that is not specified for a configured port? For example, if I have a web server and an SMTP spam filter device in the (DMZ) will the ASA only allow traffic that is defined for ports 25 and 80/443 from (external) interface?


Thank you in advance for your time and effort.
Attachments: Picture of ASA network
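The expert answers in this thread are behind the paywall and do not appear on the page. As an added illustration, not the accepted solution and not the asker's own configuration, the block below maps the requirements and questions above onto ASA 7.2 CLI (pre-8.3 NAT syntax, matching the version listed in the specs). The network diagram is not available, so 192.168.1.0/24 (inside), 192.168.2.0/24 (dmz), 203.0.113.0/24 (outside), the DMZ host addresses and the VLAN/port numbers are all placeholders.

```text
! Added example for the 3-leg layout described in the question (not from the thread;
! the attached picture is unavailable, so every address below is a placeholder).
! Uses the pre-8.3 nat/global/static style that ASA 7.2(3) expects.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
 switchport access vlan 3
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Q3: CLI form of the pre-configured ASDM rule. "0.0.0.0 0.0.0.0" means any source
! address/mask, so every inside host is PATed to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
!
! Q1: no routing is needed between directly connected legs. Higher security (inside)
! may initiate to lower security (dmz) by default, but inside addresses must stay
! untranslated on the way; this identity static keeps them unchanged.
static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Q4/Q5: static PAT publishes one DMZ service per rule on the outside interface IP.
static (dmz,outside) tcp interface www   192.168.2.10 www   netmask 255.255.255.255
static (dmz,outside) tcp interface https 192.168.2.10 https netmask 255.255.255.255
static (dmz,outside) tcp interface smtp  192.168.2.20 smtp  netmask 255.255.255.255
!
! Pre-8.3 ACLs match the translated (outside) address. Only these ports are permitted;
! anything else arriving on outside has no translation and hits the implicit deny.
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit tcp any interface outside eq https
access-list outside_in extended permit tcp any interface outside eq smtp
access-group outside_in in interface outside
!
! Q2: optional tightening of inside -> dmz to the hosts/ports actually needed.
access-list inside_in extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.2.10 eq www
access-list inside_in extended deny ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-group inside_in in interface inside
```

Verify the result with `show xlate` and `show access-list outside_in` after test connections; the per-line hit counts in the ACL output are the quickest way to confirm that only the published ports are being reached from outside.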
03.04.2008 at 11:24AM PST, ID: 21044146

About this solution

Solution Provided By: batry_boy
Participating Experts: 3
Solution Grade: A