Link to home
Start Free TrialLog in
Avatar of jwjones2000
jwjones2000

asked on

Cisco 5510 ASA Version 8.0(2) ASDM 6.0(2) Basic configuration.

This is my first time configuring a cisco 5510 ASA firewall. How can I go to the internet using the Cisco 5510 Device?

(outside) Public block IP - 67.115.20.128    255.255.255.128
(outside) Gateway 67.115.20.129

(inside) LAN Block IP  - 10.9.0.0   25.255.255.0

Here is what I got so far:
names
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 67.115.20.130 255.255.255.192
 ospf cost 10
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.9.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 151.164.1.6
 name-server 68.94.157.1
 name-server 204.60.203.190
 domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 67.115.
20.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:72bf6f02ffcbaceeb869cb80c8824120
ciscoasa#

Avatar of jwjones2000
jwjones2000

ASKER

Update on the cisco configuration:

ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 67.115.20.130 255.255.255.128
 ospf cost 10
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.9.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 151.164.1.6
 name-server 68.94.157.1
 name-server 204.60.203.190
 domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 67.115.
20.128 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
static (Inside,Inside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.9.0.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47e78117519a81c927dc1a96f4626085
I won't do another change but this is the last thing I have on the Cisco 5510 ASA

ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 67.115.20.130 255.255.255.128
 ospf cost 10
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.9.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 151.164.1.6
 name-server 68.94.157.1
 name-server 204.60.203.190
 domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 host 67
.115.20.130
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
access-group Inside_access_in_2 in interface Inside
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:aeb4262d8a5e1196cb83a9c9da17138a
Avatar of Les Moore
Remove the acl from the interface. It is not necessary unless you want to severely restrict outbound traffic:

 no access-group Inside_access_in_2 in interface Inside

Add icmp inspect. Use Command line tool, Multi-line. Copy/paste the following:
 policy-map global_policy
 class inspection_default
  inspect icmp

>global (Outside) 101 interface
>static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
You can't do both using the interface IP. You can't do both static and dynamic using "interface".
no static (Inside,Outside) interface 67.115.20.130 netmask 255.255.255.255
clear xlate


I did the following commands:

no access-group Inside_access_in_2 in interface Inside

I got the following Error:
ERROR: access-list Inside_access_in_2 is not associated with interface Inside


The multi-line command was successful


The last command no static:

ERROR: static element not found

ASA Version 8.0(2)
!
hostname ciscoasa
domain-name hbr.ads.inc
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 description WAN Interface
 nameif Outside
 security-level 0
 ip address 67.115.20.130 255.255.255.128
 ospf cost 10
!
interface Ethernet0/1
 description LAN Interface
 nameif Inside
 security-level 100
 ip address 10.9.0.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 151.164.1.6
 name-server 68.94.157.1
 name-server 204.60.203.190
 domain-name hbr.ads.inc
access-list Inside_access_in extended permit ip 10.9.0.0 255.255.255.0 66.120.12
7.0 255.255.255.192
access-list Inside_access_in_1 extended permit ip 66.120.127.0 255.255.255.192 a
ny
access-list Inside_access_in_2 extended permit ip 10.9.0.0 255.255.255.0 host 67
.115.20.130
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
route Outside 67.115.20.128 255.255.255.128 67.115.20.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.9.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 10.9.0.2-10.9.0.5 Inside
dhcpd dns 10.9.0.1 interface Inside
dhcpd enable Inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:681c0d129d06328ddb166db40a9be338


OK, but it looks like it removed the acl anyway. Any change in results?
Can you ping your gateway from the ASA? 67.115.20.129
Can you ping that gateway from a PC?
Can you ping anything else past that, like 198.6.1.2 ?
OK, but it looks like it removed the acl anyway. Any change in results?


Can you ping your gateway from the ASA? 67.115.20.129
PIng 67.115.20.129 using Interface (outside)

Results :

Type escape sequence to abort.
sending 5, 100-byte ICMP Echos to 67.115.20.129, timeout is 2 seconds:
!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10ms

Can you ping that gateway from a PC?

1st PC settings
IP address: 10.9.0.2
subnet: 255.255.255.0
gateway: 10.9.0.1
DNS: 10.9.0.1
Ping to 10.9.0.1 (GOOD)
browse to www.msn.com (NOT GOOD)



2nd PC settings (managment card)
IP address: 192.168.1.2
subnet: 255.255.255.0
gateway: 192.168.1.1
DNS: 192.168.1.1
ping to 192.168.1.1 (GOOD)
browse to www.msn.com (NOT GOOD)


Can you ping anything else past that, like 198.6.1.2 ?
PC1 NO
PC2 NO
Let me tell you the device layout

AT&T gave us a Cisco router ( cisco 2600) I don't have access to that router but it's just a point to point.

AT&T cisco router goes to 8 port Switch (DMZ zone)
from switch (DMZ) port 1 goes to Sonic wall (PUBLIC IP 66.120.127.3)
from switch (DMZ) port 2 goes to CISCO 5510 ASA (PUBLIC IP 67.155.20.130)

We have two blocks of IP from AT&T
66.120.127.0/26
67.115.20.128/25

Why I have 2 firewall after DMZ switch? as soon Cisco 5510 starts working I will remove sonic wall and the cisco 5510 will replace sonicwall.

Does 67.115.20.130 works? Yes it does work because I plug in a stand alone computer on the DMZ zone before the sonic wall and cisco firewall and I configure the network card from my pc and it works I can go out using that public IP.


ASKER CERTIFIED SOLUTION
Avatar of Les Moore
Les Moore
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial