Need help setting up Cisco ASA 5510

Posted on 2007-10-17
Last Modified: 2010-05-18
I need some help getting this ASA 5510 set up. This device is new out of the box. I have attempted making some changes, and have gotten as far as being able to ping from the pix, but my inside host cannot ping, nor access the internet. This is a test setup, so I can make any changes needed:

ASA Version 7.0(7)
hostname reg1asa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.2
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd xxxxxxxxxxxxxxx encrypted
ftp mode passive
pager lines 20
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
route outside x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global

The x.x.x.1 and x.x.x.2 share the same x.x.x, just in case you were wondering. All I need to accomplish is to give the inside interface access to the internet, through the outside interface, with the ability to use icmp from the inside, to the internet.
Question by: ptuttle1319

    Accepted Solution

    Your config is pretty close, you might try

    dhcpd dns
    (using the ip of your ISP provided dns server)
    You will need to ipconfig /renew your clients

    access-list outside_access_in permit icmp any any
    access-group outside_access_in in interface outside
    should allow you to use ping

    Good Luck,

    Author Comment

    That worked with the pinging. In the end, this device will be on a network where the clients are getting their dhcp and dns from an active directory DC (I only had the dhcp turned on the inside interface for testing) so how would I get internet access to the host, assuming it was pointing at an internal dns server? Or say I pointed it to I am used to working with the PIX firewalls, so I am a little fuzzy on the new look to the acl rules, how would the outside_access_in rule compare to a comparable pix rule?

    Expert Comment

    Actually, if you have a domain controller, that will act as your dns server so you will not need to add any additional commands to the ASA. The domain controller will act as the DNS server, if there are external DNS requests it will use its database of known DNS servers, and since the ASA is a stateful firewall it will allow the DNS queries to be answered to your domain controller by default.

    The only time you need to create an access list with the ASA is when the connection is initiated from outside your network, i.e. you have a web server or mail server. In the case of your ping issue, ping initiates a separate response from the host being pinged so it is a little different.

    Hope this helps clarify a little.

    Good Luck
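
Added example, not part of the original thread: the accepted answer's `permit icmp any any` entry lets every ICMP type through the outside ACL, so the fragment below shows two narrower ways to get ping working from the inside. It reuses the ACL name `outside_access_in` and the `global_policy` policy map from the posts above; everything else is an assumption about a test setup like the one described.

```cisco
! Added example; ACL and policy-map names are taken from the thread.
!
! As posted in the accepted answer: all ICMP types are permitted
! inbound by the outside ACL, not just replies to inside pings.
! access-list outside_access_in permit icmp any any
!
! Option A: keep the ACL, but permit only the reply and error types
! that inside-initiated ping and traceroute depend on.
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
!
! Option B: have the inspection engine track ICMP sessions, so an
! echo reply is allowed back only when it matches an echo request
! that left through the firewall. No inbound ICMP ACL entry is
! needed for ping with this in place.
policy-map global_policy
 class inspection_default
  inspect icmp
```

`show access-list outside_access_in` shows per-entry hit counts, and `show service-policy` confirms whether ICMP inspection is active.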

