Need help setting up Cisco ASA 5510

Posted on 2007-10-17
Last Modified: 2010-05-18
I need some help getting this ASA 5510 set up. This device is new out of the box. I have attempted making some changes, and have gotten as far as being able to ping 4.2.2.2 from the pix, but my inside host cannot ping, nor access the internet. This is a test setup, so I can make any changes needed:

ASA Version 7.0(7)
!
hostname reg1asa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.21.15.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxxx encrypted
ftp mode passive
pager lines 20
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.21.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.21.100.2-10.21.100.254 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

The x.x.x.1 and x.x.x.2 share the same x.x.x, just in case you were wondering. All I need to accomplish is to give the inside interface access to the internet, through the outside interface, with the ability to use icmp from the inside, to the internet.
Question by:ptuttle1319
Accepted Solution

by: Darkstriker69 earned 2000 total points
ID: 20097786
Your config is pretty close, you might try

dhcpd dns xxx.xxx.xxx.xxx
(using the ip of your ISP provided dns server)
You will need to ipconfig /renew your clients

access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
should allow you to use ping

Good Luck,
Darkstriker69

Author Comment

by:ptuttle1319
ID: 20100969
That worked with the pinging. In the end, this device will be on a network where the clients are getting their dhcp and dns from an active directory DC (I only had the dhcp turned on the inside interface for testing) so how would I get internet access to the host, assuming it was pointing at an internal dns server? Or say I pointed it to 4.2.2.2? I am used to working with the PIX firewalls, so I am a little fuzzy on the new look to the acl rules; how would the outside_access_in rule compare to a comparable pix rule?

Expert Comment

by:Darkstriker69
ID: 20105383
Actually, if you have a domain controller, that will act as your dns server so you will not need to add any additional commands to the ASA. The domain controller will act as the DNS server; if there are external DNS requests it will use its database of known DNS servers, and since the ASA is a stateful firewall it will allow the DNS queries to be answered to your domain controller by default.

The only time you need to create an access list with the ASA is when the connection is initiated from outside your network, i.e. you have a web server or mail server. In the case of your ping issue, ping initiates a separate response from the host being pinged so it is a little different.

Hope this helps clarify a little.

Good Luck

Darkstriker69
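
Added example, not part of the original thread: the accepted `permit icmp any any` entry admits every ICMP type on the outside interface, which is wider than returning ping replies requires. The fragment below sets it beside two narrower options, reusing the ACL and policy names from the posted config; the choice of ICMP types in option B is an assumption about what the site wants to allow back in.

```cisco
! As posted in the accepted answer: every ICMP type, from any source,
! is permitted inbound on the outside interface.
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside

! Option A: let the ASA track ICMP statefully instead of opening the ACL.
! With ICMP inspection enabled, an echo reply is allowed back only when it
! matches an echo request that left through the firewall, so no inbound
! ICMP entry is needed on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp

! Option B: keep an ACL, but admit only reply and error types rather
! than all ICMP. Remove the broad entry first.
no access-list outside_access_in permit icmp any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
```

After either change, `show access-list outside_access_in` shows per-entry hit counts, which confirms whether the remaining entries are the ones actually matching return traffic.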