Solved

ASA 5510 Simple Configuration

Posted on 2008-10-27
Last Modified: 2012-08-13
Installing an ASA 5510 to replace a NS25 firewall.  Just trying to configure it simply to allow internal users access to internet, mail to flow in and out, and remote desktop to our terminal server for now.  Following other examples and posts it seems I have things right but obviously not.  (I've masked my real IPs)

Router IP: 13.14.15.226
Outside IP: 13.14.15.227
Inside IP: 172.16.200.1
Mail Outside: 13.14.15.229
Mail Inside: 172.16.200.11
RDP Outside: 13.14.15.228
RDP Inside: 172.16.200.18
: Saved
:
ASA Version 7.2(4)
!
hostname HOSTNAME
domain-name DomainName
enable password djBGF9s0Ewnh5zzk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 13.14.15.227 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 172.16.200.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.10 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DomainName
same-security-traffic permit inter-interface
object-group service Mail tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq ssh
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type Ping
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service rdp tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
access-list 100 extended permit tcp any any object-group DM_INLINE_TCP_2
access-list 100 extended permit tcp any host 13.14.15.229 object-group Mail
access-list 100 extended permit icmp any any object-group Ping
access-list 100 extended permit tcp any host 13.14.15.228 object-group rdp
access-list Inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Outside) 1 13.14.15.226
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) 13.14.15.229 172.16.200.11 netmask 255.255.255.255
access-group 100 in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 13.14.15.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 management
http 172.16.200.0 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.11-192.168.10.254 management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b1268413d342cfbe1692ceb23651a6ad
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Question by:benhar
Accepted Solution

by:
lrmoore earned 500 total points
ID: 22818247
Start by removing the acl from the inside interface
   no access-group Inside_access_in in interface Inside

Then tell us exactly what does work and what does not.
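A small defender-side audit of the posted configuration, added here as an example and not part of the question or the accepted answer. It parses only the access-list, access-group and static lines (the sample below is copied from the relevant lines of the post), then reports what each applied ACL actually permits, since everything else falls to the implicit deny that the accepted answer removes from the Inside interface, and flags any host rule on an interface that has no matching static translation (on the posted config that is the 13.14.15.228 RDP rule). Service object-groups are reported by name, not expanded.

```python
# Constructed sample: the access-list, access-group and static lines from the post.
ASA_CONFIG = """
access-list 100 extended permit tcp any any object-group DM_INLINE_TCP_2
access-list 100 extended permit tcp any host 13.14.15.229 object-group Mail
access-list 100 extended permit icmp any any object-group Ping
access-list 100 extended permit tcp any host 13.14.15.228 object-group rdp
access-list Inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
static (Inside,Outside) 13.14.15.229 172.16.200.11 netmask 255.255.255.255
access-group 100 in interface Outside
access-group Inside_access_in in interface Inside
"""

def _addr(tok, i):
    if tok[i] == "any":  # 'any' is one token; 'host X' and 'NET MASK' are two
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return tok[i] + "/" + tok[i + 1], i + 2

def parse(config):
    """Return (acls, groups, statics) from the lines this audit cares about."""
    acls, groups, statics = {}, {}, set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["extended", "permit"]:
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            # Service object-groups are recorded by name only, not expanded.
            svc = tok[i + 1] if tok[i:i + 1] == ["object-group"] else "any"
            acls.setdefault(tok[1], []).append((tok[4], src, dst, svc))
        elif tok[:1] == ["access-group"]:
            groups[tok[4]] = (tok[1], tok[2])  # interface -> (acl, direction)
        elif tok[:1] == ["static"]:
            mapped_if = tok[1].strip("()").split(",")[1]  # "(real,mapped)"
            statics.add((mapped_if, tok[2]))  # (interface, mapped address)
    return acls, groups, statics

def audit(config):
    """List what each applied ACL permits and host rules that lack a static."""
    acls, groups, statics = parse(config)
    findings = []
    for iface, (acl, direction) in groups.items():
        rules = acls.get(acl, [])
        svcs = sorted({svc for _, _, _, svc in rules})
        findings.append(f"{iface} {direction}: {acl} permits only {svcs}; rest is implicit deny")
        for _, _, dst, _ in rules:
            if dst != "any" and "/" not in dst and (iface, dst) not in statics:
                findings.append(f"{acl}: host {dst} on {iface} has no static; nothing to translate to")
    return findings
```

Running `audit(ASA_CONFIG)` shows the Inside ACL permits nothing but the DM_INLINE_TCP_1 ports, which is why outbound DNS, mail and everything else stopped until that access-group was removed.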
Author Comment

by:benhar
ID: 22826673
That seems to have done it.  I haven't been able to test if webmail or remote desktop work yet.  I'll do that a little later this week.