Solved

ASA 5510 Simple Configuration

Posted on 2008-10-27
Last Modified: 2012-08-13
Installing an ASA 5510 to replace a NS25 firewall. Just trying to configure it simply to allow internal users access to internet, mail to flow in and out, and remote desktop to our terminal server for now. Following other examples and posts it seems I have things right but obviously not. (I've masked my real IPs)

Router IP: 13.14.15.226
Outside IP: 13.14.15.227
Inside IP: 172.16.200.1
Mail Outside: 13.14.15.229
Mail Inside: 172.16.200.11
RDP Outside: 13.14.15.228
RDP Inside: 172.16.200.18
: Saved
:
ASA Version 7.2(4)
!
hostname HOSTNAME
domain-name DomainName
enable password djBGF9s0Ewnh5zzk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 13.14.15.227 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 172.16.200.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.10 255.255.255.0
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name DomainName
same-security-traffic permit inter-interface
object-group service Mail tcp
 port-object eq www
 port-object eq https
 port-object eq smtp
 port-object eq ssh
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type Ping
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service rdp tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
access-list 100 extended permit tcp any any object-group DM_INLINE_TCP_2
access-list 100 extended permit tcp any host 13.14.15.229 object-group Mail
access-list 100 extended permit icmp any any object-group Ping
access-list 100 extended permit tcp any host 13.14.15.228 object-group rdp
access-list Inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Outside) 1 13.14.15.226
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) 13.14.15.229 172.16.200.11 netmask 255.255.255.255
access-group 100 in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 13.14.15.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 management
http 172.16.200.0 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.11-192.168.10.254 management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b1268413d342cfbe1692ceb23651a6ad
: end


0
Question by:benhar
2 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22818247
Start by removing the acl from the inside interface
   no access-group Inside_access_in in interface Inside

Then tell us exactly what does work and what does not.
0
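As an added illustration of why that helps (example code written for this page, not from either poster and not a Cisco tool): the script parses a constructed excerpt of the posted config and reports the two gaps a reviewer would flag, the host 13.14.15.228 that access-list 100 permits but no static maps, and the services the Inside ACL's implicit deny drops (DNS and outbound SMTP here, since DM_INLINE_TCP_1 only holds www/https); once the Inside binding is removed the second check returns nothing. The function names, the `needed` service list and the excerpt are assumptions.

```python
import re
# Constructed excerpt of the ASA 7.2(4) config posted in the question (IPs masked as in the post).
CONFIG = """\
object-group service rdp tcp
 port-object eq 3389
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
access-list 100 extended permit tcp any host 13.14.15.229 object-group Mail
access-list 100 extended permit tcp any host 13.14.15.228 object-group rdp
access-list Inside_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
static (Inside,Outside) 13.14.15.229 172.16.200.11 netmask 255.255.255.255
access-group 100 in interface Outside
access-group Inside_access_in in interface Inside
"""

def parse(text):
    """Collect tcp service groups, ACL permit entries, static-NAT outside IPs and ACL bindings."""
    groups, acls, statics, bindings, cur = {}, {}, set(), {}, None
    for line in text.splitlines():
        if m := re.match(r"object-group service (\S+) tcp", line):
            cur = groups.setdefault(m[1], set())
        elif m := re.match(r" port-object eq (\S+)", line):
            cur.add(m[1])
        elif m := re.match(r"access-list (\S+) extended permit (\S+) (.+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"static \(\S+\) (\S+) ", line):
            statics.add(m[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            bindings[m[2]] = m[1]
    return groups, acls, statics, bindings

def unmapped_outside_hosts(text):
    """Hosts the Outside ACL permits but no static NAT maps: allowed by the ACL, then undeliverable."""
    groups, acls, statics, bindings = parse(text)
    hosts = {m[1] for _, rest in acls.get(bindings.get("Outside"), [])
             for m in [re.search(r"host (\S+)", rest)] if m}
    return sorted(hosts - statics)

def inside_acl_blocks(text, needed=("domain", "smtp")):
    """Services the Inside ACL's implicit deny drops; with no ACL bound, Inside->Outside flows by security level."""
    groups, acls, _, bindings = parse(text)
    if "Inside" not in bindings:
        return []
    allowed = set()
    for _, rest in acls.get(bindings["Inside"], []):
        if m := re.search(r"object-group (\S+)", rest):
            allowed |= groups.get(m[1], set())
    return sorted(set(needed) - allowed)
```

Dropping the Inside ACL restores outbound traffic by security level; the stricter alternative is to keep it and add permits for the services it is missing.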
 
LVL 4

Author Comment

by:benhar
ID: 22826673
That seems to have done it.  I haven't been able to test if webmail or remote desktop work yet.  I'll do that a little later this week.
0
