• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 309

ASA 5510 configuration

Hi, I have been assigned a project that requires configuring an ASA 5510. I need to create some access lists as follows.

SOURCE                      DESTINATION                 PROTOCOL             ACTION
SNMP SERVER (10.0.0.1)      ASA102 MGMT I/F             SNMP, SSH, HTTPS     ALLOW
SKYBOX SERVER (10.0.0.2)    ASA102 MGMT I/F             SSH                  ALLOW
ANY                         ASA102 MGMT and EXT I/F     ALL                  DENY
ASA102 MGMT I/F             SNMP SERVER                 SNMP TRAP            ALLOW
ASA102 MGMT I/F             TACACS SERVER               TACACS+              ALLOW
ASA102 MGMT I/F             CISCOWORKS SERVER           SYSLOG               ALLOW
ANY                         ANY                         ALL                  DROP




Asked by: sujan45

1 Solution

Alan Huseyin Kayahan commented:
Hello sujan45,
       First of all, you don't have to explicitly permit the return traffic, since your firewall inspects the traffic and allows return traffic automatically.
       For SSH and HTTPS access to the firewall from within the management segment connected to the management interface:

ssh 10.0.0.1 255.255.255.255 management
ssh 10.0.0.2 255.255.255.255 management

http server enable
http 10.0.0.1 255.255.255.255 management

   By default, all access towards the outside (unsecure) interface is denied. You don't need an additional ACL to deny it.
   Also make sure SSH is enabled.

Regards
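Added example (editor's, not part of the answer above): a complete management-plane fragment that implements the whole table from the question, in ASA 7.x/8.x syntax. The security-relevant point the table hides is that connections terminating on the ASA itself (SSH, HTTPS/ASDM, SNMP polls) are not filtered by interface access-lists at all; they are admitted only by the ssh, http and snmp-server host statements, so the "ANY → MGMT and EXT I/F, DENY" row is simply the default once those statements list nothing but the two servers. The outbound rows (traps, TACACS+, syslog) are sourced by the ASA and need no ACL either. Assumptions, because the question does not give them: the interface is Management0/0 named "management" with address 10.0.0.254/24, the TACACS+ server is 10.0.0.3 and the CiscoWorks syslog server is 10.0.0.4. The 2048-bit key, SSH version 2, a non-default SNMP community and LOCAL fallback authentication are this editor's choices, not the thread's.

```cisco
! Added example, not from the original thread. Assumed: Management0/0
! named "management", TACACS+ server 10.0.0.3, CiscoWorks syslog server
! 10.0.0.4 (none of these are given in the question).
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.254 255.255.255.0
 management-only
!
hostname ASA102
domain-name example.com
! Local account used only as a fallback when TACACS+ is unreachable.
username admin password <strong-password> privilege 15
!
! --- Rows 1 and 2: SSH to the ASA from the SNMP and Skybox servers only ---
crypto key generate rsa modulus 2048
ssh version 2
ssh timeout 10
ssh 10.0.0.1 255.255.255.255 management
ssh 10.0.0.2 255.255.255.255 management
! No "telnet <host> management" line is configured, so there is no
! cleartext management path to deny.
!
! --- Row 1: HTTPS (ASDM) from the SNMP server only ---
http server enable
http 10.0.0.1 255.255.255.255 management
!
! --- Rows 1 and 4: SNMP polls from, and traps to, 10.0.0.1 ---
! Do not use the default community "public"; pick a non-default string.
snmp-server host management 10.0.0.1 community <non-default-string> version 2c
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! --- Row 5: TACACS+ for device administration (assumed server 10.0.0.3) ---
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host 10.0.0.3
 key <tacacs-secret>
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
!
! --- Row 6: syslog to CiscoWorks (assumed server 10.0.0.4) ---
logging enable
logging timestamp
logging trap informational
logging host management 10.0.0.4
```

To check the result, run show running-config ssh, show running-config http and show running-config snmp-server and confirm that only 10.0.0.1 and 10.0.0.2 appear; then attempt an SSH connection from a host that is not listed and confirm it is refused. Rows 3 and 7 of the table need no configuration of their own: to-the-box traffic from anyone else is dropped because no statement admits it, and through traffic arriving on the outside interface is dropped by the implicit deny at the end of every interface ACL.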
 
sujan45 (Author) commented:
How can I enable SSH on the ASA 5510?
 
Alan Huseyin Kayahan commented:
hostname "firewallshostname"
domain-name "yourdomain.com"
crypto key generate rsa general-keys modulus 1024 noconf
ssh version 2
ssh 10.0.0.1 255.255.255.255 management
ssh 10.0.0.2 255.255.255.255 management
sujan45 (Author) commented:
According to the Cisco site, general-keys is optional. What is noconf at the end?
Can I use the following commands?
crypto key generate rsa
modulus 1024
 
Alan Huseyin Kayahan commented:
Sure, you can use those commands too; I just wrote it all in one line. noconf does not ask you about the generation etc., it just creates the key.
 
sujan45 (Author) commented:
Hi, thanks for your comments.

I have set up a small lab at home with 1 PIX and 2 PCs. The PCs are directly connected to the PIX e1 and e0 interfaces. I can't ping from the inside PC to the outside PC and vice versa, nor can I ping the PCs from the PIX. I have attached the code. Can you please advise? Thanks
102# sh run
: Saved
:
PIX Version 7.0(4)
!
hostname 102
!
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.51.120.11 255.255.255.240
!
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.51.49.17 255.255.255.240
!
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any host 10.51.120.1 eq www
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no failover
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.51.120.10 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.51.120.12 10.51.49.18 netmask 255.255.255.255
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
telnet timeout 10
ssh timeout 10
ssh version 1
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:615013221b71dee2f524fa58ee727f25
 
Alan Huseyin Kayahan commented:
Add the following

policy-map global_policy
 class inspection_default
  inspect icmp

   This will allow you to PING from inside to outside. From outside, all traffic is denied by the default behaviour of the ASA firewall.
    Another concern is that you are NATing the inside traffic to the single outside IP 10.51.120.12, so you can't ping the inside hosts' real IPs from the outside interface. You either have to exempt NAT between the interfaces, or remove the nat statements and configure no nat-control. Neither of the two is a recommended practice.
    Also make sure the Windows firewall is configured with the necessary exceptions for ICMP, or turned off temporarily.

Regards
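Added example (editor's, not part of the answer above): the ICMP inspection the answer recommends, applied to the posted lab config, together with the clean-up it makes possible. Once ICMP is inspected, echo-replies and ICMP errors are matched to the request the inside PC actually sent, so the blanket "permit icmp any any echo-reply/unreachable/time-exceeded" entries in access-list 101 are no longer needed and can be removed; "inspect icmp error" is this editor's addition for the error messages. Two further lines are also the editor's, not the answer's: the posted static translates 10.51.120.12 to 10.51.49.18, while the www entry in access-list 101 permits to 10.51.120.1, which no translation in the posted config covers, so that entry is pointed at the mapped address; and an optional echo permit to the mapped address lets the outside PC ping the inside PC through the static, which is the supported way to reach it from outside without the NAT exemption the answer advises against. The outside PC address 10.51.120.2 used in the ping test is an assumption, since the post does not give it.

```cisco
! Added example, not from the original thread: the answer's "inspect icmp"
! applied to the lab config, plus "inspect icmp error" and the two
! access-list corrections (both the editor's).
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! ICMP is now stateful: replies are allowed only for requests the inside
! PC sent, so the blanket permits are redundant and can be removed.
no access-list 101 extended permit icmp any any echo-reply
no access-list 101 extended permit icmp any any source-quench
no access-list 101 extended permit icmp any any unreachable
no access-list 101 extended permit icmp any any time-exceeded
!
! The static maps 10.51.120.12 <-> 10.51.49.18, but the www rule permitted
! to 10.51.120.1, which nothing translates. Point it at the mapped address.
no access-list 101 extended permit tcp any host 10.51.120.1 eq www
access-list 101 extended permit tcp any host 10.51.120.12 eq www
!
! Optional: let the outside PC ping the inside PC via its mapped address.
! The real address 10.51.49.18 stays unreachable from outside, as the
! answer notes.
access-list 101 extended permit icmp any host 10.51.120.12 echo
!
! Verification from the PIX. 10.51.120.2 is an assumed outside PC address;
! "show conn" should list an ICMP entry while the inside PC is pinging out.
ping inside 10.51.49.18
ping outside 10.51.120.2
show conn
```

If "ping inside 10.51.49.18" still fails after this, the problem is on the PC rather than the PIX, which is the Windows firewall point made in the answer. Before this lab config is reused anywhere other than a lab, "ssh version 1" and "snmp-server community public" in it should also be replaced with SSH version 2 and a non-default community string.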
 
Ernie Beek (Expert) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
