
ASA 5510 configuration

sujan45 asked
Medium Priority
Last Modified: 2012-05-06
Hi, I have been assigned a project that needs configuring an ASA 5510. I need to create some access-lists as follows.

SOURCE             DESTINATION               PROTOCOL           ACTION
SNMP SERVER        ASA102 MGMT I/F           SNMP, SSH, HTTPS   ALLOW
SKYBOX SERVER      ASA102 MGMT I/F           SSH                ALLOW
ANY                ASA102 MGMT and EXT I/F   ALL                DENY
ASA102 MGMT I/F    SNMP SERVER               SNMP TRAP          ALLOW
ASA102 MGMT I/F    TACACS SERVER             TACACS+            ALLOW
ASA102 MGMT I/F    CISCOWORKS SERVER         SYSLOG             ALLOW
ANY                ANY                       ALL                DROP


Top Expert 2007

Hello sujan45,
First of all, you don't have to explicitly permit the return traffic, since your firewall inspects the traffic and allows return traffic automatically.
For SSH and HTTPS access to the firewall from the management segment connected to the management interface:

ssh management
ssh management

http server enable
http management

By default, all access towards the outside (unsecure) interface is denied. You don't need an additional ACL to deny it.
Also make sure SSH is enabled.



How can I enable SSH on the ASA 5510?
Top Expert 2007

hostname "firewallshostname"
domain-name "yourdomain.com"
crypto key generate rsa general-keys modulus 1024 noconf
ssh version 2
ssh management
ssh management


According to the Cisco site, general-keys is optional. What is noconf at the end?
Can I use the following commands?
crypto key generate rsa
modulus 1024
Top Expert 2007

Sure, you can use those commands too; I just wrote it all on one line. noconf does not ask you about generation etc., it just creates the key.
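Putting the two answers together with the rule table from the question, here is an added example (not the expert's or Cisco's own configuration) of a management-plane configuration in ASA 7.x/8.2-style syntax. All addresses are RFC 5737 documentation placeholders, the interface name Management0/0 and the names of the SNMP, Skybox, TACACS+ and CiscoWorks hosts are assumed, and the community string and TACACS+ key are placeholders to be replaced.

```cisco
! Assumed hostnames/addresses (placeholders, not from the original post):
!   SNMP server 192.0.2.10, Skybox 192.0.2.20, TACACS+ 192.0.2.30,
!   CiscoWorks 192.0.2.40, all reachable via the management interface.
hostname ASA102
domain-name example.com
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 management-only          ! no transit traffic through this interface
!
! Generate the SSH host key without the interactive prompt (noconfirm)
crypto key generate rsa general-keys modulus 2048 noconfirm
ssh version 2
ssh timeout 10
!
! Rows 1-2: only the SNMP server and Skybox may SSH to the mgmt interface
ssh 192.0.2.10 255.255.255.255 management
ssh 192.0.2.20 255.255.255.255 management
!
! Row 1: HTTPS (ASDM) to the mgmt interface from the SNMP server only
http server enable
http 192.0.2.10 255.255.255.255 management
!
! Rows 1 and 4: SNMP polling from, and traps to, the SNMP server only
no snmp-server community public
snmp-server community REPLACE-WITH-COMMUNITY
snmp-server host management 192.0.2.10
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! Row 5: TACACS+ for admin logins, LOCAL as fallback if the server is down
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.0.2.30
 key REPLACE-WITH-TACACS-KEY
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
username admin password REPLACE-WITH-PASSWORD privilege 15
!
! Row 6: syslog to CiscoWorks
logging enable
logging trap informational
logging host management 192.0.2.40
!
! Rows 3 and 7 need no ACL: to-the-box access is limited to the ssh/http/
! snmp statements above, and transit traffic not matching an access-group
! is dropped by default (the expert's point about the outside interface).
```

The deny rows are enforced implicitly: any host not listed in an ssh, http or snmp-server host line cannot reach those services on the box, and the management-only interface forwards nothing.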


Hi, thanks for your comments.

I have set up a small lab at home with 1 PIX and 2 PCs. The PCs are directly connected to the PIX e1 and e0 interfaces. I can't ping from the inside PC to the outside PC and vice versa, nor can I ping the PCs from the PIX. I have attached the config. Can you please advise. Thanks
102# sh run:
PIX Version 7.0(4)
hostname 102
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any host eq www
access-group 101 in interface outside
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 netmask
nat (inside) 1
static (inside,outside) netmask
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
telnet timeout 10
ssh timeout 10
ssh version 1
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global


Top Expert 2007
Add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

This will allow you to ping from inside to outside. From outside, all traffic is denied by the default behaviour of the ASA firewall.
Another concern is that you are NATing the inside traffic to a single outside IP, so you can't ping the inside hosts' real IPs from the outside interface. You either have to exempt NAT between the interfaces, or remove the nat statements and put no nat-control. Neither of the two is a recommended practice.
Also make sure the Windows firewall is configured with the necessary exceptions for ICMP, or turned off temporarily.


Ernie Beek, Senior infrastructure engineer
Top Expert 2012

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.