
ASA 5510 configuration

sujan45
sujan45 asked
on
Medium Priority
326 Views
Last Modified: 2012-05-06
Hi, I have been assigned a project that requires configuring an ASA 5510. I need to create access-lists as follows.

SOURCE                  DESTINATION               PROTOCOL           ACTION
SNMP SERVER 10.0.0.1    ASA102 MGMT I/F           SNMP, SSH, HTTPS   ALLOW
SKYBOX SERVER 10.0.0.2  ASA102 MGMT I/F           SSH                ALLOW
ANY                     ASA102 MGMT and EXT I/F   ALL                DENY
ASA102 MGMT I/F         SNMP SERVER               SNMP TRAP          ALLOW
ASA102 MGMT I/F         TACACS SERVER             TACACS+            ALLOW
ASA102 MGMT I/F         CISCOWORKS SERVER         SYSLOG             ALLOW
ANY                     ANY                       ALL                DROP


CERTIFIED EXPERT
Top Expert 2007

Commented:
Hello sujan45,
First of all, you don't have to explicitly permit the return traffic, since your firewall inspects the traffic and allows return traffic automatically.
For SSH and HTTPS access to the firewall from within the management segment connected to the management interface:

ssh 10.0.0.1 255.255.255.255 management
ssh 10.0.0.2 255.255.255.255 management

http server enable
http 10.0.0.1 255.255.255.255 management

By default, all access towards the outside (unsecure) interface is denied. You don't need an additional ACL to deny it.
Also make sure SSH is enabled.

Regards

Author

Commented:
How can I enable SSH on the ASA 5510?
CERTIFIED EXPERT
Top Expert 2007

Commented:
hostname "firewallshostname"
domain-name "yourdomain.com"
crypto key generate rsa general-keys modulus 1024 noconf
ssh version 2
ssh 10.0.0.1 255.255.255.255 management
ssh 10.0.0.2 255.255.255.255 management

Author

Commented:
According to the Cisco site, general-keys is optional. What is noconf at the end?
Can I use the following commands?
crypto key generate rsa
modulus 1024
CERTIFIED EXPERT
Top Expert 2007

Commented:
Sure, you can use those commands too; I just wrote it all on one line. noconf does not ask you about generation etc., it just creates them.

Author

Commented:
Hi, thanks for your comments.

I have set up a small lab at home with 1 PIX and 2 PCs. The PCs are directly connected to the PIX e1 and e0 interfaces. I can't ping from the inside PC to the outside PC or vice versa, nor can I ping the PCs from the PIX. I have attached the code. Can you please advise? Thanks
102# sh run
: Saved
:
PIX Version 7.0(4)
hostname 102
interface Ethernet0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.51.120.11 255.255.255.240
interface Ethernet1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.51.49.17 255.255.255.240
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any host 10.51.120.1 eq www
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no failover
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 10.51.120.10 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.51.120.12 10.51.49.18 netmask 255.255.255.255
access-group 101 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-ipsec
telnet timeout 10
ssh timeout 10
ssh version 1
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect ils
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
Cryptochecksum:615013221b71dee2f524fa58ee727f25:


CERTIFIED EXPERT
Top Expert 2007
Commented:
Add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

This will allow you to PING from inside to outside. From outside, all traffic is denied by the default behaviour of the ASA firewall.
Another concern is that you are NATing the inside traffic to the single outside IP 10.51.120.12, so you can't ping the inside hosts' real IPs from the outside interface. You either have to exempt NAT between interfaces, or remove the nat statements and put no nat-control. Neither of the two is a recommended practice.
Also make sure the Windows firewall is configured with the necessary exceptions for ICMP, or turned off temporarily.

Regards
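An added audit script (not from the thread, Cisco, or any of the commenters) that checks a saved running-config against the question's policy table and the fixes the expert gave above: SSH and HTTPS restricted to the listed hosts on the management interface, ssh version 2, no default SNMP community, and inspect icmp present. The sample config excerpt and the expected host sets are constructed from this thread, and the interface name management is assumed.

```python
import re

# Constructed excerpt modelled on the running-config posted above (not a real device dump).
SAMPLE_CONFIG = """\
hostname 102
ssh 10.0.0.1 255.255.255.255 management
ssh version 1
http server enable
snmp-server community public
policy-map global_policy
 class inspection_default
  inspect ftp
"""

# Hosts the question's policy table allows to reach the management interface (assumed name).
EXPECTED_SSH = {"10.0.0.1", "10.0.0.2"}   # SNMP server and Skybox server
EXPECTED_HTTPS = {"10.0.0.1"}             # SNMP server only
MGMT_IF = "management"
# Matches 'ssh <host> 255.255.255.255 <iface>' and 'http <host> 255.255.255.255 <iface>'
HOST_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) 255\.255\.255\.255 (\S+)$")


def audit_asa_config(config: str) -> list[str]:
    """Compare management-plane lines of an ASA/PIX config with the thread's policy; [] means clean."""
    lines = [line.strip() for line in config.splitlines()]
    ssh_hosts, http_hosts = set(), set()
    for line in lines:
        m = HOST_RE.match(line)
        if m and m.group(3) == MGMT_IF:
            (ssh_hosts if m.group(1) == "ssh" else http_hosts).add(m.group(2))
    findings = []
    if "ssh version 1" in lines:
        findings.append("ssh version 1 is configured; the fix given above is 'ssh version 2'")
    for host in sorted(EXPECTED_SSH - ssh_hosts):
        findings.append(f"missing 'ssh {host} 255.255.255.255 {MGMT_IF}'")
    if "http server enable" in lines:
        for host in sorted(EXPECTED_HTTPS - http_hosts):
            findings.append(f"missing 'http {host} 255.255.255.255 {MGMT_IF}'")
    else:
        findings.append("http server enable is absent, so HTTPS/ASDM management is off")
    if any(line.startswith("snmp-server community public") for line in lines):
        findings.append("snmp-server community is the well-known default 'public'")
    if "inspect icmp" not in lines:
        findings.append("inspect icmp is missing from global_policy (the last answer adds it)")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Feed it the output of show running-config saved to a file to see which of the thread's recommendations are still missing on a device.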

Ernie BeekSenior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.