ASA 5510 configuration

Posted on 2009-02-11
Last Modified: 2012-05-06
Hi, I have been assigned a project that needs configuring an ASA 5510. I need to create some access-lists as follows.

SOURCE             DESTINATION               PROTOCOL           ACTION
SNMP SERVER        ASA102 MGMT I/F           SNMP, SSH, HTTPS   ALLOW
SKYBOX SERVER      ASA102 MGMT I/F           SSH                ALLOW
ANY                ASA102 MGMT and EXT I/F   ALL                DENY
ASA102 MGMT I/F    SNMP SERVER               SNMP TRAP          ALLOW
ASA102 MGMT I/F    TACACS SERVER             TACACS+            ALLOW
ASA102 MGMT I/F    CISCOWORKS SERVER         SYSLOG             ALLOW
ANY                ANY                       ALL                DROP

Question by:sujan45
    LVL 29

    Expert Comment

    by:Alan Huseyin Kayahan
    Hello sujan45,
    First of all, you don't have to explicitly permit the return traffic, since your firewall inspects the traffic and allows return traffic automatically.
    For SSH and HTTPS access to the firewall from within the management segment connected to the management interface:

    ssh management
    ssh management

    http server enable
    http management

    By default, all access towards the outside (insecure) interface is denied. You don't need an additional ACL to deny it.
    Also make sure SSH is enabled.


    Author Comment

    How can I enable SSH on the ASA 5510?
    LVL 29

    Expert Comment

    by:Alan Huseyin Kayahan
    hostname "firewallshostname"
    domain-name ""
    crypto key generate rsa general-keys modulus 1024 noconf
    ssh version 2
    ssh management
    ssh management

    Author Comment

    According to the Cisco site, general-keys is optional. What is noconf at the end?
    Can I use the following command?
    crypto key generate rsa
    modulus 1024
    LVL 29

    Expert Comment

    by:Alan Huseyin Kayahan
    Sure, you can use those commands too; I just wrote it all in one line. noconf does not ask you about generation etc., it just creates the key.
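    To show how the two expert answers above fit together with the requester's access table, here is a complete management-access configuration for an ASA running 7.x/8.x code. This is an added example, not configuration posted in this thread. The hostname, domain name, interface name, the 198.51.100.0/24 management addressing and the server addresses are all assumptions; the community string and TACACS+ key are placeholders. Note that to-the-box traffic (SSH, HTTPS, SNMP polling) is controlled by the ssh/http/snmp-server host statements, not by an interface access-list, which is why the "ANY -> MGMT I/F DENY" row of the table needs no ACL of its own.

```cisco
! Added example (not from the thread). Assumed addressing:
!   management interface  198.51.100.1/24 on Management0/0
!   SNMP/NMS server       198.51.100.10
!   Skybox server         198.51.100.20
!   TACACS+ server        198.51.100.30
!   CiscoWorks (syslog)   198.51.100.40
hostname ASA102
domain-name example.com
!
interface Management0/0
 nameif management
 security-level 100
 ip address 198.51.100.1 255.255.255.0
 management-only
!
! SSH needs an RSA key pair; hostname and domain-name must be set first.
! "noconfirm" (abbreviated "noconf" above) skips the interactive prompt.
crypto key generate rsa general-keys modulus 1024 noconfirm
ssh version 2
ssh 198.51.100.10 255.255.255.255 management
ssh 198.51.100.20 255.255.255.255 management
ssh timeout 10
!
! HTTPS (ASDM) only from the NMS host; nothing else can reach the server.
http server enable
http 198.51.100.10 255.255.255.255 management
!
! SNMP: the NMS may poll the box and receives its traps.
snmp-server host management 198.51.100.10 community <community-string>
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
! TACACS+ for administrator authentication (LOCAL as fallback only).
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 198.51.100.30
 key <tacacs-key>
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
!
! Syslog to CiscoWorks.
logging enable
logging trap informational
logging host management 198.51.100.40
```

    Outbound rows of the table (traps, TACACS+, syslog) are traffic the ASA originates itself, so they are covered by the snmp-server host, aaa-server and logging host lines rather than by an access-list; the return traffic for them is permitted by stateful inspection, as the expert notes.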

    Author Comment

    Hi, thanks for your comments.

    I have set up a small lab at home with 1 PIX and 2 PCs. The PCs are directly connected to the PIX e1 and e0 interfaces. I can't ping from the inside PC to the outside PC and vice versa, nor can I ping the PCs from the PIX. I have attached the config. Can you please advise? Thanks
    102# sh run: 
    PIX Version 7.0(4)
    hostname 102
    interface Ethernet0 
    speed 100 
    duplex full 
    nameif outside 
    security-level 0 
    ip address 
    interface Ethernet1 
    speed 100 
    duplex full 
    nameif inside 
    security-level 100 
    ip address
    access-list 101 extended permit icmp any any echo-reply 
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable 
    access-list 101 extended permit icmp any any time-exceeded 
    access-list 101 extended permit tcp any host eq www
    access-group 101 in interface outside
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    no failover
    no asdm history enable
    arp timeout 14400
    global (outside) 1 netmask
    nat (inside) 1
    static (inside,outside) netmask
    access-group 101 in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 
    half-closed 0:10:00 udp 0:01:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no sysopt connection permit-ipsec
    telnet timeout 10
    ssh timeout 10
    ssh version 1
    console timeout 0
    class-map inspection_default 
     match default-inspection-traffic
    policy-map global_policy
     class inspection_default  
    inspect dns maximum-length 512  
    inspect ftp  
    inspect h323 h225   
    inspect h323 ras  
    inspect http  
    inspect ils  
    inspect netbios   
    inspect rsh   
    inspect rtsp  
    inspect skinny 
    inspect esmtp 
    inspect sqlnet   
    inspect sunrpc  
    inspect tftp  
    inspect sip   
    inspect xdmcp
    service-policy global_policy global


    LVL 29

    Accepted Solution

    Add the following

    policy-map global_policy
     class inspection_default  
         inspect icmp
    This will allow you to PING from inside to outside. From outside, all traffic is denied by the default behaviour of the ASA firewall.
    Another concern is that you are NATing the inside traffic to a single outside IP, so you can't ping the inside hosts' real IP from the outside interface. You either have to exempt NAT between the interfaces, or remove the nat statements and put no nat-control. Neither of the two is a recommended practice.
    Also make sure the Windows firewall is configured with the necessary exceptions for ICMP, or turned off temporarily.
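    As an added example (not configuration from the thread), here is what the accepted solution looks like applied to the lab config posted above, including the NAT exemption the expert mentions for pinging inside hosts by their real address. The lab addressing is assumed: inside 192.168.1.0/24 on e1, outside 10.0.0.0/24 on e0; the original config's addresses are not visible on the page. The exemption and the inbound echo permit are lab-only, for the reason the expert gives.

```cisco
! Added example, not from the thread. Assumed lab addressing:
!   inside  192.168.1.0/24 (PIX e1)    outside 10.0.0.0/24 (PIX e0)
!
! 1. ICMP inspection (the accepted solution): echo replies are matched to
!    the outbound echo as a connection, so inside -> outside ping works
!    without relying on the echo-reply entry in access-list 101.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 2. Lab-only NAT exemption: traffic matching NONAT bypasses the
!    "nat (inside) 1" PAT rule, so inside hosts keep their real address
!    and are reachable from outside by that address.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3. Outside -> inside is denied by default on the lower-security interface,
!    so an outside-initiated echo still needs an explicit entry on the
!    access-list already applied inbound on outside (lab only).
access-list 101 extended permit icmp 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
```

    The outside PC also needs a route to 192.168.1.0/24 via the PIX outside address, and the Windows firewall on the inside PC must allow ICMP echo, or the reply never leaves the host.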

    LVL 35

    Expert Comment

    by:Ernie Beek
    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
