• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 642

How do I configure an ASA 5510 to act like a traditional router

Okay, I am trying to configure an ASA 5510 to act like a traditional Cisco router. I don't want any complicated ACLs on this device.

The only reason I'm using an ASA 5510 for this is because I have a lot of them lying around and I want the fail-over capability.

This device is in place to do a whack of static NAT'ing for an environment where I work. The kicker is, I need to connect 7 of these environments up to a Checkpoint firewall. Oh yeah, each environment is IP'd exactly the same.

So my solution is to put an ASA 5510 (to start, then add a second and use fail-over) in-line to each environment. Each config on the ASAs will be pretty much identical except the one subnet (dcs_dmz) will change for each environment.

So I have configured the ASA the way I think it should be, but when I connect a laptop into each interface (one laptop is at 10.0.1.2, the other at 10.0.10.50) I cannot ping through.

I haven't had a chance to put this into QA to see if the static NAT statements work, I just want to see if ICMP will work first.

I'm a CCNA, but firewalls are pretty foreign to me!

Attached is my config:
ASA Version 8.0(3)6 
!
hostname DMZ-ELG-Staging
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Link to DCS DMZ Switch
 nameif dcs_dmz
 security-level 0
 ip address 10.0.10.254 255.255.255.0 
!
interface Ethernet0/1
 description Link to ELG Switch 1
 nameif elg_sw1
 security-level 0
 ip address 10.0.1.1 255.255.255.252 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list default extended permit ip any any 
access-list default extended permit icmp any any echo 
access-list default extended permit icmp any any echo-reply 
pager lines 24
logging console debugging
logging asdm informational
mtu management 1500
mtu dcs_dmz 1500
mtu elg_sw1 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat (dcs_dmz) 0 10.0.10.0 255.255.255.0
nat (elg_sw1) 0 10.0.1.0 255.255.255.252
static (elg_sw1,dcs_dmz) 192.168.160.65 10.0.10.100 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.81 10.0.10.101 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.129 10.0.10.102 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.17 10.0.10.103 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.1 10.0.10.104 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.33 10.0.10.105 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.49 10.0.10.106 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.145 10.0.10.107 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.146 10.0.10.108 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.183.129 10.0.10.109 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.209 10.0.10.110 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.210 10.0.10.111 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.113 10.0.10.112 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.97 10.0.10.113 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.210.3 10.0.10.114 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.251 10.0.10.115 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.65 10.0.10.116 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.210.2 10.0.10.117 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.1 10.0.10.118 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.17 10.0.10.119 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.33 10.0.10.120 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.1 10.0.10.121 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.17 10.0.10.122 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.182.1 10.0.10.123 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.33 10.0.10.124 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.34 10.0.10.125 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.97 10.0.10.126 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.98 10.0.10.127 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.167 10.0.10.128 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.161 10.0.10.129 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.161 10.0.10.130 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.167 10.0.10.131 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.2 10.0.10.132 netmask 255.255.255.255 
static (dcs_dmz,elg_sw1) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 
static (elg_sw1,dcs_dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.252 
access-group default in interface dcs_dmz
access-group default in interface elg_sw1
route dcs_dmz 172.17.16.0 255.255.252.0 10.0.10.1 1
route dcs_dmz 172.17.60.0 255.255.255.0 10.0.10.1 1
route elg_sw1 192.168.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:10d5ca946cea81c79e2ee6d7107b337f
: end

1 Solution
JFrederick29 commented:
Add this:

conf t
same-security-traffic permit inter-interface

Make sure each PC has the ASA interface IP as their respective default gateway.
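The fix above turns on one global knob; the underlying rule is that an ASA drops traffic between two interfaces that share a security-level unless `same-security-traffic permit inter-interface` is present. The following lint, added here as an example and not part of the thread or of Cisco's tooling, parses an ASA-style config and reports every interface pair that will be silently blocked by that rule. The sample config is constructed to mirror the poster's layout (dcs_dmz and elg_sw1 both at level 0, management at 100).

```python
"""Added lint: interfaces at the same security-level pass no traffic on an
ASA 8.x unless 'same-security-traffic permit inter-interface' is set."""
import re
from collections import defaultdict

# Constructed sample, not the poster's full config: dcs_dmz and elg_sw1
# are both security-level 0 and the permit line is absent.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif dcs_dmz
 security-level 0
!
interface Ethernet0/1
 nameif elg_sw1
 security-level 0
!
interface Management0/0
 nameif management
 security-level 100
!
"""

def parse_interfaces(config: str) -> dict:
    """Map nameif -> security-level for each interface block."""
    levels, nameif, level = {}, None, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif, level = None, None          # new block, reset state
        elif m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)
        elif m := re.match(r"\s+security-level (\d+)", line):
            level = int(m.group(1))
        if nameif is not None and level is not None:
            levels[nameif] = level
    return levels

def find_same_level_pairs(config: str) -> list:
    """Return (a, b, level) for every interface pair sharing a
    security-level when the inter-interface permit line is missing."""
    if re.search(r"^same-security-traffic permit inter-interface\s*$",
                 config, re.M):
        return []                               # knob is on, nothing blocked
    by_level = defaultdict(list)
    for name, lvl in parse_interfaces(config).items():
        by_level[lvl].append(name)
    return [(a, b, lvl) for lvl, names in sorted(by_level.items())
            for i, a in enumerate(sorted(names))
            for b in sorted(names)[i + 1:]]
```

Run `find_same_level_pairs` over a `show running-config` dump; an empty list means either no interfaces share a level or the permit line is already there.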
wmcdon666 (Author) commented:
Yup totally worked!