Solved

How do I configure an ASA 5510 to act like a traditional router

Posted on 2009-05-11
Last Modified: 2012-05-06
Okay, I am trying to configure an ASA 5510 to act like a traditional Cisco router. I don't want any complicated ACLs on this device.

The only reason I'm using an ASA 5510 for this is because I have a lot of them laying around and I want the fail-over capability.

This device is in place to do a whack of static NATing for an environment where I work. The kicker is, I need to connect 7 of these environments up to a Checkpoint firewall. Oh yeah, each environment is IP'd exactly the same.

So my solution is to put an ASA 5510 (to start, then add a second and use fail-over) in-line to each environment. Each config on the ASAs will be pretty much identical except the one subnet (dcs_dmz) will change for each environment.

So I have configured the ASA the way I think it should be, but when I connect a laptop into each interface (one laptop is at 10.0.1.2, the other at 10.0.10.50) I cannot ping through.

I haven't had a chance to put this into QA to see if the static NAT statements work, I just want to see if ICMP will work first.

I'm a CCNA, but firewalls are pretty foreign to me!

Attached is my config:

ASA Version 8.0(3)6
!
hostname DMZ-ELG-Staging
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Link to DCS DMZ Switch
 nameif dcs_dmz
 security-level 0
 ip address 10.0.10.254 255.255.255.0
!
interface Ethernet0/1
 description Link to ELG Switch 1
 nameif elg_sw1
 security-level 0
 ip address 10.0.1.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list default extended permit ip any any
access-list default extended permit icmp any any echo
access-list default extended permit icmp any any echo-reply
pager lines 24
logging console debugging
logging asdm informational
mtu management 1500
mtu dcs_dmz 1500
mtu elg_sw1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat (dcs_dmz) 0 10.0.10.0 255.255.255.0
nat (elg_sw1) 0 10.0.1.0 255.255.255.252
static (elg_sw1,dcs_dmz) 192.168.160.65 10.0.10.100 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.81 10.0.10.101 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.129 10.0.10.102 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.17 10.0.10.103 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.1 10.0.10.104 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.33 10.0.10.105 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.49 10.0.10.106 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.145 10.0.10.107 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.146 10.0.10.108 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.183.129 10.0.10.109 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.209 10.0.10.110 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.210 10.0.10.111 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.113 10.0.10.112 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.97 10.0.10.113 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.210.3 10.0.10.114 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.251 10.0.10.115 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.65 10.0.10.116 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.210.2 10.0.10.117 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.191.1 10.0.10.118 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.191.17 10.0.10.119 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.191.33 10.0.10.120 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.1 10.0.10.121 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.17 10.0.10.122 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.182.1 10.0.10.123 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.33 10.0.10.124 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.34 10.0.10.125 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.161.97 10.0.10.126 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.161.98 10.0.10.127 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.167 10.0.10.128 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.161 10.0.10.129 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.161 10.0.10.130 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.161.167 10.0.10.131 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.2 10.0.10.132 netmask 255.255.255.255
static (dcs_dmz,elg_sw1) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
static (elg_sw1,dcs_dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.252
access-group default in interface dcs_dmz
access-group default in interface elg_sw1
route dcs_dmz 172.17.16.0 255.255.252.0 10.0.10.1 1
route dcs_dmz 172.17.60.0 255.255.255.0 10.0.10.1 1
route elg_sw1 192.168.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:10d5ca946cea81c79e2ee6d7107b337f
: end

Question by:wmcdon666
2 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24363645
Add this:

conf t
same-security-traffic permit inter-interface

Make sure each PC has the ASA interface IP as its respective default gateway.
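The accepted answer turns on the one ASA behaviour that a router never has: two interfaces at the same security-level (here dcs_dmz and elg_sw1, both at 0) do not forward traffic to each other until `same-security-traffic permit inter-interface` is set, no matter what the access-lists permit. The script below is an added example, not part of the question or the answer: it parses an ASA 8.0-style running config, lists the interfaces that can carry transit traffic (named, not shut down, not management-only), finds pairs that share a security-level, and reports them when the permit command is absent. The embedded sample is a trimmed copy of the poster's config; the function and variable names are this example's own.

```python
"""Audit an ASA 8.0-style config for same-security-level interface pairs
that lack 'same-security-traffic permit inter-interface'.

Added example; the config text below is a trimmed copy of the one posted
in the question, not a complete device config."""
from collections import defaultdict

SAMPLE_CONFIG = """\
ASA Version 8.0(3)6
hostname DMZ-ELG-Staging
interface Ethernet0/0
 description Link to DCS DMZ Switch
 nameif dcs_dmz
 security-level 0
 ip address 10.0.10.254 255.255.255.0
!
interface Ethernet0/1
 description Link to ELG Switch 1
 nameif elg_sw1
 security-level 0
 ip address 10.0.1.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
access-group default in interface dcs_dmz
access-group default in interface elg_sw1
"""

PERMIT_CMD = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Map nameif -> security-level for interfaces that can forward transit
    traffic: named, given a level, not shut down and not management-only."""
    interfaces = {}
    block = None

    def flush():
        if (block and block["nameif"] and block["level"] is not None
                and not block["shutdown"] and not block["mgmt_only"]):
            interfaces[block["nameif"]] = block["level"]

    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            flush()
            block = {"nameif": None, "level": None,
                     "shutdown": False, "mgmt_only": False}
        elif block is not None and line.startswith(" "):
            words = line.split()
            if words == ["shutdown"]:
                block["shutdown"] = True
            elif words == ["management-only"]:
                block["mgmt_only"] = True
            elif words[0] == "nameif" and len(words) > 1:
                block["nameif"] = words[1]
            elif words[0] == "security-level" and len(words) > 1:
                block["level"] = int(words[1])
            # "no nameif" / "no security-level" fall through and leave None.
        else:
            # "!" or any global command closes the current interface block.
            flush()
            block = None
    flush()
    return interfaces


def same_security_pairs(interfaces):
    """All (a, b, level) interface pairs that share a security-level."""
    by_level = defaultdict(list)
    for name, level in interfaces.items():
        by_level[level].append(name)
    pairs = []
    for level in sorted(by_level):
        names = sorted(by_level[level])
        for i in range(len(names)):
            for j in range(i + 1, len(names)):
                pairs.append((names[i], names[j], level))
    return pairs


def inter_interface_permitted(config):
    """True if the running config already carries the permit command."""
    return any(line.strip() == PERMIT_CMD for line in config.splitlines())


def audit(config):
    """Return one finding per blocked same-level pair; empty list if clean."""
    if inter_interface_permitted(config):
        return []
    return [f"{a} <-> {b}: both security-level {level}, traffic between them "
            f"is dropped until '{PERMIT_CMD}' is configured"
            for a, b, level in same_security_pairs(parse_interfaces(config))]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no same-security gaps found"]:
        print(finding)
```

Run it against a saved `show running-config`; the management interface is excluded on purpose because a `management-only` interface never forwards transit traffic, so its level is irrelevant to this check.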
 

Author Closing Comment

by:wmcdon666
ID: 31580251
Yup totally worked!
