wmcdon666
asked on
How do I configure an ASA 5510 to act like a traditional router
Okay, I am trying to configure an ASA 5510 to act like a traditional Cisco router. I don't want any complicated ACLs on this device.
The only reason I'm using an ASA 5510 for this is because I have a lot of them laying around and I want the fail-over capability.
This device is in place to do a whack of static NAT'ing for an environment where I work. The kicker is, I need to connect 7 of these environments up to a Checkpoint firewall. Oh yeah, each environment is IP'd exactly the same.
So my solution is to put an ASA 5510 (to start, then add a second and use fail-over) in-line to each environment. Each config on the ASAs will be pretty much identical except the one subnet (dcs_dmz) will change for each environment.
So I have configured the ASA the way I think it should be, but when I connect a laptop into each interface (one laptop is at 10.0.1.2, the other at 10.0.10.50) I cannot ping through.
I haven't had a chance to put this into QA to see if the static NAT statements work, I just want to see if ICMP will work first.
I'm a CCNA, but firewalls are pretty foreign to me!
Attached is my config
ASA Version 8.0(3)6
!
hostname DMZ-ELG-Staging
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description Link to DCS DMZ Switch
nameif dcs_dmz
security-level 0
ip address 10.0.10.254 255.255.255.0
!
interface Ethernet0/1
description Link to ELG Switch 1
nameif elg_sw1
security-level 0
ip address 10.0.1.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list default extended permit ip any any
access-list default extended permit icmp any any echo
access-list default extended permit icmp any any echo-reply
pager lines 24
logging console debugging
logging asdm informational
mtu management 1500
mtu dcs_dmz 1500
mtu elg_sw1 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat (dcs_dmz) 0 10.0.10.0 255.255.255.0
nat (elg_sw1) 0 10.0.1.0 255.255.255.252
static (elg_sw1,dcs_dmz) 192.168.160.65 10.0.10.100 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.81 10.0.10.101 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.129 10.0.10.102 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.17 10.0.10.103 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.1 10.0.10.104 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.33 10.0.10.105 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.49 10.0.10.106 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.145 10.0.10.107 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.146 10.0.10.108 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.183.129 10.0.10.109 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.209 10.0.10.110 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.210 10.0.10.111 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.113 10.0.10.112 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.97 10.0.10.113 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.210.3 10.0.10.114 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.251 10.0.10.115 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.65 10.0.10.116 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.210.2 10.0.10.117 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.191.1 10.0.10.118 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.191.17 10.0.10.119 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.191.33 10.0.10.120 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.1 10.0.10.121 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.17 10.0.10.122 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.182.1 10.0.10.123 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.33 10.0.10.124 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.34 10.0.10.125 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.161.97 10.0.10.126 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.161.98 10.0.10.127 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.167 10.0.10.128 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.160.161 10.0.10.129 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.150.161 10.0.10.130 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.161.167 10.0.10.131 netmask 255.255.255.255
static (elg_sw1,dcs_dmz) 192.168.170.2 10.0.10.132 netmask 255.255.255.255
static (dcs_dmz,elg_sw1) 10.0.10.0 10.0.10.0 netmask 255.255.255.0
static (elg_sw1,dcs_dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.252
access-group default in interface dcs_dmz
access-group default in interface elg_sw1
route dcs_dmz 172.17.16.0 255.255.252.0 10.0.10.1 1
route dcs_dmz 172.17.60.0 255.255.255.0 10.0.10.1 1
route elg_sw1 192.168.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:10d5ca946cea81c79e2ee6d7107b337f
: end
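Added example, not part of the original post: a small config-review script that walks an ASA config of this shape and flags two things a reviewer would raise on it. On the ASA, traffic between two interfaces that share a security level is dropped unless `same-security-traffic permit inter-interface` is configured; the posted config has dcs_dmz and elg_sw1 both at 0 and no such line. It also lists interface ACLs that permit ip any any. The embedded config is a constructed excerpt modelled on the posted one.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the posted ASA 8.0 config (not the full original).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif dcs_dmz
 security-level 0
!
interface Ethernet0/1
 nameif elg_sw1
 security-level 0
!
interface Management0/0
 nameif management
 security-level 100
access-list default extended permit ip any any
access-group default in interface dcs_dmz
access-group default in interface elg_sw1
"""

def parse_interfaces(config):
    # Map each nameif to its security level by walking the 'interface' stanzas.
    levels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                # new stanza, nameif not seen yet
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
    return levels

def audit(config):
    # Findings a config reviewer would raise for a two-interface routed ASA.
    findings, by_level = [], defaultdict(list)
    for name, level in parse_interfaces(config).items():
        by_level[level].append(name)
    permitted = "same-security-traffic permit inter-interface" in config
    for level, names in sorted(by_level.items()):
        if len(names) > 1 and not permitted:
            findings.append(f"interfaces {sorted(names)} share security-level {level} but "
                            "'same-security-traffic permit inter-interface' is absent")
    # Interface ACLs permitting ip any/any let every new connection through; flag for review.
    open_acls = set(re.findall(r"^access-list (\S+) extended permit ip any any", config, re.M))
    for acl, iface in re.findall(r"^access-group (\S+) in interface (\S+)", config, re.M):
        if acl in open_acls:
            findings.append(f"{iface}: ACL {acl} permits ip any any inbound")
    return findings
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to apply the same checks to a real device.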