Solved

How do I configure an ASA 5510 to act like a traditional router

Posted on 2009-05-11
Last Modified: 2012-05-06
Okay, I am trying to configure an ASA 5510 to act like a traditional Cisco router. I don't want any complicated ACLs on this device.

The only reason I'm using an ASA 5510 for this is because I have a lot of them lying around and I want the fail-over capability.

This device is in place to do a whack of static NATing for an environment where I work. The kicker is, I need to connect 7 of these environments up to a Checkpoint firewall. Oh yeah, each environment is IP'd exactly the same.

So my solution is to put an ASA 5510 (to start, then add a second and use fail-over) in-line to each environment. Each config on the ASAs will be pretty much identical except the one subnet (dcs_dmz) will change for each environment.

So I have configured the ASA the way I think it should be, but when I connect a laptop into each interface (one laptop is at 10.0.1.2, the other at 10.0.10.50) I cannot ping through.

I haven't had a chance to put this into QA to see if the static NAT statements work, I just want to see if ICMP will work first.

I'm a CCNA, but firewalls are pretty foreign to me!

Attached is my config:
ASA Version 8.0(3)6 
!
hostname DMZ-ELG-Staging
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Link to DCS DMZ Switch
 nameif dcs_dmz
 security-level 0
 ip address 10.0.10.254 255.255.255.0 
!
interface Ethernet0/1
 description Link to ELG Switch 1
 nameif elg_sw1
 security-level 0
 ip address 10.0.1.1 255.255.255.252 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list default extended permit ip any any 
access-list default extended permit icmp any any echo 
access-list default extended permit icmp any any echo-reply 
pager lines 24
logging console debugging
logging asdm informational
mtu management 1500
mtu dcs_dmz 1500
mtu elg_sw1 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat (dcs_dmz) 0 10.0.10.0 255.255.255.0
nat (elg_sw1) 0 10.0.1.0 255.255.255.252
static (elg_sw1,dcs_dmz) 192.168.160.65 10.0.10.100 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.81 10.0.10.101 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.129 10.0.10.102 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.17 10.0.10.103 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.1 10.0.10.104 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.33 10.0.10.105 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.49 10.0.10.106 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.145 10.0.10.107 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.146 10.0.10.108 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.183.129 10.0.10.109 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.209 10.0.10.110 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.210 10.0.10.111 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.113 10.0.10.112 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.97 10.0.10.113 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.210.3 10.0.10.114 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.251 10.0.10.115 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.65 10.0.10.116 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.210.2 10.0.10.117 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.1 10.0.10.118 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.17 10.0.10.119 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.33 10.0.10.120 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.1 10.0.10.121 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.17 10.0.10.122 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.182.1 10.0.10.123 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.33 10.0.10.124 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.34 10.0.10.125 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.97 10.0.10.126 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.98 10.0.10.127 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.167 10.0.10.128 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.161 10.0.10.129 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.161 10.0.10.130 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.167 10.0.10.131 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.2 10.0.10.132 netmask 255.255.255.255 
static (dcs_dmz,elg_sw1) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 
static (elg_sw1,dcs_dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.252 
access-group default in interface dcs_dmz
access-group default in interface elg_sw1
route dcs_dmz 172.17.16.0 255.255.252.0 10.0.10.1 1
route dcs_dmz 172.17.60.0 255.255.255.0 10.0.10.1 1
route elg_sw1 192.168.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:10d5ca946cea81c79e2ee6d7107b337f
: end

Question by:wmcdon666
2 Comments
Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 24363645
Add this:

conf t
same-security-traffic permit inter-interface

Make sure each PC has the ASA interface IP as their respective default gateway.
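As an added illustration (not part of the original thread), here is a small Python check for the rule behind JFrederick29's fix: the ASA drops traffic between two interfaces that share a security-level (dcs_dmz and elg_sw1 are both 0) unless same-security-traffic permit inter-interface is configured. It parses a constructed excerpt of the posted config and flags the blocked pair; the function names are my own.

```python
# Constructed excerpt of the config posted in the question: two data
# interfaces at security-level 0 and no same-security-traffic line.
CONFIG_BEFORE = """\
interface Ethernet0/0
 nameif dcs_dmz
 security-level 0
 ip address 10.0.10.254 255.255.255.0
!
interface Ethernet0/1
 nameif elg_sw1
 security-level 0
 ip address 10.0.1.1 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 100
 management-only
!
"""

# The same excerpt with the accepted solution applied.
CONFIG_AFTER = CONFIG_BEFORE + "same-security-traffic permit inter-interface\n"


def parse_interfaces(config):
    """Return {nameif: security-level} for every named interface."""
    levels, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # new interface block
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def inter_interface_permitted(config):
    """True if traffic between equal-level interfaces has been allowed."""
    return any(l.strip() == "same-security-traffic permit inter-interface"
               for l in config.splitlines())


def lint(config):
    """List (if_a, if_b, level) pairs that the ASA will silently drop."""
    if inter_interface_permitted(config):
        return []
    levels = parse_interfaces(config)
    names = sorted(levels)
    return [(a, b, levels[a]) for i, a in enumerate(names)
            for b in names[i + 1:] if levels[a] == levels[b]]
```

With the fix applied the pair is cleared; note this check only covers the same-security rule, not the access-list or NAT behaviour of the config.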
Author Closing Comment

by:wmcdon666
ID: 31580251
Yup, totally worked!