wmcdon666


How do I configure an ASA 5510 to act like a traditional router

Okay, I am trying to configure an ASA 5510 to act like a traditional Cisco router. I don't want any complicated ACLs on this device.

The only reason I'm using an ASA 5510 for this is because I have a lot of them lying around and I want the fail-over capability.

This device is in place to do a whack of static NAT'ing for an environment where I work. The kicker is, I need to connect 7 of these environments up to a Checkpoint firewall. Oh yeah, each environment is IP'd exactly the same.

So my solution is to put an ASA 5510 (to start, then add a second and use fail-over) in-line to each environment. Each config on the ASAs will be pretty much identical except the one subnet (dcs_dmz) will change for each environment.

So I have configured the ASA the way I think it should be, but when I connect a laptop into each interface (one laptop is at 10.0.1.2, the other at 10.0.10.50) I cannot ping through.

I haven't had a chance to put this into QA to see if the static NAT statements work, I just want to see if ICMP will work first.

I'm a CCNA, but firewalls are pretty foreign to me!

Attached is my config
ASA Version 8.0(3)6 
!
hostname DMZ-ELG-Staging
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description Link to DCS DMZ Switch
 nameif dcs_dmz
 security-level 0
 ip address 10.0.10.254 255.255.255.0 
!
interface Ethernet0/1
 description Link to ELG Switch 1
 nameif elg_sw1
 security-level 0
 ip address 10.0.1.1 255.255.255.252 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
access-list default extended permit ip any any 
access-list default extended permit icmp any any echo 
access-list default extended permit icmp any any echo-reply 
pager lines 24
logging console debugging
logging asdm informational
mtu management 1500
mtu dcs_dmz 1500
mtu elg_sw1 1500
no failover   
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat (dcs_dmz) 0 10.0.10.0 255.255.255.0
nat (elg_sw1) 0 10.0.1.0 255.255.255.252
static (elg_sw1,dcs_dmz) 192.168.160.65 10.0.10.100 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.81 10.0.10.101 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.129 10.0.10.102 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.17 10.0.10.103 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.1 10.0.10.104 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.33 10.0.10.105 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.49 10.0.10.106 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.145 10.0.10.107 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.146 10.0.10.108 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.183.129 10.0.10.109 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.209 10.0.10.110 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.210 10.0.10.111 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.113 10.0.10.112 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.97 10.0.10.113 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.210.3 10.0.10.114 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.251 10.0.10.115 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.65 10.0.10.116 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.210.2 10.0.10.117 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.1 10.0.10.118 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.17 10.0.10.119 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.191.33 10.0.10.120 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.1 10.0.10.121 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.17 10.0.10.122 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.182.1 10.0.10.123 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.33 10.0.10.124 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.34 10.0.10.125 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.97 10.0.10.126 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.98 10.0.10.127 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.167 10.0.10.128 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.160.161 10.0.10.129 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.150.161 10.0.10.130 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.161.167 10.0.10.131 netmask 255.255.255.255 
static (elg_sw1,dcs_dmz) 192.168.170.2 10.0.10.132 netmask 255.255.255.255 
static (dcs_dmz,elg_sw1) 10.0.10.0 10.0.10.0 netmask 255.255.255.0 
static (elg_sw1,dcs_dmz) 10.0.1.0 10.0.1.0 netmask 255.255.255.252 
access-group default in interface dcs_dmz
access-group default in interface elg_sw1
route dcs_dmz 172.17.16.0 255.255.252.0 10.0.10.1 1
route dcs_dmz 172.17.60.0 255.255.255.0 10.0.10.1 1
route elg_sw1 192.168.0.0 255.255.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:10d5ca946cea81c79e2ee6d7107b337f
: end
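
An added example, not part of the original post or of the members-only answer: a Python check that reads the `nameif`/`security-level` pairs from an ASA config like the one above and reports forwarding interfaces that share a security level when `same-security-traffic permit inter-interface` is absent, a condition under which the ASA does not pass traffic between those interfaces regardless of the ACL. The function name and the trimmed sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: interface stanzas trimmed from the posted config.
SAMPLE = """\
interface Ethernet0/0
 nameif dcs_dmz
 security-level 0
!
interface Ethernet0/1
 nameif elg_sw1
 security-level 0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 management-only
!
"""

def same_level_conflicts(config: str):
    """Return [(level, [nameif, ...])] for forwarding interfaces that share a
    security level, or [] when inter-interface traffic is explicitly permitted."""
    if re.search(r"^same-security-traffic permit inter-interface\s*$", config, re.M):
        return []
    levels = defaultdict(list)
    # Each stanza starts at column 0 with "interface" and ends at the next "!".
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        if not stanza.startswith("interface "):
            continue
        stanza = stanza.split("\n!", 1)[0]
        name = re.search(r"^ nameif (\S+)", stanza, re.M)
        level = re.search(r"^ security-level (\d+)", stanza, re.M)
        skip = re.search(r"^ (shutdown|management-only)\s*$", stanza, re.M)
        if name and level and not skip:
            levels[int(level.group(1))].append(name.group(1))
    return sorted((lvl, sorted(n)) for lvl, n in levels.items() if len(n) > 1)

if __name__ == "__main__":
    for lvl, names in same_level_conflicts(SAMPLE):
        print(f"security-level {lvl}: {', '.join(names)} share a level and "
              "'same-security-traffic permit inter-interface' is not configured")
```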


ASKER CERTIFIED SOLUTION
JFrederick29
This solution is only available to members.
wmcdon666

ASKER

Yup totally worked!