• Status: Solved

Cisco ASA 5510 configuration questions

I recently purchased a Cisco ASA 5510. I have not worked with Cisco products since 2001 and have a few questions. First I will give you my current setup:

1 Domain Controller - DNS, File server standard network, .254 being the gateway or the router, .1 being the PDC.

I need all outgoing traffic enabled
I only need to allow port 3389 for one external user

I will also be setting up VPN with a few 5505s in the next couple of weeks, but for now, I really need to make sure the initial setup is correct on the 5510. I am using the ASDM because my command line is very rusty.

Any help is greatly appreciated. Thanks in advance.
1 Solution
What version of the ASA software are you using?

Plug a laptop into the management port of the asa and browse to (it is the default address, and has DHCP).

Download and install (or run Java) ASDM.

You can run through the startup wizard to configure the interfaces.  Sounds like you'll only need one access list, with one line allowing 3389/tcp in on the external interface.

Once you have your interfaces set up, configure a different IP range for the management interface, or just unplug it. Make sure you can access ASDM from your internal range. (device management, management access).

Let me know what step you're at, and where you need more help.
neves7Author Commented:
Thanks for the quick response.

On the 5510 I have ASA Version 7.0(8) and ASDM Version 5.0(8). I have done a few configurations through the ASDM. Here is what I have so far:

Interface ------Name ----- Enabled - Security Level ----- IP ------ Subnet -------- Management only - MTU
Ethernet0/2 disabled

I also set up PAT to point outgoing traffic to the WAN IP. I am also attaching a Word document showing the two security policies set up, one by PAT and one by adding 3389.
It doesn't look quite right, but that ASDM is quite old, and I don't have access to one to see what it should look like.  

Can you paste the running config?  You should be able to do File, show running config in new window, or download running config.  

I'd also recommend upgrading to either 7.2(4) and ASDM 5.24 or ASA 8.0(4) and ASDM 6.2.1.  
neves7Author Commented:
asdm image disk0:/asdm-508.bin
asdm location LAN0/1
no asdm history enable
: Saved
ASA Version 7.0(8)
hostname CiscoASA5510
domain-name xx.xxxxx.xxx
enable password ms0PCaGLH60KGsxp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Ethernet0/0
 nameif WAN0/0
 security-level 0
 ip address x.x.x.121
interface Ethernet0/1
 nameif LAN0/1
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
ftp mode passive
object-group service RemoteDesktop tcp
 port-object range 3389 3389
access-list WAN0/0_access_in extended permit tcp interface WAN0/0 object-group RemoteDesktop host object-group RemoteDesktop
pager lines 24
logging asdm informational
mtu WAN0/0 1500
mtu LAN0/1 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (WAN0/0) 10 interface
nat (management) 10
access-group WAN0/0_access_in in interface WAN0/0
route WAN0/0 x.x.x.126 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username xxxxxx password xxxxxxx encrypted privilege 15
http server enable
http LAN0/1
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access LAN0/1
dhcpd address LAN0/1
dhcpd address management
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config LAN0/1
dhcpd enable LAN0/1
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
: end

Here is the running config; I only x'd out the username, password and WAN IP. Also, I downloaded the ASDM 6.2.1 bin file; how do I upload that to the 5510?

Also, I can only log in to the ASDM through the management port; I cannot log in through the LAN0/1.
To upgrade, you need to copy both the new ASA OS file and the ASDM file. (Each OS has a corresponding ASDM; you need BOTH or you won't be able to log into ASDM.) You should be able to upload them through the Tools menu, Upgrade Software, or File Management. You can also copy them logged into the command line with "copy tftp flash" and answer the prompts. This requires you to have the files stored in a TFTP server directory on a local machine. SolarWinds offers a free TFTP server. (Like FTP, but no authentication/etc.)

To log into the ASDM from your internal network, you need to add http access. In ASDM, look for 'device access' and 'https/asdm'.  You need to specify an IP allowed to connect, and an Interface. (internal IP address / LAN0/1)
You currently have: 'http LAN0/1'
It should be:              'http LAN0/1' s
This will allow asdm access from the internal network.  (or you can specify a single IP with
1 ip:             http LAN0/1

Your access-list is: access-list WAN0/0_access_in extended permit tcp interface WAN0/0 object-group RemoteDesktop host

It should look something like this:
access-list WAN0/0_access_in extended permit tcp {external host IP} object-group RemoteDesktop host {terminal server Public IP}
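Pulling the accepted answer's steps (one ACL line for 3389/tcp inbound, ASDM reachable from the inside range, management port retired) and the corrections above (http line with a network and mask, ACL with the remote user as source and the public address as destination, matching ASA and ASDM images) into one place, here is what the relevant part of a 7.0-era 5510 config would look like. This is an added example for this page, not the asker's running config or a snippet from the expert. Everything the pasted config had blanked out is an assumption here: the inside network is taken as 192.168.1.0/24 with the PDC at .1 and the ASA's LAN0/1 at .254, the one remote user's public address is the placeholder 203.0.113.10, the admin workstation is 192.168.1.10, the TFTP server is 192.168.1.50, and the image filenames are placeholders to replace with the real ones.

```text
: --- Inside interface (assumed addressing; the pasted config has it blanked) ---
interface Ethernet0/1
 nameif LAN0/1
 security-level 100
 ip address 192.168.1.254 255.255.255.0

: --- Requirement 1: all outgoing traffic, PAT to the WAN interface address ---
: The pasted config has 'global (WAN0/0) 10 interface' but shows a nat
: statement only for the management interface; LAN0/1 needs one too or
: inside hosts are never translated on the way out.
nat (LAN0/1) 10 192.168.1.0 255.255.255.0
global (WAN0/0) 10 interface

: --- Requirement 2: RDP (3389/tcp) for exactly one external user ---
: Port-forward 3389 on the WAN interface address to the PDC (assumed .1).
static (LAN0/1,WAN0/0) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255

: Service object-group as on the page ('port-object range 3389 3389' is equivalent).
object-group service RemoteDesktop tcp
 port-object eq 3389

: Source = the remote user's public IP (placeholder), destination = the WAN
: interface address (a pre-8.3 inbound ACL matches the translated, public
: address), destination port = the object-group.  The pasted ACL had
: 'interface WAN0/0' in the source position and the object-group as a
: source port, which is why it did not match RDP sessions.
access-list WAN0/0_access_in extended permit tcp host 203.0.113.10 interface WAN0/0 object-group RemoteDesktop
access-group WAN0/0_access_in in interface WAN0/0

: --- ASDM from the inside network; the pasted 'http LAN0/1' has no network/mask ---
http server enable
http 192.168.1.0 255.255.255.0 LAN0/1
: tighter alternative: only the admin workstation (assumed address)
: http 192.168.1.10 255.255.255.255 LAN0/1

: --- Checks to run before unplugging the management port ---
show run http
show access-list WAN0/0_access_in
show xlate

: --- Upgrade by the 'copy tftp flash' route; ASA image and ASDM must be a matching pair ---
copy tftp://192.168.1.50/<asa-image>.bin disk0:
copy tftp://192.168.1.50/<asdm-image>.bin disk0:
boot system disk0:/<asa-image>.bin
asdm image disk0:/<asdm-image>.bin
write memory
reload
```

After applying the ACL and static, `show access-list WAN0/0_access_in` should show the hit counter on the permit line climbing when the remote user connects, and `show xlate` should list the static translation for 192.168.1.1. Do `show run http` and confirm you can open ASDM from an inside address before you re-address or unplug the management interface, since that is the only path into the box until then.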
neves7Author Commented:
Sorry there hasn't been an update. The flash ended up being bad and I had to RMA the unit. As soon as the new one comes in, I will reconfigure it and post the running config.