Solved

how to configure a cisco 5510

Posted on 2009-07-15
Last Modified: 2012-05-07
Hi there,
I am having a problem with one Cisco ASA 5510. Here is the scenario: I would like to connect to the corporate network, and they have already assigned me a subnet. The corporate network is 128.29.0.0 and my internal subnet is 10.130.0.0. I was able to do a basic configuration on the router, and I can see the corporate network, ping it, etc., but somehow I am not able to access my 10.130.0.0 from the outside to the inside.

outside 128.29.0.0, inside 10.130.0.0, both netmask 255.255.255.0. I'll attach the config file to this message.

I look forward to hearing from you.

Thanks,
etlab-gw-config.txt
Question by: Islandr

Assisted Solution by: Istvan Kalmar (300 points, ID: 24858635)
Hi,

If you configure NAT exemption (nat 0) and set security level 0 on interface Ethernet0/1, you will be able to reach it!

nat (inside) 0 10.130.0.0 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

But it is a big security hole; I advise you to make an access-list to minimize the security hole!

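The two approaches side by side, as an added example in the pre-8.3 ASA syntax used in this thread; this is not configuration from the post above. The first fragment is what the answer describes (inside lowered to security-level 0 so it is a peer of outside). The second keeps inside at security-level 100, removes the dynamic PAT rule, exempts the lab subnet from NAT in both directions, and permits only what is needed from outside. The interface IP address, the NO_NAT and OUTSIDE_IN_ACL names and the 128.29.109.0/24 source are assumptions.

```cisco
! --- As posted: works, but turns inside and outside into peers ---
! With both interfaces at security-level 0 and inter-interface traffic
! permitted, any outside host can open any connection to any inside host
! until an access-list says otherwise.
interface Ethernet0/1
 nameif inside
 security-level 0
 ip address 10.130.0.1 255.255.255.0
same-security-traffic permit inter-interface
nat (inside) 0 10.130.0.0 255.255.255.0
!
! --- Hardened: keep the trust boundary, exempt from NAT, permit explicitly ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.130.0.1 255.255.255.0
no same-security-traffic permit inter-interface
!
! Drop the dynamic PAT rule that hides 10.130.0.0/24 behind the outside address;
! a host covered by a dynamic rule cannot accept outside-initiated connections.
no nat (inside) 1 0.0.0.0 0.0.0.0
!
! NAT exemption. Plain identity NAT ("nat 0" without an access-list) only
! covers inside-initiated connections; "nat 0 access-list" is bidirectional,
! so outside-initiated connections to 10.130.0.x pass untranslated.
access-list NO_NAT extended permit ip 10.130.0.0 255.255.255.0 any
nat (inside) 0 access-list NO_NAT
!
! Inbound policy (assumed): corporate admin subnet only, RDP and ping only.
! Everything not listed is dropped by the implicit deny at the end of the list.
access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 eq 3389
access-list OUTSIDE_IN_ACL extended permit icmp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 echo
access-group OUTSIDE_IN_ACL in interface outside
```

Check the result before trusting it: packet-tracer input outside tcp 128.29.109.10 40000 10.130.0.25 3389 should end in ALLOW, while the same trace to port 22 should be dropped in the access-list phase. nat-control is off by default on 7.x/8.x, so once the dynamic rule is gone the exemption is belt and braces; it also keeps the lab subnet untranslated if someone later adds a dynamic rule back.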
Accepted Solution by: yashinchalad (200 points, ID: 24858722)
OK, you mean from the outside network (e.g. 128.29.0.1) you need to ping/access the inside (10.130.0.1), right?

In order to do so you need a static NAT/PAT to be done.

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_pass_traffic_without_NAT

Let me know.

Author Comment by: Islandr (ID: 24859133)
ikalmar/yashinchalad,

Thank you for your response, but here is the situation: I do not want to sacrifice security, and at the same time I do not need NAT since the subnet is registered in the corporate network. I would like to know if you are able to provide an access-list configuration that allows me to see traffic both ways without downgrading the security-level on the inside Ethernet0/1.

Another question: how do I remove the NAT on the inside, since I am not going to use it?

Assisted Solution by: Istvan Kalmar (300 points, ID: 24859480)
Hi,

To disable NAT use this:
no nat (inside) 1 0.0.0.0 0.0.0.0

For example, to reach 10.130.0.25 from outside use this:
access-list OUTSIDE_IN_ACL extended permit ip any host 10.130.0.25


Author Comment by: Islandr (ID: 24859881)
Ikalmar,

I greatly appreciate your help and responses. Now, how may I ping and access the whole subnet? How do I RDP and access all my hosts? I was able to ping a specific host in the subnet based on your instructions, but I would like to access the entire subnet 10.130.0.0 from 128.29.109.0. I am dividing my subnet as follows:
10.130.0.1-9: special devices and appliances
10.130.0.10-19: core infrastructure (such as domain controller, DNS, application servers, etc.)
10.130.0.20-100: DHCP VMs
10.130.0.101 until the end: any special VMs or physical servers/workstations/devices

I am not using NAT; I disabled the NAT function since I do not need it. Finally, why does the cursor jump when I am typing/creating an access-list? (I need to sync the subdomain in my subnet with the corporate domain.)

Please, if you could provide all these answers I'll be greatly thankful to you.

Thanks,


Author Comment by: Islandr (ID: 24860847)
Ikalmar,

Sorry that I am asking you again, but did you look at my question? Please let me know.

Thanks,
Assisted Solution by: Istvan Kalmar (300 points, ID: 24861130)
Hi,

RDP works on TCP 3389; if you want to ping, you need to enable icmp and icmp echo.
What type of ports do you want to enable to the inside?

Assisted Solution by: Istvan Kalmar (300 points, ID: 24861178)
ping:
access-list OUTSIDE_IN_ACL extended permit icmp any any echo

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0 eq 3389


Author Comment by: Islandr (ID: 24862790)
Ikalmar,

Thank you for replying. Some of the access-lists that you mentioned I already have, except for:

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0 eq 3389

But I was unable to run this one:
outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0 eq 3389

This is the ERROR message:

access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.130.
0.0 255.255.255.0 eq 3389
                  ^
ERROR: % Invalid input detected at '^' marker.
etlab-gw(config)# access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 2$

Please let me know how I can resolve this problem.

Thanks,

Assisted Solution by: Istvan Kalmar (300 points, ID: 24867698)
Sorry, I mistyped.

Outside full control enable:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0

Assisted Solution by: yashinchalad (200 points, ID: 24867959)
Change ip to tcp in order to avoid the error:

access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0 eq 3389

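The access-list pieces from the last few answers pulled together, as an added example that is not code from either answer. It shows why the rejected line failed (port qualifiers such as eq 3389 exist only after tcp or udp, never after ip), how the non-mask-aligned host ranges from the question (10.130.0.10-19) are expressed, and how ping is handled without opening icmp wide. The destination is 10.130.0.0/24 as in the question (the answers above wrote 10.3.0.0). The object-group names, the DNS/LDAP ports on the core hosts and the existence of the default global_policy service policy are assumptions.

```cisco
! Port qualifiers (eq, range, gt, lt) are only accepted for tcp and udp.
! This is the "outside" line once "ip" is changed to "tcp":
access-list OUTSIDE_IN_ACL remark RDP from the corporate admin subnet to the lab subnet
access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 eq 3389
!
! An access-list matches networks by mask, not by first-last ranges. The core
! infrastructure range 10.130.0.10-19 is three mask-aligned blocks:
!   10.130.0.10/31 (.10-.11), 10.130.0.12/30 (.12-.15), 10.130.0.16/30 (.16-.19)
object-group network CORE_INFRA
 network-object 10.130.0.10 255.255.255.254
 network-object 10.130.0.12 255.255.255.252
 network-object 10.130.0.16 255.255.255.252
!
! Ports the corporate side needs on the lab DC/DNS hosts (assumed; extend per service)
object-group service CORE_TCP tcp
 port-object eq 53
 port-object eq 389
access-list OUTSIDE_IN_ACL remark DNS/LDAP only to the core infrastructure hosts
access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 object-group CORE_INFRA object-group CORE_TCP
access-list OUTSIDE_IN_ACL extended permit udp 128.29.109.0 255.255.255.0 object-group CORE_INFRA eq 53
!
! Ping: permit echo in from the admin subnet only. With icmp inspection enabled
! the ASA tracks echo/echo-reply statefully, so "permit icmp any any" is not
! needed and echo-reply does not have to be opened for pings that start inside.
access-list OUTSIDE_IN_ACL extended permit icmp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 echo
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Bind the list inbound on outside; everything not listed hits the implicit deny.
access-group OUTSIDE_IN_ACL in interface outside
```

show access-list OUTSIDE_IN_ACL prints each entry with its hit count, which is the quickest way to see whether a rule is matching at all; packet-tracer input outside tcp 128.29.109.10 40000 10.130.0.15 389 walks one synthetic packet through the NAT, access-list and inspection phases and names the phase that drops it.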

Author Closing Comment by: Islandr (ID: 31603681)
Ikalmar,
First of all, thank you for your help. At the same time I would like to apologize if I pressed you by insisting on the question, but I asked you a question on several occasions and did not get a reply. I think that you are a great professional, but I recommend providing a faster response to the questions posted.
Yashinchalad,
Thank you for your links; they were very helpful. The combination of you and Ikalmar was just the perfect one. Again, thank you for throwing some light on what I was looking for.
