How to configure a Cisco 5510

Hi there,
I am having a problem with one Cisco ASA 5510. Here is the scenario: I would like to connect to the corporate network, and they have already assigned me a subnet. The corporate network is 128.29.0.0 and my internal subnet is 10.130.0.0. I was able to do a basic configuration on the router, and I can see the corporate network, ping it, etc., but somehow I am not able to access my 10.130.0.0 from the outside to the inside.

Outside 128.29.0.0, inside 10.130.0.0, both netmask 255.255.255.0. I'll attach the config file to this message.

I look forward to hearing from you.

Thanks,
etlab-gw-config.txt
Islandr asked:

Istvan Kalmar (Head of IT Security Division) commented:
Hi,

If you make nonat, and set security level 0 for interface Ethernet0/1, you will be able to reach it!

nat (0) 10.130.0.0 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface



But it is a big security hole; I advise you to make an access-list to minimize the security hole!
yashinchalad commented:
OK, you mean from the outside network (ex: 128.29.0.1) you need to ping/access the inside (10.130.0.1), right?

In order to do so you need static NAT/PAT.

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_pass_traffic_without_NAT

Let me know.
Islandr (Author) commented:
ikalmar/yashinchalad,

Thank you for your response, but here is the situation: I do not want to sacrifice security, and at the same time I do not need NAT since the subnet is registered in the corporate network. I would like to know if you guys are able to provide an access-list configuration that allows me to see traffic both ways without downgrading the security-level on the inside Ethernet0/1.

Another question: how do I remove the NAT on the inside since I am not going to use it?

Istvan Kalmar (Head of IT Security Division) commented:
Hi,

To disable NAT use this:
no nat (inside) 1 0.0.0.0 0.0.0.0

For example, to reach 10.130.0.25 from outside use this:
access-list OUTSIDE_IN_ACL extended permit  ip any host 10.130.0.25
Islandr (Author) commented:
Ikalmar,

I greatly appreciate your help and responses. Now, how may I ping and access the whole subnet? How do I RDP and access all my hosts? I was able to ping a specific host in the subnet based on your instructions, but I would like to access the entire subnet 10.130.0.0 from 128.29.109.0. I am dividing my subnet as follows:
from:
10.130.0.1-9: special devices and appliances
10.130.0.10-19: core infrastructure (such as domain controller, DNS, application servers, etc.)
10.130.0.20-100: DHCP VMs
10.130.0.101 until the end: any special VMs or physical servers/workstations/devices

I am not using NAT; I disabled the NAT function since I do not need it. Finally, why does the cursor jump when I am typing/creating an access-list? (I need to sync the subdomain in my subnet with the corporate domain.)

Please, if you could provide all these answers I'll be greatly thankful to you.

Thanks,
Islandr (Author) commented:
Ikalmar,

Sorry that I am asking you again, but did you look at my question?  Please let me know.

Thanks,
Istvan Kalmar (Head of IT Security Division) commented:
Hi,

RDP works on 3389 TCP; if you want to ping you enable icmp, and icmp-echo.
What type of ports do you want to enable to the inside?
Istvan Kalmar (Head of IT Security Division) commented:
ping:
access-list OUTSIDE_IN_ACL extended permit icmp any any echo

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389
Islandr (Author) commented:
Ikalmar,

Thank you for replying. Some of the access-lists that you mentioned I already have, except for:

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

But I was unable to run this one:
outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

This is the ERROR message:

access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.130.
0.0 255.255.255.0 eq 3389
                  ^
ERROR: % Invalid input detected at '^' marker.
etlab-gw(config)# access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 2$

Please let me know how I can resolve this problem.

Thanks,
Istvan Kalmar (Head of IT Security Division) commented:
Sorry

I've mistyped:

outside full control enable:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0
yashinchalad commented:
Change ip to tcp in order to avoid the error:

access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389
Islandr (Author) commented:
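The two corrections above come down to one ASA parsing rule: a port qualifier such as `eq 3389` is only accepted after a protocol that has ports (tcp or udp), which is why `permit ip ... eq 3389` failed at the `^` marker, and a `permit ip` line with no port opens every protocol to the destination. The following is an added example for this thread, not code from the thread, from Experts Exchange or from Cisco: a small Python linter that parses the `access-list NAME extended permit|deny PROTO SRC DST [eq PORT]` form used in the answers, flags the protocol/port mismatch before the line ever reaches the firewall, and points out permits that are broader than what the question asked for (an `any` source, or `permit ip` where a per-service tcp/udp rule would do). The ACL name, addresses and sample lines are taken from the thread; the finding codes are this example's own invention.

```python
"""Lint Cisco ASA extended access-list lines before typing them in.

Added example for this thread, not code from the thread or from Cisco.
It parses the "access-list NAME extended permit|deny PROTO SRC DST [eq PORT]"
form used in the answers above and flags two things: a port qualifier on a
protocol that has no ports (the mismatch behind the "% Invalid input
detected" error) and permits broader than the stated need.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_PROTOCOLS = {"tcp", "udp"}          # only these carry port numbers
PORT_OPERATORS = {"eq", "neq", "gt", "lt"}
ANY = "0.0.0.0/0"                        # how we represent the keyword "any"


@dataclass
class AclEntry:
    name: str
    action: str
    protocol: str
    src: str                             # CIDR text, ANY for "any"
    dst: str
    port_op: Optional[str] = None
    port: Optional[str] = None
    icmp_type: Optional[str] = None


def _parse_addr(t: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at t[i]: 'any', 'host A.B.C.D' or
    'A.B.C.D MASK'. Returns (cidr_text, index of the next token)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return str(ipaddress.ip_network(t[i + 1])), i + 2
    net = ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)
    return str(net), i + 2


def parse_acl(line: str) -> AclEntry:
    """Parse one extended ACE; raise ValueError for anything else."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended access-list line: {line!r}")
    if t[3] not in ("permit", "deny"):
        raise ValueError(f"expected permit/deny, got {t[3]!r}")
    e = AclEntry(name=t[1], action=t[3], protocol=t[4], src="", dst="")
    e.src, i = _parse_addr(t, 5)
    e.dst, i = _parse_addr(t, i)
    rest = t[i:]
    if rest and rest[0] in PORT_OPERATORS:
        if len(rest) < 2:
            raise ValueError(f"'{rest[0]}' needs a port value")
        e.port_op, e.port = rest[0], rest[1]
    elif rest and e.protocol == "icmp":
        e.icmp_type = rest[0]            # e.g. "echo"
    elif rest:
        raise ValueError(f"unexpected trailing tokens: {' '.join(rest)}")
    return e


def lint_acl(line: str) -> List[str]:
    """Return findings, each prefixed with a code; [] means no concern."""
    try:
        e = parse_acl(line)
    except (ValueError, IndexError) as exc:
        return [f"SYNTAX: {exc}"]
    findings: List[str] = []
    # The thread's error: a port operator is only valid after tcp or udp.
    if e.port_op and e.protocol not in PORT_PROTOCOLS:
        findings.append(f"PORT_ON_PORTLESS_PROTO: '{e.port_op} {e.port}' is not "
                        f"valid after '{e.protocol}'; use tcp or udp")
    if e.action != "permit":
        return findings                  # breadth only matters for permits
    if e.src == ANY:
        findings.append("ANY_SOURCE: every outside host can reach the destination")
    if e.protocol == "ip":
        findings.append(f"ALL_PROTOCOLS: 'permit ip' to {e.dst} allows every "
                        "protocol and port; prefer tcp/udp rules per service")
    return findings


if __name__ == "__main__":
    # Constructed sample lines modelled on the thread's own commands.
    for sample in (
        "access-list OUTSIDE_IN_ACL extended permit ip any host 10.130.0.25",
        "access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 eq 3389",
        "access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 eq 3389",
    ):
        print(sample)
        for f in lint_acl(sample) or ["OK"]:
            print("   ", f)
```

Run against the three lines from the thread, the first (Istvan's single-host example) is reported as `ANY_SOURCE` plus `ALL_PROTOCOLS`, the second reproduces the firewall's objection as `PORT_ON_PORTLESS_PROTO`, and the third (yashinchalad's corrected tcp line) passes clean. Deny entries are only syntax-checked, since a broad deny is not an exposure.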
Ikalmar,
First of all, thank you for your help. At the same time I would like to apologize if I pressed you by insisting on the question, but I asked you a question on several occasions and did not get a reply. I think that you are a great professional, but I recommend providing a faster response to the questions posted.
Yashinchalad,
Thank you for your links; they were very helpful. The combination of you and Ikalmar was just the perfect one. Again, thank you for throwing some light on what I was looking for.