
how to configure a cisco 5510

Posted on 2009-07-15
Last Modified: 2012-05-07
Hi there,
I am having a problem with one Cisco ASA 5510. Here is the scenario: I would like to connect to the corporate network; they have already assigned me a subnet. The corporate network is 128.29.0.0 and my internal subnet is 10.130.0.0. I was able to do a basic configuration on the router, and I can see the corporate network, ping it, etc., but somehow I am not able to access my 10.130.0.0 from the outside to the inside.

outside 128.29.0.0, inside 10.130.0.0, both netmask 255.255.255.0. I'll attach the config file to this message.

I look forward to hearing from you.

Thanks,
etlab-gw-config.txt
Question by:Islandr
12 Comments
 

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24858635
Hi,

If you configure nonat and set security level 0 for interface Ethernet0/1, you will be able to reach it!

nat (inside) 0 10.130.0.0 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface



But it is a big security hole; I advise you to make an access-list to minimize the security hole!

Accepted Solution

by:yashinchalad
yashinchalad earned 200 total points
ID: 24858722
OK, you mean from the outside network (ex: 128.29.0.1) you need to ping/access the inside (10.130.0.1), right?

In order to do so you need a static NAT/PAT.

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_pass_traffic_without_NAT

let me know


Author Comment

by:Islandr
ID: 24859133
ikalmar/yashinchalad,

Thank you for your response, but here is the situation: I do not want to sacrifice security, and at the same time I do not need NAT since the subnet is registered in the corporate network. I would like to know if you guys are able to provide an access-list configuration that allows me to see traffic both ways without downgrading the security-level on the inside Ethernet0/1.

Another question: how do I remove the NAT on the inside since I am not going to use it?

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24859480
Hi,

To disable nat use this:
no nat (inside) 1 0.0.0.0 0.0.0.0

for example, to reach 10.130.0.25 from outside use this:
access-list OUTSIDE_IN_ACL extended permit  ip any host 10.130.0.25

Author Comment

by:Islandr
ID: 24859881
Ikalmar,

I greatly appreciate your help and responses. Now, how may I ping and access the whole subnet? How do I RDP and access all my hosts? I was able to ping a specific host in the subnet based on your instructions, but I would like to access the entire subnet 10.130.0.0 from 128.29.109.0. I am dividing my subnet as follows:
from:
10.130.0.1-9 special devices and appliances
10.130.0.10-19  core infrastructure (such as domain controller, DNS, Application servers, etc.)
10.130.0.20-100 DHCP VM's
10.130.0.101-until the end any special VM's of physical servers/workstations/devices

I am not using NAT; I disabled the NAT function since I do not need it. Finally, why does the cursor jump when I am typing/creating an access-list? (I need to sync the subdomain in my subnet with the corporate domain.)

Please, if you could provide all these answers I'll be greatly thankful to you.

Thanks,

Author Comment

by:Islandr
ID: 24860847
Ikalmar,

Sorry that I am asking you again, but did you look at my question?  Please let me know.

Thanks,

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24861130
Hi,

RDP works on TCP 3389; if you want to ping, you enable icmp and icmp-echo.
What type of ports do you want to enable to inside?

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24861178
ping:
access-list OUTSIDE_IN_ACL extended permit icmp any any echo

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

Author Comment

by:Islandr
ID: 24862790
Ikalmar,

Thank you for replying. Some of the access-lists that you mentioned I already have, except for:

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

But I was unable to run this one:
outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

This is the ERROR message:

access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.130.
0.0 255.255.255.0 eq 3389
                  ^
ERROR: % Invalid input detected at '^' marker.
etlab-gw(config)# access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 2$

Please let me know how I can resolve this problem.

Thanks,

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24867698
Sorry

I've mistyped:

outside full control enable:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0

Assisted Solution

by:yashinchalad
yashinchalad earned 200 total points
ID: 24867959
Change ip to tcp in order to avoid the error:

access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389
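The following is an added example for this thread; it is not configuration from the original posts or from either expert. It puts the weak variant from the first answer (inside interface at security-level 0) beside a least-privilege alternative that keeps inside at security-level 100, uses no translation for the routed 10.130.0.0/24 subnet, and opens only ICMP echo, RDP and (as an illustration of a per-host rule) DNS from the 128.29.109.0/24 management range the asker named, in the pre-8.3 ASA syntax of the period. The interface addresses, the object-group names, the two server addresses inside the asker's 10.130.0.10-19 core range and the "access-group" binding are assumptions; the attached etlab-gw-config.txt is not on the page.

```cisco
! Added example (not from the original thread). ASA 8.0-8.2 syntax.
! Assumed: interface addresses, object-group names, the two core-host addresses.

! --- (A) Weak variant from the first answer: avoid this ---
! interface Ethernet0/1
!  nameif inside
!  security-level 0
! same-security-traffic permit inter-interface
! Inside becomes a peer of outside: 10.130.0.0/24 is no longer the protected
! side, so every corporate host can reach every lab host on every port.

! --- (B) Keep the trust boundary, open only what is needed ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 128.29.0.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.130.0.254 255.255.255.0

! 10.130.0.0/24 is routed in the corporate network, so no translation is needed.
! nat-control is off by default on the ASA; with it off, having no nat/global
! statements for inside is enough. If nat-control is on, use identity NAT instead:
!   access-list NONAT extended permit ip 10.130.0.0 255.255.255.0 any
!   nat (inside) 0 access-list NONAT
no nat-control

! The asker's address plan, grouped so the ACL stays readable.
object-group network CORP_MGMT
 network-object 128.29.109.0 255.255.255.0
object-group network LAB_NET
 network-object 10.130.0.0 255.255.255.0
! Assumed hosts in the 10.130.0.10-19 core range: domain controller, DNS.
object-group network LAB_CORE
 network-object host 10.130.0.10
 network-object host 10.130.0.11
object-group service RDP_TCP tcp
 port-object eq 3389

! Inbound policy on outside. "permit ip ... eq 3389" is rejected because only
! tcp/udp entries take a port, which is the error shown earlier in the thread.
access-list OUTSIDE_IN_ACL extended permit icmp object-group CORP_MGMT object-group LAB_NET echo
access-list OUTSIDE_IN_ACL extended permit tcp object-group CORP_MGMT object-group LAB_NET object-group RDP_TCP
access-list OUTSIDE_IN_ACL extended permit udp object-group CORP_MGMT object-group LAB_CORE eq domain
access-list OUTSIDE_IN_ACL extended permit tcp object-group CORP_MGMT object-group LAB_CORE eq domain
access-list OUTSIDE_IN_ACL extended deny ip any any log
access-group OUTSIDE_IN_ACL in interface outside

! Return traffic for the flows above is allowed statefully. Inside-to-outside is
! already permitted (100 -> 0) with no ACL on inside; ICMP inspection lets inside
! hosts ping outward without a separate echo-reply entry in OUTSIDE_IN_ACL.
policy-map global_policy
 class inspection_default
  inspect icmp

! Checks: trace an RDP session from the management range, confirm ACE hit
! counts, and look for the 106100 messages produced by the final "deny ... log".
! packet-tracer input outside tcp 128.29.109.10 40000 10.130.0.25 3389
! show access-list OUTSIDE_IN_ACL
! show logging | include 106100
```

The "outside full control" entry from the thread (permit ip 128.29.109.0/24 to the whole lab subnet) would replace every permit line above with a single one; it works, but it also gives the management range every port on every lab host, including the appliances in 10.130.0.1-9. The per-service entries keep the inside interface's security level intact and make the final deny-with-log the place where anything unexpected shows up.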

Author Closing Comment

by:Islandr
ID: 31603681
Ikalmar,
First of all, thank you for your help. At the same time, I would like to apologize if I pressed you by insisting on the question, but I asked you a question on several occasions and did not get a reply. I think that you are a great professional, but I recommend providing a faster response to the questions posted.
Yashinchalad,
Thank you for your links; they were very helpful. The combination of you and Ikalmar was just the perfect one. Again, thank you for throwing some light on what I was looking for.