Solved

how to configure a cisco 5510

Posted on 2009-07-15
12
423 Views
Last Modified: 2012-05-07
Hi there,
I am having a problem with one Cisco ASA 5510. Here is the scenario: I would like to connect to the corporate network, and they have already assigned me a subnet. The corporate network is 128.29.0.0 and my internal subnet is 10.130.0.0. I was able to do a basic configuration on the router, and I can see the corporate network, ping it, etc., but somehow I am not able to access my 10.130.0.0 from the outside to the inside.

outside 128.29.0.0, inside 10.130.0.0, both netmask 255.255.255.0. I'll attach the config file to this message.

I look forward to hearing from you.

Thanks,
etlab-gw-config.txt
Question by:Islandr
12 Comments
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24858635
Hi,

If you configure no-NAT and set security level 0 on interface Ethernet0/1, you will be able to reach it!

nat (inside) 0 10.130.0.0 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface



But it is a big security hole; I advise you to create an access-list to minimize the security hole!

I
0
 
LVL 5

Accepted Solution

by:
yashinchalad earned 200 total points
ID: 24858722
OK, you mean from the outside network (e.g. 128.29.0.1) you need to ping/access the inside (10.130.0.1), right?

In order to do so, you need static NAT/PAT to be configured.

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_pass_traffic_without_NAT

Let me know.

0
 

Author Comment

by:Islandr
ID: 24859133
ikalmar/yashinchalad,

Thank you for your response, but here is the situation: I do not want to sacrifice security, and at the same time I do not need NAT since the subnet is registered in the corporate network. I would like to know if you guys are able to provide an access-list configuration that allows me to see traffic both ways without downgrading the security-level on the inside Ethernet0/1.

Another question: how do I remove the NAT on the inside, since I am not going to use it?
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24859480
Hi,

To disable NAT use this:
no nat (inside) 1 0.0.0.0 0.0.0.0

For example, to reach 10.130.0.25 from outside use this:
access-list OUTSIDE_IN_ACL extended permit ip any host 10.130.0.25
0
 

Author Comment

by:Islandr
ID: 24859881
Ikalmar,

I greatly appreciate your help and responses. Now, how may I ping and access the whole subnet? How do I RDP and access all my hosts? I was able to ping a specific host in the subnet based on your instructions, but I would like to access the entire subnet 10.130.0.0 from 128.29.109.0. I am dividing my subnet as follows:
from:
10.130.0.1-9 special devices and appliances
10.130.0.10-19  core infrastructure (such as domain controller, DNS, Application servers, etc.)
10.130.0.20-100 DHCP VMs
10.130.0.101-until the end: any special VMs or physical servers/workstations/devices

I am not using NAT; I disabled the NAT function since I do not need it. Finally, why does the cursor jump when I am typing/creating an access-list? (I need to sync the subdomain in my subnet with the corporate domain.)

Please, if you could provide all these answers I'll be greatly thankful to you.

Thanks,
0
 

Author Comment

by:Islandr
ID: 24860847
Ikalmar,

Sorry that I am asking you again, but did you look at my question? Please let me know.

Thanks,
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24861130
Hi,

RDP is working on 3389 TCP; if you want to ping, you enable icmp and icmp-echo.
What type of ports do you want to enable to the inside?
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24861178
ping:
access-list OUTSIDE_IN_ACL extended permit icmp any any echo

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389
0
 

Author Comment

by:Islandr
ID: 24862790
Ikalmar,

Thank you for replying. Some of the access-lists that you mentioned I already have, except for:

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

But I was unable to run this one:
outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

This is the ERROR message:

access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.130.
0.0 255.255.255.0 eq 3389
                  ^
ERROR: % Invalid input detected at '^' marker.
etlab-gw(config)# access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 2$

Please let me know how I can resolve this problem.

Thanks,
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24867698
Sorry,

I mistyped:

Outside full control enable:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0
0
 
LVL 5

Assisted Solution

by:yashinchalad
yashinchalad earned 200 total points
ID: 24867959
Change ip to tcp in order to avoid the error:

access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0 eq 3389
0
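Pulling the thread's pieces together, here is an added example (not the poster's attached etlab-gw-config.txt and not either expert's exact text) of an ASA 8.2-style configuration that keeps the inside security-level at 100, exempts the routed 10.130.0.0/24 from translation, and permits only ping and RDP from 128.29.109.0/24 instead of "permit ip any". The interface names, the interface IP addresses and the 10.130.0.10 DNS host are assumptions.

```cisco
! Added example; assumes pre-8.3 NAT syntax (ASA 7.x/8.0/8.2, as in 2009).
! Interface addresses below are constructed placeholders.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 128.29.0.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.130.0.1 255.255.255.0
!
! Identity NAT for the routed inside subnet: traffic to the corporate /24
! passes untranslated. With nat-control off (the default) no NAT statement
! is needed at all; this exemption only matters if nat-control is enabled
! or other nat rules remain in the config.
access-list NONAT extended permit ip 10.130.0.0 255.255.255.0 128.29.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Inbound policy on the outside interface. Scope is the management /24,
! not "any", and each rule names a protocol. A port operator such as
! "eq 3389" is only accepted after tcp or udp; "permit ip ... eq 3389"
! is what the parser rejected at the '^' marker in the thread.
access-list OUTSIDE_IN_ACL extended permit icmp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 echo
access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 eq 3389
! Assumed DNS host in the 10.130.0.10-19 core range: a host-scoped rule
! is the pattern to follow for each further service instead of "permit ip".
access-list OUTSIDE_IN_ACL extended permit udp 128.29.109.0 255.255.255.0 host 10.130.0.10 eq domain
! Explicit logged deny at the end makes rejected attempts visible in syslog.
access-list OUTSIDE_IN_ACL extended deny ip any any log
access-group OUTSIDE_IN_ACL in interface outside
!
! Track ICMP statefully so echo replies return without a blanket icmp permit.
policy-map global_policy
 class inspection_default
  inspect icmp
```

Verify with "show access-list OUTSIDE_IN_ACL" (hit counts per line) and "show nat" after applying; the config keeps inside-to-outside traffic allowed by the default security-level behaviour while outside-to-inside is limited to the listed rules.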
 

Author Closing Comment

by:Islandr
ID: 31603681
Ikalmar,
First of all, thank you for your help. At the same time I would like to apologize if I pressed you by insisting on the question, but I asked you a question on several occasions and did not get a reply. I think that you are a great professional, but I recommend providing faster responses to the questions posted.
Yashinchalad,
Thank you for your links, they were very helpful; the combination of you and Ikalmar was just the perfect one. Again, thank you for throwing some light on what I was looking for.
0
