Solved

how to configure a cisco 5510

Posted on 2009-07-15
Last Modified: 2012-05-07
Hi there,
I am having a problem with one Cisco ASA 5510. Here is the scenario: I would like to connect to the corporate network, and they have already assigned me a subnet. The corporate network is 128.29.0.0 and my internal subnet is 10.130.0.0. I was able to do a basic configuration on the router, and I can see the corporate network, ping it, etc., but somehow I am not able to access my 10.130.0.0 from the outside to the inside.

Outside 128.29.0.0, inside 10.130.0.0, both netmask 255.255.255.0. I'll attach the config file to this message.

I look forward to hearing from you.

Thanks,
etlab-gw-config.txt
Question by:Islandr

12 Comments

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24858635
Hi,

If you make NONAT and set security-level 0 for interface Ethernet0/1, you will be able to reach it!

nat (0) 10.130.0.0 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface



But it is a big security hole; I advise you to make an access-list to minimize the security hole!

Accepted Solution

by:yashinchalad
yashinchalad earned 200 total points
ID: 24858722
OK, you mean from the outside network (ex: 128.29.0.1) you need to ping/access the inside (10.130.0.1), right?

In order to do so you need a static NAT/PAT.

http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_Firewall_to_pass_traffic_without_NAT

Let me know.

Author Comment

by:Islandr
ID: 24859133
ikalmar/yashinchalad,

Thank you for your responses, but here is the situation: I do not want to sacrifice security, and at the same time I do not need NAT since the subnet is registered in the corporate network. I would like to know if you guys are able to provide an access-list configuration that allows me to see traffic both ways without downgrading the security-level on the inside Ethernet0/1.

Another question: how do I remove the NAT on the inside since I am not going to use it?

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24859480
Hi,

To disable NAT use this:
no nat (inside) 1 0.0.0.0 0.0.0.0

For example, to reach 10.130.0.25 from outside use this:
access-list OUTSIDE_IN_ACL extended permit ip any host 10.130.0.25

Author Comment

by:Islandr
ID: 24859881
Ikalmar,

I greatly appreciate your help and responses. Now, how may I ping and access the whole subnet? How do I RDP and access all my hosts? I was able to ping a specific host in the subnet based on your instructions, but I would like to access the entire subnet 10.130.0.0 from 128.29.109.0. I am dividing my subnet as follows:
from:
10.130.0.1-9 special devices and appliances
10.130.0.10-19  core infrastructure (such as domain controller, DNS, Application servers, etc.)
10.130.0.20-100 DHCP VM's
10.130.0.101-until the end: any special VMs or physical servers/workstations/devices

I am not using NAT; I disabled the NAT function since I do not need it. Finally, why does the cursor jump when I am typing/creating an access-list? (I need to sync the subdomain in my subnet with the corporate domain.)

Please, if you could provide all these answers I'll be greatly thankful to you.

Thanks,
Author Comment

by:Islandr
ID: 24860847
Ikalmar,

Sorry that I am asking you again, but did you look at my question? Please let me know.

Thanks,
Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24861130
Hi,

RDP works on TCP 3389; if you want to ping you enable icmp and icmp-echo.
What type of ports do you want to enable to the inside?

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24861178
ping:
access-list OUTSIDE_IN_ACL extended permit icmp any any echo

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389
Author Comment

by:Islandr
ID: 24862790
Ikalmar,

Thank you for replying. Some of the access-lists that you mentioned I already have, except for:

RDP:
access-list OUTSIDE_IN_ACL extended permit tcp any 10.3.0.0 255.255.255.0 eq 3389

outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

But I was unable to run this one:
outside:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389

This is the ERROR message:

access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.130.
0.0 255.255.255.0 eq 3389
                  ^
ERROR: % Invalid input detected at '^' marker.
etlab-gw(config)# access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 2$

Please let me know how I can resolve this problem.

Thanks,

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24867698
Sorry

I've mistyped:

outside full control enable:
access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.3.0.0 255.255.255.0

Assisted Solution

by:yashinchalad
yashinchalad earned 200 total points
ID: 24867959
Change ip to tcp in order to avoid the error:

access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0  10.3.0.0 255.255.255.0 eq 3389
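The two fixes above come down to one rule the ASA enforces: a port operator such as `eq 3389` is only valid after `tcp` or `udp`, never after `ip`. The following linter is an added example (not code from the thread or from Cisco) that checks that rule on the thread's ACL lines and also flags the over-broad entries (`any` sources, `permit ip` to a whole subnet) that the asker said they wanted to avoid. The sample lines are constructed here using the asker's real inside subnet 10.130.0.0/24 rather than the mistyped 10.3.0.0.

```python
import ipaddress

# Port operators are legal only after tcp/udp; 'permit ip ... eq 3389' is what the ASA rejected.
PORT_PROTOCOLS = {"tcp", "udp"}
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}


def parse_endpoint(tokens, i):
    """Parse one ASA address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (ip_network, index of the next unread token)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ip_network accepts a dotted netmask after the slash, as the ASA CLI writes it
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def check_acl_line(line):
    """Lint one 'access-list NAME extended permit|deny PROTO SRC DST [...]' line.
    Returns a list of findings; an empty list means the line is valid and tightly scoped."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return ["not an extended access-list line"]
    action, proto = tokens[3], tokens[4]
    src, i = parse_endpoint(tokens, 5)
    dst, i = parse_endpoint(tokens, i)
    rest = tokens[i:]          # port operator, icmp type, or nothing
    findings = []
    if rest and rest[0] in PORT_OPERATORS and proto not in PORT_PROTOCOLS:
        findings.append(f"port operator '{rest[0]}' is invalid with protocol '{proto}'; the ASA rejects this line")
    if action == "permit" and src.prefixlen == 0:
        findings.append("source 'any' admits every outside host; scope it to the trusted corporate subnet")
    if action == "permit" and proto == "ip" and dst.prefixlen < 32:
        findings.append(f"'permit ip' opens every protocol and port to {dst}; prefer per-service tcp/udp entries")
    return findings


# Constructed sample: the thread's entries, with the asker's real inside subnet 10.130.0.0/24
THREAD_ACLS = [
    "access-list OUTSIDE_IN_ACL extended permit icmp any any echo",
    "access-list OUTSIDE_IN_ACL extended permit tcp any 10.130.0.0 255.255.255.0 eq 3389",
    "access-list OUTSIDE_IN_ACL extended permit ip 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 eq 3389",
    "access-list OUTSIDE_IN_ACL extended permit tcp 128.29.109.0 255.255.255.0 10.130.0.0 255.255.255.0 eq 3389",
]


def lint(lines):
    """Map each ACL line to its findings so the one clean line (tcp, scoped source) stands out."""
    return {line: check_acl_line(line) for line in lines}


if __name__ == "__main__":
    for acl, findings in lint(THREAD_ACLS).items():
        print(acl, "->", findings or "OK")
```

Only the last sample line (tcp from 128.29.109.0/24 to the inside subnet on 3389) passes with no findings.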
Author Closing Comment

by:Islandr
ID: 31603681
Ikalmar,
First of all, thank you for your help. At the same time I would like to apologize if I pressed you by insisting on the question, but I asked you a question on several occasions and did not get a reply. I think that you are a great professional, but I recommend providing a faster response to the questions posted.
Yashinchalad,
Thank you for your links; they were very helpful. The combination of you and Ikalmar was just the perfect one. Again, thank you for throwing some light on what I was looking for.