Cisco ASA5550 Basic Setup for testing

Posted on 2012-08-15
Last Modified: 2012-08-16

I am attempting to configure a new (to us) Cisco ASA5550 Firewall to replace one of our old Enterasys Firewalls. Right now I'm simply setting up a simple lab test where I assign an inbound port GigabitEthernet 0/0 to be an outside interface to the ISP. It has a default static route to the ISP gateway and I've set up the basic DNS information for the interface. My management interface MGMT 0/0 is using the out of the box with DHCP. My test interface (called VCAccess) is GigabitEthernet 1/0 and is set to a address.

Presently I am able (using the ASDM GUI) to ping from the outside interface to the gateway and to public addresses like or My next step was to assign a static 10.2.99.X (in this case address to a PC and connect via the inside interface. That works, shows physical link, and I can ping the assigned address from the Firewall and the Firewall from the device on However, at this point I cannot access any outside addresses or the internet from a network-connected device. I understand that inbound traffic will require specific ACLs and NATs, but I thought that outbound traffic (especially from a higher-security [50] network to a lower-security [0] network) would/should be permitted.

Could someone please provide the proper basic setup for this configuration? Basically, firewall out of the box, 1 inside port, 1 outside port, 1 management port, where inside devices can access the internet. I've somehow managed to make this much harder than it should be, I'm sure.

Here's the current running config:

ASA Version 8.2(1)
hostname VirtualCommandASA1
domain-name windstream
enable password 98zu/sBczpieubcL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
interface GigabitEthernet1/0
 nameif VCAccess
 security-level 50
 ip address
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet1/3
 no nameif
 no security-level
 no ip address
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns server-group DefaultDNS
 domain-name windstream
dns server-group VirtualCommand
 domain-name virtualcommand.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Access_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu VCAccess 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (VCAccess) 101
nat (management) 101
route Outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server source Outside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end

Question by: jdeliz

Accepted Solution

No, you need to configure NAT first to connect to the Internet.

You already have this line:

nat (VCAccess) 101

All you need is to add:

global (outside) 101 interface

Author Closing Comment

Thanks! That worked and makes total sense. I knew I was overlooking something but didn't see it because I thought I had already NAT'd the inside. I appreciate the help in ending my frustration.
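
The fix above hinges on how pre-8.3 ASA NAT works: a `nat (ifc) <id>` statement on a high-security interface only translates when a `global (ifc) <id>` with the same id exists on a lower-security interface, and without the pair the hosts get no translation and outbound traffic fails. The following is an added configuration check, not part of the thread, that parses an ASA 8.2-style config and reports every nat id with no matching global pool on a lower-security interface; the two sample configs are constructed to mirror the skeleton of the config posted above (interface names and security levels from the question, 0.0.0.0 masks assumed).

```python
import re

# ASA 8.2 config lines we care about; nameif values are compared
# case-insensitively because the ASA treats "Outside" and "outside" alike.
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
SECLVL_RE = re.compile(r"^\s*security-level (\d+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")

def parse(config: str):
    """Return (levels, nat, glob): nameif -> security level,
    nat id -> interfaces carrying `nat (ifc) id`, and
    global id -> interfaces carrying `global (ifc) id`."""
    levels, nat, glob, current = {}, {}, {}, None
    for line in config.splitlines():
        if m := NAMEIF_RE.match(line):
            current = m.group(1).lower()
        elif (m := SECLVL_RE.match(line)) and current:
            levels[current] = int(m.group(1))
        elif m := NAT_RE.match(line):
            nat.setdefault(int(m.group(2)), set()).add(m.group(1).lower())
        elif m := GLOBAL_RE.match(line):
            glob.setdefault(int(m.group(2)), set()).add(m.group(1).lower())
    return levels, nat, glob

def unmatched_nat_ids(config: str):
    """List (nat_id, interface) pairs whose nat id has no global pool on any
    interface with a strictly lower security level. nat id 0 (identity /
    NAT exemption) never needs a global and is skipped."""
    levels, nat, glob = parse(config)
    problems = []
    for nat_id, inside_ifcs in sorted(nat.items()):
        if nat_id == 0:
            continue
        for ifc in sorted(inside_ifcs):
            paired = any(g in levels and levels[g] < levels.get(ifc, 100)
                         for g in glob.get(nat_id, ()))
            if not paired:
                problems.append((nat_id, ifc))
    return problems

# Constructed sample: the posted config's shape, nat statements but no global.
BROKEN = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface Management0/0
 nameif management
 security-level 100
interface GigabitEthernet1/0
 nameif VCAccess
 security-level 50
nat (VCAccess) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
"""
# Same config with the one line from the accepted answer appended.
FIXED = BROKEN + "global (outside) 101 interface\n"
```

Running `unmatched_nat_ids(BROKEN)` flags id 101 on both management and VCAccess, while `unmatched_nat_ids(FIXED)` returns an empty list; on the box itself `show xlate` filling up after the change confirms the same thing.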
