  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1343

Cisco ASA5550 Basic Setup for testing

Greetings,

I am attempting to configure a new (to us) Cisco ASA5550 Firewall to replace one of our old Enterasys Firewalls.  Right now I'm simply setting up a simple lab test where I assign an inbound port GigabitEthernet 0/0 to be an outside interface to the ISP.  It has a default static route to the ISP gateway and I've set up the basic DNS information for the interface.  My management interface MGMT 0/0 is using the out-of-the-box 192.168.1.1 with DHCP.  My test interface (called VCAccess) is GigabitEthernet 1/0 and is set to a 10.2.99.1 address.

Presently I am able (using the ASDM GUI) to ping from the outside interface to the gateway and to public addresses like 4.2.2.2 or 8.8.8.8.  My next step was to assign a static 10.2.99.X (in this case 10.2.99.10) address to a PC and connect via the inside interface.  That works, shows physical link, and I can ping the assigned address from the Firewall and the Firewall from the device on 10.2.99.1.  However, at this point I cannot access any outside addresses or the internet from a 10.2.99.0 network connected device.  I understand that inbound traffic will require specific ACLs and NATs, but I thought that outbound (especially from a higher security [50] network to a lower security [0] network) traffic would/should be permitted.

Could someone please provide the proper basic setup for this configuration?  Basically, firewall out of the box 1 Inside port, 1 Outside port, 1 management port where inside devices can access the internet.  I've somehow managed to make this much harder than it should be, I'm sure.

Here's the current running config:

-------------------------------------------------------------------------------------------------------------
ASA Version 8.2(1)
!
hostname VirtualCommandASA1
domain-name windstream
enable password 98zu/sBczpieubcL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 66.64.236.22 255.255.255.248
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 nameif VCAccess
 security-level 50
 ip address 10.2.99.1 255.255.255.0
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 66.240.67.234
 name-server 216.199.0.132
 domain-name windstream
dns server-group VirtualCommand
 name-server 10.2.99.1
 domain-name virtualcommand.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Access_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu Outside 1500
mtu VCAccess 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (VCAccess) 101 10.2.99.0 255.255.255.0
nat (management) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 64.66.236.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.90.182.55 source Outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8fd26ae5a3aecfe8e2de86344d7acc00
: end

-------------------------------------------------------------------------------------------------------------
Asked by: jdeliz

1 Solution

fgasimzade commented:
No, you need to configure NAT first to connect to the Internet

You already have this line

nat (VCAccess) 101 10.2.99.0 255.255.255.0

All you need is to add

global (outside) 101 interface
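
An added check, not part of the thread and not code from either poster: the script below reads an ASA 8.2-style running config and reports every dynamic nat statement whose ID has no matching global pool on a lower-security interface, which is exactly the gap in the config above. Two constructed sample configs are embedded (RFC 5737 addresses stand in for the real public ones): the broken one mirrors the nat (VCAccess) 101 line with no global, and the fixed one appends the global (Outside) 101 interface line from the answer. The background the check relies on: 8.2 ships with nat-control disabled, so a host with no nat statement at all passes untranslated, but once a nat statement matches the source the ASA must find a global with the same ID on the egress interface or it drops the packet with syslog 305005 "No translation group found". The nat 0 (identity / exemption) case is skipped because it never consults a global pool. Interface names are lower-cased before comparison because ASA nameif values are case-insensitive, which is why "global (outside)" in the answer satisfies the "Outside" interface in the config.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the style of the ASA 8.2 config posted above (RFC 5737
# addresses replace the real public ones). Dynamic NAT ID 101 is defined on the
# inside interface, but no "global" pool carries that ID on the outside interface.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 192.0.2.22 255.255.255.248
!
interface GigabitEthernet1/0
 nameif VCAccess
 security-level 50
 ip address 10.2.99.1 255.255.255.0
!
nat (VCAccess) 101 10.2.99.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 192.0.2.17 1
"""

# The accepted answer's one-line fix appended to the same constructed config.
FIXED_CONFIG = BROKEN_CONFIG + "global (Outside) 101 interface\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")


def parse_interfaces(config: str) -> Dict[str, int]:
    """Map each nameif (lower-cased; ASA interface names are case-insensitive)
    to its security-level."""
    levels: Dict[str, int] = {}
    name = None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None                      # start of a new interface block
        elif line.startswith(" nameif "):
            name = line.split()[1].lower()
        elif line.startswith(" security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def parse_globals(config: str) -> Dict[str, Set[str]]:
    """Map each NAT ID to the set of interfaces that carry a global pool for it."""
    pools: Dict[str, Set[str]] = {}
    for line in config.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            pools.setdefault(m.group(2), set()).add(m.group(1).lower())
    return pools


def missing_globals(config: str) -> List[str]:
    """Return one finding per (nat statement, lower-security egress interface)
    pair that has no global pool with the same NAT ID. Pre-8.3 ASA code drops
    such flows with 305005 'No translation group found'."""
    levels = parse_interfaces(config)
    pools = parse_globals(config)
    findings: List[str] = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        src, nat_id = m.group(1).lower(), m.group(2)
        if nat_id == "0" or src not in levels:
            continue  # identity/exempt NAT never uses a global; unknown nameif skipped
        for egress, level in levels.items():
            if egress == src or level >= levels[src]:
                continue  # only lower-security egress interfaces need a pool here
            if egress not in pools.get(nat_id, set()):
                findings.append(
                    f"nat ({src}) {nat_id} has no global on lower-security "
                    f"interface {egress}: add 'global ({egress}) {nat_id} interface' "
                    f"or flows {src} -> {egress} are dropped"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, missing_globals(cfg) or "OK")
```

Run it against a `show running-config` capture instead of the embedded sample to audit a real 8.2 box before cutover; on 8.3 and later the nat/global pair is replaced by object NAT and this check no longer applies.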
jdeliz (Author) commented:
Thanks!  That worked and makes total sense.  I knew I was overlooking something but didn't see it because I thought I had already NAT'd the inside.  I appreciate the help in ending my frustration.