https://community.cisco.com/t5/network-security/5510-config/m-p/679454#M1031149 <HTML><HEAD></HEAD><BODY><P>I pulled it off to clean addressing</P><P></P><P> </P><P></P></BODY></HTML> Mon, 12 Feb 2007 21:07:53 GMT woody48055 2007-02-12T21:07:53Z https://community.cisco.com/t5/network-security/5510-config/m-p/679452#M1031093 <P>Help</P><P>I have been hitting my head against this brick wall called an ASA5510. I was trying to configure it as a straight firewall with a DMZ interface and connecting a DNS server to that. But right now I would be happy with just passing HTTP between int 0/0 to 0/2</P><P>Current config is attached</P><P></P><P></P><P></P> Mon, 11 Mar 2019 09:32:25 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679452#M1031093 woody48055 2019-03-11T09:32:25Z https://community.cisco.com/t5/network-security/5510-config/m-p/679453#M1031116 <HTML><HEAD></HEAD><BODY><P>Config is missing ..</P></BODY></HTML> Mon, 12 Feb 2007 21:01:53 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679453#M1031116 vitripat 2007-02-12T21:01:53Z https://community.cisco.com/t5/network-security/5510-config/m-p/679454#M1031149 <HTML><HEAD></HEAD><BODY><P>I pulled it off to clean addressing</P><P></P><P> </P><P></P></BODY></HTML> Mon, 12 Feb 2007 21:07:53 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679454#M1031149 woody48055 2007-02-12T21:07:53Z https://community.cisco.com/t5/network-security/5510-config/m-p/679455#M1031180 <HTML><HEAD></HEAD><BODY><P>config is attached after edits</P><P></P><P> </P><P></P></BODY></HTML> Mon, 12 Feb 2007 21:15:47 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679455#M1031180 woody48055 2007-02-12T21:15:47Z https://community.cisco.com/t5/network-security/5510-config/m-p/679456#M1031203 <HTML><HEAD></HEAD><BODY><P>Setting all the 3 interfaces at same security-level will cause problems. Here is what is recommended:</P><P></P><P>Outside interface (security-level 0)</P><P>DMZ interface (security-level 50)</P><P>Inside interface (security-level 100), you can enter following commands to set interfaces accordingly-</P><P></P><P>interface Ethernet0/0</P><P> security 0</P><P>interface Ethernet0/1</P><P> security 100</P><P>interface Ethernet0/2</P><P> security 50</P><P></P><P>no nat (DMZ) 200 10.10.RRR.RRR 255.255.255.0</P><P>nat (DMZ) 200 10.30.xxx.xxx 255.255.255.0</P><P>no global (DMZ) 200 10.30.RRR.RRR-10.30.RRR.RRR netmask 255.0.0.0</P><P>global (DMZ) 200 interface</P><P>nat (inside) 200 0 0</P><P></P><P>clear xlate</P><P></P><P>Please implement above commands.</P></BODY></HTML> Mon, 12 Feb 2007 21:18:27 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679456#M1031203 vitripat 2007-02-12T21:18:27Z https://community.cisco.com/t5/network-security/5510-config/m-p/679457#M1031219 <HTML><HEAD></HEAD><BODY><P>still not passing any traffic attached updated config</P><P></P><P> </P><P></P></BODY></HTML> Mon, 12 Feb 2007 21:42:41 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679457#M1031219 woody48055 2007-02-12T21:42:41Z https://community.cisco.com/t5/network-security/5510-config/m-p/679458#M1031233 <HTML><HEAD></HEAD><BODY><P>Hi still using security 50 for all the interfaces. You could use the below command to allow traffic to traverse the firewall but you really should change the secutity levels as recommended on previous posts.</P><P></P><P>same-security-traffic permit inter-interface</P><P></P><P>I hope it helps .. please rate it if it does !!!</P><P></P><P></P><P></P></BODY></HTML> Tue, 13 Feb 2007 00:38:41 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679458#M1031233 Fernando_Meza 2007-02-13T00:38:41Z https://community.cisco.com/t5/network-security/5510-config/m-p/679459#M1031242 <HTML><HEAD></HEAD><BODY><P>Could you also add following commands:</P><P></P><P>no service-policy outside-policy interface outside</P><P></P><P>I had mentioned these command also earlier:</P><P></P><P>nat (DMZ) 200 10.30.xxx.xxx 255.255.255.0</P><P>global (DMZ) 200 interface</P><P></P><P>Then issue "clear xlate".</P><P></P><P>After these commands, let me know from 10.30.x.x (DMZ) network if you</P><P>are able to ping the default gateway of PIX.</P></BODY></HTML> Tue, 13 Feb 2007 00:41:24 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679459#M1031242 vitripat 2007-02-13T00:41:24Z https://community.cisco.com/t5/network-security/5510-config/m-p/679460#M1031248 <HTML><HEAD></HEAD><BODY><P>First off let me thank you for all your help it is greatly appreciated. I have attached the current config of the ASA5510 with the various commands highlighted; this is for my benefit, so that I am assured that they were entered correctly. As I have been working with this for 2+ weeks.</P><P></P><P>Some additional info this device is going in place of an old firewall that was on a NT4.0 server running gauntlet s/w. I have reused the addresses that are currently on the current FW and whenever testing of the ASA configuration it is inserted into the gauntlets place removing it from the circuit. None of our equipment filters MAC addresses so that cannot be an issue.</P><P></P><P></P><P> </P><P></P></BODY></HTML> Tue, 13 Feb 2007 14:05:07 GMT https://community.cisco.com/t5/network-security/5510-config/m-p/679460#M1031248 woody48055 2007-02-13T14:05:07Z