topic thanks it works, i also added in Network Security

config firewall 5512

macboy276 — Tue, 12 Mar 2019 06:10:19 GMT

Hi,

i am trying to configure my new firewall 5512. here is how i configure and not getting out to internet.

My internet service provider has also a cisco firewall place on premise which has the following configuration.

interface GigabitEthernet0/0
description Outside Interface
speed 100
duplex full
nameif outside
security-level 0
ip address 14.15.14.7 255.255.255.252
!
interface GigabitEthernet0/1
description Inside Interface
speed 100
duplex full
nameif inside
security-level 100
ip address 13.15.13.1 255.255.255.0
!

I have configure my local firewall with the following configuration.

!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 13.15.13.60 255.255.255.0 
!

route outside 13.15.13.0 255.255.255.0 13.15.13.1 1

i have configure a local computer with the following setting

192.168.10.32

255.255.255.0

192.168.10.1

what else is needed to get out to internet

object-group network
Jon Marshall — Tue, 23 Jun 2015 14:32:48 GMT

object-group network <OBJ-NAME>
network-object 192.168.10.0 255.255.255.0
nat (inside,outside) after-auto source dynamic <OBJ-NAME> interface
Jon

Just noticed that your route

Jon Marshall — Tue, 23 Jun 2015 15:27:42 GMT

Just noticed that your route needs changing ie. it should be -

route outside 0.0.0.0 0.0.0.0 <ISP next hop IP>

Also the previous post was to translate your private IPs to your public IP on the outside interface of your ASA.

Are you sure the ISP firewall is not doing the translations for you ?

If they are then you don't need the NAT setup.

Jon

thanks it works, i also added

macboy276 — Tue, 23 Jun 2015 15:27:43 GMT

thanks it works, i also added NAT because ISP was not doing NAT.

now i have DMZ

interface GigabitEthernet0/2
nameif DMZ
security-level 10
ip address 192.168.20.1 255.255.255.0

What should i do so it works. I have four to five server in DMZ.

Do i need to create a nat or route for this too?

You don't need a route but it

Jon Marshall — Tue, 23 Jun 2015 15:29:39 GMT

You don't need a route but it depends on what you want to do with those servers.

Are you wanting to provide access to the internet for these servers or do you want to allow internet access to them on certain ports ?

Jon

the following is the config

macboy276 — Tue, 23 Jun 2015 16:24:18 GMT

the following is the config from old firewall

we host webserver and we want to be available on internet

static (dmz,outside) 13.15.13.14 WEB netmask 255.255.255.255

static (inside,dmz) 192.168.2.73 Email_DNS netmask 255.255.255.255

static (inside,dmz) 192.168.2.77 serverex2 netmask 255.255.255.255

static (dmz,outside) 13.15.13.13 192.168.20.13 netmask 255.255.255.255

static (dmz,outside) 13.15.13.15 192.168.2.101 netmask 255.255.255.255

static (inside,dmz) 192.168.20.10 sIMS1 netmask 255.255.255.255

static (inside,dmz) 192.168.20.11 SEEX2 netmask 255.255.255.255

global (dmz) 1 192.168.20.21 netmask 255.255.255.255

global (dmz) 3 192.168.20.23 netmask 255.255.255.255

global (dmz) 4 192.168.20.24 netmask 255.255.255.255

global (dmz) 5 192.168.20.25 netmask 255.255.255.255

nat (dmz) 0 access-list dmz_nat0_outbound

nat (dmz) 2 DMZ_Subnet 255.255.255.0