topic Re: ASA 5510 in Network Security

ASA 5510

prashantchandak7 — Mon, 11 Mar 2019 19:08:58 GMT

I have a ASA 5510 ASA version 7.0.8 and ASDM 5.2. I am not familiar with the CLI and am using the ASDM.

I have connected the ASA 5510 as folllows:

DSL Modem/Router(DHCP Server : 192.168.10.x)------->ASA 5510 Ethernet 0/0(DHCP configured, security level 0, subnet 255.255.255.0)

Ethernet 0/1 (Static IP 192.168.15.1,security level 100, subnet 255.255.255.0) and Management Port (DHCP Server : 192.168.1.x, security level 100, subnet 255.255.255.0)--------->Switch--------->PC

In the above scenario using the ASDM Ping I can ping 4.2.2.2, 192.168.15.1, 192.168.10.3 (Ethernet 0/0) but can not ping any using the command prompt. When connected using Ethernet 0/1 my computer shows limited connectivity and can not connect to the ASA. Please can you explain how should ethernet 0/1 be configured to establish connectivity with the ASA and then to have internet access. I tried to enable DHCP server to provide an IP to the computer on Ethernet 0/1 but the ASDM gives an error Ethernet 0/1 is a client and can not be a server.

After this I need to create a VPN between the ASA and a 3G router over IPSEC.

Re: ASA 5510

Kureli Sankar — Sat, 13 Nov 2010 15:15:22 GMT

Prashant,

Oh boy ! lot on your plate - all with asdm?

Hmm...

inside hosts--(192.168.1.x)-inside-(E0/1)ASA(E0/0)-outside-192.168.10.x---DSL modem--Internet

5 steps to configuring a firewall to provide internet access - vpn is a completely diff. issue. Let us not combine that with this.

1. configure inside interface

2. configure outside interface

3. configure nat/global

4. configure default route on the ASA

5. configure dhcp on the ASA

Why don't you just copy and paste these via CLI on the ASA.

(1)

conf t

int E0/1

ip address 192.168.1.1 255.255.255.0

nameif inside

sec 100

no shut

exit

(2)

int E0/0

ip add dhcp setroute

nameif outside

sec 0

no shut

exit

(3)

nat (inside) 1 192.168.10.0 255.255.255.0

global (outside) 1 int

(4)

route outside 0 0 192.168.10.x (replace x with the last octet of the router IP address)

(5)

dhcpd dns 4.2.2.2 (you can replace 4.2.2.2 with your ISP provide dns server ip address)

dhcpd add 192.168.1.10-192.168.1.250 inside

dhcpd enable inside

That should do it. You should get IP address from the ASA for the inside computers. They should be able to reach the internet.

Now, if you need asdm help you should refer this link: http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/user.html

-KS

Re: ASA 5510

prashantchandak7 — Mon, 15 Nov 2010 07:48:22 GMT

Hello

Thank you for your response.

But I continue to have the same problem.

(1)

conf t

int E0/1

ip address 192.168.1.1 255.255.255.0

After this it reports an error that the E0/1 can not overlap with IP address and subnet of Management Port so I configured E0/1 to 192.168.12.1, subnet 255.255.255.0.

After this I completed the commands as you mentioned.

However when I connect my computer to the ASA (E0/1) via switch I can only ping 192.168.12.1 but can not ping 192.168.10.3 (E0/0) and 192.168.10.1 (DSL modem/router).

Any suggestions please.

Re: ASA 5510

apothula — Mon, 15 Nov 2010 13:09:09 GMT

Hi Prashant,

Where is the 192.168.12.1 IP address configured ? Is that the inside interface IP address.

You wouldn't be able to ping thw 192.168.10.3 IP address considering, it is the outside interface IP address and you are pinging from the inside.

Please provide us the NAT configuration on the ASA and also paste the output of show xlate command on the ASA here for us to understand the issue better.

Also provide us the output of show route.

Cheers.

Avinash.

Re: ASA 5510

prashantchandak7 — Mon, 15 Nov 2010 13:50:11 GMT

Hi Avinash

Yes 192.168.12.1 is the inside IP address.

The NAT configuration is as per the commands below:

nat (inside) 1 192.168.10.0 255.255.255.0

global (outside) 1 int

route outside 0 0 192.168.10.1

Result of the command in ASDM CLI: "show xlate"

0 in use, 0 most used

Result of the command in ASDM CLI: "show route"

S 0.0.0.0 0.0.0.0 [1/0] via 192.168.10.1, outside

C 192.168.1.0 255.255.255.0 is directly connected, management

C 192.168.10.0 255.255.255.0 is directly connected, outside

Regards

Prashant

Re: ASA 5510

apothula — Mon, 15 Nov 2010 15:46:08 GMT

Hi Prashant,

My guess was right.

The NAT statement is wrong.

Please add the following commands and

no nat (inside) 1 192.168.10.0 255.255.255.0

nat (inside) 1 0 0

Also, i guess the inside interface is shutdown because i dont see a connected route for the inside interface.

Please check that as well and let me know how it goes.

Cheers,

Avinash.

Re: ASA 5510

prashantchandak7 — Mon, 15 Nov 2010 17:02:10 GMT

Hi Avinash

Thanks a lot you got it working.

Now I am to my next step of configuring a VPN. I will keep you updated.

Re: ASA 5510

prashantchandak7 — Wed, 17 Nov 2010 06:27:59 GMT

Hello

I was next trying to configure IPSEC VPN between ASA 5510 and a 3G router using the VPN wizard in ASDM.

However, I am not able to configure it.

1. Is it possible to put a DDNS address in Peer IP address because the 3G router has dynamic IP.

2. Please can you assist in configuration.

Regards

Prashant

Re: ASA 5510

apothula — Wed, 17 Nov 2010 08:16:44 GMT

Hi Prashant,

I think you opened a discussion in VPN section.

Let us continue there.

Cheers,

Avinash.