ASA 5510 configuration problem

junshah22 — Mon, 11 Mar 2019 15:27:28 GMT

Dear All,,

I am installing ASA 5510 security + but having some problems,, i.e.. inside is unable to communicate with DMZ and outside,

DMZ is unable to communicate with Outside (internet) and inside,

Outside is unable to access DMZ and inside,

Please see attached configuration of ASA

ASA Version 7.0(7)

hostname XXXXX

domain-name default.domain.invalid

enable password XXXXXXXXXXX encrypted

names

dns-guard

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.168.74.2 255.255.255.0

interface Ethernet0/1

nameif DMZ

security-level 50

ip address 192.168.1.18 255.255.255.0

interface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

<--- More --->

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.16.1 255.255.255.0

management-only

passwd XXXXXXXXXXXXXXXX encrypted

ftp mode passive

pager lines 24

logging asdm informational

mtu management 1500

mtu outside 1500

mtu DMZ 1500

mtu inside 1500

no failover

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400

<--- More --->

nat-control

global (outside) 1 192.168.74.10-192.168.74.15 netmask 255.255.255.0

global (outside) 1 192.168.74.9 netmask 255.255.255.0

nat (inside) 1 192.168.0.0 255.255.0.0

static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0

static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.74.1 1

route inside 192.168.11.0 255.255.255.0 192.168.20.2 1

route inside 192.168.10.0 255.255.255.0 192.168.20.2 1

route inside 192.168.9.0 255.255.255.0 192.168.20.2 1

route inside 192.168.8.0 255.255.255.0 192.168.20.2 1

route inside 192.168.7.0 255.255.255.0 192.168.20.2 1

route inside 192.168.6.0 255.255.255.0 192.168.20.2 1

route inside 192.168.5.0 255.255.255.0 192.168.20.2 1

route inside 192.168.4.0 255.255.255.0 192.168.20.2 1

route inside 192.168.3.0 255.255.255.0 192.168.20.2 1

route inside 192.168.2.0 255.255.255.0 192.168.20.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

username Junaid password GmyIgt9p0qYot/Ks encrypted

http server enable

<--- More --->

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3600

dhcpd ping_timeout 50

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect dns maximum-length 512

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

<--- More --->

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

Cryptochecksum:4a349530616191826545b7d8e6574b48

: end

MTL-ASA#

I have a switch cisco 3560 connected with ASA ,, Vlans are configured on the switch,,so thats why i added routes for vlans 2- 11

Please check my configuration and advise if something needs to be add in configuration,,,

Regards,

Junaid

Re: ASA 5510 configuration problem

rjaaouan — Tue, 05 May 2009 08:38:15 GMT

Hi,

I'm not an expert, but I think it's a NAT issue:

nat-control

global (outside) 1 192.168.74.10-192.168.74.15 netmask 255.255.255.0

global (outside) 1 192.168.74.9 netmask 255.255.255.0

nat (inside) 1 192.168.0.0 255.255.0.0

static (DMZ,outside) 192.168.1.0 192.168.74.0 netmask 255.255.255.0

static (outside,DMZ) 192.168.74.0 192.168.1.0 netmask 255.255.255.0

I don't see any NAT statement from Inside to outside (inside to DMZ). because with NatContol enable, this traic is denied with NAT don't allow it.

you need to review also Static command, because I think something is missing also. This output shows how a static statement is constructed. Note the order of the mapped and real IP addresses.

static (real_interface,mapped_interface) mapped_ip real_ip netmask mask

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#t12

good luck.

Re: ASA 5510 configuration problem

junshah22 — Tue, 05 May 2009 12:06:42 GMT

I used these commands for inside,

route inside 192.168.11.0 255.255.255.0 192.168.20.2 1

route inside 192.168.10.0 255.255.255.0 192.168.20.2 1

route inside 192.168.9.0 255.255.255.0 192.168.20.2 1

route inside 192.168.8.0 255.255.255.0 192.168.20.2 1

route inside 192.168.7.0 255.255.255.0 192.168.20.2 1

you can see in my configurations,,,

I was trying to access outside from DMZ first,, thats why i didn't entered static commands for inside,, i.e. (inside,DMZ),, (inside,outside) etc etc..

Your referred link is looking same like my scenario, hopefully it will solve...

Thanks in advance,,,

Junaid

topic ASA 5510 configuration problem in Network Security

ASA 5510 configuration problem

Re: ASA 5510 configuration problem

Re: ASA 5510 configuration problem