topic Re: ASA 5520 configuration in Network Security

ASA 5520 configuration

ict — Mon, 11 Mar 2019 12:03:22 GMT

Hello,

We just bought an ASA 5520 firewall. We configured two interfaces in different subnets. Because the 5520 is a router it must be possible two ping interfaces in different subnets. I cannot get it to work in our ASA 5520. Anybody knows how to configure this?

Re: ASA 5520 configuration

JORGE RODRIGUEZ — Sun, 17 Feb 2008 00:26:44 GMT

Can you provide more details on the interfaces configuration, are they trusted inside interfaces? 1st thing comes to mind is if the interfaces are configured with same security level and are to be trusted meaning you do not want acls between them, if this is the case try adding this statement.

same-security-traffic permit inter-interface

Rgds

Jorge

Re: ASA 5520 configuration

srue — Sun, 17 Feb 2008 12:47:50 GMT

the ASA5520 is *not* a router. And it is *not* possible to ping an ASA interface other than the one which is closest to you.

Re: ASA 5520 configuration

JORGE RODRIGUEZ — Sun, 17 Feb 2008 18:20:36 GMT

Hi Steven, I disagree with you on " it is *not* possible to ping an ASA interface other than the one which is closest to you".

Perhaps I am missunderstanding it.

For instance, you may have two same security level interaces under two difference subnets and be able to ping accross each other including their respective physical interfaces in the case of implementing same-security-traffic permit inter-interface.

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1289167

Re: ASA 5520 configuration

ict — Mon, 18 Feb 2008 10:26:36 GMT

Thank you very much for your input. I have configured the ASA with two interfaces. I have set the interfaces within the same trusted level (100). And I checked the radiobutton that the firewall can accept traffic through interfaces that have the same security level. The configuration of the interfaces is:

Interface 1:

IP: 192.168.1.1

Mask: 255.255.255.0

Interface 2:

IP: 172.16.1.1

Mask: 255.255.240.0

This is my test environment. I only configured the interfaces, not rules or anything like that. A ping command within the same subnet is possible but from one interface to the other is not possible. I want to create a DMZ with the ASA as frontend firewall and an ISA server as backend firewall. This means that the interfaces must communicate in order to send traffic from the internet to DMZ to LAN and the other way around.

Re: ASA 5520 configuration

JORGE RODRIGUEZ — Mon, 18 Feb 2008 19:41:33 GMT

Lets put aside for a minute pinging interfaces accross, do you have vlans for each of these networks configured on your inside switch? can a host from 192.168.1.x net freely ping another host on 172.16.1.x network and vice versa?

Re: ASA 5520 configuration

ict — Tue, 19 Feb 2008 13:17:10 GMT

I haven't configured vlans. Is that a requirement to ping from one interface to the other? At the moment it is not possible to ping from one host in 192.168.1.x to a host on 172.16.1.x and vice versa. Thanks.

Re: ASA 5520 configuration

JORGE RODRIGUEZ — Wed, 20 Feb 2008 04:12:22 GMT

you need to separate the networks with respective VLANS.. where does your ASA interfaces currently connects to in respect to your inside interfaces.

e.g

ASA_firewall

Interface ethernet2-or-gigabit

nameif VLAN2

security-level 0

ip address 192.168.1.1 255.255.255.0

Interface ethernet3-or-gigabit

nameif VLAN3

security-level 0

ip address 172.16.1.1 255.255.240.0

same-security-traffic permit inter-interface

global (outside) 1 interface

nat(VLAN2) 1 192.168.1.0 255.255.255.0

nat(VLAN3) 1 172.16.1. 255.255.255.240

e.g on switch similar config

Switch:

vlan database

vtp transparent

vtp domain test_lab

vtp password cisco

vlan 2 name net_192.168.1.0/24

vlan 3 name net_172.16.1.0/28

interface fastethernet0/1

Description ASA_Ethernet2_Connection

switchport access vlan 2

interface fastethernet0/2

Description ASA_Ethernet3_Connection

switchport access vlan 3

interface fastethernet0/4

Description HOST_192.168.1.100

switchport access vlan 2

interface fastethernet0/5

Description HOST_172.16.1.10

switchport access vlan 3

with this simple config you should be able to ping/reach hosts without acls, if you cannot please look at asa logs to see what the problem could be, post results.

Re: ASA 5520 configuration

ict — Wed, 20 Feb 2008 13:43:12 GMT

Thank you very much. I will try this configuration. I will let you know if this configuration has worked for me.

Re: ASA 5520 configuration

JORGE RODRIGUEZ — Thu, 21 Feb 2008 17:18:45 GMT

Hi, have your test being successfull let me know what the update is.

Rgds

Jorge

Re: ASA 5520 configuration

ict — Fri, 22 Feb 2008 15:03:37 GMT

Hi,

Me and my colleague are gonna start monday with the initial installation. I will let you know somewhere next week if the configuration has worked. Thank you very much!

Regards

Martijn

Re: ASA 5520 configuration

JORGE RODRIGUEZ — Fri, 22 Feb 2008 23:45:17 GMT

Martijn, not problem we are here to help you in this issue , I'll keep my eyes opened.

Rgds

Jorge