02-12-2007 12:52 PM - edited 03-11-2019 02:32 AM
Help
I have been hitting my head against this brick wall called an ASA5510. I was trying to configure it as a straight firewall with a DMZ interface and connecting a DNS server to that. But right now I would be happy with just passing HTTP between int 0/0 and 0/2.
Current config is attached.
02-12-2007 01:01 PM
Config is missing.
02-12-2007 01:07 PM
02-12-2007 01:18 PM
Setting all three interfaces at the same security level will cause problems. Here is what is recommended:
Outside interface (security-level 0)
DMZ interface (security-level 50)
Inside interface (security-level 100). You can enter the following commands to set the interfaces accordingly:
interface Ethernet0/0
security-level 0
interface Ethernet0/1
security-level 100
interface Ethernet0/2
security-level 50
no nat (DMZ) 200 10.10.RRR.RRR 255.255.255.0
nat (DMZ) 200 10.30.xxx.xxx 255.255.255.0
no global (DMZ) 200 10.30.RRR.RRR-10.30.RRR.RRR netmask 255.0.0.0
global (DMZ) 200 interface
nat (inside) 200 0 0
clear xlate
Please implement the above commands.
02-12-2007 01:42 PM
02-12-2007 01:15 PM
02-12-2007 04:38 PM
Hi, still using security 50 for all the interfaces. You could use the command below to allow traffic to traverse the firewall, but you really should change the security levels as recommended in the previous posts.
same-security-traffic permit inter-interface
I hope it helps. Please rate it if it does!
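The two replies above describe the ASA's default interface rule (higher security level to lower is permitted, lower to higher is denied, equal levels are denied unless same-security-traffic permit inter-interface is set) and the fact that an inbound ACL applied with access-group takes over that decision. The following is an added example, not code from this thread or from Cisco: a small Python model that reads an ASA-style config fragment and reports what the default rules would do with a new connection between two interfaces. The config fragments are constructed for this example (the poster's attached config is not on the page), the DMZ host 10.30.1.10 and the ACL name outside_in are assumptions, and the model deliberately ignores NAT, nat-control and xlates, which the nat/global commands in the thread deal with separately.

```python
"""Model of the ASA interface security-level rule (added illustration, not Cisco code).

Parses a few lines of ASA-style config and decides what the default
interface rules do with a new connection from one nameif to another.
NAT, nat-control and xlate state are intentionally not modelled.
"""
import re

# Constructed fragment: the poster's starting point, all three interfaces at 50.
CONFIG_ALL_50 = """
interface Ethernet0/0
 nameif outside
 security-level 50
interface Ethernet0/1
 nameif inside
 security-level 50
interface Ethernet0/2
 nameif DMZ
 security-level 50
"""

# Constructed fragment: the recommended levels, plus an inbound ACL on outside
# that lets HTTP reach an assumed DMZ host (10.30.1.10 and outside_in are assumptions).
CONFIG_RECOMMENDED = """
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif DMZ
 security-level 50
access-list outside_in extended permit tcp any host 10.30.1.10 eq www
access-group outside_in in interface outside
"""


def parse_config(text):
    """Return (levels, same_sec_inter, acl_on) from ASA-style config text.

    levels:         nameif -> security-level
    same_sec_inter: True if 'same-security-traffic permit inter-interface' is present
    acl_on:         nameif -> name of the ACL applied inbound with access-group
    """
    levels, acl_on = {}, {}
    same_sec_inter = False
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                      # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("security-level ") and current:
            levels[current] = int(line.split()[1])
        elif line == "same-security-traffic permit inter-interface":
            same_sec_inter = True
        else:
            m = re.match(r"access-group (\S+) in interface (\S+)$", line)
            if m:
                acl_on[m.group(2)] = m.group(1)
    return levels, same_sec_inter, acl_on


def flow_verdict(config_text, src, dst):
    """What the ASA does with a new connection entering src and leaving dst.

    'acl'          an inbound ACL on src governs (its implicit deny applies)
    'allowed'      higher to lower security level, permitted by default
    'denied'       lower to higher security level, denied without an ACL
    'same-allowed' equal levels, permitted by same-security-traffic
    'same-denied'  equal levels, denied because that command is absent
    """
    levels, same_sec_inter, acl_on = parse_config(config_text)
    if src in acl_on:
        return "acl"
    s, d = levels[src], levels[dst]
    if s > d:
        return "allowed"
    if s < d:
        return "denied"
    return "same-allowed" if same_sec_inter else "same-denied"


def verdict_table(config_text):
    """Verdict for every ordered pair of interfaces, as {(src, dst): verdict}."""
    levels, _, _ = parse_config(config_text)
    names = sorted(levels)
    return {(a, b): flow_verdict(config_text, a, b) for a in names for b in names if a != b}


if __name__ == "__main__":
    for label, cfg in (("all at 50", CONFIG_ALL_50),
                       ("all at 50 + same-security-traffic",
                        CONFIG_ALL_50 + "same-security-traffic permit inter-interface\n"),
                       ("recommended levels", CONFIG_RECOMMENDED)):
        print(f"== {label}")
        for (a, b), v in verdict_table(cfg).items():
            print(f"  {a:>8} -> {b:<8} {v}")
```

With all interfaces at 50 every pair comes back same-denied, which is the wall the original poster hit; adding same-security-traffic permit inter-interface flips all of them to same-allowed at once, which is why the replies prefer distinct levels: with 0/100/50, inside reaches the DMZ and the outside by default, the DMZ cannot reach the inside without an ACL, and what the outside may reach is exactly what the inbound ACL says.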
02-12-2007 04:41 PM
Could you also add the following commands:
no service-policy outside-policy interface outside
I had also mentioned these commands earlier:
nat (DMZ) 200 10.30.xxx.xxx 255.255.255.0
global (DMZ) 200 interface
Then issue "clear xlate".
After these commands, let me know from the 10.30.x.x (DMZ) network if you are able to ping the default gateway of the PIX.
02-13-2007 06:05 AM
First off, let me thank you for all your help; it is greatly appreciated. I have attached the current config of the ASA5510 with the various commands highlighted; this is for my benefit, so that I am assured that they were entered correctly, as I have been working with this for 2+ weeks.
Some additional info: this device is going in place of an old firewall that was on an NT 4.0 server running Gauntlet software. I have reused the addresses that are currently on the current FW, and whenever the ASA configuration is tested it is inserted in the Gauntlet's place, removing it from the circuit. None of our equipment filters MAC addresses, so that cannot be an issue.