07-24-2018 01:00 PM - edited 02-21-2020 08:00 AM
I have a legacy PC (XP) running legacy software that has to be on the same subnet, however we need to put it behind a firewall.
I put the ASA in transparent mode and assigned BVI1 an IP address.
I need ports 4000, 966 and 950
as well as letting a device 10.xxx.xxx.002 access the PC
What are my next steps?
07-24-2018 01:41 PM - edited 07-24-2018 01:42 PM
1. Assign BVI1 group to interfaces "bridge-group 1"
2. Add "name-if" to the interfaces
3. Add security levels
4. Add ACL to the interface using "access-group" with the ports needed
Troy
07-24-2018 04:04 PM
interface GigabitEthernet1/1
bridge-group 1
nameif outside
security-level 0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside
security-level 100
ACL is next.
07-24-2018 07:50 PM
hostname(config)# access-list OUTSIDE extended permit ip host 10.13.31.2 host any
hostname(config)# access-group OUTSIDE in interface outside
hostname(config)# access-list INSIDE permit tcp any host any eq 4001
hostname(config)# access-list INSIDE permit tcp any host any eq 950
hostname(config)# access-list INSIDE permit tcp any host any eq 966
hostname(config)# access-group INSIDE in interface outside
Would that work for having the external IP address access the device behind the firewall,
and the device behind the firewall access the other devices via those ports only?
07-24-2018 09:27 PM
If by external you mean IP addresses from the OUTSIDE interface then yes. The same goes for the INSIDE interface traffic. You will need to change the config a little. I put the changes below:
hostname(config)# access-list OUTSIDE extended permit ip host 10.13.31.2 any
hostname(config)# access-group OUTSIDE in interface outside
hostname(config)# access-list INSIDE permit tcp any any eq 4001
hostname(config)# access-list INSIDE permit tcp any any eq 950
hostname(config)# access-list INSIDE permit tcp any any eq 966
hostname(config)# access-group INSIDE in interface inside
07-25-2018 07:20 AM
Thanks, I got that.
I'm trying to get the Web GUI or SSH to work from the outside to the ASA.
Would that be another policy?
http server enable
http 0.0.0.0 0.0.0.0 outside
07-25-2018 08:04 AM
No. But you will need a few extra commands to get SSH and ASDM running.
For ASDM you have the right config; you just need to make sure the "asdm image" command is pointing to the right ASDM file and set up AAA with a username/password, e.g.
aaa authentication http console LOCAL
For SSH you will need to configure:
- Crypto Key
- AAA with username/password, e.g.
aaa authentication ssh console LOCAL
- ssh 0.0.0.0 0.0.0.0 outside
You can find the complete configuration in this guide:
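Added example, not part of the thread or any Cisco tool: a small Python lint that checks an ASA config fragment for the two mistakes corrected above (the `host any` object and two `access-group ... in` bindings on the same interface, where the ASA keeps only one per interface and direction) and flags `http`/`ssh` management opened to `0.0.0.0 0.0.0.0`. The draft and fixed fragments are constructed from the thread's lines; the narrowed management host 10.13.31.2 in the fixed version is an assumption.

```python
import re

# Constructed draft fragment (not a real device's config): the thread's first ACL
# attempt, INSIDE ACL bound to the outside interface, plus wide-open management.
DRAFT_CONFIG = """
access-list OUTSIDE extended permit ip host 10.13.31.2 host any
access-group OUTSIDE in interface outside
access-list INSIDE permit tcp any any eq 4001
access-list INSIDE permit tcp any any eq 950
access-group INSIDE in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

# Same fragment after the thread's corrections; management access is narrowed
# to a single admin host (assumed value, reusing the thread's example address).
FIXED_CONFIG = """
access-list OUTSIDE extended permit ip host 10.13.31.2 any
access-group OUTSIDE in interface outside
access-list INSIDE permit tcp any any eq 4001
access-list INSIDE permit tcp any any eq 950
access-group INSIDE in interface inside
http server enable
http 10.13.31.2 255.255.255.255 outside
ssh 10.13.31.2 255.255.255.255 outside
"""

def lint_asa_config(text):
    """Return a list of (severity, message) findings for an ASA config fragment."""
    findings = []
    bound = {}  # (interface, direction) -> ACL names bound there, in config order
    for raw in text.splitlines():
        line = raw.strip()
        # "host" must be followed by an address; "host any" is not a valid object.
        if line.startswith("access-list") and re.search(r"\bhost any\b", line):
            findings.append(("error", "invalid object 'host any': " + line))
        m = re.match(r"access-group (\S+) (in|out) interface (\S+)$", line)
        if m:
            bound.setdefault((m.group(3), m.group(2)), []).append(m.group(1))
        m = re.match(r"(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            findings.append(("warning", f"{m.group(1)} management reachable from any source on {m.group(2)}"))
    for (intf, direction), acls in bound.items():
        if len(acls) > 1:
            # A second access-group binding replaces the first, so the earlier ACL
            # silently stops applying to that interface and direction.
            findings.append(("error", f"{acls} all bound '{direction}' on {intf}; only {acls[-1]} stays active"))
    return findings
```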
07-26-2018 07:53 AM
Thank you for all your help.