ASA 5510 basic setup help

Lon
Level 1

I have an ASA 5510 with asa8.4(2) and asdm6.4(5)205. I have a new basic config, nothing special at this time. I just cannot seem to get from the inside to the outside. From the outside interface I can ping, so I have a good Internet connection.

write term
: Saved
:
ASA Version 8.4(2)
!
hostname xxxxx
domain-name xxxxx
enable password xxxxx encrypted
passwd xxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 69.x.x.82 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 0
 ip address 10.1.0.2 255.255.0.0
!
interface Ethernet0/2
 nameif dmz
 security-level 80
 ip address 172.168.1.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa842-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx
object network inside-network
 subnet 10.1.0.0 255.255.0.0
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-205.bin
no asdm history enable
arp timeout 14400
!
object network inside-network
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.x.x.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
  quit
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:xxxxx
: end
[OK]


3 Replies

varrao
Level 10
(Accepted Solution)

Hi Lon,

Why do you have the inside interface on security-level 0? It should be 100; otherwise you need to add this command:

same-security-traffic permit inter-interface

Let me know how it goes.

Thanks,

Varun

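As an added illustration (not part of Varun's reply or Lon's post), the script below reads the interface blocks of an ASA running-config in the form posted above and reports what Varun spotted: two routed interfaces on the same security-level with no same-security-traffic permit inter-interface, and an inside interface that is not at 100. The permit/deny logic is a simplified model of the ASA's interface checks written for this example (an assumption, not Cisco's code), the ACL handling only recognises the permit ip any any rule used in the posted config, and the sample config embedded in the script is a constructed excerpt of the lines posted above.

```python
"""Lint an ASA running-config for the fault in this thread: two routed
interfaces on one security-level with no 'same-security-traffic permit
inter-interface', which drops every flow between them.  Permit/deny logic is
a simplified model written for this example, not Cisco's code."""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 0
!
interface Ethernet0/2
 nameif dmz
 security-level 80
!
interface Management0/0
 nameif management
 security-level 100
 management-only
!
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
"""


@dataclass
class AsaConfig:
    levels: dict = field(default_factory=dict)     # nameif -> security-level
    mgmt_only: set = field(default_factory=set)    # nameifs carrying no through-traffic
    acl_rules: dict = field(default_factory=dict)  # acl name -> rule strings
    acl_in: dict = field(default_factory=dict)     # nameif -> acl applied inbound
    same_security_inter: bool = False


def parse_asa_config(text: str) -> AsaConfig:
    cfg = AsaConfig()
    nameif = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None
        elif m := re.fullmatch(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.fullmatch(r"security-level (\d+)", line)) and nameif:
            cfg.levels[nameif] = int(m.group(1))
        elif line == "management-only" and nameif:
            cfg.mgmt_only.add(nameif)
        elif m := re.fullmatch(r"access-list (\S+) (.+)", line):
            cfg.acl_rules.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            cfg.acl_in[m.group(2)] = m.group(1)
        elif line == "same-security-traffic permit inter-interface":
            cfg.same_security_inter = True
    return cfg


def permitted(cfg: AsaConfig, src: str, dst: str) -> tuple:
    """Decide whether a flow entering on src and leaving on dst is allowed."""
    s, d = cfg.levels[src], cfg.levels[dst]
    if s == d and not cfg.same_security_inter:
        return False, (f"{src} and {dst} are both security-level {s} and "
                       "same-security-traffic permit inter-interface is missing")
    acl = cfg.acl_in.get(src)
    if acl is not None:  # an applied access-group decides, implicit deny at the end
        if "extended permit ip any any" in cfg.acl_rules.get(acl, []):
            return True, f"permitted by access-list {acl}"
        return False, f"denied by access-list {acl} (implicit deny)"
    if s > d:
        return True, "implicit permit from higher to lower security-level"
    return False, "lower to higher security-level needs an access-list"


def lint(cfg: AsaConfig) -> list:
    """Report the two things the accepted answer points at."""
    findings = []
    routed = sorted(n for n in cfg.levels if n not in cfg.mgmt_only)
    for i, a in enumerate(routed):
        for b in routed[i + 1:]:
            if cfg.levels[a] == cfg.levels[b] and not cfg.same_security_inter:
                findings.append(f"{a}/{b} share security-level {cfg.levels[a]} "
                                "without same-security-traffic permit inter-interface")
    if "inside" in cfg.levels and cfg.levels["inside"] != 100:
        findings.append(f"inside is security-level {cfg.levels['inside']}; "
                        "the trusted interface is conventionally 100")
    return findings


if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    for finding in lint(cfg):
        print("WARN:", finding)
    print(permitted(cfg, "inside", "outside"))
```

Either fix clears the inside/outside finding: raising inside to security-level 100 (what Lon applied) or adding same-security-traffic permit inter-interface, which keeps both interfaces at 0 and so still leaves the second warning. On the box itself, packet-tracer input inside tcp 10.1.0.10 12345 <outside host> 80 shows the same decision along with the phase that dropped the flow, which is the quickest way to confirm the change took effect.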

Lon
Level 1

Thank you very much. I cannot believe I overlooked that being '0'. I changed it and it works well now. I really appreciate your assistance and value any advice anyone has to offer.

varrao
Level 10

Hi Lon,

Glad I could help

Varun