Basic setup for cisco 5510

okoroji80
Beginner

Dear All,

Kindly assist with the basic configuration for setting up a Cisco ASA 5510 for NAT and a DMZ.

9 Replies

Riyasat Ali
Beginner

NAT to provide Internet access if you have 8.2 or below:

nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface

Let me know if you need anything specific for a specific scenario.

Sent from Cisco Technical Support iPhone App

I can hardly get to the Internet.

Below is my config:

ciscoasa> EN
Password:
ciscoasa# SH RUN
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 41.206.22.86 MTN-Link
!
interface Ethernet0/0
 description 16mbps link
 nameif outside
 security-level 0
 ip address MTN-Link 255.255.255.252
!
interface Ethernet0/1
 description Inside
 nameif inside
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 10.10.10.1 255.255.255.
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone WAT 1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 41.206.22.84 255.255.255.252
nat (inside) 1 192.168.10.0 255.255.255.0
route DMZ 10.10.10.0 255.255.255.0 MTN-Link 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statist
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
<--- More --->

Jude,

The security level protects higher security networks from lower security networks by imposing additional protection between the two. By default, there is an implicit permit from a higher security interface to a lower security interface (outbound).  Hosts on the higher security interface can access any host on a lower security interface.

In your case you have the "inside" and "DMZ" interfaces set to "0", which should only be the case for your outside interface; please change the security level to 100 or something higher than 0.

Example:

configure terminal

interface Ethernet0/1
 security-level 100

interface Ethernet0/2
 nameif DMZ
 security-level 50

Moving on, you need to add the following NAT for your DMZ and remove the current NAT rule for the outside interface:

no nat (outside) 1 41.206.22.84 255.255.255.252

nat (DMZ) 1 10.10.10.0 255.255.255.0

Finally, you need to set the default gateway to get out to the Internet. To enter a default route, set ip_address and netmask to 0.0.0.0 and type the IP address of the gateway router (the next-hop address for this route), which is the device directly connected to your outside interface (the ISP router).

The following example shows how to specify one default route command for an outside interface: 

route outside 0.0.0.0 0.0.0.0 <ISP-router-IP>

Remove the line you already have:

no route DMZ 10.10.10.0 255.255.255.0 MTN-Link 1

I hope it helps,

Juan Lombana

Please rate helpful posts.
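The changes Juan lists above, collected into one ASA 8.2 configuration fragment. This is an added example, not configuration posted by anyone in this thread: the interface addresses are the ones from Jude's config, while 203.0.113.1 is a placeholder for the ISP router's address and must be replaced with the real next hop.

```cisco
! Added example: ASA 8.2 outbound baseline for the three-interface design in
! this thread. 203.0.113.1 is a placeholder for the ISP router; all other
! addresses are taken from Jude's posted config.
!
! 1. Security levels. The implicit permit only flows from a higher level to a
!    lower one, so with outside, inside and DMZ all at 0 nothing crosses the
!    firewall without an explicit ACL. nameif is case-sensitive; "dmz" is used
!    here because Jude's later config uses that spelling.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! 2. Outbound NAT in 8.2 syntax: one PAT pool on the outside interface address,
!    plus a nat statement for every internal interface that should use it.
!    There is deliberately no nat (outside) line; translating the ISP /30 was
!    never useful.
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0
!
! 3. Inside -> DMZ, as Juan suggests: nat (inside) 1 already matches this
!    traffic, so only a global for the dmz side is required. Inside hosts then
!    appear to DMZ servers as 10.10.10.1.
global (dmz) 1 interface
!
! 4. Default route. The old "route DMZ 10.10.10.0 ..." entry was wrong twice
!    over: 10.10.10.0/24 is directly connected, and MTN-Link is the ASA's own
!    outside address (see "name 41.206.22.86 MTN-Link"), not a next hop.
no route DMZ 10.10.10.0 255.255.255.0 MTN-Link 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Checks after applying:
!   show nameif   - interface, name and security level in one table
!   show route    - the 0.0.0.0 0.0.0.0 entry should point at outside
!   show xlate    - PAT entries appear once an inside host opens a connection
```

Because ASA 8.2 ships with nat-control disabled, inside-to-DMZ traffic would also pass with no translation at all; the global (dmz) line follows Juan's suggestion and has the side effect of hiding inside addresses from DMZ hosts.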

Thanks Julomban.

What ports do I need to open for this config to work?

As described in the network diagram above, I intend to have the following setup:

1. One interface on the ASA5510 connected to the Internet.

2. The second interface will be made the DMZ (to house the video conference equipment) to keep the servers on this subnet from public and unauthorized users.

3. The third interface is to be connected to the core switch in my design.

4. There is also a need to open up ports to allow video traffic in and out. How can I get this done?

Finally, there will be a need to allow some key network users access to the DMZ through the core switch.

thanks

Jude.

skype:judeokoroji

Hello Riyasat Ali,

Below is my config that did not work.

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 41.206.22.86 MTN-Link
!
interface Ethernet0/0
 description 16mbps link
 nameif outside
 security-level 0
 ip address MTN-Link 255.255.255.252
!
interface Ethernet0/1
 description Inside
 nameif inside
 security-level 0
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 10.10.10.1 255.255.255.
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone WAT 1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 41.206.22.84 255.255.255.252
nat (inside) 1 192.168.10.0 255.255.255.0
route DMZ 10.10.10.0 255.255.255.0 MTN-Link 1

What I want to achieve is this:

As described in the network diagram above, I intend to have the following setup:

1. One interface on the ASA5510 connected to the Internet.

2. The second interface will be made the DMZ (to house the video conference equipment) to keep the servers on this subnet from public and unauthorized users.

3. The third interface is to be connected to the core switch in my design.

4. There is also a need to open up ports to allow video traffic in and out. How can I get this done?

Finally, there will be a need to allow some key network users access to the DMZ through the core switch.

thanks

Jude.

skype:judeokoroji

Jude,

I don't see any changes in the latest config you published. Security levels, NAT and routes are exactly the same as in the original config. With the configuration changes I suggested you should be able to get out to the Internet from inside and DMZ.

For the video traffic you need to allow inbound traffic using a static NAT translation and ACLs opening the video ports that you need. I am not sure if you require traffic from inside to access the DMZ server; if that's the case you may need to add the following line as well:

global (dmz) 1 interface

Regards,

Juan Lombana

Please rate helpful posts.

This is my final setup:

ciscoasa> en
Password:
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 41.206.22.x 255.255.255.x
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 41.206.22.85 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.10.2-10.10.10.254 dmz
dhcpd dns 192.168.1.25 4.2.2.2 interface dmz
dhcpd lease 86400 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74451a247b3a4e0d94b4d329509e3510
: end

Jude,

With the last config provided you should be able to get out to the Internet from inside and DMZ using your outside interface; also, from the inside interface you should be able to reach servers on the DMZ network.

4. There is also a need to open up ports to allow video traffic in and out. How can I get this done?

From where do you need to allow the video traffic? From outside (Internet) to the DMZ, or from inside?

If it is from the outside coming in, you need to allow the packets via NAT and ACLs, for example:

static (dmz,outside) 41.206.22.x 10.10.10.15

access-list 101 permit tcp any host 41.206.22.x eq 6666

Regards,

Juan Lombana

Please rate helpful posts.
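Juan's two lines above, expanded into a fuller inbound rule set for the DMZ video endpoint, together with an inside ACL for the "key users" requirement from Jude's earlier post. This is an added example, not configuration from the thread. It reuses 10.10.10.15 and port 6666 from Juan's example and the ASA's outside address 41.206.22.86 from Jude's first config; 198.51.100.20 is a placeholder for the remote conferencing peer, host addresses 192.168.10.10 and .11 are placeholders for the permitted inside users, and the port list must be replaced with the ports the conferencing vendor documents.

```cisco
! Added example (not from the thread): publishing one DMZ video endpoint
! inbound on ASA 8.2 and limiting which inside hosts may reach the DMZ.
! Placeholders: 198.51.100.20 = remote conferencing peer, 192.168.10.10/.11 =
! permitted inside users, 6666 = Juan's example port. 41.206.22.86 is the
! ASA's outside address from Jude's first config; 10.10.10.15 is Juan's
! example DMZ host.
!
! Port static on the outside interface address. Jude's /30 has no spare
! public address, so Juan's one-to-one form ("static (dmz,outside) <public>
! 10.10.10.15") would need an extra address routed to the ASA by the ISP;
! a port-level static on the interface address avoids that. One line per
! published port keeps the exposed surface explicit.
static (dmz,outside) tcp interface 6666 10.10.10.15 6666 netmask 255.255.255.255
static (dmz,outside) tcp interface 1720 10.10.10.15 1720 netmask 255.255.255.255
!
! Inbound ACL on outside. The source is the known far-end peer rather than
! "any", and the destination is the interface address. The ICMP lines are
! three of the four from Jude's final config; source-quench is left out
! because it is obsolete (RFC 6633).
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp host 198.51.100.20 interface outside eq 6666
access-list 101 extended permit tcp host 198.51.100.20 interface outside eq 1720
access-group 101 in interface outside
!
! H.323 call setup uses TCP 1720 (H.225). With "inspect h323 h225" and
! "inspect h323 ras" already in global_policy, the ASA opens the negotiated
! RTP/RTCP media ports for each call on demand, so only the signalling port
! needs a permanent entry. SIP endpoints need 5060 instead, and "inspect sip"
! plays the same role for their media.
!
! Inside -> DMZ is implicitly permitted (100 -> 50). Applying an ACL to the
! inside interface replaces that implicit permit, so the permitted users are
! listed first, other inside hosts are denied reaching the DMZ, and the final
! line keeps Internet access for everyone.
access-list inside_in extended permit ip host 192.168.10.10 10.10.10.0 255.255.255.0
access-list inside_in extended permit ip host 192.168.10.11 10.10.10.0 255.255.255.0
access-list inside_in extended deny ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any
access-group inside_in in interface inside
!
! Checks:
!   show access-list 101             - per-line hit counts; the trailing
!                                      deny-all is implicit and not listed
!   show xlate | include 10.10.10.15 - the static entries are always present
!   packet-tracer input outside tcp 198.51.100.20 40000 41.206.22.86 6666
!                                  - walks ACL, NAT and routing for one
!                                    synthetic packet and shows where it drops
```

The packet-tracer check is the quickest way to confirm, before the far end calls in, that the ACL line and the static are matched in the order the ASA actually evaluates them.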
