11-28-2012 03:00 AM - edited 03-11-2019 05:29 PM
Dear All,
kindly assist with the basic configuration for setting up cisco ASA 5510 for NAT and DMZ.
11-28-2012 04:10 AM
NAT to provide Internet access, if you have 8.2 and below:
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
Let me know if you need anything specific for a specific scenario.
11-29-2012 04:25 AM
I can hardly get to the Internet.
11-29-2012 04:27 AM
Below is my config:
ciscoasa> EN
Password:
ciscoasa# SH RUN
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 41.206.22.86 MTN-Link
!
interface Ethernet0/0
description 16mbps link
nameif outside
security-level 0
ip address MTN-Link 255.255.255.252
!
interface Ethernet0/1
description Inside
nameif inside
security-level 0
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone WAT 1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 41.206.22.84 255.255.255.252
nat (inside) 1 192.168.10.0 255.255.255.0
route DMZ 10.10.10.0 255.255.255.0 MTN-Link 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statist
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
11-29-2012 05:28 AM
Jude,
The security level protects higher security networks from lower security networks by imposing additional protection between the two. By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface.
In your case you have the "inside" and "DMZ" set to "0" which should only be your outside interface, please change the security level to 100 or something higher than 0.
Example:
conf t
interface Ethernet0/1
security-level 100
interface Ethernet0/2
nameif DMZ
security-level 50
Moving on, you need to add the following NAT for your DMZ and remove the current NAT rule for the outside interface:
no nat (outside) 1 41.206.22.84 255.255.255.252
nat (DMZ) 1 10.10.10.0 255.255.255.0
Finally, you need to set the default gateway to get out to the Internet. To enter a default route, set ip_address and netmask to 0.0.0.0, then type the IP address of the gateway router (the next-hop address for this route), which is the device directly connected to your outside interface (the ISP router).
The following example shows how to specify one default route command for an outside interface (replace the placeholder with the ISP router's address):
route outside 0.0.0.0 0.0.0.0 <isp-gateway-ip>
Remove the line you already have:
no route DMZ 10.10.10.0 255.255.255.0 MTN-Link 1
I hope it helps,
Juan Lombana
Please rate helpful posts.
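As an added illustration, not part of the reply above or of any Cisco tooling, the following Python script audits an 8.2-style configuration for the three faults just described: trusted interfaces sharing security-level 0 with outside (equal-level interfaces do not pass traffic to each other unless `same-security-traffic permit inter-interface` is set, and nat/global only translates from a higher level to a lower one), `nat` statements with no `global` of the same id on a lower-security interface, and the missing default route. It also flags the posted `route DMZ ... MTN-Link` line, whose next hop is the ASA's own outside address (MTN-Link is 41.206.22.86, the address assigned to Ethernet0/0). The two sample configs are constructed from the lines posted above, with the MTN-Link name resolved and the management interface left out; the parser understands only the commands that appear in them.

```python
"""Audit an ASA 8.2-style config for the faults raised in this thread:
security levels, nat/global pairing, and routing. Added example, not Cisco code."""
import re
from typing import Dict, List

# Constructed sample: interface, nat, global and route lines from the posted config,
# MTN-Link resolved to 41.206.22.86, management interface omitted.
POSTED_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 41.206.22.86 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 0
 ip address 192.168.10.254 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 10.10.10.1 255.255.255.0
global (outside) 1 interface
nat (outside) 1 41.206.22.84 255.255.255.252
nat (inside) 1 192.168.10.0 255.255.255.0
route DMZ 10.10.10.0 255.255.255.0 41.206.22.86 1
"""

# The same lines after the changes suggested in the reply (gateway 41.206.22.85 as in
# the final config posted later in the thread).
CORRECTED_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 41.206.22.86 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.10.10.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
nat (DMZ) 1 10.10.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 41.206.22.85 1
"""

NAT = re.compile(r"^nat \((\S+)\) (\d+)")
GLOBAL = re.compile(r"^global \((\S+)\) (\d+)")
ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse(config: str) -> dict:
    """Collect interfaces (nameif, level, ip), nat, global and route statements."""
    ifaces: List[dict] = []
    cfg = {"interfaces": ifaces, "nat": [], "global": [], "routes": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ifaces.append({"nameif": None, "level": None, "ip": None})
        elif line.startswith("nameif "):
            ifaces[-1]["nameif"] = line.split()[1].lower()
        elif line.startswith("security-level "):
            ifaces[-1]["level"] = int(line.split()[1])
        elif line.startswith("ip address "):
            ifaces[-1]["ip"] = line.split()[2]
        elif m := NAT.match(line):
            cfg["nat"].append((m.group(1).lower(), m.group(2)))
        elif m := GLOBAL.match(line):
            cfg["global"].append((m.group(1).lower(), m.group(2)))
        elif m := ROUTE.match(line):
            r_if, net, mask, gw = m.groups()
            cfg["routes"].append((r_if.lower(), net, mask, gw))
    return cfg


def audit(config: str) -> List[str]:
    """Return one finding per problem; an empty list means the three checks pass."""
    cfg = parse(config)
    levels: Dict[str, int] = {i["nameif"]: i["level"] for i in cfg["interfaces"] if i["nameif"]}
    own_ips = {i["ip"] for i in cfg["interfaces"] if i["ip"]}
    findings: List[str] = []

    # 1. Only the untrusted interface should sit at the lowest security level.
    lowest = min(levels.values())
    at_bottom = sorted(n for n, lvl in levels.items() if lvl == lowest)
    if len(at_bottom) > 1:
        findings.append(f"security-level: {', '.join(at_bottom)} all sit at {lowest}; "
                        "give the trusted interfaces a higher level")

    # 2. Every nat id needs a global with the same id on a lower-security interface.
    for nat_if, nat_id in cfg["nat"]:
        paired = [g_if for g_if, g_id in cfg["global"]
                  if g_id == nat_id and levels.get(g_if, -1) < levels.get(nat_if, -1)]
        if not paired:
            findings.append(f"nat ({nat_if}) {nat_id}: no global {nat_id} on a lower-security "
                            "interface, so this rule translates nothing")
    nat_ifaces = {n for n, _ in cfg["nat"]}
    for name, lvl in levels.items():
        if lvl > lowest and name not in nat_ifaces:
            findings.append(f"{name}: no nat statement, so its hosts leave untranslated")

    # 3. A default route is required, and no next hop may be the ASA's own address.
    if not any(net == "0.0.0.0" and mask == "0.0.0.0" for _, net, mask, _ in cfg["routes"]):
        findings.append("route: no default route (route outside 0.0.0.0 0.0.0.0 <isp-gateway>)")
    for r_if, net, mask, gw in cfg["routes"]:
        if gw in own_ips:
            findings.append(f"route {r_if} {net} {mask} {gw}: next hop is the ASA's own address")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {label}: {len(audit(text))} finding(s)")
        for f in audit(text):
            print("  -", f)
```

Run against the posted lines it reports five findings (the shared level 0, both nat statements unpaired, no default route, and the self-pointing route); against the corrected lines it reports none. The syntax modelled here is the pre-8.3 nat/global form only; 8.3 and later replaced it with object NAT and the checks would need rewriting.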
11-29-2012 01:29 PM
Thanks Julomban.
What ports do I need to open for this config to work?
As described in the network diagram above, I intend to have the following setup:
1. One interface on the ASA5510 connected to the Internet.
2. The second interface will be made the DMZ (to house the video conference equipment) to keep the servers on this subnet from public and unauthorized users.
3. The third interface is to be connected to the core switch in my design.
4. There is also a need to open up ports to allow video traffic in and out. How can I get this done?
Finally, there will be a need to allow some key network users access to the DMZ through the core switch.
Thanks,
Jude.
skype:judeokoroji
11-29-2012 01:37 PM
Hello Riyasat Ali,
Below is my config, which did not work.
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 41.206.22.86 MTN-Link
!
interface Ethernet0/0
description 16mbps link
nameif outside
security-level 0
ip address MTN-Link 255.255.255.252
!
interface Ethernet0/1
description Inside
nameif inside
security-level 0
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip address 10.10.10.1 255.255.255.
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone WAT 1
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 41.206.22.84 255.255.255.252
nat (inside) 1 192.168.10.0 255.255.255.0
route DMZ 10.10.10.0 255.255.255.0 MTN-Link 1
As described in the network diagram above, I intend to have the following setup:
1. One interface on the ASA5510 connected to the Internet.
2. The second interface will be made the DMZ (to house the video conference equipment) to keep the servers on this subnet from public and unauthorized users.
3. The third interface is to be connected to the core switch in my design.
4. There is also a need to open up ports to allow video traffic in and out. How can I get this done?
Finally, there will be a need to allow some key network users access to the DMZ through the core switch.
Thanks,
Jude.
skype:judeokoroji
11-29-2012 02:00 PM
Jude,
I don't see any changes in the latest config you published. Security levels, NAT and routes are exactly the same as in the original config. With the configuration changes I suggested you should be able to get out to the Internet from inside and DMZ.
For the video traffic you need to allow inbound traffic using a static NAT translation and ACLs opening the video ports that you need. I am not sure if you require traffic from inside to access the DMZ server; if that's the case you may need to add the following line as well:
global (dmz) 1 interface
Regards,
Juan Lombana
Please rate helpful posts.
11-30-2012 05:05 AM
This is my final setup
ciscoasa> en
Password:
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 41.206.22.x 255.255.255.x
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
no nameif
no security-level
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 41.206.22.85 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.10.10.2-10.10.10.254 dmz
dhcpd dns 192.168.1.25 4.2.2.2 interface dmz
dhcpd lease 86400 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:74451a247b3a4e0d94b4d329509e3510
: end
11-30-2012 06:39 AM
Jude,
With the last config provided you should be able to get out to the Internet from inside and DMZ using your outside interface; also, from the inside interface you should be able to reach servers on the DMZ network.
4. There is also a need to open up ports to allow video traffic in and out. How can I get this done?
From where do you need to allow the video traffic? From outside (Internet) to the DMZ or inside?
If it is from the outside coming in, you need to allow the packets via NAT and ACLs, for example:
static (dmz,outside) 41.206.22.x 10.10.10.15
access-list 101 permit tcp any host 41.206.22.x eq 6666
Regards,
Juan Lombana
Please rate helpful posts.
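As an added example, not taken from the reply above, the following Python model shows what the ASA does with an inbound packet on outside under the static-plus-ACL approach just suggested: the static xlate is looked up first, then the interface ACL is evaluated, and on 8.2 and earlier the ACL has to name the mapped (public) address, not the real DMZ address (8.3 changed this to the real address, which is a common migration trap). One caveat the `41.206.22.x` in the reply glosses over: the outside link in this thread is a /30 (41.206.22.84 255.255.255.252) with only .85 for the ISP and .86 for the ASA, so a one-to-one static needs an additional public address from the provider; otherwise the port-forward form on the interface address (`static (dmz,outside) tcp interface ...`) is the option. The sample config is constructed; 41.206.22.90 as a spare public address and 10.10.10.15 / 10.10.10.16 as the DMZ endpoints are assumptions, as is TCP 6666 copied from the reply.

```python
"""ASA 8.2 inbound model: static xlate first, then the outside ACL matched on the
MAPPED address. Added example with a constructed config, not Cisco code."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Addr = Union[str, Tuple[str, str]]   # "any", a host address, or (network, mask)

# Constructed sample. 41.206.22.90 is an assumed spare public address; the interface
# address 41.206.22.86 is the ASA's outside IP from the thread.
OUTSIDE_IP = "41.206.22.86"
INTERFACE_IPS = {"outside": OUTSIDE_IP}
CONFIG_82 = """\
static (dmz,outside) 41.206.22.90 10.10.10.15 netmask 255.255.255.255
static (dmz,outside) tcp interface 5060 10.10.10.16 5060 netmask 255.255.255.255
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit tcp any host 41.206.22.90 eq 6666
access-list 101 extended permit tcp any host 41.206.22.86 eq 5060
access-list wrong extended permit tcp any host 10.10.10.15 eq 6666
access-group 101 in interface outside
"""


@dataclass
class Static:
    real_if: str
    mapped_if: str
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None        # None = one-to-one static; "tcp"/"udp" = port static
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: str
    src: Addr
    dst: Addr
    port: Optional[int]


@dataclass
class Policy:
    statics: List[Static] = field(default_factory=list)
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    access_groups: Dict[str, str] = field(default_factory=dict)   # interface -> ACL name


PORT_STATIC = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ONE_TO_ONE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.+)$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)")


def _addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    """Parse 'any', 'host X' or 'NET MASK' starting at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse(config: str, interface_ips: Dict[str, str]) -> Policy:
    pol = Policy()
    for line in config.splitlines():
        line = line.strip()
        if m := PORT_STATIC.match(line):          # must be tried before the one-to-one form
            rif, mif, proto, mip, mport, rip, rport = m.groups()
            mip = interface_ips[mif] if mip == "interface" else mip
            pol.statics.append(Static(rif, mif, mip, rip, proto, int(mport), int(rport)))
        elif m := ONE_TO_ONE.match(line):
            rif, mif, mip, rip = m.groups()
            pol.statics.append(Static(rif, mif, mip, rip))
        elif m := ACE.match(line):
            name, action, proto, rest = m.groups()
            tok = rest.split()
            src, i = _addr(tok, 0)
            dst, i = _addr(tok, i)
            port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
            pol.acls.setdefault(name, []).append(Ace(action, proto, src, dst, port))
        elif m := GROUP.match(line):
            pol.access_groups[m.group(2)] = m.group(1)
    return pol


def _match(spec: Addr, ip: str) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)
    return spec == ip


def inbound(pol: Policy, proto: str, dst_ip: str, dst_port: Optional[int] = None,
            src_ip: str = "198.51.100.7", iface: str = "outside",
            acl_name: Optional[str] = None) -> Tuple[str, Optional[Tuple[str, Optional[int]]]]:
    """Verdict for a packet arriving on `iface`; second element is (real_ip, real_port)."""
    # Step 1: the destination must hit a static whose mapped side faces this interface.
    real = None
    for s in pol.statics:
        if s.mapped_if != iface or s.mapped_ip != dst_ip:
            continue
        if s.proto is not None and (s.proto != proto or s.mapped_port != dst_port):
            continue
        real = (s.real_ip, s.real_port if s.proto else dst_port)
        break
    if real is None:
        return f"deny (no static translation for {dst_ip})", None
    # Step 2: the interface ACL, evaluated against the MAPPED destination (8.2 behaviour).
    name = acl_name or pol.access_groups.get(iface)
    if name is None:
        return f"deny (no ACL on {iface}; lower-to-higher security is denied by default)", real
    for ace in pol.acls.get(name, []):
        if ace.proto not in (proto, "ip"):
            continue
        if not (_match(ace.src, src_ip) and _match(ace.dst, dst_ip)):
            continue
        if ace.port is not None and ace.port != dst_port:
            continue
        return ace.action, real
    return f"deny (implicit deny at end of {name})", real


POLICY = parse(CONFIG_82, INTERFACE_IPS)

if __name__ == "__main__":
    print(inbound(POLICY, "tcp", "41.206.22.90", 6666))                  # permitted, to 10.10.10.15
    print(inbound(POLICY, "tcp", "41.206.22.86", 5060))                  # port static on interface
    print(inbound(POLICY, "tcp", "41.206.22.90", 6666, acl_name="wrong"))  # ACL names real IP: denied
```

The `wrong` ACL is the typical mistake on this release: it permits the real address 10.10.10.15, which an inbound packet never carries at the point the outside ACL is evaluated, so the flow is dropped even though the static exists. Write the ACL against the mapped address on 8.2, against the real address on 8.3 and later.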