04-03-2014 01:38 PM - edited 03-11-2019 09:01 PM
Hi everyone,
I have a problem configuring a Cisco ASA 5510 (8.4).
I have attached a picture of the network.
Could you help me with the configuration needed to have the host within the DMZ subnet talk to the PI server and vice versa.
At the moment I can only ping both subnets from the firewall.
End-to-end devices cannot go through.
Thank you very much.
04-03-2014 02:04 PM
If NAT is configured properly, the default traffic flow policies will work. You'll configure the outside interface as security level 0 (least trusted interface) and the inside interface is typically security level 100. A DMZ will typically be somewhere in between, like 50. By default, the ASA allows traffic from more-trusted interfaces out less-trusted interfaces, and the state tracking on the ASA will allow return traffic. In this case, even though the DMZ is not a "trusted" interface, it's more trusted than the outside interface, so traffic from the DMZ will be allowed out the outside interface. (Traffic from the DMZ would NOT be allowed out the inside interface unless specifically allowed by an access list.)
For the NAT configuration, you'll want an object group that represents the DMZ subnet or host, and then configure:
object network <object-group_name>
nat (<dmz_interface_name>,<outside_interface_name>) dynamic interface
That will allow the PI server to know where to send the response without having to have a route to the DMZ subnet.
That's the very basics. There's a lot more you need to know to configure other features (management access, SNMP traps, etc.), but that should get you started.
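To make the advice above concrete, here is an added configuration example (not from the original posts or from the thread's author) showing the security levels, the dynamic NAT for DMZ-initiated traffic, and the extra pieces needed for the "vice versa" direction the question asks about (PI server initiating to a DMZ host). Interface names, the 192.0.2.0/24 DMZ subnet, the DMZ host 192.0.2.10 and the spare outside address A.B.C.81 are all assumed placeholders; only the ASA address A.B.C.250 and the PI server A.B.C.80 come from the thread.

```cisco
! --- Interfaces and security levels (names/addresses assumed) ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address A.B.C.250 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
! --- DMZ -> outside: dynamic PAT to the outside interface address ---
! Replies to sessions the DMZ opens are allowed by state tracking; the PI
! server only ever sees A.B.C.250, so it needs no route to 192.0.2.0/24.
object network DMZ-SUBNET
 subnet 192.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! --- outside -> DMZ: static NAT plus an inbound ACL ---
! A.B.C.81 is an assumed unused address on the outside segment. Because
! the outside interface is less trusted than dmz, inbound sessions are
! dropped unless an access list permits them. On 8.3+ the ACL matches the
! REAL (untranslated) DMZ address, not the mapped A.B.C.81.
object network DMZ-HOST
 host 192.0.2.10
 nat (dmz,outside) static A.B.C.81
!
object network PI-SERVER
 host A.B.C.80
!
access-list OUTSIDE-IN extended permit tcp object PI-SERVER object DMZ-HOST eq 443
access-list OUTSIDE-IN extended permit icmp object PI-SERVER object DMZ-HOST echo
access-group OUTSIDE-IN in interface outside
```

Keep the inbound ACL as narrow as the application allows (source limited to the PI server, only the ports it actually uses); "packet-tracer input outside tcp A.B.C.80 1025 A.B.C.81 443" and "show nat detail" are the quickest ways to confirm which NAT rule and ACL entry a flow hits when end-to-end traffic still fails.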
04-04-2014 06:05 AM
Just for clarification, is the PI server directly connected (on the same subnet) as the outside interface? The reason I ask is that you have the PI server at A.B.C.80 while the ASA is on A.B.C.250. If so, then are the addresses E.F.G.1 and E.F.G.35 management IPs?
Also, which host is considered to be in the DMZ, the H.I.J.1 or K.L.M.37?
Please clarify these points so we can help you further. Also please post a full running config of the ASA (sanitised) so we can see what you have configured so far.
--
Please remember to rate and select a correct answer