The ASA 5510 DMZ configuration
I currently have an ASA 5510 on which I am configuring an HTTP/FTP host in a demilitarized zone. Currently the DMZ host is accessible from outside, but the hosts on the internal network cannot access it. I have a dedicated IP address for the DMZ host (1.1.1.228) and another IP for the PAT interface for internal clients (1.1.1.238). I know I'm missing a piece, either a nat() statement or a static(); please advise.
interface Ethernet0/0
 description Outside Interface
 nameif outside
 security-level 0
 ip address 1.1.1.238 255.255.255.240
!
interface Ethernet0/1
 description Inside Interface
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
interface Ethernet0/2
 description DMZ Interface
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
- Outside inbound ACL (partial) -
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq www
access-list outside_access_in extended permit tcp any host 1.1.1.228 eq https
- DMZ ACL -
access-list DMZ extended permit icmp any any
access-list DMZ extended permit tcp host 192.168.0.11 eq www any
access-list DMZ extended permit tcp host 192.168.0.11 eq https any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp-data any
access-list DMZ extended permit tcp host 192.168.0.11 eq ftp any
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 1.1.1.231 10.0.0.85 netmask 255.255.255.255
static (dmz,outside) 1.1.1.228 192.168.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ in interface dmz
Add:
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
The statement above will allow inside hosts to access the DMZ hosts using the DMZ devices' own IPs, and vice versa.
And, if necessary, use the ACL to restrict access from inside to the DMZ, or from the DMZ to inside.
See you soon!
AK
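To show why the inside-to-DMZ flow is dropped until AK's static is added, here is an added Python model of the pre-8.3 nat/global/static lookup; it is not ASA code and not from the thread. The nat 0 exemption and policy NAT are left out because their ACLs are not shown, and the class and function names are my own.

```python
"""Toy model of the pre-8.3 ASA translation lookup (nat/global/static).

It reproduces the classic symptom from the thread: once a host matches
nat (inside) 1, every egress interface needs a global (or a static) for
that host, otherwise the ASA drops the packet as 'no translation group
found'. Constructed for illustration; it simplifies the real engine.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


def _net(addr: str, mask: str) -> IPv4Network:
    """Build a network from ASA-style 'address mask' arguments."""
    return IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class Asa82Nat:
    nat_rules: list = field(default_factory=list)     # (ingress if, id, real net)
    global_rules: dict = field(default_factory=dict)  # (egress if, id) -> mapped addr
    statics: list = field(default_factory=list)       # (real if, mapped if, mapped net, real net)

    def nat(self, iface: str, nat_id: int, real: str, mask: str) -> None:
        self.nat_rules.append((iface, nat_id, _net(real, mask)))

    def global_(self, iface: str, nat_id: int, mapped: str) -> None:
        self.global_rules[(iface, nat_id)] = mapped

    def static(self, real_if: str, mapped_if: str, mapped: str, real: str, mask: str) -> None:
        self.statics.append((real_if, mapped_if, _net(mapped, mask), _net(real, mask)))

    def translate(self, src_if: str, dst_if: str, src_ip: str):
        """Return (mapped source, reason); mapped source is None when the ASA
        would drop the flow with 'no translation group found'."""
        ip = IPv4Address(src_ip)
        # 1. static entries for this interface pair win over dynamic rules.
        for real_if, mapped_if, mapped_net, real_net in self.statics:
            if (real_if, mapped_if) == (src_if, dst_if) and ip in real_net:
                offset = int(ip) - int(real_net.network_address)
                return str(mapped_net.network_address + offset), "static"
        # 2. a host matched by a nat statement on the ingress interface needs
        #    a global with the same id on the egress interface; with none the
        #    packet is dropped even though nat-control is off by default.
        for iface, nat_id, real_net in self.nat_rules:
            if iface == src_if and ip in real_net:
                mapped = self.global_rules.get((dst_if, nat_id))
                if mapped is None:
                    return None, f"no translation group found (nat id {nat_id}, egress {dst_if})"
                return mapped, f"PAT via global ({dst_if}) {nat_id}"
        # 3. no nat statement at all: nat-control disabled, pass untranslated.
        return src_ip, "untranslated"


def thread_config() -> Asa82Nat:
    """The poster's NAT lines from the thread (nat 0 omitted, ACL not shown)."""
    asa = Asa82Nat()
    asa.global_("outside", 1, "1.1.1.238")            # global (outside) 1 interface
    asa.nat("inside", 1, "0.0.0.0", "0.0.0.0")        # nat (inside) 1 0.0.0.0 0.0.0.0
    asa.static("inside", "outside", "1.1.1.231", "10.0.0.85", "255.255.255.255")
    asa.static("dmz", "outside", "1.1.1.228", "192.168.0.11", "255.255.255.255")
    return asa


def with_fix(asa: Asa82Nat) -> Asa82Nat:
    """AK's line: static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.0.0
    (an identity translation, so DMZ hosts see real inside addresses)."""
    asa.static("inside", "dmz", "10.0.0.0", "10.0.0.0", "255.255.0.0")
    return asa


if __name__ == "__main__":
    # A constructed inside client 10.0.0.50 talking to the DMZ web host.
    print("before:", thread_config().translate("inside", "dmz", "10.0.0.50"))
    print("after: ", with_fix(thread_config()).translate("inside", "dmz", "10.0.0.50"))
```

Because the static is bidirectional, the DMZ ACL is what keeps 192.168.0.11 from initiating connections into 10.0.0.0/16 once the fix is in; that is the point of AK's last sentence.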
Tags: Cisco Security
Similar Questions
-
Hi all, I'm about to replace an existing firewall with a new ASA 5510. The environment is pretty simple, just an external and an internal interface. I matched the configs as closely as possible, but I'd like to see if there are obvious problems. I am mainly concerned with my NAT statements. Does anything in the following (sanitized) config seem out of place? Thank you!!
------------------------------------------------------------
ASA Version 8.4(4)5
!
hostname ciscoasa
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 40.100.2.2 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.30.0.100 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa844-5-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
object network 10.10.0.78
 host 10.10.0.78
 description Nospam
object network 10.10.0.39
 host 10.10.0.39
 description exch
object network 55.100.20.109
 host 55.100.20.109
 description mail.oursite.com
object network 10.10.0.156
 host 10.10.0.156
 description
object network 55.100.20.101
 host 55.100.20.101
 description
object network 10.10.0.155
 host 10.10.0.155
 description ftp
object network 10.10.0.190
 host 10.10.0.190
 description www farm
object network 10.10.0.191
 host 10.10.0.191
 description svc farm
object network 10.10.0.28
 host 10.10.0.28
 description vpn
object network 10.10.0.57
 host 10.10.0.57
 description cust.oursite.com
object network 10.10.0.66
 host 10.10.0.66
 description spoint.oursite.com
object network 55.100.20.102
 host 55.100.20.102
 description cust.oursite.com
object network 55.100.20.103
 host 55.100.20.103
 description ftp
object network 55.100.20.104
 host 55.100.20.104
 description vpn
object network 55.100.20.105
 host 55.100.20.105
 description www app
object network 55.100.20.106
 host 55.100.20.106
 description svc app
object network 55.100.20.107
 host 55.100.20.107
 description spoint.oursite.com
object network 55.100.20.108
 host 55.100.20.108
 description exchange.oursite.com
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service Exchange_Inbound tcp
 port-object eq 587
 port-object eq 993
 port-object eq www
 port-object eq https
 port-object eq imap4
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
 network-object object 10.10.0.190
 network-object object 10.10.0.191
object-group network DM_INLINE_NETWORK_2
 network-object object 10.10.0.156
 network-object object 10.10.0.57
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service Sharepoint tcp
 port-object eq 9255
 port-object eq www
 port-object eq https
access-list outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list outside_access_in extended permit tcp any object 10.10.0.78 eq smtp
access-list outside_access_in extended permit tcp any object 10.10.0.39 object-group Exchange_Inbound
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object 10.10.0.155 eq ftp
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any object 10.10.0.28
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object 10.10.0.66 object-group Sharepoint
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any destination static 55.100.20.109 10.10.0.78
nat (outside,inside) source static any any destination static 55.100.20.108 10.10.0.39 unidirectional
nat (inside,outside) source static 10.10.0.39 55.100.20.109 unidirectional
nat (outside,inside) source static any any destination static 55.100.20.101 10.10.0.156
nat (outside,inside) source static any any destination static 55.100.20.102 10.10.0.57
nat (outside,inside) source static any any destination static 55.100.20.103 10.10.0.155
nat (outside,inside) source static any any destination static 55.100.20.104 10.10.0.28
nat (outside,inside) source static any any destination static 55.100.20.105 10.10.0.190
nat (outside,inside) source static any any destination static 55.100.20.106 10.10.0.191
nat (outside,inside) source static any any destination static 55.100.20.107 10.10.0.66
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 40.100.2.1 1
route inside 10.10.0.0 255.255.255.0 10.30.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxxxxxxxxx source outside
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:40cee3a773d380834b10195ffc63a02f
: end
Hello
You do nat (outside,inside); I would do (inside,outside), but the configuration is still fine.
The ACL configuration is fine, NAT is fine, so you shouldn't have problems.
Kind regards
Julio
-
Hi. I have a small question. I just got an ASA 5510 with 7.0, and on the accompanying CD there is what is called an ASA 7.2 update, but it's only 5 MB, while the one on the ASA is also only 5 MB.
As I've never worked with a firewall: is this a valid version of the IOS, and if so, how can I upgrade the ASA with it? Thanks in advance for any help.
Igor
It is likely that it is a valid version of the image for the ASA. I have an image for 7.1.2 that is slightly more than 6 MB and an image for 7.2.2 that is a little more than 8 MB. To upgrade the image, you put the image from the CD on a TFTP server and TFTP the image to the ASA. You may need to configure a boot statement on the ASA to point to the new image. Save the config and reload. It should come up running the new image.
HTH
Rick
-
VPN on ASA-5510 with "Configure a dynamic crypto map"
Hi all
My name is Ping. I have an ASA-5510 for a site-to-site VPN configuration, but I am not clear on a few configuration points on the ASA-5510 series. When I set this up on other Cisco routers I can use:
ASA2(config)# crypto map outside-map 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
........
but when I configure the ASA 5510 it is as below:
mtelcoASA2(config)# crypto ?
configure mode commands/options:
  ca           Certification Authority
  dynamic-map  Configure a dynamic crypto map
  ipsec        Configure transform-set, IPSec SA lifetime and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map
ASA2(config)# crypto map outside-map 10 ipsec-isakmp ?
configure mode commands/options:
  dynamic  Entry is a dynamic map
What is "Configure a dynamic crypto map" used for, and why can't I use only "crypto map outside-map 10 ipsec-isakmp"? If I can't, can I skip this command, or tell me the other way, with a nice explanation.
Thank you very much
hot topic,
Ping,
Just use crypto map outside-map 10 match/set without the ipsec-isakmp keyword and it will be fine.
-
How can I keep a public IP address on a specific profile on the ASA 5510
Hi guys
How can I keep the public IP address on my Cisco VPN client NAT session so that no one else can use it? I have a Cisco ASA 5510.
The inside address is 172.10.20.86
public 166.245.192.90
Do I need to call my ISP?
Thank you
Sorry to say, but your question is not very clear. Can you please post what you are trying to achieve?
Thank you
Ajay
-
Hello
Is it possible to perform all the system configuration and management functions through the CLI at the terminal?
I'm thinking specifically of aspects such as managing the firewall rule configuration, the DHCP service, VPN configuration, log review, etc.
I have already done some basic interface configuration through the CLI, but I want to know how deep I can go.
Thanks in advance.
Paul
The main thing that I know has to be done through ASDM is managing SSL VPN client bookmarks and other pages. All the other stuff you mentioned can be done through the CLI. I like to use a hybrid of CLI and ASDM when I manage firewalls. I prefer to see the logs in ASDM; the real-time log buffer is an excellent tool.
-
Cisco's ASA 5510 VPN configuration suggestion
Hello
We have a Cisco ASA 5510 and our client has a Juniper device. We already have a VPN tunnel between the two locations and it's working fine.
Now they have networks that are in a more secure area; if we add these subnets to the current tunnel we are not able to access them.
So what they suggest is that we can either reconfigure the VPN to be a route-based VPN instead of policy-based, OR configure a second VPN tunnel.
I'm not sure whether the Cisco ASA supports route-based tunnels? ... Can we create a 2nd tunnel between the same devices (ASA 5510 and their Juniper device), with the peer IPs remaining identical and only the remote internal networks changing on my side? Is this possible?
Do I have to make changes to the current tunnel?
Thank you
Smail
Hello
The Cisco ASA does not support route-based tunnels.
You must add the new networks to the crypto ACL. They add new VPN policies.
-
Cisco ASA 5510 - restrictions of VPN (AnyConnect) based on the AD user or IP address
Hello
I want to test how to restrict user access on an ASA 5510 with AnyConnect. In the policy, I can define which networks go through the VPN tunnel and which do not (split tunneling). The ASA has an LDAP connection, and only AD users in a special security group can connect over AnyConnect.
On the other hand, I would like to restrict access for specific users within a VPN policy. So my question:
What are your recommendations to implement this scenario? My two ideas would be:
1. Access rules based on the AD user.
2. Reserve special IP addresses in the AnyConnect address pool for some users, so I can limit access with the normal firewall rule base based on the source IP address. What are your recommendations, and is it possible to realize my ideas (and how)?
Thanks in advance
Best regards
Hello
I would suggest that you configure a second AD group on the server and another group policy on the ASA. You can configure specific access on each group policy (set up filters, assign different split-tunnel policies, different ACLs), and on the AD server you can assign users, for example, to AD Group A and AD Group B based on the access you want to give them. Then you must configure LDAP mapping to assign the user the specific group policy that you want, based on the AD group they belong to.
You can follow this documentation that will help you configure the LDAP Mapping:
http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...
Best regards, please rate.
-
ASA 5510 - possible to bridge 2 interfaces in routed mode?
Cisco ASA 5510 with Security Plus license, version 9.1(5), running in routed mode.
I want to bridge two interfaces, for example eth0/2 and eth0/3, and configure one IP address / network while leaving the ASA 5510 in routed mode. I know that this is possible in transparent mode, but I need to keep this in routed mode. I know I could configure a single interface and connect a switch, but my client does not want to do that.
Otherwise, my only thought would be to configure each interface, eth0/2 and eth0/3, as a separate subnet and route traffic between the two.
Any help would be appreciated!
Thank you
Andrew
Andrew
It would help us answer you better if we understood more about what you and your client want to accomplish. But to answer the specific question you asked, I don't think it is possible on an ASA 5510 in routed mode to configure Eth2 and Eth3 to share a single IP address.
Are the devices connecting to Eth2 and to Eth3 really on the same subnet?
HTH
Rick
-
OK, my forehead is sore from all the keyboard strokes; I know it must be something simple, but I am brand new to the ASA. I had a site-to-site VPN configured via 1751 routers that worked very well, but we're looking to add some more remote field offices, and I felt it would be easier to maintain several sites on the ASA 5510. I have the VPN configured on the ASA and it says the tunnel is up. I can telnet to the ASA and ping the remote gateway on the far side of the VPN, and it pings fine. If I try to ping from a local computer, I get a "Request timed out". If I make no changes apart from going to the computer room and swapping the network cable to the 1751, then through the 1751 I can now ping the remote gateway from my computer. The remote router obviously works fine; the route statement on my router pushes VPN traffic through the ASA (same IP address that was used by the 1751), which obviously works. So it seems just like the ASA is not pushing the VPN traffic out ethernet0/0, or at least it is not being encrypted. I also noticed that the ACL hit count for NAT seems to increase, so it seems there is really just one small thing missing to make the ASA accept and encrypt incoming traffic on ethernet0/0:
My network is not configured with a DMZ; it is something like this, with the ASA ethernet0/0 and my local network on the same subnet:
Router (Cisco 2811)
|
Layer switch 2 (ProCurve)
| |
ASA5510 LAN computers
I'm trying to accept both sides of the VPN traffic, in and out, on Ethernet0/0. I saw there was a setting for this, "permit communication between VPN peers connected to the same interface", and I've activated this option.
In short, I need to understand why the VPN tunnel shows as up and I can ping the remote gateway from the ASA, but devices on my network cannot ping the remote gateway through the Ethernet0/0 interface on the ASA.
From the console of the ASA, I get this:
ASA5510# ping 192.52.128.1
Sending 5, 100-byte ICMP Echos to 192.52.128.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 100/108/120 ms
ASA5510# show crypto ipsec sa
interface: *
    Crypto map tag: *_map, local addr: 10.52.120.23

      local ident (addr/mask/prot/port): (10.52.120.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.52.128.0/255.255.255.0/0/0)
      current_peer: x.x.x.204
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.52.120.23, remote crypto endpt.: x.x.x.204

      path mtu 1500, ipsec overhead 60, media mtu 1500
      current outbound spi: C49EF75F

    inbound esp sas:
      spi: 0x21FDBB9D (570276765)
         transform: esp-3des esp-md5-hmac
         in use settings = {L2L, Tunnel}
         slot: 0, conn_id: 1, crypto-map: *_map
         sa timing: remaining key lifetime (kB/sec): (3824999/3529)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC49EF75F (3298752351)
         transform: esp-3des esp-md5-hmac
         in use settings = {L2L, Tunnel}
         slot: 0, conn_id: 1, crypto-map: *_map
         sa timing: remaining key lifetime (kB/sec): (3824999/3527)
         IV size: 8 bytes
         replay detection support: Y
From my office on the 10.52.120.0 network, the same network as the Ethernet0/0 interface on the ASA, I get this:
C:\Users\***>ping 192.52.128.1

Pinging 192.52.128.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.52.128.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\***>ping 10.52.120.23

Pinging 10.52.120.23 with 32 bytes of data:
Reply from 10.52.120.23: bytes=32 time=5ms TTL=255
Reply from 10.52.120.23: bytes=32 time=3ms TTL=255
Reply from 10.52.120.23: bytes=32 time=1ms TTL=255
Reply from 10.52.120.23: bytes=32 time=1ms TTL=255

Ping statistics for 10.52.120.23:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 5ms, Average = 2ms
The hit count on the VPN tunnel ACL does not increase when I try to ping the remote gateway address.
Here is the running configuration of the ASA:
ASA Version 7.0(2)
names
!
interface Ethernet0/0
 nameif InsideNetwork
 security-level 100
 ip address 10.52.120.23 255.255.255.0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXXX encrypted
hostname ciscoasa
domain-name default.domain.invalid
ftp mode passive
same-security-traffic permit intra-interface
access-list InsideNetwork_nat0_outbound extended permit ip 10.52.120.0 255.255.255.0 192.52.128.0 255.255.255.0
access-list InsideNetwork_cryptomap_20 extended permit ip 10.52.120.0 255.255.255.0 192.52.128.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu InsideNetwork 1500
monitor-interface management
monitor-interface InsideNetwork
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
nat (InsideNetwork) 0 access-list InsideNetwork_nat0_outbound
route InsideNetwork 0.0.0.0 0.0.0.0 10.52.120.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.52.120.0 255.255.255.0 InsideNetwork
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map InsideNetwork_map 20 match address InsideNetwork_cryptomap_20
crypto map InsideNetwork_map 20 set peer x.x.x.204
crypto map InsideNetwork_map 20 set transform-set ESP-3DES-MD5
crypto map InsideNetwork_map interface InsideNetwork
isakmp enable InsideNetwork
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 10.52.120.0 255.255.255.0 InsideNetwork
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
tunnel-group x.x.x.204 type ipsec-l2l
tunnel-group x.x.x.204 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:7e478b60b3e406091de466675c52eaaa
: end
I haven't added anything to the config except what seemed necessary to get the VPN tunnel to work. It should be fairly clean.
Thanks in advance for any help... I really hope it is something really simple that an ASA rookie just forgot.
Strange, but good news. Thanks for the update. I'm glad everything is working.
THX
MS
-
Cisco ASA 5510 config with SSM
I was tasked with replacing our old SonicWall TZ170 firewall with an ASA 5510 and configuring it (which I have never done, only routers and switches), and I have a few questions. I'm in ASDM and I am trying to configure my external interface... The 5510 came with an SSM card, and I assumed it would be my external interface, but I guess I'm wrong because it is not an option when running through the wizard. I know what the SSM card is for; I do not understand why it is not an external interface. Where does this connect (just to my LAN?)?
Currently, I have set the management interface to our IP and subnet and connected through that. I see the management interface and eth0 - eth3.
It's as simple as it can get; I just need the external interface on our public IP address, and to configure access rules to match my SonicWall.
Also on the version, it's running ASA 8.2.1. Should I upgrade to 8.3.1? What is the ED after the version (not familiar with it)?
Thank you!
The rules on the ASA are default rules, that is to say whatever is initiated from the inside is allowed, but nothing launched from the outside is allowed in. Sorry, but I'm not familiar with SonicWall at all to give you advice on the rules you will need to set up. But if all you have is an outside interface and an inside one, then you will need a NAT/PAT to ensure that internal addresses can go out, and an access list to restrict those internal networks if necessary. If you have incoming traffic, for example to mail or web servers, etc., then you will again need a NAT and an access list to allow the traffic.
The attached document (you can ignore the router configs) should hopefully give you a better idea of how inbound traffic works and how to apply access lists to the interface.
Let me know if it helps.
-
Automatic update AIP-SSM-10 and ASA 5510 (Beginner)
I see that it is possible to automate the updates of the ASA 5510 and AIP-SSM via FTP from my own server. Is it possible to automate the download directly from Cisco.com?
Thank you!
Jeremy
Jeremy, the answer to your question is correct, as far as the Cisco products are concerned. So I wrote a Perl app that does exactly that, and I published an article about it in the June 2007 issue of Sys Admin magazine. Here's the article online: http://www.samag.com/documents/s=10128/sam0706a/0706a.htm
And it is also on my site, with a tar of scripts to:
http://www.LHB-consulting.com/pages/apps/index.html
Good luck.
-Lisa
-
ASA 5510 Firewall ACLs HITCOUNT
I have a simple question, but I'm having a hard time getting an answer. When you run the show access-list command on the ASA 5510 there is a hit count... I know that, but I want to know: is there a default timer which clears the hit count? Or does the hit count remain until I clear the counter? I'm trying to clean up ACLs, and for future troubleshooting I would like to know that. I don't want to remove an ACL entry with hitcount 0 and then find it is necessary.
The counters are there until one of two things happens: you clear them manually or you restart the device. There are no timers to clear the counters. Usually, we clear the counters and let it run for a month or so to clean it up.
Hope that helps.
-
ASA 5510 ver. 8.2(5): management access through VPN without a client?
Hi all
I am completely new to Cisco networking and virtual private networks; I'm working on an ASA 5510 with 8.2(5)46. Currently, the unit is set up very minimally. Management access is reachable from my home network at 192.168.2.1. I'm trying to enable management access remotely by VPN. I created a clientless SSL VPN which, during the wizard process, said management access was reachable by adding /admin to the VPN https URL. Adding /admin to the VPN URL does not give me the VPN connection, and using the /admin URL from the portal returns a message "not available". Also, from the portal I can't access the ASDM using the inside network management IP; it also returns the "unavailable" message. Again, I'm new to this, so any help would be greatly appreciated. Here is my config, and thank you!
: Saved
:
ASA Version 8.2(5)46
!
hostname ALP5510
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 99.66.203.148 255.255.255.248
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa825-46-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn 192.168.2.10
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.203.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server session-timeout 20
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.2.3-192.168.2.10 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.3-192.168.1.10 management
dhcpd dns 68.94.156.1 68.94.157.1 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 enable inside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  svc ask enable
group-policy eng internal
group-policy eng attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list value EngineerBookmarks
username user1 password mbO2jYs13AXlIAGa encrypted privilege 15
username user1 attributes
 vpn-group-policy eng
 webvpn
  url-list value EngineerBookmarks
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool vpn
tunnel-group Engineering type remote-access
tunnel-group Engineering general-attributes
 default-group-policy eng
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:05f3afe3383542c8f62b1873421a7484
: end
asdm image disk0:/asdm-714.bin
asdm location 99.66.203.150 255.255.255.255 inside
no asdm history enable
I'm from TAC; if you give me a case number I can help you. I think this will drag on if we continue on the support forum.
-
ASA 5510 configuration: how to set up 2 outside interfaces
Hello
I have a Cisco ASA 5510 and a workstation, and I want to create a new route to another (external) router to my ISP.
From the workstation I can ping the ASA E0/2 interface, but I cannot ping ISP router B's inside and outside interfaces.
I based my setup on the existing configuration, which so far is working:
interface Ethernet0/0
 description Outside interface
 nameif outside
 security-level 0
 ip address 122.55.71.138 255.255.255.2
!
interface Ethernet0/1
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.34.63.252 255.255.240.0
!
interface Ethernet0/2
 description Outside interface
 nameif outside
 security-level 0
 ip address 121.97.64.178 255.255.255.240
!
global (outside) 1 interface
global (outside) 2 interface   (I created this for E0/2)
nat (inside) 0 access-list sheep
nat (inside) 1 10.34.48.11 255.255.255.255   (works: ISP router inside and outside interface via E0/0)
nat (inside) 2 10.34.48.32 255.255.255.255   (works: E0/2 reaches the ISP router's inside interface only, but can't ping the outside one)
route outside 0.0.0.0 0.0.0.0 122.55.71.139 1   (works)
route outside 10.34.48.32 255.255.255.255 121.97.64.179 1   (the new test route)
ISP router A (works: I can ping it and access the internet)
interface FastEthernet0/0
 description Connection to ASA5510
 ip address 122.55.71.139 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 111.54.29.122 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
!
ip nat inside source static 122.55.71.139 111.54.29.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ISP router B
interface FastEthernet0/0   (the ASA can ping this interface)
 description Connection to ASA5510
 ip address 121.97.64.179 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip nat inside
 duplex auto
 speed auto
!
interface E0/0   (the ASA cannot ping this interface)
 ip address 121.97.69.122 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
!
ip nat inside source static 121.97.64.179 121.97.69.122
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 E0/0
CABLES
ASA to ISP router B (straight cable)
ISP router to the UDI (straight cable)
I hope you can give me some advice and the solution for this kind of problem, please.
Hello
Are you able to ping the router's interface IP from the ASA itself? If so, try a packet-tracer on the ASA for traffic to the router's IP address.
Thank you and best regards,
Maryse Amrodia