
How to Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial

Written By Harris Andrea

This Cisco ASA Tutorial gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance but the configuration applies also to the other ASA models as well (see also this Cisco ASA 5505 Basic Configuration).

The 5510 ASA device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since it is intended for small to medium enterprises.

Like the smallest ASA 5505 model, the 5510 comes with two license options: The Base license and the Security Plus license.

The second one (security plus) provides some performance and hardware enhancements over the base license, such as 130,000 Maximum firewall connections (instead of 50,000), 100 Maximum VLANs (instead of 50), Failover Redundancy, etc.

Also, the security plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.

Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510.

Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24.

Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. Refer to the diagram below for our example scenario.


The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:

Step 1: Configure a privileged level password (enable password)

By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ASA5510(config)# enable password mysecretpassword

Step 2: Configure the public outside interface

ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

Step 3: Configure the trusted internal interface

ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface

ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

UPDATE for ASA Version 8.3 and later (including ASA 9.x)

In March 2010, Cisco released ASA software version 8.3. This version introduced several important configuration changes, especially in the NAT/PAT mechanism.


The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

ASA5510(config)# object network obj_any
ASA5510(config-network-object)# subnet 0.0.0.0 0.0.0.0
ASA5510(config-network-object)# nat (inside,outside) dynamic interface

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)

ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP

ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside
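As an added example (it is not part of the original article), here are the six steps above collected into one configuration listing in the ASA 8.3+/9.x syntax, the way they appear in a running configuration, followed by the show commands used to verify the result. All addresses are the ones from the scenario above; the DNS server 200.200.200.10 is the article's placeholder value.

```cisco
! Added example: the tutorial's six steps as one ASA 8.3+/9.x configuration.
! Not the article's own listing; addresses follow the scenario in the article.
hostname ASA5510
enable password mysecretpassword
!
! Step 2: untrusted side, lowest security level
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.252
 no shutdown
!
! Step 3: trusted LAN, highest security level
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Step 4 in post-8.3 syntax: PAT every inside host onto the outside interface address
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! Step 5: default route to the ISP gateway (100.100.100.2 as assumed in the article)
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
!
! Step 6: DHCP for the LAN, handing out the article's example DNS server
dhcpd dns 200.200.200.10
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
!
! Save to startup-config; a reload otherwise discards everything above
write memory
!
! Verification from privileged EXEC mode:
! ASA5510# show interface ip brief    - both interfaces up with their addresses
! ASA5510# show route                 - the default route via 100.100.100.2
! ASA5510# show nat                   - the dynamic PAT rule and its hit counters
! ASA5510# show xlate                 - live translations once a host browses out
! ASA5510# show dhcpd binding         - leases handed out on the inside interface
```

Note what this configuration does not contain: no access list is applied to any interface. The ASA's default policy permits connections from a higher security level (inside, 100) to a lower one (outside, 0) and denies the reverse, so inside hosts can reach the Internet, while nothing from the Internet can open a connection to the LAN until a static NAT and an inbound access list are explicitly added.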

The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc.

I just tried to offer you a starting point for a basic configuration from where you can build your knowledge further. For a more complete practical guide about Cisco ASA Firewall configuration I suggest you to read the “Cisco ASA Firewall Fundamentals – 3rd Edition” ebook at the link HERE.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Shaskjithah says

    June 6, 2009 at 3:28 am

    Hi, Congratulations to the site owner for this marvelous work you’ve done. It has lots of useful and interesting data.

  2. mnaim says

    June 9, 2009 at 11:49 am

    Thanks for sharing your knowledge. I just downloaded your ebook, legally of course :), and I can’t wait to try out all the scenarios contained in the book. One question that I have so far is how I can use my current Linksys router with my firewall. What I would like to do is just plug my firewall behind my current router instead of directly connect it to the internet (ISP) as show in your diagrams. I guess all I would have to do is configure default gateway (my router) on the firewall. Any comment regarding this set up would be appreciated.

    Thanks again for a great guide.

  3. BlogAdmin says

    June 9, 2009 at 12:32 pm

Well, why don’t you connect your ASA directly to the ISP? Anyway, if for any reason you need to have the Linksys connected to the ISP, then configure a static IP address on the outside interface of the ASA and assign as default gateway the internal IP of the Linksys router. Assume that your Linksys has internal LAN IP 192.168.1.1. Assign an IP address for the outside of the ASA of 192.168.1.10 and then configure a default route (gateway) for the ASA as follows:
    asa(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1

    Also, if the Linksys does the NAT translation, then you can avoid using NAT on the ASA firewall.

    I hope I clarified your question.

    Regards

    Harris

  4. mnaim says

    June 10, 2009 at 10:06 am

    thanks for your response. Just to answer your question, about why I am not using my ASA as an edge device, I currently have a couple of people using the linksys for wireless connection and I have a voip phone hooked up to it as well…so I felt hesitant about having to deal with that right off the bat.

  5. BlogAdmin says

    June 10, 2009 at 10:48 am

    OK, that makes sense then.

  6. monaim says

    July 13, 2009 at 4:38 am

I have my ASA connected directly to my ISP’s cable box. The ASA keeps dropping the IP on the outside interface. I had to call the ISP several times to refresh my IP and it would work until I reboot the cable box or the ASA, and then the IP on the outside interface of the ASA is gone. “show ip” shows “unassigned” for the outside interface. I googled around to see if anybody else has experienced this but nothing so far. Anybody has any idea why this might happen? Thanks.

  7. BlogAdmin says

    July 13, 2009 at 7:00 am

One suggestion would be to fix the speed and duplex settings on your ASA outside interface. Maybe it’s a hardware speed negotiation problem between the ASA and the cable box. If the cable box is 100Mbps full duplex, then make the ASA interface the same:

    hostname(config)# interface Ethernet0/1
    hostname(config-if)# speed 100
    hostname(config-if)# duplex full

  8. Daniel Craig says

    July 31, 2009 at 7:59 pm

Hello, I was looking around for a while searching for operational security training and I happened upon this site and your post regarding Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial | CiscoTips. I will definitely add this to my operational security training bookmarks!

  9. Arif says

    September 25, 2009 at 4:47 am

    Hi, I bought your books to setup my ASA-5505 for VPN access. The scenario that best fits my setup is static outside interface with 2 servers in the dmz. You state that this requires a Security Plus license. In my case, I don’t need any servers in the dmz, just the inside lan with vpn users connecting to access services on the inside lan. Would I still need a Security Plus license? Would I have to do anything different from your example or just leave out the dmz settings?

    Thanks in advance,
    Arif

  10. BlogAdmin says

    September 25, 2009 at 6:31 am

    Hello Arif,
    The scenario you mention above requires Security Plus license because there is communication between the DMZ and Internal network. For such a communication to work, you need to have a Security Plus license for the ASA5505 firewall. Now, in your case you don’t need a security plus license. Just leave out the DMZ settings in the example and configure VPN on the ASA for your users. Please let me know if you need more clarifications.

    Harris

  11. Arif says

    September 25, 2009 at 2:32 pm

    Harris,
    Thank you! It worked once I configured it the way you had it in the book. Now I will see how to port forward ssh port to a box on the inside vlan.

    -arif

  12. BlogAdmin says

    September 25, 2009 at 3:17 pm

    Arif,

    I’m glad it worked. For the port redirection I have a specific section in the ebook which describes exactly what you need to do. Please let me know if you find any problems.

  13. mohamedushama says

    September 30, 2009 at 7:00 am

    Dear Friends,
I want to reload my ASA 5510 firewall. It was configured by ASDM, so how do I reload the firewall? Kindly send me the procedure; it would really help me. I have one doubt: we have the firewall directly connected to my Thomson ADSL router (modem) and then we have one public IP which I want to configure. I think it should be configured on the firewall e0 port. If we configure it like this, for example my IP address is 218.248.25.X and my Thomson gateway is 192.168.1.254 by default, so my question is basically: if we configure any router and firewall we should configure a default route to communicate with the outside network, so how do I configure the default route?

  14. mohamedushama says

    September 30, 2009 at 7:37 am

    Dear Friends,
I want to reload my ASA 5510 firewall. It was configured by ASDM, so how do I reload the firewall? Kindly send me the procedure; it would really help me. I have one more doubt: we connected the firewall directly to my Thomson ADSL router (modem) and then we have one public IP. What is my question here? Where do I configure this IP address? I think it should be configured on the firewall e0 port. If we configure it like this, for example my IP address is 218.248.25.X and by default my Thomson gateway is 192.168.1.254, so what is my question here? Basically, if we configure any router and firewall we should configure a default route to communicate with the outside network, so how do I configure the default route in this scenario?

  15. BlogAdmin says

    October 1, 2009 at 9:22 am

    There should be a link under the administration section for reloading. Regarding the scenario with the Thomson ADSL router, if I understand it correctly, the default route for the ASA will be 192.168.1.254. You should assign an IP address to the outside interface (eth0 port) of the ASA in the range 192.168.1.1 – 192.168.1.253.

  16. Lysandro Inacio says

    July 6, 2010 at 4:02 pm

    Thanks for the update!!!!!

  17. andrew says

    August 18, 2010 at 5:00 am

    Thanks for this. As for the Step 6, I have an internal DNS to resolve internal addresses and DHCP assigning addresses internally. Do I still need to have ASA 5510 run DHCP? I also currently have ISA server 2006 on which I had a stub copy of DNS and forwards queries to external DNSs. I would like to continue using ISA server with ASA 5510, the latter will be at the perimeter. How can I accommodate both? Also, I have several global IPs and I do not know how to define sub-interfaces to assign several global IPs to a single physical interface. Please help!

  18. Blog Admin says

    August 18, 2010 at 10:28 am

    Andrew,

    If you have a dedicated DHCP server in your network, then you must not activate DHCP service on the ASA appliance. If you have an ISA server, you can connect the ISA server in the internal network (or preferably on a DMZ) and force all internal users to use the ISA as proxy for their HTTP traffic. You can configure an access-list which allows only the ISA server to access the internet for ports 80/443.

    Regarding the global IPs, you don’t need to configure sub-interfaces to assign them. With sub-interfaces you just create separate network security zones. If the global IPs are routed towards your outside interface, you can create static NAT commands and redirect those IP addresses to internal hosts for example.

  19. andrew says

    September 1, 2010 at 1:12 pm

    Blog Admin,

    Thanks. Regarding the access lists, well i have exchange server on the internal network as well and I am also planning to add an MS SQL 2008 internally. On the DMZ, I was thinking of putting up a web/ftp server. How do I treat this in access list as well? Excuse my ignorance, i am novice to Cisco.

    Thanks

  20. Blog Admin says

    September 2, 2010 at 6:01 am

To allow communication between any two ASA interfaces (security zones) you need two things: 1) proper NAT, 2) proper access lists.

    So, yes if you have the proper nat in place between DMZ and inside (provided that nat-control is enabled) then you just need to apply the correct access list on the DMZ interface to allow web server to communicate with the internal SQL server.

  21. andrew says

    September 3, 2010 at 5:10 am

    Dear BlogAdmin,

    You say i do not need to have sub-interfaces to assign global IPs. I will have, say, global IP x.x.x.91 255.255.255.248 assigned to outside and on interface 0/0. Can I use the same interface to route traffic destined to other global IPs, say x.x.x.90 255.255.255.248 for web that I will place in DMZ etc without having to define them anywhere?

    Thanks

  22. Blog Admin says

    September 3, 2010 at 6:58 am

    Andrew,
YES, absolutely you can do this. As long as these public IP addresses are routable on the outside interface (e.g. you have a subnet x.x.x.88 255.255.255.248 assigned to you on the outside from your ISP) you can use any IP address within that subnet and do static NAT to redirect traffic from outside to an internal DMZ server via the ASA.

  23. Facundo says

    October 7, 2010 at 3:07 pm

    I change the subnet mask to a computer ASA 5510.

    When you make a change before I lose all the policies configured.

    This is correct or am I doing something wrong.

    Would have some “how to” about it?

    Sorry my bad English, I am using a translator.

    Greetings!

  24. Blog Admin says

    October 7, 2010 at 3:23 pm

    I did not understand fully what you mean. Before doing any changes, you must save the running configuration by using “wr mem”. Then you can make changes on the running configuration which are applied immediately. If the changes are successful, you save them again with the same command as above.

  25. Justinian says

    December 21, 2010 at 3:09 am

    I am trying to configure dmz so I can place our web server in the dmz network and have our users access out on my asa 5510, here is the current scenario;
    Ethernet0/0 (Outside)x.x.x.185
    Ethernet0/1 (Inside) 192.168.75.0/24
    Ethernet0/2 (DMZ) 192.168.10.0/24
I can get it to work with a private IP but I would like to use one of our public IP addresses to access the server. I also need to access an SQL server on the inside interface. How will I go about placing a web server in the DMZ and making it accessible via a public IP? Any help will be greatly appreciated.

  26. Blog Admin says

    December 21, 2010 at 3:20 pm

    Justinian,

    You will have to configure static NAT for the DMZ web server to permanently map its private IP address to a public IP. Then you will have to allow HTTP from outside using an access control list applied on the outside interface.
The configuration depends on the ASA version you have. If it’s version 8.3 and up the config is different. Let me know the version to help you.

  27. Justinian says

    December 21, 2010 at 7:01 pm

    Thank you for the prompt reply, the ASA 5510 is running version 8.2, I have following config for http;
    access-list inbound extended permit tcp any interface outside eq www
    static (inside,outside) tcp interface www 192.168.75.x www netmask 255.255.255.255
    (Assuming that I understand this correctly) If the dmz interface is on 192.168.10.x/24 interface, the static NAT will look something like this;
    Static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
    I am also using an sql server that is on the Inside interface and the web server needs to connect to it via port 1433 for which I used;
    mtu dmz 1500
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 0 access-list ACL_dmz outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ACL_dmz_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
I am by far not an expert when it comes to Cisco. I greatly appreciate your help.

  28. Justinian says

    December 21, 2010 at 7:03 pm

    ***Correction*** (please ignore my earlier post I noticed an error in the information I provided)
    Thank you for the prompt reply, the ASA 5510 is running version 8.2. The server has not been placed in dmz yet, so I have following config for http;
    access-list inbound extended permit tcp any interface outside eq www
    static (inside,outside) tcp interface www 192.168.75.x www netmask 255.255.255.255
    (Assuming that I understand this correctly) If the dmz interface is on 192.168.10.x/24 subnet, the static NAT will look something like this;
    Static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
    I am also using an sql server that is on the Inside interface and the web server needs to connect to it via port 1433 for which I used;
    mtu dmz 1500
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 0 access-list ACL_dmz outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ACL_dmz_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
I am by far not an expert when it comes to Cisco. I greatly appreciate your help.

  29. Blog Admin says

    December 22, 2010 at 12:04 pm

    If the dmz interface is on 192.168.10.x, the static NAT will be exactly as you mention above:

    static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
    you also need to apply the inbound ACL to the outside interface:

    access-group inbound in interface outside

  30. Justinian says

    December 22, 2010 at 3:48 pm

    What about tying a public ip to the private address (lets say 192.168.10.6) of the server in dmz?

  31. Blog Admin says

    December 22, 2010 at 5:33 pm

    Then you replace the “interface” command with the actual public address:

    static (dmz,outside) tcp 100.100.100.1 www 192.168.10.6 www netmask 255.255.255.255

  32. Justinian says

    January 12, 2011 at 7:44 pm

    Thanks again for the responding, one last question;
    I have a block of 5 static ips 100.100.100.5 to 100.100.100.9 if the interface “outside” is configured to use 100.100.100.5 255.255.255.248 will it accept the following:
    static (dmz,outside) tcp 100.100.100.6 www 192.168.10.6 www netmask 255.255.255.255
    to tie 100.100.100.6 to the internal ip of the web server and accept connections?

  33. Blog Admin says

    January 12, 2011 at 7:50 pm

    Justinian,

    Yes, what you say above is correct. You will need also to configure an access list which should be allowing traffic from outside to 100.100.100.6 on port 80. This access list must be applied on the outside interface.

  34. Mohammed S says

    February 1, 2011 at 7:29 pm

Thanks for the e-book, I downloaded it legally of course. I have a question. I ran out of public IPs. The only available IP that I can use is the IP assigned to the external interface. When I attempt to use it then I cannot SSH to my ASA 5510 version 7.0 firewall, internally or externally. I PAT the outside interface to port http/https. Below are my NAT statements and access-list:

    access-list acl_outside extended permit tcp any host X.X.X.213 eq www
    access-list acl_outside extended permit tcp any host X.X.X.213 eq https
    static (inside,outside) X.X.X.213 10.10.6.44 netmask 255.255.255.255

    I added “access-list acl_outside extended permit tcp any host X.X.X.213 eq ssh” and that still did not allow me ssh access,

    If I add “access-list acl_outside extended permit tcp any any” Then everything works, which means my firewall is wide open. I know I do not want to do so…

Is what I’m trying to achieve doable? Or are there some limitations?

    Thanks,

  35. Mohammed S says

    February 2, 2011 at 12:43 am

Okay, I figured out what I need to do to fix the issue and still maintain SSH to the firewall without compromising security. I’m reposting just in case someone else has a similar issue.

    Remove old Rules/NAT
    no access-list acl_outside permit tcp any host x.x.x.213 eq www
    no access-list acl_outside permit tcp any host x.x.x.213 eq https

    no static (inside,outside) x.x.x.213 10.10.6.44 netmask 255.255.255.255

    Add new rules/NAT
    static (inside,outside) tcp interface 80 10.10.6.44 80 netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.10.6.44 443 netmask 255.255.255.255

    access-list acl_outside permit tcp any interface outside eq www
    access-list acl_outside permit tcp any interface outside eq https

    Thanks you guys….

  36. Blog Admin says

    February 2, 2011 at 6:00 am

    Mohammed,

    I was going to reply to your initial comment but I just saw that you’ve figured out the correct solution :) Yeap, doing port redirection is the way to go. The way you had it at the beginning (full static NAT) was redirecting ALL traffic to your internal web server, including SSH traffic as well. Now, with port redirection you redirect only HTTP/HTTPs traffic.
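The two threads above (Justinian’s DMZ web server on a dedicated public IP with a database on the inside, and Mohammed’s port redirection on the outside interface address) use the pre-8.3 syntax. As an added example, not taken from the comments or the article, here is the same publishing done both ways: first in the 8.2 syntax used in the thread, then in the 8.3+/9.x object syntax that the replies mention but do not show. Addresses follow the comments (DMZ web server 192.168.10.6 published as 100.100.100.6, inside web server 10.10.6.44 behind the interface IP); the inside SQL server 192.168.75.10 and the access-list names are assumptions.

```cisco
! Added example (not from the article or the comments). Publishing a DMZ web server
! on a dedicated public IP and an inside web server on the outside interface IP, and
! letting the DMZ server reach only the SQL listener on the LAN.
!
! ---- ASA 8.2 and earlier (syntax used in the comment thread) ----
! Port-restricted static: only TCP/80 of 100.100.100.6 maps to the DMZ server.
static (dmz,outside) tcp 100.100.100.6 www 192.168.10.6 www netmask 255.255.255.255
! Port redirection on the interface IP: TCP/80 and 443 go to the inside server;
! every other port of the interface IP (e.g. SSH management) still belongs to the ASA.
static (inside,outside) tcp interface www 10.10.6.44 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.6.44 https netmask 255.255.255.255
! Before 8.3 the inbound ACL matches the translated (public) addresses.
access-list OUTSIDE_IN extended permit tcp any host 100.100.100.6 eq www
access-list OUTSIDE_IN extended permit tcp any interface outside eq www
access-list OUTSIDE_IN extended permit tcp any interface outside eq https
access-group OUTSIDE_IN in interface outside
! DMZ -> inside: an identity static for the SQL host (required while nat-control is on)
! plus an ACL that lets the web server reach only port 1433 on it and nothing else on the LAN.
static (inside,dmz) 192.168.75.10 192.168.75.10 netmask 255.255.255.255
access-list DMZ_IN extended permit tcp host 192.168.10.6 host 192.168.75.10 eq 1433
access-list DMZ_IN extended deny ip any 192.168.75.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
!
! ---- ASA 8.3 and later ----
object network DMZ_WEB
 host 192.168.10.6
 nat (dmz,outside) static 100.100.100.6 service tcp www www
! A network object carries one NAT rule, so each redirected port gets its own object.
object network INSIDE_WEB_80
 host 10.10.6.44
 nat (inside,outside) static interface service tcp www www
object network INSIDE_WEB_443
 host 10.10.6.44
 nat (inside,outside) static interface service tcp https https
! From 8.3 the inbound ACL matches the real (untranslated) addresses.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.6 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.10.6.44 eq www
access-list OUTSIDE_IN extended permit tcp any host 10.10.6.44 eq https
access-group OUTSIDE_IN in interface outside
! DMZ -> inside needs no NAT rule on 8.3+ (nat-control no longer exists); only the ACL applies.
access-list DMZ_IN extended permit tcp host 192.168.10.6 host 192.168.75.10 eq 1433
access-list DMZ_IN extended deny ip any 192.168.75.0 255.255.255.0
access-list DMZ_IN extended permit ip any any
access-group DMZ_IN in interface dmz
```

The design point in both versions is the one made in the reply above: a one-to-one static (no port) hands every port of the public address to the server, so the access list becomes the only thing standing between the Internet and, for example, the server’s management ports. A per-port static exposes just the service, and when the public address is the firewall’s own interface IP it is the only form that leaves the ASA reachable for management. The DMZ access list is deliberately explicit: permit the single database flow, deny the rest of the inside subnet, then allow the server its Internet access.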

  37. Mohammed S says

    February 4, 2011 at 6:04 pm

    I’m trying to block GoToMyPC LogMeIn and GoToMeeting.

    I have tried using regex however whenever I apply the policy it somehow blocks a lot of http and IM (instant Messaging) traffic:

    FW01(config)#show running-config regex
    FW01(config)# regex contenttype50 “Content-Type”
    FW01(config)# regex domainlist50 “\.gotomeeting\.com”
    FW01(config)# regex domainlist51 “\.logmein.\com”
    FW01(config)# regex domainlist52 “\.GoToMyPC.\com”
    FW01(config)#

    FW01(config)# show running-config class-map
    !
    class-map IPS
    match access-list TEM-F-IPS
    class-map type regex match-any DomainBlockList
    match regex domainlist51
    match regex domainlist50
    match regex domainlist52
    class-map type inspect http match-all BlockDomainsClass
    description This will block Access to GoToMeeting and LogMeIn
    match request header host regex class DomainBlockList
    class-map inspection_default
    match default-inspection-traffic
    class-map HttpTraffic
    match access-list inside_mpc
    class-map Netflow_class
    match any

    FW01(config)# show running-config policy-map type inspect http
    policy-map type inspect http Http_inspection_policy
    description Inspecting GoToMeeting and LogMeIn
    parameters
    protocol-violation action drop-connection log
    match request method connect
    drop-connection log
    class BlockDomainsClass
    reset log

    FW01(config)# show running-config policy-map
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect http
    inspect ils
    inspect ip-options
    class Netflow_class
    flow-export event-type all destination 10.13.50.48
    class IPS
    ips inline fail-open
    policy-map type inspect http Http_inspection_policy
    description Inspecting GoToMeeting and LogMeIn
    parameters
    protocol-violation action drop-connection log
    match request method connect
    drop-connection log
    class BlockDomainsClass
    reset log
    policy-map inside-policy
    description Policy created to Block GoToMeeting LogMeIn
    class HttpTraffic
    inspect http Http_inspection_policy

    FW01(config)# show running-config service-policy
    service-policy global_policy global
    service-policy inside-policy interface inside

    Would anyone have an Idea what I need to do to fix the issue? Or if you have a better way to block GoToMyPC, LogMeIn please let me know.

    Thanks,

  38. Blog Admin says

    February 6, 2011 at 8:11 am

    hmmm…..your configuration needs some careful consideration. Let me see if I find some time to check it out. :)

  39. Reed says

    February 9, 2011 at 11:11 pm

    Blog Admin,

    If I want to up-grade my ASA image file and ASDM image file, and I use Cisco.com Wizard to automatically upgrade these files, will it keep my Configuration Firewall Access Rules?

    Or will I have to reload these rules after up-graded to the next ASA images?

  40. Blog Admin says

    February 10, 2011 at 6:36 pm

    Reed,

    Yes, the configuration access rules will be retained on the firewall. The ASA image upgrade affects the OS image and not the ASA configuration.

  41. Justinian says

    March 23, 2011 at 5:20 pm

    Hello,
How would I go about having a failover internet connection for our ASA? We have a connection coming in from Comcast and another from CenturyLink in case Comcast goes down (which is happening very frequently nowadays). My ASA has an open port that I could use for it but I am not sure how I would go about setting it up. Any help will be greatly appreciated.

  42. Blog Admin says

    March 23, 2011 at 6:25 pm

    Hi ,

    You can use the “sla monitor” feature to track the connections to the two ISPs. See the link below:

    https://www.networkstraining.com/cisco-asa-5500-dual-isp-connection/

  43. Justinian says

    March 23, 2011 at 8:26 pm

    Thank you for responding and the article is VERY helpful, forgive my ignorance but I would like to know how I would configure the translations for static ips from ISP-1 on ISP-2 interface. For example currently for email I have
    static (Inside,Outside) 100.100.100.186 192.168.20.8 netmask 255.255.255.255
    how would this work with ISP#2 since the public address belongs to ISP-1?

  44. Blog Admin says

    March 24, 2011 at 4:35 pm

    Lets say the interface to the second ISP is named outside2:

    you will have another public IP address from that ISP, lets say 200.200.200.1 assigned for your mail server:

    static (Inside,outside2) 200.200.200.1 192.168.20.8 netmask 255.255.255.255

  45. Justinian says

    March 24, 2011 at 6:29 pm

    Awesome! I didn’t think one ip (192.168.20.8 in this case) could be bound to different public addresses. I will test and post the results :) Thanks again
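To show the whole dual-ISP arrangement discussed in this thread in one place, here is an added example (not from the article or the linked post) in the ASA 8.2 syntax Justinian is running. ISP-1 on the outside interface follows the article (100.100.100.1/30, gateway 100.100.100.2, mail server published as 100.100.100.186); ISP-2 on Ethernet0/2 is assumed: interface 200.200.200.5/30, gateway 200.200.200.6, and 200.200.200.1 as the mail server’s public address from that ISP, as in the reply above. The sla monitor numbers and access-list names are also assumptions.

```cisco
! Added example: primary/backup ISP with "sla monitor" tracking and a static NAT
! for the mail server on each ISP link. ASA 8.2 syntax, as used in this thread.
interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 200.200.200.5 255.255.255.252
 no shutdown
!
! Ping the ISP-1 gateway every 5 seconds; track 1 goes down when the probe fails.
sla monitor 10
 type echo protocol ipIcmpEcho 100.100.100.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
!
! The primary default route is withdrawn while track 1 is down; the backup
! route with the worse metric (254) then becomes the active default route.
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 200.200.200.6 254
!
! Outbound PAT for whichever outside interface the routing table selects.
global (outside) 1 interface
global (outside2) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! One static per ISP: each public address is valid only on its own ISP link,
! so the same inside host is mapped once per outside interface.
static (inside,outside) 100.100.100.186 192.168.20.8 netmask 255.255.255.255
static (inside,outside2) 200.200.200.1 192.168.20.8 netmask 255.255.255.255
!
! Same inbound policy on both edges: only SMTP to the published mail addresses.
! (Pre-8.3 ACLs match the translated addresses, hence one list per interface.)
access-list OUTSIDE_IN extended permit tcp any host 100.100.100.186 eq smtp
access-group OUTSIDE_IN in interface outside
access-list OUTSIDE2_IN extended permit tcp any host 200.200.200.1 eq smtp
access-group OUTSIDE2_IN in interface outside2
```

The tracked route only covers outbound failover; inbound mail keeps working on the backup link because the second ISP publishes its own address for the server, which is exactly the question asked above. Note that the probe targets the ISP gateway, so a failure further upstream (gateway reachable, Internet not) will not trigger the switch; probing a well-known address beyond the gateway is the usual refinement. On 8.3 and later the two statics become two network objects for the same host, one with nat (inside,outside) static and one with nat (inside,outside2) static, and the access lists reference 192.168.20.8 directly.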

  46. Mohammed S says

    April 6, 2011 at 1:30 am

Currently I ran out of public IPs on my ASA5510. I was able to acquire a new /24 block, however this block is not on the same subnet as my existing /28 block. Is there a way that I can use this new block on my ASA5510 to NAT to internal IPs? If yes, what do I need to use this new block?

  47. Blog Admin says

    April 6, 2011 at 1:51 pm

    Mohammed,

    yes you can use a different /24 block. Your ISP must route this new block towards your ASA external IP. Then you can use normal static commands on the ASA to assign the new IP addresses to internal hosts.

  48. Mohammed S says

    April 6, 2011 at 5:17 pm

    So do I have to assign an ip address from the new block to one of my interfaces on the ASA. Would it be possible to show an example of how the config would look like?

    Thanks,

  49. Blog Admin says

    April 6, 2011 at 6:20 pm

    No you don’t have to assign an ip address from the new block to the ASA interface. You will keep the old IP address that you had. Just use static nat commands to statically map the new outside public IP addresses to inside addresses.

  50. Mohammed S says

    April 6, 2011 at 7:37 pm

So based on what would the firewall accept the traffic? It only knows about the IPs since they are used in the static NAT commands!!! Is this secure??

  51. Paulr says

    April 7, 2011 at 9:57 am

    Hi,
    Thanks for sharing the wealth of information on this blog. Since I’m new to firewalls, a new task I found in my basket this week, I’m trying not to drown in the information. However, Is there a way, one can create a virtual ASA5510, to test the set of rules, prior to posting them to the firewall? The firewall is not in-house, but on another continent, so flying up and down all the time until all settings are correct, is not my favourite occupation. Thanks for the help.

    Regards,

    Paul

  52. Blog Admin says

    April 7, 2011 at 6:13 pm

    Paul,
I would suggest renting a CCIE Security rack and getting actual access to real ASA devices where you can test anything you want. It’s pretty cheap. Search for CCIE Security rack rentals on Google.

  53. Blog Admin says

    April 7, 2011 at 6:15 pm

In addition to the static NAT, you will also configure access-list rules to control what traffic will be allowed from the Internet to the public IP. The access list will be applied on the outside interface.

  54. Thomas Paine says

    May 21, 2011 at 10:04 pm

    I am trying to follow your example to get basic internet connectivity on my asa5510.

    I have my DSL modem set to automatically push my static IP to my asa’s Ethernet0/0 port.

    When I try and configure the port with my 1.1.1.1 IP and my subnet mask of 255.255.255.255 I get bad mask for address 1.1.1.1.

    I don’t want the asa to do the pppoe when I can get my modem to do it. I will also be changing my IP in the future (I’m using a backup IP for deploying this asa on my lan).

    Thanks.

  55. Blog Admin says

    May 22, 2011 at 7:14 am

    Thomas,

    You can use a subnet mask of 255.255.255.0 for the outside interface. You need to find out what the default gateway will be (i.e the router gateway of your ISP provider) and make sure that the outside ASA address falls in the same subnet as your default gateway. You will achieve this by choosing the correct subnet mask.

  56. Mohammed S says

    June 10, 2011 at 9:43 pm

    Hi,
    I’m in the process of implementing Active/Standby redundancy on my ASA5510 firewall. all interfaces are of the speed 10/100. I would like to use the management interface 0/0 as the failover link, do you see any problems/issues or disadvantages of using the management interface?

  57. Blog Admin says

    June 11, 2011 at 8:13 am

    Mohammed,

    I have not seen such a configuration before. I have seen the “management” interface to be used as normal data interface, but not as failover. Just try it and let us know how it goes. Run the command “no management-only” under the management interface configuration and then configure it as failover. If it works then I don’t see any disadvantages.

  58. Tamadite says

    June 12, 2011 at 9:00 pm

    I am trying to access the web server on the DMZ segment from the inside segment by using the public URL. When looking at the log I see:

    =========
    TCP access denied by ACL from 192.168.1.5/57320 to inside:94.255.161.102/80
    TCP request discarded from 192.168.1.5/57320 to inside:93.255.163.XXX/80
    ==========

    192.168.1.5 is the host on the inside network and “93.255.163.XXX/80” is the IP address on the outside interface (dynamic) even when the log says “inside”.

    What am I doing wrong/missing? Please advise.

  59. Tamadite says

    June 12, 2011 at 9:43 pm

    Sorry, I pasted the wrong outside addresses above (comment #59). They show as different but both are in fact the same.

  60. Mohammed S says

    June 13, 2011 at 6:14 pm

    Okay another question is it best practice to use two interfaces for HA failover? I read somewhere online the ASA550x firewalls will continuously fail over if both the heartbeat traffic and the stateful traffic go through a single interface.

    This would only make sense to me if you have a lot of traffic going through your firewall, and by a lot I mean having hundreds of IPsec tunnels and any other crazy traffic; then maybe, since the heartbeat data needs low latency and not a lot of packet loss caused by heavy traffic.

    Would like to get your thoughts on this?

  61. Blog Admin says

    June 13, 2011 at 7:01 pm

    Mohammed,

    I always use just one interface for HA failover and everything works OK with no problems. Of course I try to use a 10/100/1000 Mbps interface so as to utilize the gigabit speed. However, if your firewall’s traffic is not much, then 10/100 as failover will be fine.
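As an added illustration of the single-interface Active/Standby setup described in the reply above (not the blog's configuration), the primary unit's failover commands on an ASA 5510 with Ethernet0/3 carrying both the failover control and the stateful link; the interface name FOLINK, the link addresses 10.255.255.0/30, the data-interface addresses and the key string are constructed values.

```cisco
! Constructed example: Active/Standby failover on the PRIMARY ASA 5510.
! The 5510 needs the Security Plus license for failover.
!
! One dedicated interface serves as failover control link AND stateful link.
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! Encrypt the failover link. Without a key, the replicated configuration
! (including passwords and VPN pre-shared keys) and connection state cross
! the link in clear text.
failover key FailoverSharedSecret1
!
! The dedicated failover interface carries no nameif or IP of its own; it
! only needs to be up.
interface Ethernet0/3
 no shutdown
!
! Every monitored data interface gets a standby address, so the two units can
! poll each other and the standby can take over the active addresses.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Enable failover last, after the link and addresses are in place.
failover
!
! On the SECONDARY unit only the bootstrap is typed; the rest is replicated:
!   failover lan unit secondary
!   failover lan interface FOLINK Ethernet0/3
!   failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
!   failover key FailoverSharedSecret1
!   failover
```

Verify the pair with show failover, which reports the role of each unit, the state of each monitored interface and whether the stateful link is in use.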

  62. Blog Admin says

    June 13, 2011 at 7:04 pm

    Tamadite,

    I assume that the actual IP address configured on the DMZ web server is not the public IP you mention here. I assume it is a private IP and then you do a NAT translation on the ASA to translate the dmz IP to a public one. If this is the case, then you must access the DMZ web server from inside using the private IP address of the web server (i.e the one configured on the network interface of the server).

  63. Tamadite says

    June 13, 2011 at 7:26 pm

    Blog Admin

    DMZ has 172.16.1.X, inside has 192.168.1.X and outside 94.255.161.102. I can access the web server in DMZ from inside if I use the DMZ host IP address. What I would like to do is to access the DMZ using the URL to my web server. The web server can be accessed from the Internet by Internet hosts without problems. So you say that I can not access the web server in the DMZ from inside using the URL but only using the DMZ IP address of the host (172.16.1.X).

  64. Tamadite says

    June 13, 2011 at 7:50 pm

    I got it to work:

    static (dmz,inside) netmask 255.255.255.255

    On 8.3 or above

    object network inside-dmz-web
    host
    nat (dmz,inside) static

    But one question remains: I want “nat (dmz,inside) static ” to use the dynamic ip address of the outside interface. How can I do this?

  65. Tamadite says

    June 13, 2011 at 7:54 pm

    Oops! It seems the blog does not accept some symbols. I repeat it here using other symbols:

    static (dmz,inside) [public.ip] [dmz.host.ip] netmask 255.255.255.255

    On 8.3 or above

    object network inside-dmz-web
    host [dmz.host.ip]
    nat (dmz,inside) static [public.ip]

    But one question remains: I want “nat (dmz,inside) static [public.ip]” to use the dynamic ip address of the outside interface. How can I do this?

  66. Blog Admin says

    June 14, 2011 at 5:26 am

    You can NOT access the translated public IP of the web server from inside of the ASA. You need to access the private IP. You can change the “host” file of your computer and make the URL domain point to the private IP.

    e.g

    webserverdomainname.com 172.16.1.1

  67. Tamadite says

    June 14, 2011 at 8:22 pm

    Well, somehow I got it to work. Don’t ask me why because I have read in many places that it is not possible. What I tried is DNS doctoring. With the solution given in comment #66 I can reach the web server in the DMZ from inside using the URL only, not via the real IP (web server IP in the DMZ). Now with the solution I give below I can reach the web server in the DMZ from inside using both the URL and the real web server IP in the DMZ.

    object network web_dmz_inside
    host 172.16.1.2
    nat (dmz,outside) static interface dns

    The strangest thing is that I am using PAT and for what I have read it should not work either.

    I thought about modifying the local host file on my inside clients but as last resource. Now, unless I am doing something really stupid, I will keep it like this.

    Please advise.

  68. April says

    August 11, 2011 at 9:52 am

    Hi,

    Can anyone please help with what went wrong in this config? The webserver is accessible from outside but not from inside using the FQDN; I can only access the webserver from inside using the internal IP address but not with the public address. I tried with my old non-Cisco firewall and it works fine. Please help. Thanks…

    User Access Verification

    Password:
    Type help or ‘?’ for a list of available commands.
    TID> en
    Password: ******
    TID# sh run
    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname TID
    enable password hNoJA51JsYfVzHT6 encrypted
    passwd hNoJA51JsYfVzHT6 encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.200 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    !
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network remote
    host 192.168.1.199
    object network https
    host 192.168.1.199
    object network http
    host 192.168.1.199
    object network smtp
    host 192.168.1.199
    object network pop3
    host 192.168.1.199
    object network imap
    host 192.168.1.199
    object network 81
    host 192.168.1.197
    object network 82
    host 192.168.1.197

    access-list internet_access_in extended permit icmp any any
    access-list lan_access_in extended permit icmp any any
    access-list 100 extended permit icmp any any echo-reply
    access-list Internal_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list External_access_in extended permit icmp any any echo-reply
    access-list External_access_in extended permit icmp any interface outside time-exceeded
    access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
    access-list External_access_in extended permit tcp any interface outside eq https
    access-list External_access_in extended permit tcp any interface outside eq www
    access-list External_access_in extended permit tcp any interface outside eq imap4
    access-list External_access_in extended permit tcp any interface outside eq smtp
    access-list External_access_in extended permit tcp any interface outside eq pop3
    access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199 eq 3389

    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any management
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400

    !
    object network obj_any
    nat (inside,outside) dynamic interface

    object network remote
    nat (inside,outside) static interface service tcp 3389 3389
    object network https
    nat (inside,outside) static interface service tcp https https
    object network http
    nat (inside,outside) static interface service tcp www www
    object network smtp
    nat (inside,outside) static interface service tcp smtp smtp
    object network pop3
    nat (inside,outside) static interface service tcp pop3 pop3
    object network imap
    nat (inside,outside) static interface service tcp imap4 imap4
    object network 81
    nat (inside,outside) static interface service tcp 81 81
    object network 82
    nat (inside,outside) static interface service tcp 82 82
    access-group External_access_in in interface outside
    access-group Internal_access_in in interface inside

    route outside 0.0.0.0 0.0.0.0 192.168.1.200 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 203.162.0.181
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username tidadmin password z.LOsU12wSFTyd4m encrypted privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:80467bad3c53ad2084876331274a7779
    : end
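The DNS doctoring mentioned in comments 66 to 68, written out as an added example for ASA 8.3 or later (not a poster's config and not the blog's); the object name WEB-SERVER, the public address 203.0.113.25 and the name www.example.com are constructed, and the inside host 192.168.1.199 is borrowed from the config above.

```cisco
! Constructed example: DNS doctoring for an inside client that resolves
! www.example.com through an EXTERNAL DNS server. The public A record points
! at 203.0.113.25; the ASA rewrites the reply to the real address 192.168.1.199
! as it passes from outside to inside, so the client connects directly.
!
! The "dns" keyword is only accepted on a one-to-one static translation; it
! cannot be combined with "service" port translation such as the
! "static interface service tcp www www" rules in the config above.
object network WEB-SERVER
 host 192.168.1.199
 nat (inside,outside) static 203.0.113.25 dns
!
! The rewrite is done by DNS inspection, which the default global policy
! already applies (this matches the policy-map shown above).
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
! Conditions:
!  - the client's DNS query and reply must cross the ASA through the pair of
!    interfaces named in the NAT rule; a reply from an internal DNS server
!    is never seen by the ASA and is not rewritten;
!  - the reply must be an A record for the mapped address 203.0.113.25.
!
! When the server is published with port translation or only via the outside
! interface address, use split DNS instead: let the internal DNS server answer
! www.example.com with 192.168.1.199, so inside clients go to the real IP and
! never try to reach the public address from inside.
```

To see whether a reply was rewritten, capture DNS on the inside interface after a lookup from a client: the answer section should already carry 192.168.1.199.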

  69. MDGeek says

    September 28, 2011 at 4:50 am

    Hi;
    Thank you so much for your continued efforts in responding to many ASA related questions.
    I actually bought your eBook about a year ago but have just started using it to configure our ASA5510.
    Now I ran into two separate problems with the Mgmt port IP assignment.
    First, whenever I change the IP address from the default to anything else (from 192.168.1.1 to 192.168.11.100), ASDM will no longer connect to the unit using the newly changed IP, even though I also changed my PC’s IP to correspond to the Mgmt’s.
    But once I change it back to the default, everything works again. Note that I am able to gain access thru the console to undo whatever changes I have made.
    Also, must the ASA Management port be separated from the rest of the LAN?
    2nd: I would like to have the Management port reside on the same subnet as the rest of my secure hosts. So far the ASA5510 is insisting that the two cannot coexist on the same subnet.
    Example: 192.168.2.1=ASA-Mgmt-port ; 192.168.2.5-50=LAN-hosts; 192.168.1.1=outside-port-ISP-router.
    Am I missing something here? Please advise. Thanx

  70. Blog Admin says

    September 28, 2011 at 5:04 am

    @MDGeek,

    1st Problem: Have you also changed the subnet range allowed to use http?

    e.g:

    http server enable
    http 192.168.11.0 255.255.255.0 management

    2nd Problem: The ASA management port is a different layer3 interface, so it MUST be on a separate layer3 subnet from the rest of the interfaces. So, yes, you must assign a different subnet for the management (which is better for security reasons as well)

  71. MDgeek says

    September 30, 2011 at 11:18 am

    Thanks a million!
    http server was already enabled (used with the default ip), however, the 192.168.11.0 was not associated to the management interface.

    It now works with my set subnet. Also, I now understand the interface separation thing with the mgmt port.
    Thanks again.

  72. MDgeek says

    September 30, 2011 at 12:47 pm

    Please, one quick question. How can I configure port-forwarding for a Remote Desktop connection (RDP – port 3389) and an HTTP connection to a security camera?
    Both will have to translate a standard TCP port from outside to a custom TCP port on the inside LAN.
    We already have both services working fine off of the broadband router and would like to maintain that when the ASA5510 is deployed.

    Thanks always

  73. Blog Admin says

    October 7, 2011 at 7:35 pm

    This is called “port redirection” with Cisco ASA. Try Googling this and you will find several examples.
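An added example of the port redirection asked about in comment 72, for ASA 8.3 or later (not the blog's configuration); the hosts 192.168.10.50 and 192.168.10.60, the custom ports 33389 and 8080, the admin network 198.51.100.0/24 and the object names are constructed.

```cisco
! Constructed example: Internet clients use the STANDARD port on the outside
! interface address; the ASA forwards each to the CUSTOM port the inside host
! actually listens on.
!
! RDP: public TCP 3389 -> 192.168.10.50 on its custom port 33389
object network RDP-HOST
 host 192.168.10.50
 nat (inside,outside) static interface service tcp 33389 3389
!
! Camera web UI: public TCP 80 -> 192.168.10.60 on its custom port 8080
object network CAMERA
 host 192.168.10.60
 nat (inside,outside) static interface service tcp 8080 www
!
! In "service tcp real_port mapped_port" the first port is the one on the
! inside host, the second is the port exposed on the outside address.
!
! Outside ACL: from 8.3 on it matches the REAL address and REAL port.
! RDP open to "any" is a standing target for password guessing, so limit the
! source to the network the administrators actually connect from.
object-group network RDP-ADMINS
 network-object 198.51.100.0 255.255.255.0
access-list OUTSIDE-IN extended permit tcp object-group RDP-ADMINS host 192.168.10.50 eq 33389
access-list OUTSIDE-IN extended permit tcp any host 192.168.10.60 eq 8080
access-group OUTSIDE-IN in interface outside
```

show nat detail lists each rule with its translate counts, which is the quickest way to see whether inbound connections are actually hitting the port-redirection entries.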

  74. Mas says

    December 16, 2011 at 12:09 pm

    Hi,
    I have purchased your ebook and have been using it to learn Cisco ASA. I have an ASA5505 and have set up a remote VPN worker. My problem is that the PC running the VPN client connects OK and can ping the ASA inside interface but not the PC on the inside interface. The PC on the inside interface can ping the VPN client :-(

    ping VPN Client – ASA Inside I/f 192.168.44.160 Yes
    ping VPN Client to PC on inside 192.168.44.82 NO
    ping PC on inside to VPN Client 192.168.50.1 Yes

    My config is below. Please are you able to tell me what I have done wrong?

    ASA Config

    : Saved
    : Written by cisco at 10:08:15.679 UTC Fri Dec 16 2011
    !
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    switchport access vlan 2
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.44.160 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.1.100 255.255.255.0
    !
    ftp mode passive
    object network internal_lan
    subnet 192.168.44.0 255.255.255.0
    object network support-vpn-subnet
    subnet 192.168.50.0 255.255.255.0
    description IP address assigned to Support VPN User
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any
    access-list global_access extended permit ip any any
    access-list global_access extended permit icmp any any echo
    access-list global_access extended permit icmp any any echo-reply
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool pool-support-vpn 192.168.50.0-192.168.50.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static support-vpn-subnet support-vpn-subnet no-proxy-arp route-lookup
    !
    object network internal_lan
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    access-group global_access global
    route outside 0.0.0.0 0.0.0.0 192.168.1.98 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 192.168.44.0 255.255.255.0 inside
    http 192.168.1.96 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.44.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.96 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy tg-vpn-support internal
    group-policy tg-vpn-support attributes
    wins-server value 192.168.44.1
    dns-server value 192.168.44.1
    vpn-tunnel-protocol ikev1
    default-domain value bhls.com
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    tunnel-group tg-vpn-support type remote-access
    tunnel-group tg-vpn-support general-attributes
    address-pool pool-support-vpn
    default-group-policy tg-vpn-support
    tunnel-group tg-vpn-support ipsec-attributes
    ikev1 pre-shared-key 1qazxsw2
    !
    !
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:488a018c60162a057b66a31071a38917
    : end

  75. Blog Admin says

    December 16, 2011 at 2:36 pm

    Martin,

    It seems that the PC firewall may be blocking your pings. If the PC is Windows, enable remote desktop access on the PC and try to connect with RDP from the VPN client to the PC. If you manage to connect, then the VPN works fine. Pinging is not always the best way to test connectivity.

  76. raghunair says

    January 10, 2012 at 5:00 am

    hii…its working .. thanx

  77. Adolfo says

    February 14, 2012 at 11:15 pm

    Hi,

    I want to connect 3 different routers (also Cisco equipment) to a Cisco ASA 5510. All routers have different outside networks connected to them. But I want the inside network to be the same, 10.10.0.xxx. Is it possible to have the ASA 5510 with an IP 10.10.0.xxx and the routers also with 10.10.0.xxx IPs? Or do I have to assign different network IPs for the routers, for example 10.10.1.xxx for router 1?

    Many thanks,
    Adolfo

  78. Blog Admin says

    February 15, 2012 at 3:37 pm

    Adolfo,

    Yes, you can have all routers connected to the same inside network as the ASA (10.10.0.x). However, you should know that traffic between the three outside networks will be allowed to communicate with the other outside networks through the routers with no restrictions. If you want to control traffic flow between the three outside networks, then you must connect each router into a different inside subnet (you should create different inside VLANs on the ASA).

  79. Steve says

    February 15, 2012 at 6:28 pm

    The book is excellent and was a great help in configuring my ASA 5505 and 5510, but I did have a problem with the examples for site-to-site VPN and Remote Access VPN. When you enter the access-list and nat commands as shown, it wipes out any others that you have already entered. Same with the crypto commands. I was able to get around it by using the ASDM interface for those commands, but is there something in the command that will allow you to add without wiping out previous commands?

  80. Blog Admin says

    February 16, 2012 at 2:05 pm

    Steve,

    This is normal with Cisco configurations. There are some commands that if you execute the same command with different parameters then it overrides the existing one. On access-list commands, you need to enter the line number if you want to add additional entries without overriding existing entries.

    e.g:

    access-list access_list_name [line line_number] [extended] [permit/deny]

  81. Muhammad says

    March 26, 2012 at 7:09 pm

    Please help me out regarding this issue, this is my first project.

    my client send me these addresses

    IP: 173.68.176.210 – 215

    Default Gateway: 173.168.176.1

    Subnet Mask: 255.255.255.0

    Primary DNS: 68.237.161.12

    Secondary DNS: 71.243.0.12

    I will pick one of the public IPs and set it on the e0 interface. I don’t know whether I have to set the default gateway IP address on the internal interface that will connect the firewall to the switch; I am very confused. Secondly, how do I set the IP for the domain?

    ip name-server and then the ip address

    Please help me out

  82. Blog Admin says

    March 30, 2012 at 2:26 pm

    Muhammad,

    The default gateway always points towards the Internet and NOT towards the inside network. So pick one of the available IP addresses for the outside ASA interface and set the default gateway to point to the ISP IP.
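Tying the replies in comments 55 and 82 together, an added example (not the blog's own configuration) of the outside interface, default route and DNS settings on an ASA 5510; the addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges and the domain example.com, not from the poster's assignment.

```cisco
! Constructed values: the ISP assigns 203.0.113.210-215 with mask
! 255.255.255.0, gateway 203.0.113.1 and DNS servers 198.51.100.12/.13.
!
! Outside interface: pick ONE address from the assigned range. The mask must
! put the interface and the ISP gateway in the same subnet (both are in
! 203.0.113.0/24 here); a host mask of 255.255.255.255 gives the "bad mask"
! error seen in comment 54.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.210 255.255.255.0
 no shutdown
!
! Inside interface on its own private subnet; the ISP gateway is never
! configured on this side.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Default route: out of the outside interface to the ISP gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Name resolution by the ASA itself (hostnames typed at the CLI, certificate
! checks, and so on). Inside hosts use their own DNS settings or dhcpd below.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.12
 name-server 198.51.100.13
 domain-name example.com
!
! Optional: hand the ISP DNS servers to DHCP clients on the inside LAN.
dhcpd dns 198.51.100.12 198.51.100.13
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd enable inside
```

Check with show route that the gateway of last resort is 203.0.113.1, and with ping 203.0.113.1 that the ISP gateway answers on the chosen mask before testing anything beyond it.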

  83. Edwin says

    April 2, 2012 at 2:43 pm

    First off, I’m enjoying your ebook. It’s great!

    I have the same setup except I have an L3 3550 switch and I’m doing subinterfaces on my Pix 515 (unrestricted). Everything works fine as far as DHCP, internet, and ASDM. The only thing is I can’t seem to ping my internal clients from my ASA. I can ping my L3 switch VLAN IP but not my internal client IP. My client PCs can ping both the L3 switch IP and the ASA inside interface. Is there an ACL that’s blocking? I did a packet tracer and it tells me it dropped due to an access list, but I have them in place. I feel I’m missing something simple. Information below

    Internet Pix515 L3switch PC’s

    MYFIREWALL# sh run
    : Saved
    :
    PIX Version 8.0(4)28
    !
    hostname MYFIREWALL
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 173.14.214.114 255.255.255.248
    !
    interface Ethernet1
    speed 100
    duplex full
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet1.10
    vlan 10
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet1.20
    vlan 20
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    access-list 101 extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 20000
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 173.14.214.118 1
    timeout xlate 3:00:00
    timeout conn 9:09:09 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 68.87.68.162 68.87.74.162
    dhcpd domain aejg.net
    !
    dhcpd address 10.10.10.105-10.10.10.150 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    !
    !
    prompt hostname context
    Cryptochecksum:ed3a9e8e32f486f73ad65f0ce7a95b3f
    : end
    ————————
    MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.105 detail$

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4392f78, priority=1, domain=permit, deny=false
    hits=130328, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.10.10.0 255.255.255.0 inside

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4397fb8, priority=500, domain=permit, deny=true
    hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.10.10.1, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    ——————————–
    MYFIREWALL# ping 10.10.10.105
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.105, timeout is 2 seconds:
    ?????

    ——————————-

    MYSWITCH#sh run
    Building configuration…

    Current configuration : 2518 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname MYSWITCH
    !
    !
    no aaa new-model
    ip subnet-zero
    ip routing
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    vlan internal allocation policy ascending
    !
    !
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    duplex full
    speed 100
    !
    interface FastEthernet0/2
    switchport mode dynamic desirable
    !
    interface FastEthernet0/3
    switchport mode dynamic desirable
    !
    interface FastEthernet0/4
    switchport mode dynamic desirable
    !
    interface FastEthernet0/5
    switchport access vlan 10
    switchport mode access
    duplex full
    speed 100
    spanning-tree portfast
    !
    interface FastEthernet0/6
    switchport mode dynamic desirable
    !
    interface FastEthernet0/7
    switchport mode dynamic desirable
    !
    interface FastEthernet0/8
    switchport mode dynamic desirable
    !
    interface FastEthernet0/9
    switchport mode dynamic desirable
    !
    interface FastEthernet0/10
    switchport mode dynamic desirable
    !
    interface FastEthernet0/11
    switchport mode dynamic desirable
    !
    interface FastEthernet0/12
    switchport mode dynamic desirable
    !

    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan10
    ip address 10.10.10.100 255.255.255.0
    ip directed-broadcast
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    ip http server
    —————————

  84. Blog Admin says

    April 2, 2012 at 4:47 pm

    Edwin,

    Try the following command:

    icmp permit any inside

    Also, do your internal PCs have a Windows firewall configured on them (maybe it blocks the ASA pings?)

  85. Edwin says

    April 2, 2012 at 7:49 pm

    Thanks for your response. This is what I get.

    MYFIREWALL(config)# icmp permit any inside
    ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists

    I also tried adding “same-security-traffic permit intra-interface” but no success.

  86. Edwin says

    April 4, 2012 at 3:23 pm

    Also, I disabled my Windows firewall service. Is it a rule that the Cisco PIX doesn’t accept return pings for the ones it sends out on its inside interface? Because I get the question marks when I ping my internal PC.

  87. Edwin says

    April 5, 2012 at 12:53 pm

    Problem resolved. It was the firewall on my Windows 7 PC. Weird, I stopped and disabled the firewall service and even restarted afterwards and it wasn’t getting ping responses. It wasn’t until I created an inbound rule on the firewall to allow all ICMP that it started working. Thanks for all your help and advice.

  88. Clint says

    May 16, 2012 at 7:28 pm

    How do you show if an ASA 5510 will fail-close or fail-open?
    Cisco ASA software Ver 7.0 (1)
    Device Manager Ver 5.0 (7)

  89. Clint says

    May 17, 2012 at 7:47 pm

    Nevermind…
    They do not have the IPS module (AIP-SSM) in the unit. It will stop forwarding traffic altogether. There is no fail-close/open function when that scenario occurs.

  90. Blog Admin says

    May 18, 2012 at 2:50 pm

    Yeah Clint, the fail close/fail open concept is applicable to IPS devices, not on a Firewall.

  91. Fen says

    June 28, 2012 at 8:45 pm

    How can I configure 2 internal networks?
    Ethernet0/0 Public IP
    Ethernet0/1 192.168.2.1
    Ethernet0/0 192.168.0.1
    Is it possible ?

  92. Blog Admin says

    July 1, 2012 at 3:16 pm

    Fen,

    Of course it’s possible to configure two internal networks on the two Ethernet interfaces. Just configure an IP address, a nameif and a security level on each interface and you are good to go.

  93. Sara Amir says

    August 16, 2012 at 11:22 am

    Hello,
    Just a question out of confusion.
    If I have a router and then an ASA, the VPN should terminate on the ASA. So, where does my public IP reside for remote access VPN? The ASA outside interface, or the router?
    If you have any configuration example please send it to me as I am really confused.
    Thank you.

  94. Blog Admin says

    August 16, 2012 at 4:05 pm

    Hi Sara,

    If the public IP resides on the WAN interface of router, you can configure static NAT on the router and send all traffic to the outside interface of the ASA. See the following example:

    http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/

  95. bikramchowdhry says

    September 9, 2012 at 9:59 am

    Hi Admin,

    After this configuration, can we ping 100.100.100.2 from a PC on the 192.168.10.0/24 network?

  96. Blog Admin says

    September 9, 2012 at 6:07 pm

    bikramchowdhry,

    Yes you can ping address 100.100.100.2 (the default gateway) if you allow icmp echo-reply packets to pass from the outside interface inbound. You need to create an access control list as following:

    access-list OUT extended permit icmp any any echo-reply
    access-group OUT in interface outside

  97. bikramchowdhry says

    September 17, 2012 at 2:02 pm

    Hi Admin,

    I have configured the same in GNS 3 as you said but still I am not able to ping 100.100.100.2 (ISP end IP address) from 192.168.10.2 which is the internal IP address of LAN.

    As I am a new beginner, could you kindly post step-by-step instructions so that we can ping from 192.168.10.0/24 to 100.100.100.2 (ISP end IP address), just this once. It’s my kind and hearty request to you.

    Thanks and regards,

    Bikram

  98. Blog Admin says

    September 17, 2012 at 3:27 pm

    You need to allow icmp echo-reply packets on the outside interface in order to be able to ping external hosts:

    access-list OUT extended permit icmp any any echo-reply
    access-group OUT in interface outside

  99. bikramchowdhry says

    October 20, 2012 at 10:55 am

    Hi Admin,

    I am extremely sorry, I am still not able to ping.

  100. Blog Admin says

    October 20, 2012 at 1:18 pm

    Maybe your NAT doesn’t work. Try to telnet from an inside PC to 200.200.200.2 and observe the xlate translations to see if they work:

    show xlate

    With the above command you will see if the private PC IP 192.168.10.x is translated on the outside IP of ASA.
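
    The three replies above (comments 96, 98 and 100) cover the same troubleshooting path: let echo-replies back in through the outside interface, then confirm that NAT is actually translating the inside host. The following is an added example, not configuration from the post or from Blog Admin. It uses the tutorial’s interface names (inside, outside) and addresses (LAN 192.168.10.0/24, ISP gateway 100.100.100.2), the ACL name OUT from the comments, and a constructed inside host 192.168.10.2. The stateful ICMP inspection variant is the one to prefer: it admits only the reply that matches a request the ASA has seen, instead of any echo-reply from anywhere.

```text
! Added example, not the post's own configuration.
! Interface names, LAN subnet and ISP gateway are the tutorial's;
! ACL name OUT is from the comments; 192.168.10.2 is a constructed inside host.

! --- Option A: stateless permit of replies (what the comments suggest) ---
! Any echo-reply (and the error types ping/traceroute rely on) is allowed
! in from any source, whether or not an inside host asked for it.
access-list OUT extended permit icmp any any echo-reply
access-list OUT extended permit icmp any any time-exceeded
access-list OUT extended permit icmp any any unreachable
access-group OUT in interface outside

! --- Option B (preferred): stateful ICMP inspection ---
! With "inspect icmp" the ASA tracks each echo-request as a connection and
! admits only the matching echo-reply, so no inbound ACL entry is needed.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! --- Verification before blaming the ACL ---
! 1. Simulate the outbound echo-request (type 8, code 0). The NAT phase must
!    show the host translated to the outside address and the final block
!    must end with "Action: allow".
packet-tracer input inside icmp 192.168.10.2 8 0 100.100.100.2 detailed

! 2. While a ping from the inside PC is running, confirm the translation
!    and the tracked ICMP connection exist.
show xlate
show conn protocol icmp
show nat
```

    If `show xlate` stays empty while the PC is pinging, the packets are not reaching the ASA or the NAT rule does not match the source subnet; only once a translation appears is the outside ACL the next thing to check.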

  101. Ronel Caranog says

    January 11, 2013 at 4:54 pm

    Hi Guys,

    Hope you guys can assist me with this endeavour;

    on a CISCO 515E

    I want to set up a backup application server. Currently I want eth3 to be a backup of my eth0 for redundancy. I have two application servers, eth0 being the primary and eth3 the redundant one. Of course I can’t assign a public IP address within the same range as eth0, but is there any way I could do what I plan to do using only a single Cisco ASA 515E?

    Any help will be appreciated.

  102. Blog Admin says

    January 12, 2013 at 9:44 am

    Ronel,

    As I understand it, you want to provide server redundancy. The best way would be to connect both on the same subnet (maybe on the switch where PIX eth0 is connected) and then create a cluster or some sort of server load-balancing or failover. The two servers will be represented by a virtual IP address (VIP) so the PIX will know one IP to reach the server cluster. This is the classical way most people are doing it.

    Harris

  103. Mkhweli Ntfombitakhona says

    March 6, 2013 at 11:38 am

    Hey guys, I hope you will assist me. I am very desperate and I need your help urgently. I am a student and I specialise in networking, and I have a problem configuring the switch using VLANs.

  104. Mkhweli Ntfombitakhona says

    March 6, 2013 at 11:41 am

    Please help me in configuring the switch using VLANs.

  105. Blog Admin says

    March 6, 2013 at 12:18 pm

    Check out this post here:

    https://www.networkstraining.com/how-to-configure-vlans-on-a-cisco-switch/

  106. Subrun says

    July 17, 2013 at 7:30 pm

    Hi

    I got a fresh ASA 5540, and at first I just want to access this ASA from the LAN. For this I only put an IP, say 192.168.80.104, with a security level of 100, and gave a route on the inside to 192.168.80.1 as the gateway router for the 192.168.80.104 IP. But the issue is I am not getting pings from the 192.168.80.XX IP block.

    Can you please help me out.

  107. Blog Admin says

    July 18, 2013 at 3:34 pm

    If you have a PC connected to 192.168.80.x network and the inside interface of ASA is “no shut” then you should get ping replies if you ping the ASA IP

  108. sadanandam.gaddi says

    August 4, 2014 at 11:41 am

    Dear Sir,

    I have configured a Cisco 5500 firewall; I have given it an IP address and everything, but after rebooting the firewall this whole configuration is deleted. It does not save this configuration to the Cisco 5500 firewall. What is this problem? Could you please give a suggestion to me.
    Thanking you sir.

  109. BlogAdmin says

    August 6, 2014 at 8:18 pm

    To save the configuration run the following command:

    “wr mem”

    This will save the current running configuration to flash memory so that when you reboot it will not be lost.

  110. Tony Lopez says

    October 11, 2014 at 4:16 am

    Dear Sir,
    I do have an ASA5525 firewall with version 8.4. My outside interface is connected to an edge external switch and the inside interface is connected to the internal switch for my LAN network. My question is, I do have another device, which is Ratitan. This is a device where I can plug in my other devices such as the ASA, servers, etc. I plugged this Ratitan device into the edge external switch where the outside interface of my ASA firewall is connected. This device is outside the firewall and I did assign an external IP address. From my internal network I am able to access this public IP address of Ratitan but not from the outside. It used to work, and for whatever reason stopped working when I put the statement deny ip any any going inbound on the outside interface of my firewall. Not sure what is stopping me from accessing it from the outside, since this Ratitan device is not behind the firewall.
    Is there a way you can help me out on this, and what am I doing wrong? Please advise. Many thanks.

  111. Harris Andrea says

    October 11, 2014 at 12:46 pm

    Sorry, but I have no idea what this Ratitan device you mentioned is. Also, I didn’t understand the exact problem here. Please describe it in more detail.

    Thanks

    Harris

  112. Alok says

    December 4, 2014 at 7:45 am

    On First boot
    Do copy run start
    reload
    then exit GNS.

    Start GNS after that save config always with copy run start

  113. rakesh says

    December 10, 2014 at 11:49 am

    I have configured the above configuration in the firewall and I’m trying to ping the WAN interface but getting RTO. Please suggest.

  114. Harris Andrea says

    December 10, 2014 at 2:14 pm

    Rakesh,

    The firewall does not allow you to ping its WAN interface from the inside.

  115. Suleiman says

    April 30, 2015 at 2:02 pm

    Hey guys…..I would really like to thank Networkstraining.com for helping me nail down this thing.
    At last my client is connected to the internet and happy.
    Cheers guys

  116. irfan Majeed says

    October 10, 2015 at 8:50 am

    Please help me create the password on a Cisco ASA 5510 series firewall.

  117. Harris Andrea says

    October 10, 2015 at 1:35 pm

    run the following:

    config t
    enable password somestrongpassword

  118. IRFAN MAJEED says

    October 12, 2015 at 2:13 pm

    Dear, I created the interface, hostname and password. Please give your suggestion on what thing I am missing to configure a Cisco ASA 5510 series firewall.

  119. IRFAN MAJEED says

    October 12, 2015 at 2:18 pm

    Someone help me. I created the interface, hostname and password on a Cisco ASA 5510 series firewall. What thing am I missing? Please give me your opinion as soon as possible.

  120. Harris Andrea says

    October 13, 2015 at 4:52 am

    If you follow the commands exactly as shown on the post above, you will have the ASA5510 running with its basic configuration.

  121. Chris says

    June 21, 2021 at 6:30 pm

    Is there a way to allow clients on the Inside interface (192.168.2.0/24) to use the DNS available on the Outside interface (192.168.1.0/24)? I have an ASA 5512-X running 9.10, and this resides here:

    ISP->modem->Meraki Security Appliance->ASA (outside interface 192.168.1.100) | inside (192.168.2.0/24)
    |
    DNS/DHCP server
    Thanks.

  122. Harris Andrea says

    June 22, 2021 at 1:24 pm

    Chris, yes of course. Provided that there is a NAT rule in place (e.g PAT to translate inside hosts to ASA’s outside IP) then you can access any outside host. If you already have an ACL on the inside interface of ASA, then you need to allow 192.168.2.0/24 towards DNS on UDP port 53.
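
    The reply above describes what is needed in words: a NAT rule for the inside hosts and, if an inside ACL exists, an entry for UDP 53 to the DNS server. The following is an added example, not configuration from the post or from either commenter. It assumes an ASA running 9.x (Chris mentions 9.10), the inside subnet 192.168.2.0/24 and outside segment 192.168.1.0/24 from the question, a placeholder DNS server address 192.168.1.10 and a placeholder ACL name INSIDE_IN. It goes one step beyond the reply: besides permitting DNS to the resolver it denies and logs DNS to any other destination, so LAN hosts cannot bypass the corporate resolver, and it keeps DNS inspection enabled.

```text
! Added example, not the post's own configuration. Assumed/placeholder values:
! ASA 9.x, LAN 192.168.2.0/24, DNS server 192.168.1.10, ACL name INSIDE_IN.

! PAT all LAN hosts to the ASA outside interface address (192.168.1.100).
object network LAN
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

object network DNS_SERVER
 host 192.168.1.10

! Inside ACL, evaluated top to bottom:
!  - permit DNS to the approved resolver on UDP and TCP 53 (TCP is used for
!    answers that do not fit in a UDP message);
!  - deny and log DNS to anywhere else, so resolver bypass shows in syslog;
!  - then allow the remaining traffic as before.
access-list INSIDE_IN extended permit udp object LAN object DNS_SERVER eq domain
access-list INSIDE_IN extended permit tcp object LAN object DNS_SERVER eq domain
access-list INSIDE_IN extended deny udp object LAN any eq domain log
access-list INSIDE_IN extended deny tcp object LAN any eq domain log
access-list INSIDE_IN extended permit ip object LAN any
access-group INSIDE_IN in interface inside

! DNS inspection is on by default in global_policy; shown here explicitly so
! the message size limit is enforced and malformed DNS is dropped.
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map

! Verify: trace a query from a constructed LAN client to the resolver. The
! ACL phase must be ALLOW, the NAT phase must show the translation to
! 192.168.1.100, and the final block must end with "Action: allow".
packet-tracer input inside udp 192.168.2.50 53000 192.168.1.10 53
show xlate
```

    The `log` keyword on the deny lines produces syslog message 106100 for each matching flow, which is the simplest way to spot a client that has been pointed at an outside resolver or that is tunnelling over DNS.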

  123. Chris says

    June 24, 2021 at 7:21 pm

    This worked, thank you!

  124. Chris says

    June 24, 2021 at 7:22 pm

    Thank you!

Copyright © 2023 | Privacy Policy | Terms and Conditions | Hire Me | Contact | Amazon Disclaimer | Delivery Policy