Networks Training

How to Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial

This Cisco ASA Tutorial gets back to the basics regarding Cisco ASA firewalls. I’m offering you here a basic configuration tutorial for the Cisco ASA 5510 security appliance but the configuration applies also to the other ASA models as well (see also this Cisco ASA 5505 Basic Configuration).

The 5510 ASA device is the second model in the ASA series (ASA 5505, 5510, 5520 etc) and is fairly popular since it is intended for small to medium enterprises. Like the smallest ASA 5505 model, the 5510 comes with two license options: The Base license and the Security Plus license. The second one (security plus) provides some performance and hardware enhancements over the base license, such as 130,000 Maximum firewall connections (instead of 50,000), 100 Maximum VLANs (instead of 50), Failover Redundancy, etc. Also, the security plus license enables two of the five firewall network ports to work as 10/100/1000 instead of only 10/100.

Next we will see a simple Internet Access scenario which will help us to understand the basic steps needed to setup an ASA 5510. Assume that we are assigned a static public IP address 100.100.100.1 from our ISP. Also, the internal LAN network belongs to subnet 192.168.10.0/24. Interface Ethernet0/0 will be connected to the outside (towards the ISP), and Ethernet0/1 will be connected to the Inside LAN switch. Refer to the diagram below for our example scenario.

MORE READING:  Configure Cisco ASA 5505 to allow Remote Desktop access from Internet

The firewall will be configured to supply IP addresses dynamically (using DHCP) to the internal hosts. All outbound communication (from inside to outside) will be translated using Port Address Translation (PAT) on the outside public interface. Let’s see a snippet of the required configuration steps for this basic scenario:

Step1: Configure a privileged level password (enable password)

By default there is no password for accessing the ASA firewall, so the first step before doing anything else is to configure a privileged level password, which will be needed to allow subsequent access to the appliance. Configure this under Configuration Mode:

ASA5510(config)# enable password mysecretpassword

Step2: Configure the public outside interface

ASA5510(config)# interface Ethernet0/0
ASA5510(config-if)# nameif outside
ASA5510(config-if)# security-level 0
ASA5510(config-if)# ip address 100.100.100.1 255.255.255.252
ASA5510(config-if)# no shut

Step3: Configure the trusted internal interface

ASA5510(config)# interface Ethernet0/1
ASA5510(config-if)# nameif inside
ASA5510(config-if)# security-level 100
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# no shut

Step 4: Configure PAT on the outside interface

ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0

UPDATE for ASA Version 8.3 and later (including ASA 9.x)

From March 2010, Cisco announced the new Cisco ASA software version 8.3. This version introduced several important configuration changes, especially on the NAT/PAT mechanism. The “global” command is no longer supported. NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later:

MORE READING:  Cisco ASA 5506-X Configuration Tutorial - Guide

object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface

Step 5: Configure Default Route towards the ISP (assume default gateway is 100.100.100.2)

ASA5510(config)# route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

Step 6: Configure the firewall to assign internal IP and DNS address to hosts using DHCP

ASA5510(config)# dhcpd dns 200.200.200.10
ASA5510(config)# dhcpd address 192.168.10.10-192.168.10.200 inside
ASA5510(config)# dhcpd enable inside

The above basic configuration is just the beginning for making the appliance operational. There are many more configuration features that you need to implement to increase the security of your network, such as Static and Dynamic NAT, Access Control Lists to control traffic flow, DMZ zones, VPN etc. I just tried to offer you a starting point for a basic configuration from where you can build your knowledge further. For a more complete practical guide about Cisco ASA Firewall configuration I suggest you to read the “Cisco ASA Firewall Fundamentals – 3rd Edition” ebook at the link HERE.

Filed Under: Cisco ASA Firewall Configuration, Cisco ASA Firewall ebook Tagged With: , , , , ,

Download Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls


By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.












Comments

  1. Hi, Congratulations to the site owner for this marvelous work you’ve done. It has lots of useful and interesting data.

  2. Thanks for sharing your knowledge. I just downloaded your ebook, legally of course :), and I can’t wait to try out all the scenarios contained in the book. One question that I have so far is how I can use my current Linksys router with my firewall. What I would like to do is just plug my firewall behind my current router instead of directly connect it to the internet (ISP) as show in your diagrams. I guess all I would have to do is configure default gateway (my router) on the firewall. Any comment regarding this set up would be appreciated.

    Thanks again for a great guide.

  3. Well, why don’t you connect your ASA directly to the ISP? Anyway, if for any reason you need to have the Linksys connected to the ISP, then configure a static IP address on the outside interface of the ASA and assign as default gateway the internal IP of the Linksys router. Assume that your linksys has internal LAN IP 192.168.1.1. Assign an IP address for the outside of ASA 192.168.1.10 and then configure a default route (gateway) for the ASA as following:
    asa(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.1

    Also, if the Linksys does the NAT translation, then you can avoid using NAT on the ASA firewall.

    I hope I clarified your question.

    Regards

    Harris

  4. thanks for your response. Just to answer your question, about why I am not using my ASA as an edge device, I currently have a couple of people using the linksys for wireless connection and I have a voip phone hooked up to it as well…so I felt hesitant about having to deal with that right off the bat.

  6. I have my ASA connected directly to my ISP’s cable box. The ASA keeps dropping the ip on the outside interface. I had to call the ISP several times to refresh my ip and it would work until I reboot the cable box or the ASA and then the on the outside interface of the ASA is gone. “show ip” shows “unassigned” for outside interface. I googled around to see if anybody else has experienced this but nothing so far. Anybody has any idea why this might happen? Thanks.

  7. One suggestion would be to fix the speed and duplex settings on your ASA outside interface. Maybe its a hardware speed negotiation problem between the ASA and the cable box. If the cable box is 100Mbps full duplex, then make the ASA interface the same:

    hostname(config)# interface Ethernet0/1
    hostname(config-if)# speed 100
    hostname(config-if)# duplex full

  8. Hello, I was looking around for a while searching for operational security training and I happened upon this site and your post regarding Configure a Cisco ASA 5510 Firewall – Basic Configuration Tutorial | CiscoTips, I will definitely this to my operational security training bookmarks!

  9. Hi, I bought your books to setup my ASA-5505 for VPN access. The scenario that best fits my setup is static outside interface with 2 servers in the dmz. You state that this requires a Security Plus license. In my case, I don’t need any servers in the dmz, just the inside lan with vpn users connecting to access services on the inside lan. Would I still need a Security Plus license? Would I have to do anything different from your example or just leave out the dmz settings?

    Thanks in advance,
    Arif

  10. Hello Arif,
    The scenario you mention above requires Security Plus license because there is communication between the DMZ and Internal network. For such a communication to work, you need to have a Security Plus license for the ASA5505 firewall. Now, in your case you don’t need a security plus license. Just leave out the DMZ settings in the example and configure VPN on the ASA for your users. Please let me know if you need more clarifications.

    Harris

  11. Harris,
    Thank you! It worked once I configured it the way you had it in the book. Now I will see how to port forward ssh port to a box on the inside vlan.

    -arif

  12. Arif,

    I’m glad it worked. For the port redirection I have a specific section in the ebook which describes exactly what you need to do. Please let me know if you find any problems.

  13. Dear Friends,
    I want to reload my ASA 5510 firewall.It was configure by ASDM so How to reload the firewall,kindly send it the procedure it is really help to me.I have on doubt we the firewall directly connected to my thomson ADSl router(modem) and then we have one public ip wher i want configure,I think it should configure in firewall e0 port,If we configure like this for example my ip address is 218.248.25.X my thomson gateway is 192.168.1.254 by default, so what is my question is basically if we configure any router and firewall we should configure default to communicate out side network so how i want configure the default route.

  14. Dear Friends,
    I want to reload my ASA 5510 firewall.It was configure by ASDM so How to reload the firewall,kindly send it the procedure it is really help to me.I have on more doubt we connected the firewall directly to my Thomson ADSl router(modem) and then we have one public ip,what is my question here? where i want configure this ip address,I think it should configure in firewall e0 port,If we configure like this for example my ip address is 218.248.25.X by default my Thomson gateway is 192.168.1.254 , so what is my question here? basically if we configure any router and firewall we should configure default route to communicate out side network so how i want configure the default route in this scenario.

  15. There should be a link under the administration section for reloading. Regarding the scenario with the Thomson ADSL router, if I understand it correctly, the default route for the ASA will be 192.168.1.254. You should assign an IP address to the outside interface (eth0 port) of the ASA in the range 192.168.1.1 – 192.168.1.253.

  17. Thanks for this. As for the Step 6, I have an internal DNS to resolve internal addresses and DHCP assigning addresses internally. Do I still need to have ASA 5510 run DHCP? I also currently have ISA server 2006 on which I had a stub copy of DNS and forwards queries to external DNSs. I would like to continue using ISA server with ASA 5510, the latter will be at the perimeter. How can I accommodate both? Also, I have several global IPs and I do not know how to define sub-interfaces to assign several global IPs to a single physical interface. Please help!

  18. Andrew,

    If you have a dedicated DHCP server in your network, then you must not activate DHCP service on the ASA appliance. If you have an ISA server, you can connect the ISA server in the internal network (or preferably on a DMZ) and force all internal users to use the ISA as proxy for their HTTP traffic. You can configure an access-list which allows only the ISA server to access the internet for ports 80/443.

    Regarding the global IPs, you don’t need to configure sub-interfaces to assign them. With sub-interfaces you just create separate network security zones. If the global IPs are routed towards your outside interface, you can create static NAT commands and redirect those IP addresses to internal hosts for example.

  19. Blog Admin,

    Thanks. Regarding the access lists, well i have exchange server on the internal network as well and I am also planning to add an MS SQL 2008 internally. On the DMZ, I was thinking of putting up a web/ftp server. How do I treat this in access list as well? Excuse my ignorance, i am novice to Cisco.

    Thanks

  20. To allow communication between any two ASA interfaces (security zones) you need two things: 1) proper NAT 2)proper access lists.

    So, yes if you have the proper nat in place between DMZ and inside (provided that nat-control is enabled) then you just need to apply the correct access list on the DMZ interface to allow web server to communicate with the internal SQL server.

  21. Dear BlogAdmin,

    You say i do not need to have sub-interfaces to assign global IPs. I will have, say, global IP x.x.x.91 255.255.255.248 assigned to outside and on interface 0/0. Can I use the same interface to route traffic destined to other global IPs, say x.x.x.90 255.255.255.248 for web that I will place in DMZ etc without having to define them anywhere?

    Thanks

  22. Andrew,
    YES Absolutely you can do this. As long as these public IP addresses are routable on the outside interface (e.g you have a subnet x.x.x.88 255.255.255.248 assigned to you on the outside from your ISP) you can use any IP address within that subnet and do static NAT to redirect traffic from outside to an internal DMZ server via the ASA.

  23. I change the subnet mask to a computer ASA 5510.

    When you make a change before I lose all the policies configured.

    This is correct or am I doing something wrong.

    Would have some “how to” about it?

    Sorry my bad English, I am using a translator.

    Greetings!

  24. I did not understand fully what you mean. Before doing any changes, you must save the running configuration by using “wr mem”. Then you can make changes on the running configuration which are applied immediately. If the changes are successful, you save them again with the same command as above.

  25. I am trying to configure dmz so I can place our web server in the dmz network and have our users access out on my asa 5510, here is the current scenario;
    Ethernet0/0 (Outside)x.x.x.185
    Ethernet0/1 (Inside) 192.168.75.0/24
    Ethernet0/2 (DMZ) 192.168.10.0/24
    I can get it to work with a private ip but I would like to use one of our public ip addresses to access the server, I also need to access an sql server on the inside interface. How will i go about placing a web server in dmz and making it accessible via public ip? Any help will be greatly appreciated

  26. Justinian,

    You will have to configure static NAT for the DMZ web server to permanently map its private IP address to a public IP. Then you will have to allow HTTP from outside using an access control list applied on the outside interface.
    The configurarion depends on the ASA version you have. If its version 8.3 and up the config is different. Let me know the version to help you.

  27. Thank you for the prompt reply, the ASA 5510 is running version 8.2, I have following config for http;
    access-list inbound extended permit tcp any interface outside eq www
    static (inside,outside) tcp interface www 192.168.75.x www netmask 255.255.255.255
    (Assuming that I understand this correctly) If the dmz interface is on 192.168.10.x/24 interface, the static NAT will look something like this;
    Static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
    I am also using an sql server that is on the Inside interface and the web server needs to connect to it via port 1433 for which I used;
    mtu dmz 1500
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 0 access-list ACL_dmz outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ACL_dmz_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
    I am by far not an expert when it comes to cisco,I greatly appreciate your help

  28. ***Correction*** (please ignore my earlier post I noticed an error in the information I provided)
    Thank you for the prompt reply, the ASA 5510 is running version 8.2. The server has not been placed in dmz yet, so I have following config for http;
    access-list inbound extended permit tcp any interface outside eq www
    static (inside,outside) tcp interface www 192.168.75.x www netmask 255.255.255.255
    (Assuming that I understand this correctly) If the dmz interface is on 192.168.10.x/24 subnet, the static NAT will look something like this;
    Static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
    I am also using an sql server that is on the Inside interface and the web server needs to connect to it via port 1433 for which I used;
    mtu dmz 1500
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 0 access-list ACL_dmz outside
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group ACL_dmz_in in interface dmz
    route outside 0.0.0.0 0.0.0.0 173.x.x.x 1
    I am by far not an expert when it comes to cisco,I greatly appreciate your help

  29. If the dmz interface is on 192.168.10.x, the static NAT will be exactly as you mention above:

    static (dmz,outside) tcp interface www 192.168.10.x www netmask 255.255.255.255
    you also need to apply the inbound ACL to the outside interface:

    access-group inbound in interface outside

  30. What about tying a public ip to the private address (lets say 192.168.10.6) of the server in dmz?

  31. Then you replace the “interface” command with the actual public address:

    static (dmz,outside) tcp 100.100.100.1 www 192.168.10.6 www netmask 255.255.255.255

  32. Thanks again for the responding, one last question;
    I have a block of 5 static ips 100.100.100.5 to 100.100.100.9 if the interface “outside” is configured to use 100.100.100.5 255.255.255.248 will it accept the following:
    static (dmz,outside) tcp 100.100.100.6 www 192.168.10.6 www netmask 255.255.255.255
    to tie 100.100.100.6 to the internal ip of the web server and accept connections?

  33. Justinian,

    Yes, what you say above is correct. You will need also to configure an access list which should be allowing traffic from outside to 100.100.100.6 on port 80. This access list must be applied on the outside interface.

  34. Thanks for the e-book, I download it legally of course. I have a question? I ran out of Public IP’s The only available IP that I can use is the IP assigned to the external interface, when I attempt to use it then I cannot ssh to my ASA510 version 7.0 firewall, internally or externally, I PAT the outside Interface to port http/https, Below is my NAT statements and access-list

    access-list acl_outside extended permit tcp any host X.X.X.213 eq www
    access-list acl_outside extended permit tcp any host X.X.X.213 eq https
    static (inside,outside) X.X.X.213 10.10.6.44 netmask 255.255.255.255

    I added “access-list acl_outside extended permit tcp any host X.X.X.213 eq ssh” and that still did not allow me ssh access,

    If I add “access-list acl_outside extended permit tcp any any” Then everything works, which means my firewall is wide open. I know I do not want to do so…

    Is what I’m trying to achive doable? Or is there some limitations?

    Thanks,

  35. Okay I figured it out what I need to do to fix the issue and still maintain ssh to the firewall without compromising security. I’m reposting just in case someone else had a similiar issue.

    Remove old Rules/NAT
    no access-list acl_outside permit tcp any host x.x.x.213 eq www
    no access-list acl_outside permit tcp any host x.x.x.213 eq https

    no static (inside,outside) x.x.x.213 10.10.6.44 netmask 255.255.255.255

    Add new rules/NAT
    static (inside,outside) tcp interface 80 10.10.6.44 80 netmask 255.255.255.255
    static (inside,outside) tcp interface 443 10.10.6.44 443netmask 255.255.255.255

    access-list acl_outside permit tcp any interface outside eq www
    access-list acl_outside permit tcp any interface outside eq https

    Thanks you guys….

  36. Mohammed,

    I was going to reply to your initial comment but I just saw that you’ve figured out the correct solution 🙂 Yeap, doing port redirection is the way to go. The way you had it at the beginning (full static NAT) was redirecting ALL traffic to your internal web server, including SSH traffic as well. Now, with port redirection you redirect only HTTP/HTTPs traffic.

  37. I’m trying to block GoToMyPC LogMeIn and GoToMeeting.

    I have tried using regex however whenever I apply the policy it somehow blocks a lot of http and IM (instant Messaging) traffic:

    FW01(config)#show running-config regex
    FW01(config)# regex contenttype50 “Content-Type”
    FW01(config)# regex domainlist50 “\.gotomeeting\.com”
    FW01(config)# regex domainlist51 “\.logmein.\com”
    FW01(config)# regex domainlist52 “\.GoToMyPC.\com”
    FW01(config)#

    FW01(config)# show running-config class-map
    !
    class-map IPS
    match access-list TEM-F-IPS
    class-map type regex match-any DomainBlockList
    match regex domainlist51
    match regex domainlist50
    match regex domainlist52
    class-map type inspect http match-all BlockDomainsClass
    description This will block Access to GoToMeeting and LogMeIn
    match request header host regex class DomainBlockList
    class-map inspection_default
    match default-inspection-traffic
    class-map HttpTraffic
    match access-list inside_mpc
    class-map Netflow_class
    match any

    FW01(config)# show running-config policy-map type inspect http
    policy-map type inspect http Http_inspection_policy
    description Inspecting GoToMeeting and LogMeIn
    parameters
    protocol-violation action drop-connection log
    match request method connect
    drop-connection log
    class BlockDomainsClass
    reset log

    FW01(config)# show running-config policy-map
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect http
    inspect ils
    inspect ip-options
    class Netflow_class
    flow-export event-type all destination 10.13.50.48
    class IPS
    ips inline fail-open
    policy-map type inspect http Http_inspection_policy
    description Inspecting GoToMeeting and LogMeIn
    parameters
    protocol-violation action drop-connection log
    match request method connect
    drop-connection log
    class BlockDomainsClass
    reset log
    policy-map inside-policy
    description Policy created to Block GoToMeeting LogMeIn
    class HttpTraffic
    inspect http Http_inspection_policy

    show running-config service-policy
    FW01(config)# show running-config service-policy
    service-policy global_policy global
    service-policy inside-policy interface inside

    Would anyone have an Idea what I need to do to fix the issue? Or if you have a better way to block GoToMyPC, LogMeIn please let me know.

    Thanks,

  38. hmmm…..your configuration needs some careful consideration. Let me see if I find some time to check it out. 🙂

  39. Blog Admin,

    If I want to up-grade my ASA image file and ASDM image file, and I use Cisco.com Wizard to automatically upgrade these files, will it keep my Configuration Firewall Access Rules?

    Or will I have to reload these rules after up-graded to the next ASA images?

  40. Reed,

    Yes, the configuration access rules will be retained on the firewall. The ASA image upgrade affects the OS image and not the ASA configuration.

  41. Hello,
    How would I go about having a failover internet connection for our asa? We have a connection coming in from a Comcast and anther from CenturyLink in case Comcast goes down (which is happening very frequently nowadays) My asa has an open port that I could use for it but not sure how I would go about setting it up, any help will be greatly appreciated.

  43. Thank you for responding and the article is VERY helpful, forgive my ignorance but I would like to know how I would configure the translations for static ips from ISP-1 on ISP-2 interface. For example currently for email I have
    static (Inside,Outside) 100.100.100.186 192.168.20.8 netmask 255.255.255.255
    how would this work with ISP#2 since the public address belongs to ISP-1?

  44. Lets say the interface to the second ISP is named outside2:

    you will have another public IP address from that ISP, lets say 200.200.200.1 assigned for your mail server:

    static (Inside,outside2) 200.200.200.1 192.168.20.8 netmask 255.255.255.255

  45. Awesome! I didn’t think one ip (192.168.20.8 in this case) could be bound to different public addresses. I will test and post the results 🙂 Thanks again

  46. Cuurently I ran out of public IP’s on my ASA5510, I was able to aquire a new block /24 however this block is not on the same subnet as my existing /28 block. Is there a way that I can use this new block on my ASA5510 to NAT to internal IP’s? If yes what do I need to get use this new Block?

  47. Mohammed,

    yes you can use a different /24 block. Your ISP must route this new block towards your ASA external IP. Then you can use normal static commands on the ASA to assign the new IP addresses to internal hosts.

  48. So do I have to assign an ip address from the new block to one of my interfaces on the ASA. Would it be possible to show an example of how the config would look like?

    Thanks,

  49. No you don’t have to assign an ip address from the new block to the ASA interface. You will keep the old IP address that you had. Just use static nat commands to statically map the new outside public IP addresses to inside addresses.

  50. So based on what would the firewall accept the traffic? It only know’s about the IP’s since they are used in the static nat commands!!! Is this secure??

  51. Hi,
    Thanks for sharing the wealth of information on this blog. Since I’m new to firewalls, a new task I found in my basket this week, I’m trying not to drown in the information. However, Is there a way, one can create a virtual ASA5510, to test the set of rules, prior to posting them to the firewall? The firewall is not in-house, but on another continent, so flying up and down all the time until all settings are correct, is not my favourite occupation. Thanks for the help.

    Regards,

    Paul

  52. Paul,
    I would suggest to rent a ccie security rack and get actual access to real asa devices where you can test anything you want. Its pretty cheap. search for ccie security rank rentals on Google.

  53. in addition to the static nat, you will also configure access-list rules to control what traffic will be allowed from internet to the public IP. the access list will be applied on the outside interface

  54. I am trying to follow your example to get basic internet connectivity on my asa5510.

    I have my DSL modem set to automatically push my static IP to my asa’s Ethernet0/0 port.

    When I try and configure the port with my 1.1.1.1 IP and my subnet mask of 255.255.255.255 I get bad mask for address 1.1.1.1.

    I don’t want the asa to do the pppoe when I can get my modem to do it. I will also be changing my IP in the future (I’m using a backup IP for deploying this asa on my lan).

    Thanks.

  55. Thomas,

    You can use a subnet mask of 255.255.255.0 for the outside interface. You need to find out what the default gateway will be (i.e the router gateway of your ISP provider) and make sure that the outside ASA address falls in the same subnet as your default gateway. You will achieve this by choosing the correct subnet mask.

  56. Hi,
    I’m in the process of implementing Active/Standby redundancy on my ASA5510 firewall. all interfaces are of the speed 10/100. I would like to use the management interface 0/0 as the failover link, do you see any problems/issues or disadvantages of using the management interface?

  57. Mohammed,

    I have not seen such a configuration before. I have seen the “management” interface to be used as normal data interface, but not as failover. Just try it and let us know how it goes. Run the command “no management-only” under the management interface configuration and then configure it as failover. If it works then I don’t see any disadvantages.

  58. I am trying to access the web server on the DMZ segment from the inside segment by using the public URL. When looking at the log I see:

    =========
    TCP access denied by ACL from 192.168.1.5/57320 to inside:94.255.161.102/80
    TCP request discarded from 192.168.1.5/57320 to inside:93.255.163.XXX/80
    ==========

    192.168.1.5 is the host on the inside network and “93.255.163.XXX/80” is the IP address on the outside interface (dynamic) even when the log says “inside”.

    What I am doing wrong/missing? Please advice.

  59. Sorry, I paste wrong outside addresses above (comment #59). They show different but both are the same in fact.

  60. Okay another question is it best practice to use two interfaces for HA failover? I read somewhere online the ASA550x firewalls will continuously fail over if both the heartbeat traffic and the stateful traffic go through a single interface.

    This would only make since to me if you have a lot of traffic going through your firewall, and by a lot I mean having hundreds of IPSec tunnels and any other crazy traffic, then maybe. Since The heartbeat data needs to be of low latency and not a lot of packet loss due to a lot of traffic.

    Would like to get your thoughts on this?

  61. Mohammed,

    I always use just one interface for HA failover and everything works OK with no problems. Ofcourse I try to use a 10/100/1000 Mbps interface so that to utilize the gigabit speed. However, if your firewall’s traffic is not much, then 10/100 as failover will be fine.

  62. Tamadite,

    I assume that the actual IP address configured on the DMZ web server is not the public IP you mention here. I assume it is a private IP and then you do a NAT translation on the ASA to translate the dmz IP to a public one. If this is the case, then you must access the DMZ web server from inside using the private IP address of the web server (i.e the one configured on the network interface of the server).

  63. Blog Admin

    DMZ has 172.16.1.X, inside has 192.168.1.X and outside 94.255.161.102. I can access the web server in DMZ from inside if I use the DMZ host IP address. What I would like to do is to access the DMZ using the URL to my web server. The web server can be accessed from the Internet by Internet hosts without problems. So you say that I can not access the web server in the DMZ from inside using the URL but only using the DMZ IP address of the host (172.16.1.X).

  64. I get it to work:

    static (dmz,inside) netmask 255.255.255.255

    On 8.3 or above

    object network inside-dmz-web
    host
    nat (dmz,inside) static

    But one question remains: I want “nat (dmz,inside) static ” to use the dynamic ip address of the outside interface. How can I do this?

  65. Opps! it seems the blog does not accept some symbols. I repeat it here using another symbols:

    static (dmz,inside) [public.ip] [dmz.host.ip] netmask 255.255.255.255

    On 8.3 or above

    object network inside-dmz-web
    host [dmz.host.ip]
    nat (dmz,inside) static [public.ip]

    But one question remains: I want “nat (dmz,inside) static [public.ip]” to use the dynamic ip address of the outside interface. How can I do this?

  66. You can NOT access the translated public IP of the web server from inside of the ASA. You need to access the private IP. You can change the “host” file of your computer and make the URL domain point to the private IP.

    e.g

    webserverdomainname.com 172.16.1.1

  67. Well, somehow I get it to work. Don’t ask me why because I have read in many places that it is not possible. What I tried is DNS doctoring. With the solution given on comment #66 I can reach the web server in the DMZ from inside using the URL only, not via real IP (web server IP in the DMZ). Now with the solution I give below I can reach the web server in the DMZ from inside using both, the URL and the real web server IP in the DMZ.

    object network web_dmz_inside
    host 172.16.1.2
    nat (dmz,outside) static interface dns

    The strangest thing is that I am using PAT and for what I have read it should not work either.

    I thought about modifying the local host file on my inside clients but as last resource. Now, unless I am doing something really stupid, I will keep it like this.

    Please advice.

  68. Hi,

    Can anyone please help what went wrong in this config, webserver is accessible from outside but not from inside using FDQn, i can only access the webserver from inside using internal ip address but not with the public address. I tried with my old non cisco firewall and it works fine. Please help. thanks…

    User Access Verification

    Password:
    Type help or ‘?’ for a list of available commands.
    TID> en
    Password: ******
    TID# sh run
    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname TID
    enable password hNoJA51JsYfVzHT6 encrypted
    passwd hNoJA51JsYfVzHT6 encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.0
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.200 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    no ip address
    management-only
    !
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network remote
    host 192.168.1.199
    object network https
    host 192.168.1.199
    object network http
    host 192.168.1.199
    object network smtp
    host 192.168.1.199
    object network pop3
    host 192.168.1.199
    object network imap
    host 192.168.1.199
    object network 81
    host 192.168.1.197
    object network 82
    host 192.168.1.197

    access-list internet_access_in extended permit icmp any any
    access-list lan_access_in extended permit icmp any any
    access-list 100 extended permit icmp any any echo-reply
    access-list Internal_access_in extended permit ip 192.168.1.0 255.255.255.0 any
    access-list External_access_in extended permit icmp any any echo-reply
    access-list External_access_in extended permit icmp any interface outside time-exceeded
    access-list External_access_in extended permit ip any 192.168.1.0 255.255.255.0
    access-list External_access_in extended permit tcp any interface outside eq https
    access-list External_access_in extended permit tcp any interface outside eq www
    access-list External_access_in extended permit tcp any interface outside eq imap4
    access-list External_access_in extended permit tcp any interface outside eq smtp
    access-list External_access_in extended permit tcp any interface outside eq pop3
    access-list outside_access_in extended permit tcp any eq 3389 host 192.168.1.199 eq 3389

    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    icmp permit any inside
    icmp permit any management
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400

    !
    object network obj_any
    nat (inside,outside) dynamic interface

    object network remote
    nat (inside,outside) static interface service tcp 3389 3389
    object network https
    nat (inside,outside) static interface service tcp https https
    object network http
    nat (inside,outside) static interface service tcp www www
    object network smtp
    nat (inside,outside) static interface service tcp smtp smtp
    object network pop3
    nat (inside,outside) static interface service tcp pop3 pop3
    object network imap
    nat (inside,outside) static interface service tcp imap4 imap4
    object network 81
    nat (inside,outside) static interface service tcp 81 81
    object network 82
    nat (inside,outside) static interface service tcp 82 82
    access-group External_access_in in interface outside
    access-group Internal_access_in in interface inside

    route outside 0.0.0.0 0.0.0.0 192.168.1.200 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 203.162.0.181
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username tidadmin password z.LOsU12wSFTyd4m encrypted privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:80467bad3c53ad2084876331274a7779
    : end

  69. Hi;
    Thank you so much for your continued efforts in responding to many ASA related questions.
    I actually bought your eBook about a year ago but has just started using it to configure our ASA5510.
    Now I ran into two separate problems with the Mgmt port IP assignment.
    First, Whenever I change the IP address from the default to anything else (from: 192.168.1.1 to 192.168.11.100), the ASDM will no longer connect to the unit using the newly changed IP. Even though I also changed my PC’s IP to correspond to the Mgmt’s.
    But once I change it back to the default, everything works again. Note that I am able to gain access thru the console to undo whatever changes I have made.
    Also, must the ASA Management port be separated from the rest of the LAN?
    2nd; I will like to have the Management port reside on the same subnet as the rest of my secure hosts. So far the ASA5510 is insisting that the two Cannot coexist on the same subnet.
    Example: 192.168.2.1=ASA-Mgmt-port ; 192.168.2.5-50=LAN-hosts; 192.168.1.1=outside-port-ISP-router.
    Am I missing something here? Please advise. Thanx

  70. @MDGeek,

    1st Problem: Have you also changed the subnet range allowed to use http?

    e.g:

    http server enabled
    http 192.168.11.0 255.255.255.0 management

    2nd Problem: The ASA management port is a different layer3 interface, so it MUST be on a separate layer3 subnet from the rest of the interfaces. So, yes, you must assign a different subnet for the management (which is better for security reasons as well)

  71. Thanks a million!
    http server was already enabled (used with the default ip), however, the 192.168.11.0 was not associated to the management interface.

    It now works with my set subnet. Also, i now understand the interface separation thing with the mgmt port.
    Thanks again.

  72. Please one quick question. How can i configure a Port-forwarding for Remote Desktop connection (RDP – port 3389) and http connection to Security camera?
    Both will have to translate standard tcp port from outside to custom tcp port inside-LAN.
    We already have both services working fine off of the broadband router and will like to maintain that when the ASA5510 is deployed.

    Thanks always

  73. This is called “port redirection” with Cisco ASA. Try Googling this and you will find several examples.

  74. Hi,
    I have purchased you ebook and have been using it to learn Cisco ASA. I have a ASA5505 and have setup a remote vpn worker. My problem is that the PC running VPN client connects OK and can ping to the ASA inside interface but not to the PC on the inside interface. The PC on the inside interface can ping the VPN client 🙁

    ping VPN Client – ASA Inside I/f 192.168.44.160 Yes
    ping VPN Client to PC on inside 192.168.44.82 NO
    ping PC on inside to VPN Client 192.168.50.1 Yes

    My config is below. Please are you able to tell me what I have done wrong?

    ASA Config

    : Saved
    : Written by cisco at 10:08:15.679 UTC Fri Dec 16 2011
    !
    ASA Version 8.4(2)
    !
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    switchport access vlan 2
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.44.160 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 192.168.1.100 255.255.255.0
    !
    ftp mode passive
    object network internal_lan
    subnet 192.168.44.0 255.255.255.0
    object network support-vpn-subnet
    subnet 192.168.50.0 255.255.255.0
    description IP address assigned to Support VPN User
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any
    access-list global_access extended permit ip any any
    access-list global_access extended permit icmp any any echo
    access-list global_access extended permit icmp any any echo-reply
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool pool-support-vpn 192.168.50.0-192.168.50.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static any any destination static support-vpn-subnet support-vpn-subnet no-proxy-arp route-lookup
    !
    object network internal_lan
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    access-group global_access global
    route outside 0.0.0.0 0.0.0.0 192.168.1.98 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 192.168.44.0 255.255.255.0 inside
    http 192.168.1.96 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.44.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.1.96 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy tg-vpn-support internal
    group-policy tg-vpn-support attributes
    wins-server value 192.168.44.1
    dns-server value 192.168.44.1
    vpn-tunnel-protocol ikev1
    default-domain value bhls.com
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    tunnel-group tg-vpn-support type remote-access
    tunnel-group tg-vpn-support general-attributes
    address-pool pool-support-vpn
    default-group-policy tg-vpn-support
    tunnel-group tg-vpn-support ipsec-attributes
    ikev1 pre-shared-key 1qazxsw2
    !
    !
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:488a018c60162a057b66a31071a38917
    : end

  75. Martin,

    It seems that the PC firewall maybe is blocking your pings. If the PC is windows, enable remote desktop access on the PC and try to connect with RDP from the VPN client to the PC. If you manage to connect, then VPN works fine. Pinging is not always the best way to test connectivity

  77. Hi,

    I want to connect to an CISCO ASA 5510 3 different routers (also CISCO equipment). All routers have different outside networks connected to them. But I want to the inside network to be same 10.10.0.xxx. Is it possible to have the ASA 5510 with an IP 10.10.0.xxx and the routers also with 10.10.0.xxx IPs? Or do I have to assign different network IPs for the routers for example for router 1 10.10.1.xxx?

    Many thanks,
    Adolfo

  78. Adolfo,

    Yes you can have all routers connected to the same inside network as the ASA (10.10.0.x). However, you should know that traffic between the three outside networks will be allowed to communicate with the other outside networks though the routers with no restrictions. If you want to control traffic flow between the three outside networks, then you must connect each router into a different inside subnet (you should create different inside vlans on the ASA).

  79. The book is excellent and was a great help in configuring my ASA 5505 and 5510 but I did have a problem with the examples for site-to-site VPN and Remote Access VPN. When you enter the access-list and nat commands as shown it wipes out any others that you have already you entered. Same with the crypto commands. I was able to get around by using the ASDM interface for those commands but is there something to the command that will allow you to add without wiping out previous commands?

  80. Steve,

    This is normal with Cisco configurations. There are some commands that if you execute the same command with different parameters then it overrides the existing one. On access-list commands, you need to enter the line number if you want to add additional entries without overriding existing entries.

    e.g:

    access-list access_list_name [line line_number] [extended] [permit/deny]

  81. Please help me out regarding this issue, this is my first project.

    my client send me these addresses

    IP: 173.68.176.210 – 215

    Default Gateway: 173.168.176.1

    Subnet Mask: 255.255.255.0

    Primary DNS: 68.237.161.12

    Secondary DNS: 71.243.0.12

    i will pick on of the public ip and set if to the e0 interface well i dont know if i have to set default gateway ip address to internal interface that will connect the firewall to switch, i am very confused and secondly how do i set the ip for doman.

    ip name-server and then the ip address

    Please help me out

  82. Muhammad,

    The default gateway is always pointing towards the Internet and NOT towards the inside network. So pick one of the available IP address for the outside ASA interface and set the default gateway to point to the ISP IP.

  83. First off I’m enjoying your ebook. Its great!

    I have the same setup instead I have a L3 3550 switch and I’m doing subinterfaces on my Pix 515 (unrestricted). Everything works fine as far as DHCP, internet, and ASDM. The only thing is I can’t seem to ping my internal clients from my ASA. I can ping my L3 switch vlan IP but not my internal client IP. My client PC’s can ping both L3 switch IP and ASA inside interface. Is there ACL that’s blocking? I did an packet tracer and it tells me it dropped due to an access list but I have them in place. I feel I’m missing something simple. Information below

    Internet Pix515 L3switch PC’s

    MYFIREWALL# sh run
    : Saved
    :
    PIX Version 8.0(4)28
    !
    hostname MYFIREWALL
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0
    speed 100
    duplex full
    nameif outside
    security-level 0
    ip address 173.14.214.114 255.255.255.248
    !
    interface Ethernet1
    speed 100
    duplex full
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet1.10
    vlan 10
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet1.20
    vlan 20
    no nameif
    no security-level
    no ip address
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    access-list 101 extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 20000
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 101 in interface outside
    route outside 0.0.0.0 0.0.0.0 173.14.214.118 1
    timeout xlate 3:00:00
    timeout conn 9:09:09 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 68.87.68.162 68.87.74.162
    dhcpd domain aejg.net
    !
    dhcpd address 10.10.10.105-10.10.10.150 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    !
    !
    prompt hostname context
    Cryptochecksum:ed3a9e8e32f486f73ad65f0ce7a95b3f
    : end
    ————————
    MYFIREWALL# packet-tracer input inside icmp 10.10.10.1 8 0 10.10.10.105 detail$

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4392f78, priority=1, domain=permit, deny=false
    hits=130328, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in 10.10.10.0 255.255.255.0 inside

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4397fb8, priority=500, domain=permit, deny=true
    hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=10.10.10.1, mask=255.255.255.255, port=0
    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    ——————————–
    MYFIREWALL# ping 10.10.10.105
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.105, timeout is 2 seconds:
    ?????

    ——————————-

    MYSWITCH#sh run
    Building configuration…

    Current configuration : 2518 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname MYSWITCH
    !
    !
    no aaa new-model
    ip subnet-zero
    ip routing
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    vlan internal allocation policy ascending
    !
    !
    interface FastEthernet0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    duplex full
    speed 100
    !
    interface FastEthernet0/2
    switchport mode dynamic desirable
    !
    interface FastEthernet0/3
    switchport mode dynamic desirable
    !
    interface FastEthernet0/4
    switchport mode dynamic desirable
    !
    interface FastEthernet0/5
    switchport access vlan 10
    switchport mode access
    duplex full
    speed 100
    spanning-tree portfast
    !
    interface FastEthernet0/6
    switchport mode dynamic desirable
    !
    interface FastEthernet0/7
    switchport mode dynamic desirable
    !
    interface FastEthernet0/8
    switchport mode dynamic desirable
    !
    interface FastEthernet0/9
    switchport mode dynamic desirable
    !
    interface FastEthernet0/10
    switchport mode dynamic desirable
    !
    interface FastEthernet0/11
    switchport mode dynamic desirable
    !
    interface FastEthernet0/12
    switchport mode dynamic desirable
    !

    interface Vlan1
    no ip address
    shutdown
    !
    interface Vlan10
    ip address 10.10.10.100 255.255.255.0
    ip directed-broadcast
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    ip http server
    —————————

  84. Edwin,

    Try the following command:

    icmp permit any inside

    Also, do your internal PCs have any windows firewall configured on them (maybe it blocks the ASA pings?)

  85. Thanks for your response. This is what I get.

    MYFIREWALL(config)# icmp permit any inside
    ERROR: entry for address/mask = 0.0.0.0/0.0.0.0 exists

    I also tried adding “same-security-traffic permit intra-interface” but no success.

  86. Also, I disabled my windows firewall service. Is it a rule that the Cisco pix doesn’t accept return pings that it sends out on its inside interface? Because I get the question marks when I ping my internal pc

  87. Problem resolved. It was the firewall on my Windows 7 pc. Weird, I stopped and disabled the firewall service and even restarted afterwards and it wasn’t getting ping responses. It wasn’t until I created an inbound rul on the firewall to allow all icmp is when it started working. Thanks for all your help and advice.

  88. How do you show if a ASA 5510 will fail-close or fail-open?
    Cisco ASA software Ver 7.0 (1)
    Device Manager Ver 5.0 (7)

  89. Nevermind…
    They do not have the IPS module (AIP-SSM) in the unit. It will stop forwarding traffic altogether. There is no fail-close/open function when that scenario occurs.

  90. Yeah Clint, the fail close/fail open concept is applicable to IPS devices, not on a Firewall.

  91. How can I configure 2 internal network
    Ethernet0/0 Public IP
    Ethernet0/1 192.168.2.1
    Ethernet0/0 192.168.0.1
    Is it possible ?

  92. Fen,

    Ofcourse its possible to configure two internal networks on the two Ethernet interfaces. Just configure an IP address, a nameif and security level on each interface and you are good to go.

  93. Hello,
    Just a question out of confusion.
    If I have a router then an ASA. The VPN should terminate on the ASA. So, where does my public IP resides for remote access VPN? ASA outside interface? or the router?
    If you have any configuration example please send it to me as I am really confused.
    Thank you.

  95. Hi Admin,

    After this configuration, can we ping 100.100.100.2 from machine 192.168.10.0/24 PC.

  96. bikramchowdhry,

    Yes you can ping address 100.100.100.2 (the default gateway) if you allow icmp echo-reply packets to pass from the outside interface inbound. You need to create an access control list as following:

    access-list OUT extended permit icmp any any echo-reply
    access-group OUT in interface outside

  97. Hi Admin,

    I have configured the same in GNS 3 as you said but still I am not able to ping 100.100.100.2 (ISP end IP address) from 192.168.10.2 which is the internal IP address of LAN.

    As I am new beginner, kindly can you post step-by-step so that we can ping from 192.168.10.0 /24 to 100.100.100.2 (ISP end IP address) for me one time. Its my kind request and hearty request to you.

    Thanks and regards,

    Bikram

  98. You need to allow icmp echo-reply packets on the outside interface in order to be able to ping external hosts:

    access-list OUT extended permit icmp any any echo-reply
    access-group OUT in interface outside

  100. Maybe your NAT doesn’t work. Try to telnet from inside PC to 200.200.200.2 and observe the xlate translations to see if they work:

    show xlate

    With the above command you will see if the private PC IP 192.168.10.x is translated on the outside IP of ASA.

  101. Hi Guys,

    Hope you guys can assist me with this endeavour;

    on a CISCO 515E

    I want to set-up a backup Application Server, currently I want eth3 to be a backup of my eth0 for redundancy. I have two application servers (eth0) being the primary and eth3 (redundant), ofcourse I can’t assign an ip address (public) within the same range as eth0 but is there any way i could do what I plan to do using only a single CISCO ASA 515E?

    Any help will be appreciated.

  102. Ronel,

    As I understand you want to provide server redundancy. The best way would be to connect both on the same subnet (maybe on the switch where PIX eth0 is connected) and then create a cluster or some sort of server load-balancing or failover. The two servers must will be represented by virtual IP address (VIP) so the PIX will know one IP to reach the server cluster. This is the classical way most people are doing.

    Harris

  103. hey guys, i hope you will assist me and i am very desparate and i need your help urgently. i am a student and i specialise in networking. so i have a problem in configuring the switch using VLANS.

  106. Hi

    I got a fresh ASA 5540. And at first I just want to access this ASA from LAN . For this I only put an ip say 192.168.80.104 with security level of 100. and given route inside to 192.168.80.1 as a gateway router of 192.168.80.104 ip . But issue is I am not getting ping from 192.168.80.XX ip block .

    can u please help me out.

  107. If you have a PC connected to 192.168.80.x network and the inside interface of ASA is “no shut” then you should get ping replies if you ping the ASA IP

  108. Dear Sir,

    i have configured Cisco 5500 Firewall configuration, i have given ip address and every thing but after reboot the firewall, this total configuration is deleted. not save this configuration to Cisco 5500 Firewall, What is this problem, Could you please give suggestion to me.
    Thanking you sir.

  109. To save the configuration run the following command:

    “wr mem”

    This will save the current running configuration to flash memory so that when you reboot it will not be lost.

  110. Dear Sir,
    I do have ASA5525 Firewall with a version of 8.4 my Outside interface is connected to Edge External Switch and Inside Interface is connected to Internal Switch for my LAN network. My question is, i do have another device which Ratitan. This device where i can plug in my other devices such ASA, Servers, etc. I plug in this Ratitan device into Edge External Switch where the Outside Interface of my ASA Firewalll is connected. This devise is outside the firewall and i did assigned an External IP address. From my internal network i can able to access this public ip address of Ratitan but not from the outside. It used to work for what ever reason stop working when i did put this statement deny ip any any going inbound for my outside interface of my firewall. Not sure what stopping me for accessing from the outside. which this Ratitan device is not behind the Firewall.
    Is there away you can help me out on this and what am i doing wrong. Please advise. Many thanks.

  111. Sorry but I have no idea what is this Ratitan device you said. Also I didn’t understand the exact problem here. Please describe in more details.

    Thanks

    Harris

  112. On First boot
    Do copy run start
    reload
    then exit GNS.

    Start GNS after that save config always with copy run start

  113. Above configuration I have configured in firewall and I’m trying ping from to wan interface but getting RTO. Please suggest

  115. Hey guys…..I would really like to thank Networkstraining.com for helping me nail down this thing.
    At last my client is connected to the internet and happy.
    Cheers guys

  118. dear, i create the interface, hostname and password .please your suggestion requirement what thing i missing to confiuration cisco firewall ASA 5510 series

  119. someone help me i create the interface, hostname, password in cisoc firewall ASA 5510 series.what thing , i missing, please give me your opinion as soon as possible.

  120. If you follow the commands exactly as shown on the post above, you will have the ASA5510 running with its basic configuration.

Trackbacks

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to amazon.com, amazon.co.uk , amazon.de, amazon.it, amazon.es and affiliated sites.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING