It seems that everyone but me is able to configure a basic ASA 5510 setup. Most of the questions I can find on the 'net pertain to more advanced topics or arcane incompatibilities...
Recently my company's old PIX firewall croaked, and being the only tech guy present (albeit a mere programmer), I had to fix it, of course. I've actually set up a temporary firewall/router (old linux server), but the PIX replacement (ASA 5510) finally arrived, and now I should set it up.
The old pix configuration is pretty huge, with lots of legacy rules, so I thought I'd first tackle the basics, and would probably call on some outside help for the complicated tasks (VPN etc.).
My network has three internal subnets, and in the end one of them should be able to talk to the internet, all three of them should be able to talk to each other.
None of that works right now. The ASA is able to ping each attached device, but the routing just doesn't work. I've looked at some configuration examples on this and other sites and thought my mix of global/nat/route and access-list looks similar enough, but I can't even get my main subnet to talk to the internet. It seems like the pings can get out, but I don't get a return -- which should be part of the NAT, right?
asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxx encrypted
passwd xxxxxxx.xxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xx.xxx.xxx.130 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.16.4.1 255.255.255.0
!
interface Ethernet0/2
nameif prod
security-level 80
ip address 172.16.6.1 255.255.255.0
!
interface Ethernet0/3
nameif print
security-level 60
ip address 192.168.57.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 40
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list inside extended permit icmp any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu prod 1500
mtu outside 1500
mtu print 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface prod
monitor-interface outside
monitor-interface print
monitor-interface inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 172.16.4.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
established tcp 0 0
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.6.0 255.255.255.0 prod
http 172.16.4.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.16.6.140-172.16.6.200 prod
dhcpd address 172.16.4.140-172.16.4.200 inside
dhcpd dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain edison.epac.com
dhcpd enable prod
dhcpd enable inside
: end
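As an added illustration (not the poster's configuration and not an answer taken from the thread), here is a corrective fragment for the same ASA 7.0(8) interfaces and subnets, with the weak or misleading lines from the posted config shown beside a tighter form. It assumes nat-control is disabled (the 7.x default on a fresh box), that only the "inside" subnet should reach the internet, and that no servers are published to the outside.

```cisco
! Added illustration for ASA 7.0(8); assumes nat-control is disabled and
! that only 172.16.4.0/24 ("inside") is meant to reach the internet.

! 1. Remove the identity NAT. "nat (inside) 0 <net> <mask>" with no
!    access-list translates 172.16.4.0/24 to itself, and regular dynamic
!    NAT uses the most specific match, so it beats "nat (inside) 1
!    0.0.0.0 0.0.0.0": inside hosts leave with an untranslated RFC1918
!    source and the replies have nowhere to return to.
no nat (inside) 0 172.16.4.0 255.255.255.0

! 2. PAT the inside subnet behind the outside interface (already present).
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! 3. Exempt traffic between the internal subnets from translation. NAT
!    exemption is evaluated before dynamic rules; without it an inside
!    host matching rule 2 would need a global on "prod" and "print" too.
access-list NONAT extended permit ip 172.16.4.0 255.255.255.0 172.16.6.0 255.255.255.0
access-list NONAT extended permit ip 172.16.4.0 255.255.255.0 192.168.57.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 4. Lower-security interfaces can only initiate sessions that an inbound
!    access-list permits. Let prod and print reach the other internal
!    subnets and nothing else (no internet from these two).
access-list prod_access_in extended permit ip 172.16.6.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list prod_access_in extended permit ip 172.16.6.0 255.255.255.0 192.168.57.0 255.255.255.0
access-group prod_access_in in interface prod
access-list print_access_in extended permit ip 192.168.57.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list print_access_in extended permit ip 192.168.57.0 255.255.255.0 172.16.6.0 255.255.255.0
access-group print_access_in in interface print

! 5. Replace "permit ip any any" on the outside interface. With no static
!    translations nothing is reachable from the internet yet, but the rule
!    becomes a hole the moment one is added. ICMP is not inspected by
!    default on 7.0, so echo replies for outbound pings must be permitted;
!    TCP/UDP replies are matched by the connection table without an ACE.
no access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside

! Check: ping an internet address from an inside host, then
!   show xlate   -> one PAT entry for that host on "outside"
!   show nat     -> the rules above with their hit counts
```

If `show xlate` stays empty after an outbound ping, the packet is still matching a rule that does not translate it; that is the first thing to re-check before touching routes or access-lists.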