TOPIC: ASA5510 configuration

ASA5510 configuration 9 years 2 months ago #32755


I am a newbie and have very limited knowledge of firewall and router configuration. I was "forced" to setup a network for my school project and I am in deep shit :cry: :cry:

I would really appreciate it if the experts here could give me some help.

Referring to the attached draft diagram, how am I going to configure the access list and route?

1) FTP server is accessed from external network using IP

2) The PIX should allow anonymous read/write access to the FTP server on the DMZ from both the outside and office networks. Wireless clients are not allowed access to the FTP server.

3) The PIX should allow only read access to the HTTP server for outside networks. All users of the network should also be able to access the HTTP server.

4) The PIX provides syslog information to a syslog server on the office network. A TFTP server is also set up on the office network to save the configuration settings of the PIX. Both the syslog and TFTP servers are not to be accessed by external networks or the DMZ.

Sorry for the stupid and lengthy questions.

Thanks in advance

Re: ASA5510 configuration 9 years 2 months ago #32756

Please help me, thanks :cry: :cry: :cry:

Re: ASA5510 configuration 9 years 2 months ago #32770

  • S0lo
  • Moderator
alf6901, Welcome to :)

I will assume first that the physical topology has been set up, and that IPs on the PCs and the servers have already been set up. If not, please tell and we'll try to help.

I can try to help with most of the requirements except for syslog, which I almost don't know anything about. Hope that others here do.

Before attacking the stated requirements, I would make sure that basic connectivity is established, IPs of the Pix interfaces are set up and that NAT is set up to allow inside users to connect to the outside (internet). These are implicit requirements that really don't have to be stated in the project description you provided. Your teacher will most probably expect that to be done.

1. Starting the Pix from scratch

I'm assuming here that you don't want to back up the Pix's configuration and that you want to start from scratch. Type the following on the Pix's CLI (Console Screen):

[code:1]Pix# write erase
Erase PIX configuration in flash memory? [confirm][/code:1]

As you can see it asks you to confirm the erase of the current configuration. Press [Enter]. Then type:

[code:1]Pix# reload
Proceed with reload? [confirm][/code:1]

Press [Enter], this will reload the Pix. After it reloads, you will get a message like this:

[code:1]Pre-configure PIX Firewall now through interactive prompts [yes]?[/code:1]

Type n and press [Enter]. Now you are ready to configure the Pix.

2. Naming the DMZ interface

[code:1]Pix# conf t
Pix(config)# nameif ethernet2 dmz security10[/code:1]

This assigns interface ethernet2 to the dmz (as you need in the diagram). It also gives the interface a security level of 10. Security levels go from 0 to 100 (lower to higher security). By default, the ethernet0 and ethernet1 are already named outside and inside respectively. Also by default, inside has the highest security level of 100 and outside has the lowest level of 0.

3. Assigning IP addresses/masks for the Pix interfaces

[code:1]Pix# conf t
Pix(config)# ip address inside
Pix(config)# ip address outside[/code:1]

Now to turn ON the interfaces:

[code:1]Pix(config)# interface ethernet0 auto
Pix(config)# interface ethernet1 auto
Pix(config)# interface ethernet2 auto[/code:1]

Now if you connect a PC to the inside interface (E1) you should be able to ping the Pix IP.

Try to complete up to this point now. Then we'll try to help further.
Studying CCNP...

Ammar Muqaddas
Forum Moderator

Re: ASA5510 configuration 9 years 2 months ago #32771

Hi S0lo,

Thanks for your help. I have already configured the interface addresses and security levels. The problem I am facing now is the access list and the route between inside and DMZ, outside and DMZ, and inside and outside.

I only have a few lessons on the configuration and now I have to start with this project :roll:

I have tried to read and understand the configuration but......... :cry:

Re: ASA5510 configuration 9 years 2 months ago #32776

  • S0lo
  • Moderator
Then it's better if you post your current config here so we can see exactly where you have reached and help you better.
Studying CCNP...

Ammar Muqaddas
Forum Moderator

Re: ASA5510 configuration 9 years 2 months ago #32786


Thanks. Here is my config:

[code:1]ASA Version 7.0(8)
hostname asa2
domain-name pbil02.lab
enable password 2EYTZj.pkgTrWllb encrypted
passwd CbFQhu3ysddftY7L encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address
interface Management0/0
 no nameif
 no security-level
 no ip address
banner exec "No Illegal Login! ! !"
banner login "No Unauthorised Login ! ! !"
ftp mode passive
access-list fromoutside extended permit tcp any host eq ftp
access-list fromoutside extended permit tcp any host eq www
access-list fromoutside extended permit tcp any host eq domain
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging host inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no asdm history enable
arp timeout 14400
global (outside) 1
global (outside) 1
nat (inside) 1
static (dmz,outside) netmask
static (dmz,outside) netmask
static (dmz,outside) netmask
access-group fromoutside in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 15
ssh timeout 15
console timeout 0
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
: end[/code:1]
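As an added example (not from anyone in the thread), a small first-match evaluator for access-lists in the syntax of the config above, run against a constructed ACL set that meets the first post's requirements: outside reaches only the FTP server's mapped address, the office reaches the DMZ FTP server, the wireless subnet does not, and the syslog host is never permitted from outside. Assumptions: every address is a placeholder (FTP server 192.0.2.10 in the DMZ, statically mapped to 198.51.100.10 on the outside; wireless clients on 10.1.2.0/24 behind the inside interface; syslog/TFTP host 10.1.1.5); on 7.x code the outside ACL matches the translated address, and inside-to-DMZ traffic passes without an ACL by default, so the frominside list exists only to carve out the wireless deny ahead of a permit.

```python
"""PIX/ASA extended-ACL first-match evaluation (constructed example, not the poster's config)."""
import ipaddress
# Constructed ASA-syntax text (placeholder addresses); on 7.x code the outside list matches the translated (static) address.
ACL_TEXT = """
access-list fromoutside extended permit tcp any host 198.51.100.10 eq 21
access-list frominside extended deny tcp 10.1.2.0 255.255.255.0 host 192.0.2.10 eq 21
access-list frominside extended permit ip any any
"""

def _net(tok, i):
    """Parse one address spec (any | host A | A MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(text):
    """Return {name: [(action, proto, src_net, dst_net, dport_or_None), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, i = _net(tok, 5)
        dst, i = _net(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst, port))
    return acls

def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First matching entry decides; running off the end is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, port in aces:
        if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
            return action == "permit"
    return False

def check_requirements():
    """Map the first post's requirements to a permitted (True) / denied (False) verdict."""
    acls = parse_acl(ACL_TEXT)
    out, ins = acls["fromoutside"], acls["frominside"]
    return {
        "outside_to_ftp": evaluate(out, "tcp", "203.0.113.7", "198.51.100.10", 21),
        "outside_to_syslog": evaluate(out, "udp", "203.0.113.7", "10.1.1.5", 514),
        "office_to_ftp": evaluate(ins, "tcp", "10.1.1.25", "192.0.2.10", 21),
        "wireless_to_ftp": evaluate(ins, "tcp", "10.1.2.25", "192.0.2.10", 21),
        # Reversed order: permit ip any any now shadows the wireless deny.
        "wireless_to_ftp_misordered": evaluate(ins[::-1], "tcp", "10.1.2.25", "192.0.2.10", 21),
    }
```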