From: Andrew Hodgson on 23 Jun 2008 17:48

Hi,

I need to do some IP address rearranging on my Cisco ASA 5505 as I am currently not using NAT and I want to get it to a configuration where my external IP addresses are on the outside interface, and I can use static NAT to map specific internal IP addresses to public IP addresses.

I have a couple of questions:

- Should this be possible using the ASA 5505, and a Cisco 837 on the outside network IP address block also?

- Does anyone have the default configuration file from the ASA 5505 as shipped from Cisco? I think I can get the firewall back to default state, but want to edit the file manually on my PC first.

- When I got the unit, I think I didn't have a license for a DMZ IP segment. I had a lot of material with the unit, but couldn't remember offhand whether I could get a free DMZ license from Cisco. Does anyone know if this is possible? The packaging is not here at the moment, but I will find it and try to recover the license if there is one.

Thanks.
Andrew.

From: Legend on 25 Jun 2008 18:20

Hi

"Andrew Hodgson" <me3(a)privacy.net> wrote in message
news:ca6064hl753dvkt3gst10bnmf4mitpcreu(a)news.giganews.com...
> Hi,
>
> I need to do some IP address rearranging on my Cisco ASA 5505 as I am
> currently not using NAT and I want to get it to a configuration where
> my external IP addresses are on the outside interface, and I can use
> static NAT to map specific internal IP addresses to public IP
> addresses.
>
> I have a couple of questions:
>
> - Should this be possible using the ASA 5505, and a Cisco 837 on the
> outside network IP address block also?

Yes.
Will it work?
No
depending upon your router config ...
You cannot have the same IP subnet located twice or in two places in the same internetwork.

> - Does anyone have the default configuration file from the ASA 5505 as
> shipped from Cisco? I think I can get the firewall back to default
> state, but want to edit the file manually on my PC first.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/start.html#wp1055130

> - When I got the unit, I think I didn't have a license for a DMZ IP
> segment. I had a lot of material with the unit, but couldn't remember
> offhand whether I could get a free DMZ license from Cisco. Does
> anyone know if this is possible? The packaging is not here at the
> moment, but I will find it and try to recover the license if there is
> one.

Show version will tell you what your license type is.
You need Security Plus for full DMZ.
With the Base license your DMZ cannot make connections inbound.

>
> Thanks.
> Andrew.

HTH
Martin

From: Andrew Hodgson on 26 Jun 2008 18:46

On Thu, 26 Jun 2008 00:20:48 +0200, "Legend" <inof(a)newshosting.com> wrote:

>Hi
>
>"Andrew Hodgson" <me3(a)privacy.net> wrote in message
>news:ca6064hl753dvkt3gst10bnmf4mitpcreu(a)news.giganews.com...
>> Hi,
>>
>> I need to do some IP address rearranging on my Cisco ASA 5505 as I am
>> currently not using NAT and I want to get it to a configuration where
>> my external IP addresses are on the outside interface, and I can use
>> static NAT to map specific internal IP addresses to public IP
>> addresses.
>>
>> I have a couple of questions:
>>
>> - Should this be possible using the ASA 5505, and a Cisco 837 on the
>> outside network IP address block also?
>yes.
>will it work ?
>no
>depending upon your router config ...
>you can not have same IP subnet located twice or in two places in the same
>internetwork.

This is what I was thinking of doing:

Router:

interface Ethernet0
 ip address xx.xx.xx.209 255.255.255.240
interface Dialer0
 ip address negotiated (receives WAN static)

Firewall:

interface vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.210 255.255.255.240
interface vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
 security-level 100
global (outside) 1 interface
global (outside) 2 xx.xx.xx.11-xx.xx.xx.222 netmask 255.255.255.240
nat (inside) 1 0 0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1 (can this go in the outside interface definition?)
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25
static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

What I want to achieve with this is the following:

- All outgoing connections from anything on 192.168.1.0/24 are presented to the outside on xx.xx.xx.209.

- I have some server on 192.168.1.10 which I want presenting to the outside world on xx.xx.xx.211.

- I want people to connect to the IP address xx.xx.xx.211 on port 25 and they will be connected to this server.

Will this do it?

Thanks.
Andrew.
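
An added example, not part of either poster's messages: a small Python check of the outside address plan in a configuration like the one proposed above. The sample is constructed, with 203.0.113.x standing in for the elided xx.xx.xx; the helper name `audit` and its rule that mapped addresses should sit in the outside subnet and serve one purpose each are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample modelled on the firewall lines posted above;
# 203.0.113.x (documentation range) stands in for the elided xx.xx.xx.
SAMPLE = """\
interface vlan2
 nameif outside
 ip address 203.0.113.210 255.255.255.240
global (outside) 1 interface
global (outside) 2 203.0.113.11-203.0.113.222 netmask 255.255.255.240
route outside 0.0.0.0 0.0.0.0 203.0.113.209 1
static (inside,outside) 203.0.113.211 192.168.1.10 netmask 255.255.255.240
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def audit(config, ifname="outside"):
    """Hypothetical helper: list address-plan findings for `ifname`."""
    name, iface = None, None
    for line in config.splitlines():   # find "ip address" under the nameif
        w = line.split()
        if w[:1] == ["interface"]:
            name = None
        elif w[:1] == ["nameif"] and len(w) > 1:
            name = w[1]
        elif w[:2] == ["ip", "address"] and name == ifname and len(w) >= 4:
            iface = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    if iface is None:
        return [f"no address found for interface {ifname}"]
    used = {iface.ip: "interface address"}   # single-purpose addresses
    for m in re.finditer(rf"^route {ifname} \S+ \S+ {IP}", config, re.M):
        used[ipaddress.ip_address(m[1])] = "next-hop router"
    for m in re.finditer(rf"^static \(\w+,{ifname}\) {IP} ", config, re.M):
        used[ipaddress.ip_address(m[1])] = "static mapping"
    net = iface.network
    findings = [f"{role} {a} is outside {net}"
                for a, role in used.items() if a not in net]
    pools = rf"^global \({ifname}\) (\d+) {IP}-{IP}"
    for m in re.finditer(pools, config, re.M):   # dynamic NAT ranges
        lo, hi = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
        findings += [f"pool {m[1]} endpoint {e} is outside {net}"
                     for e in (lo, hi) if e not in net]
        findings += [f"pool {m[1]} includes the {role} {a}"
                     for a, role in used.items() if lo <= a <= hi]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding is a prompt to re-check that line against the address plan, not a statement about how the ASA itself will treat it.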