Cisco Systems Network upgrade: ASA 5505 configuration

Subject Author Date
Network upgrade: ASA 5505 configuration Andrew Hodgson 06-23-08
Posted by Andrew Hodgson on June 23, 2008, 5:48 pm
Hi,

I need to do some IP address rearranging on my Cisco ASA 5505 as I am
currently not using NAT and I want to get it to a configuration where
my external IP addresses are on the outside interface, and I can use
static NAT to map specific internal IP addresses to public IP
addresses.

I have a couple of questions:

- Should this be possible using the ASA 5505, and a Cisco 837 on the
outside network IP address block also?
- Does anyone have the default configuration file from the ASA 5505 as
shipped from Cisco? I think I can get the firewall back to default
state, but want to edit the file manually on my PC first.
- When I got the unit, I think I didn't have a license for a DMZ IP
segment. I had a lot of material with the unit, but couldn't remember
off hand whether I could get a free DMZ license from Cisco. Does
anyone know if this is possible? The packaging is not here at the
moment, but I will find it and try to recover the license if there is
one.

Thanks.
Andrew.

Posted by Legend on June 25, 2008, 6:20 pm
Hi

> Hi,
>
> I need to do some IP address rearranging on my Cisco ASA 5505 as I am
> currently not using NAT and I want to get it to a configuration where
> my external IP addresses are on the outside interface, and I can use
> static NAT to map specific internal IP addresses to public IP
> addresses.
>
> I have a couple of questions:
>
> - Should this be possible using the ASA 5505, and a Cisco 837 on the
> outside network IP address block also?
Yes.
Will it work?
No,
depending upon your router config ...
You cannot have the same IP subnet located twice or in two places in the same
internetwork.

> - Does anyone have the default configuration file from the ASA 5505 as
> shipped from Cisco? I think I can get the firewall back to default
> state, but want to edit the file manually on my PC first.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/start.html#wp1055130


> - When I got the unit, I think I didn't have a license for a DMZ IP
> segment. I had a lot of material with the unit, but couldn't remember
> off hand whether I could get a free DMZ license from Cisco. Does
> anyone know if this is possible? The packaging is not here at the
> moment, but I will find it and try to recover the license if there is
> one.

Show version will tell you what your license type is.
You need Security Plus for full DMZ. With the Base license your DMZ cannot make
connections inbound.
>
> Thanks.
> Andrew.

HTH
Martin



Posted by Andrew Hodgson on June 26, 2008, 6:46 pm
wrote:

>Hi
>
>> Hi,
>>
>> I need to do some IP address rearranging on my Cisco ASA 5505 as I am
>> currently not using NAT and I want to get it to a configuration where
>> my external IP addresses are on the outside interface, and I can use
>> static NAT to map specific internal IP addresses to public IP
>> addresses.
>>
>> I have a couple of questions:
>>
>> - Should this be possible using the ASA 5505, and a Cisco 837 on the
>> outside network IP address block also?
>Yes.
>Will it work?
>No,
>depending upon your router config ...
>You cannot have the same IP subnet located twice or in two places in the same
>internetwork.

This is what I was thinking of doing:

Router:
interface Ethernet0
ip address xx.xx.xx.209 255.255.255.240

interface Dialer0
ip address negotiated (receives WAN static)

Firewall:

interface vlan2
nameif outside
security-level 0
ip address xx.xx.xx.210 255.255.255.240

interface vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
security-level 100

global (outside) 1 interface
global (outside) 2 xx.xx.xx.11-xx.xx.xx.222 netmask 255.255.255.240
nat (inside) 1 0 0

route outside 0.0.0.0 0.0.0.0 xx.xx.xx.209 1 (can this go in the outside interface definition?)
access-group outside_access_in in interface outside

access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25

static (inside,outside) xx.xx.xx.211 192.168.1.10 netmask 255.255.255.240

What I want to achieve with this is the following:

- All outgoing connections from anything on 192.168.1.0/24 are
presented to the outside on xx.xx.xx.209.
- I have some server on 192.168.1.10 which I want presenting to the
outside world on xx.xx.xx.211.
- I want people to connect to the IP address xx.xx.xx.211 on port 25
and they will be connected to this server.

Will this do it?

Thanks.
Andrew.
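
A small lint for the draft above, as an added example that is not part of the original post and not a Cisco tool. It assumes ASA software before 8.3 (the thread links the 7.2 guide), where an ACL bound to the outside interface matches the mapped address of a static; the documentation block 203.0.113.208/28 stands in for the elided xx.xx.xx addresses, and `lint` and its checks are hypothetical helpers.

```python
import ipaddress
import re
# Constructed input: the post's draft, 203.0.113.208/28 replacing xx.xx.xx.
DRAFT = """\
interface vlan2
 nameif outside
 ip address 203.0.113.210 255.255.255.240
global (outside) 1 interface
global (outside) 2 203.0.113.11-203.0.113.222 netmask 255.255.255.240
nat (inside) 1 0 0
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any host 192.168.1.10 eq 25
static (inside,outside) 203.0.113.211 192.168.1.10 netmask 255.255.255.240
"""

def lint(config):
    """Flag NAT/ACL inconsistencies, assuming pre-8.3 ASA semantics."""
    lines = [l.strip() for l in config.splitlines()]
    nat_ids = {m[1] for l in lines if (m := re.match(r"nat \(\w+\) (\d+) ", l))}
    bound = {m[1] for l in lines
             if (m := re.match(r"access-group (\S+) in interface outside", l))}
    statics, acl_dsts, findings, name, net = {}, [], [], None, None
    for l in lines:
        if l.startswith("interface "):
            name = None  # new interface block; nameif must precede ip address
        elif l.startswith("nameif "):
            name = l.split()[1]
        elif (m := re.match(r"ip address (\S+) (\S+)$", l)) and name == "outside":
            net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"global \(outside\) (\d+) (\S+)-(\S+) ", l):
            ends = [ipaddress.ip_address(a) for a in (m[2], m[3])]
            if net and not all(a in net for a in ends):
                findings.append(f"pool {m[1]}: range leaves outside subnet {net}")
            if m[1] not in nat_ids:
                findings.append(f"pool {m[1]}: no nat statement uses this id")
        elif m := re.match(r"static \(inside,outside\) (\S+) (\S+) netmask (\S+)", l):
            statics[m[2]] = m[1]  # real address -> mapped address
            ifc = ipaddress.ip_interface(f"{m[1]}/{m[3]}")
            if ifc.network.prefixlen < 32 and ifc.ip != ifc.network.network_address:
                findings.append(f"static {m[1]}: host mapping with netmask {m[3]}")
        elif (m := re.match(r"access-list (\S+) extended permit \S+ any host (\S+)", l)) and m[1] in bound:
            acl_dsts.append(m[2])
    # Pre-8.3, an ACL on the outside interface must name the mapped address.
    findings += [f"acl: permits real {r}, expected mapped {statics[r]}"
                 for r in acl_dsts if r in statics]
    return findings
if __name__ == "__main__":
    print("\n".join(lint(DRAFT)))
```

Each finding names the statement to revisit; the lint does not model the 837 side or the Dialer0 addressing.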
