
CISCO ASA 5520

15 years 1 month ago #31526 by soldier_lorry
Guys, urgent help will be welcome...

I'm trying to accomplish this task: VPN for outside clients, web access for inside clients, email, etc. Below are my devices and how they are connected.

ISP connects to 1 x 2800 series router, which connects to the outside interface of 1 x 5520 firewall. The DMZ interface connects to a Dell PowerConnect switch to the server. The inside interface connects to a PowerConnect switch to my 8 x Cisco 881 series routers.

This is my running config so far.

interface gigabitethernet 0/0
nameif outside
security-level 0
ip address 209.165.201.3 255.255.255.224
no shutdown

interface gigabitethernet 0/1
nameif inside2
security-level 100
ip address 100.100.2.1 255.255.255.0
no shutdown

interface gigabitethernet 0/2
nameif
security-level 100
no ip address
shutdown

interface gigabitethernet 0/3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
no shutdown

passwd Password1
enable password Password1
hostname asawall
same-security-traffic permit inter-interface
route outside 0 0 209.165.201.1 1
nat (inside2) 1 100.100.2.0 255.255.255.0
! The inside1 and inside2 networks use PAT when accessing the outside
global (outside) 1 209.165.201.9 netmask 255.255.255.255
! Because we perform dynamic NAT on these addresses for outside access, we need to perform
! NAT on them for all other interface access. This identity static statement just
! translates the local address to the same address.
static (inside1,inside2) 100.100.1.0 100.100.1.0 netmask 255.255.255.0
static (inside2,inside1) 100.100.2.0 100.100.2.0 netmask 255.255.255.0
! The syslog server uses a static translation so the outside management host can access
! the server
static (dmz,outside) 209.165.201.5 192.168.1.0 netmask 255.255.255.255
access-list MANAGE remark Allows the management host to access the syslog server
access-list MANAGE extended permit tcp host 209.165.200.225 host 209.165.201.5 eq telnet
access-group MANAGE in interface outside
! Advertises the security appliance IP address as the default gateway for the downstream
! router. The security appliance does not advertise a default route to the router.
rip inside2 default version 2 authentication md5 scorpius 1
! Listens for RIP updates from the downstream router. The security appliance does not
! listen for RIP updates from the router because a default route to the router is all that
! is required.
rip inside2 passive version 2 authentication md5 scorpius 1
! The client uses a pre-shared key to connect to the security appliance over IPSec. The
! key is the password in the username command following.
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 group 2
isakmp policy 1 hash sha
isakmp enable outside
crypto ipsec transform-set vpn_client esp-3des esp-sha-hmac
username admin password passw0rd
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto dynamic-map vpn_client 1 set transform-set vpn
crypto map telnet_tunnel 1 ipsec-isakmp dynamic vpn_client
crypto map telnet_tunnel interface outside
ip local pool client_pool 10.1.1.2
access-list VPN_SPLIT extended permit ip host 209.165.201.3 host 100.100.2.1
telnet 100.100.2.1 255.255.255.255 outside
telnet timeout 30
logging trap 5
! System messages are sent to the syslog server on the DMZ network
logging host dmz 192.168.1.1
logging on
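As an added example (not part of the original post, and not Cisco's code), the Python script below is a small linter for a pre-8.3-style ASA configuration of the kind posted above. SAMPLE_CONFIG is a constructed excerpt built from lines in the post, not a complete config, and the check names and message wording are the editor's own. It flags the things a reviewer would look at first in that config: an interface whose nameif line carries no name, static statements that reference an interface name with no matching nameif, telnet management permitted on the security-level 0 interface, a syslog host that is the DMZ interface's own address, the same string used for both passwd and enable password, and 3DES in the ISAKMP policy. The checks are line-oriented heuristics, not a full ASA parser.

```python
"""Heuristic linter for a pre-8.3-syntax Cisco ASA config (added example)."""
import re

# Constructed excerpt based on the posted config; not a complete ASA config.
SAMPLE_CONFIG = """\
interface gigabitethernet 0/0
nameif outside
security-level 0
ip address 209.165.201.3 255.255.255.224
no shutdown
interface gigabitethernet 0/1
nameif inside2
security-level 100
ip address 100.100.2.1 255.255.255.0
no shutdown
interface gigabitethernet 0/2
nameif
security-level 100
no ip address
shutdown
interface gigabitethernet 0/3
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
no shutdown
passwd Password1
enable password Password1
static (inside1,inside2) 100.100.1.0 100.100.1.0 netmask 255.255.255.0
static (inside2,inside1) 100.100.2.0 100.100.2.0 netmask 255.255.255.0
static (dmz,outside) 209.165.201.5 192.168.1.0 netmask 255.255.255.255
isakmp policy 1 encryption 3des
telnet 100.100.2.1 255.255.255.255 outside
telnet timeout 30
logging host dmz 192.168.1.1
"""


def parse_interfaces(config):
    """Return {physical name: {nameif, ip, level}} from the interface stanzas."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"nameif": None, "ip": None, "level": None}
            continue
        if current is None:
            continue
        # 'nameif' with no argument is recorded as "" so it can be flagged later.
        m = re.match(r"nameif(?:\s+(\S+))?$", line)
        if m:
            interfaces[current]["nameif"] = m.group(1) or ""
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)):
            interfaces[current]["ip"] = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)):
            interfaces[current]["level"] = int(m.group(1))
        elif line not in ("shutdown", "no shutdown", "no ip address"):
            current = None  # first non-interface command ends the stanza
    return interfaces


def lint(config):
    """Return a list of (code, message) findings for the config text."""
    interfaces = parse_interfaces(config)
    named = {v["nameif"]: v for v in interfaces.values() if v["nameif"]}
    findings, passwords = [], {}
    for phys, info in interfaces.items():
        if info["nameif"] == "":
            findings.append(("EMPTY_NAMEIF", f"{phys}: nameif has no name"))
    for raw in config.splitlines():
        line = raw.strip()
        if (m := re.match(r"static \(([^,()]+),([^,()]+)\)", line)):
            for name in m.groups():
                if name not in named:
                    findings.append(("UNKNOWN_IFACE",
                                     f"static references undefined nameif '{name}'"))
        elif (m := re.match(r"telnet \S+ \S+ (\S+)$", line)):
            if named.get(m.group(1), {}).get("level") == 0:
                findings.append(("TELNET_LOW_SEC",
                                 f"telnet management allowed on level-0 interface {m.group(1)}"))
        elif (m := re.match(r"logging host (\S+) (\S+)$", line)):
            if named.get(m.group(1), {}).get("ip") == m.group(2):
                findings.append(("SYSLOG_IS_SELF",
                                 f"syslog host {m.group(2)} is the {m.group(1)} interface address"))
        elif (m := re.match(r"(passwd|enable password) (\S+)$", line)):
            passwords[m.group(1)] = m.group(2)
        elif re.match(r"isakmp policy \d+ encryption (3des|des)$", line):
            findings.append(("WEAK_CIPHER", f"weak ISAKMP cipher: {line}"))
    if len(set(passwords.values())) < len(passwords):
        findings.append(("SHARED_PASSWORD", "passwd and enable password are identical"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code:15} {msg}")
```

The interface parser treats the first command that is not a known interface sub-command as the end of a stanza, which is enough for a flattened running-config like the one posted; a fuller tool would key on the indentation a real `show running-config` produces.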