turtle1296

asked on

Cisco, ASA, 5505

Hi experts,

Am having a few problems configuring the Cisco ASA5505 firewall. Have configured many routers/PCs in the past, so didn't expect this to be a problem. Hope somebody out there can help.

Our current setup is as follows:

Linksys AG241 router connected to ISP (static IP of 85.189.xxx.xxx & subnet mask 255.255.255.255 on WAN side, static IP of 101.0.0.250 & subnet mask of 255.255.255.0 on LAN side).

This is then connected to the rest of the network via a Cisco switch. All PCs connected to this switch get IP addresses via DHCP from our server in the range 101.0.0.1 - 101.0.0.200.

I have just bought an ASA5505 and placed it behind the router, in front of the switch. Have configured the inside interface with a static IP of 101.0.0.254/255.0.0.0 & can connect with ASDM no problem. Have also tried to configure the outside interface with static IP address 85.189.xxx.xxx/255.255.255.255, however ASDM tells me that this is not a valid subnet mask for an interface. I have simply taken these details from our router 'connection status' page, so not sure what to do next?

Also have tried to add the static route to the outside interface as suggested somewhere by 'slouko'. Is this the Gateway IP as listed on our router status page, as it's the only IP address I can find that I do not recognise? However this appears to change periodically.

When I have sorted the above, do I then change the default gateway on all connected equipment to point to the ASA?

Lastly, are there any changes I need to make to the router to make all this work!

Thanks for any help anybody can offer, I'm really starting to pull my hair out!
Donnie4572

That is not a valid mask. /32 or 255.255.255.255 is basically a single host on the subnet, and the ASA expects to have a gateway on the WAN interface on the same subnet as its interface.
Are you trying to replace the linksys with the ASA?


You should probably set up the WAN interface of the ASA with the inside subnet of the router.

For example:
- Connect the inside interface of the Linksys to the outside interface of the ASA, same subnet.
- Connect the inside interface of the ASA to your inside switch.
- The Linksys gateway is your ISP router.
- The ASA gateway is the Linksys.
- From inside, your gateway would be the inside interface of the ASA, or you could set the switch as your inside gateway, but only if it is a layer 3 switch.


Donnie
turtle1296 (ASKER)

Donnie,

Thanks for the quick response.

No, I'm not trying to replace the Linksys with the ASA - the ASA has no ADSL port (ethernet only).

Have tried setting the outside interface of the ASA with the inside subnet of the router, no effect. Have also tried setting the outside interface of the ASA with the internal IP address/subnet of the Linksys, but get an error message that the IP address (101.0.0.250/255.255.255.0) cannot overlap with the subnet of the inside interface (the inside interface is set as 101.0.0.254/255.0.0.0).

Any more ideas?
It is difficult to understand what is going on here.
By the way, you cannot use 101.0.0.0 as an inside/private network.
http://tools.ietf.org/html/rfc1918

Consider the following; it is probably close to your situation.

1. Without the ASA everything works.
2. Without the ASA, say a test host computer on the inside has the IP address 10.0.0.25/255.255.255.0.
3. The inside host gateway is 10.0.0.1.
4. Verify that this host connects to the internet without problem.
5. The 10.0.0.1 address is the ip address of the inside interface on the linksys.
   (forget the outside interface of the linksys; it will not change)
6. Leave the inside interface of the linksys as is (10.0.0.1/24)
7. (The inside interface of the linksys will not change)

To introduce the ASA I would setup a test PC

1. Set up the outside interface of the ASA like this.
   ip address:  10.0.0.2
    mask:       255.255.255.0
(The Gateway of the ASA will be the inside interface of the Linksys (10.0.0.1))

2. Set up the inside interface of the ASA like this.
   ip address:  10.1.1.2
    mask:       255.255.255.0
   
3. Connect the outside interface of the ASA to the same network
   with the inside interface of the linksys.

4. Set up the test PC interface like this.
   ip address:  10.1.1.3
    mask:       255.255.255.0
    gateway:    10.1.1.2

5. Connect the Test PC interface to the same network
   with the inside interface of the ASA.

6. Verify connection between test PC and ASA (ping 10.1.1.2)

7. From Test PC telnet to the ASA (telnet 10.1.1.2)

8. From telnet session ping the linksys (ping 10.0.0.1)

After you verify the connection (steps 6-8) you're done.
Set up rules and so on.

Now, this direction means that all inside hosts will change IP addresses to the inside
network of the ASA. You must either change the inside IP addresses or change the
Linksys inside interface IP address.


Donnie
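The addressing rules Donnie has been stating across his two replies (an interface cannot carry a /32 mask, the outside gateway must sit on the outside interface's subnet, the inside and outside subnets may not overlap, and the inside network should be RFC 1918 space) can be checked mechanically before touching the box. The following is an added example written for this thread, not code from the thread or from Cisco; it uses Python's standard `ipaddress` module, and the constructed public address 85.189.0.1 stands in for the masked 85.189.xxx.xxx in the question.

```python
"""Plan checker for the two-hop Linksys -> ASA -> switch layout.

Added example, not from the thread or from Cisco. It encodes the rules Donnie
states: no host (/32) mask on an interface, the gateway must be on the outside
interface's subnet, inside/outside subnets must not overlap, and the inside
network should be RFC 1918 space (10.0.0.0/8 is; 101.0.0.0/8 is not).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    name: str
    address: str                  # "10.0.0.2/255.255.255.0" or "10.0.0.2/24"
    gateway: Optional[str] = None  # only the outside interface carries a gateway

    @property
    def iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.IPv4Interface(self.address)


def check_layout(interfaces: List[Interface]) -> List[str]:
    """Return a list of problems with the firewall plan; an empty list means it passes."""
    problems: List[str] = []
    seen = []  # (name, network) of interfaces already checked, for overlap tests
    for i in interfaces:
        net = i.iface.network
        # 255.255.255.255 describes a single host, not a link; ASDM rejects it for an interface.
        if net.prefixlen == 32:
            problems.append(f"{i.name}: {i.address} is a host mask, not a usable interface mask")
        # The default gateway must be directly reachable, i.e. on this interface's subnet.
        if i.gateway is not None:
            gw = ipaddress.IPv4Address(i.gateway)
            if gw not in net or gw == i.iface.ip:
                problems.append(f"{i.name}: gateway {i.gateway} is not on subnet {net}")
        # The inside network should be private address space (RFC 1918).
        if i.name == "inside" and not net.is_private:
            problems.append(f"{i.name}: {net} is not RFC 1918 space")
        # Two interfaces on overlapping subnets is the error turtle1296 hit in ASDM.
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{i.name} {net} overlaps {other_name} {other}")
        seen.append((i.name, net))
    return problems


# The plan from Donnie's reply (outside 10.0.0.2/24 via 10.0.0.1, inside 10.1.1.2/24).
PROPOSED = [
    Interface("outside", "10.0.0.2/255.255.255.0", gateway="10.0.0.1"),
    Interface("inside", "10.1.1.2/255.255.255.0"),
]

# The original attempt from the question; 85.189.0.1/.2 are constructed stand-ins
# for the masked public address and gateway.
ORIGINAL = [
    Interface("outside", "85.189.0.1/255.255.255.255", gateway="85.189.0.2"),
    Interface("inside", "101.0.0.254/255.0.0.0"),
]

if __name__ == "__main__":
    print("proposed plan:", check_layout(PROPOSED) or "ok")
    for problem in check_layout(ORIGINAL):
        print("original plan:", problem)
```

Running it reports the proposed plan as clean and lists three problems with the original one (host mask on outside, gateway off-subnet, and the non-private 101.0.0.0/8 inside network); feeding it the second attempt from turtle1296's reply (outside 101.0.0.250/24, inside 101.0.0.254/8) reproduces the overlap complaint.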

Thanks for the tips.

Will try to sort tomorrow.

Will let you know how I get on.
Have still not had a chance to try your suggestions.

Am now off on holiday for two weeks so won't be able to do any more until I get back.

Will let you know the outcome ASAP.

Thanks.
wow, 2 week holiday?
I need a job like that!
Donnie,

Now back from holiday & back on the CISCO case!

Have set up as described in your last post (slightly different IP addresses, but have followed the principles exactly).

Can now ping ASA from test machine, can telnet into the ASA & can also successfully ping the Linksys router from the telnet session.

However can still not get internet access from the test machine.

The gateway on the test PC is set to the internal IP of the CISCO, but have not set the gateway on the cisco as the linksys as I cannot see where the option is.

I feel I'm nearly there, but just need that last little bit of help.

Thanks for any assistance you can offer.
So from the ASA enable mode, the command you should enter is: route outside 0.0.0.0 0.0.0.0 10.0.0.1

Like this (see attached)

Have you setup rules to allow http traffic out of the ASA?
If there is still a problem after you add the gateway to the ASA you could try running a "packet-tracer" to find out if the ASA is dropping the traffic.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Donnie
User Access Verification
 
Password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password: ********
ciscoasa# sh route
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is not set
 
C    10.0.0.0 255.255.255.0 is directly connected, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.1.1.0 255.255.255.0 is directly connected, inside
 
ciscoasa# config t
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1
ciscoasa(config)# sh route
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
 
C    10.0.0.0 255.255.255.0 is directly connected, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.1.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
 
ciscoasa(config)# exit
ciscoasa# wr mem
Building configuration...
Cryptochecksum: 45528464 3ab15c9c 1e8e4d10 4a8415a3
 
4284 bytes copied in 1.560 secs (4284 bytes/sec)
[OK]
ciscoasa#


Donnie,

Ok, I now have internet access through the ASA!

One last question - we run our own smtp mail server.  How do i get incoming mail traffic to our external IP address through the ASA to our mail server?

Have tried setting up NAT rule, but without success.

Thanks for all your time and effort.

Do you have a static public address for the mail server to use?
If yes:
Assume your public IP is 200.200.200.200 and the inside ip of your mail server is 10.1.1.20
This will nat port 25 and 443 in to 10.1.1.20

ciscoasa#config t
ciscoasa(config)#static (inside,outside) tcp 200.200.200.200 smtp 10.1.1.20 smtp netmask 255.255.255.255
ciscoasa(config)#static (inside,outside) tcp 200.200.200.200 https 10.1.1.20 https netmask 255.255.255.255

ciscoasa# sh run | inc static
static (inside,outside) tcp 200.200.200.200 smtp 10.1.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp 200.200.200.200 https 10.1.1.20 https netmask 255.255.255.255

If you already have an access-list applied to the outside interface add to it otherwise use something like this.

ciscoasa#config t
ciscoasa(config)#access-list outside_access_in permit tcp any host 200.200.200.200 eq smtp
ciscoasa(config)#access-list outside_access_in permit tcp any host 200.200.200.200 eq https

ciscoasa(config)#access-group outside_access_in in interface outside

ciscoasa#wr mem




Donnie,

Can't get this to work.

Just to clarify the current setup.......

Linksys router connected to ADSL line (Public Ip of 85.189.XXX.XXX, internal IP of 10.1.1.250) - port 25 forwarded to 10.1.1.252 (outside interface of ASA).

ASA (outside interface 10.1.1.252, inside interface 10.0.0.253).

All PCs attached to the inside interface of the ASA with IP addresses 10.0.0.X, mail server 10.0.0.2

Have tried your previous suggestion, but still can't access the mail server from a remote PC. Have tried packet tracer & it fails at NAT.
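Donnie's static entries and the failure turtle1296 then reports ("fails at NAT") can be reasoned about with a small model of how a pre-8.3 ASA matches a `static (inside,outside) tcp ...` entry against an inbound packet: the entry only applies when the packet's destination address and port equal the mapped address and port in the static. The following is an added example written for this thread, not code from the thread and not Cisco software. It parses Donnie's two statics (with the 443 entry written consistently), takes the ASA outside address 10.1.1.252, inside address 10.0.0.253 and mail server 10.0.0.2 from turtle1296's last post, and traces the SMTP packet the Linksys port forward delivers to 10.1.1.252. The alternative static keyed on the `interface` keyword is my assumption about what would match that packet; it is not something the thread states.

```python
"""Model of pre-8.3 ASA static PAT matching for inbound TCP traffic.

Added example, not from the thread and not Cisco code. It exists to show why a
static written for 200.200.200.200 cannot match a packet that arrives at the
ASA addressed to 10.1.1.252, which is what the Linksys port forward produces.
"""
import re
from typing import Dict, List, Optional, Tuple

# Port keywords the ASA CLI accepts in static and access-list lines (subset).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}

STATIC_RE = re.compile(
    r"static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) tcp "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+) "
    r"netmask 255\.255\.255\.255$"
)

Rule = Tuple[str, int, str, int]  # (mapped_ip, mapped_port, real_ip, real_port)


def to_port(token: str) -> int:
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_statics(config: str, interface_addrs: Dict[str, str]) -> List[Rule]:
    """Pick the tcp static entries out of a running-config excerpt."""
    rules: List[Rule] = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mapped_ip = m["mapped_ip"]
        if mapped_ip == "interface":  # keyword: use the mapped interface's own address
            mapped_ip = interface_addrs[m["mapped_if"]]
        rules.append((mapped_ip, to_port(m["mapped_port"]), m["real_ip"], to_port(m["real_port"])))
    return rules


def translate_inbound(rules: List[Rule], dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Destination the ASA rewrites an inbound TCP packet to, or None when no
    static matches (the point at which packet-tracer reports a NAT failure)."""
    for mapped_ip, mapped_port, real_ip, real_port in rules:
        if dst_ip == mapped_ip and dst_port == mapped_port:
            return real_ip, real_port
    return None


# Addresses from turtle1296's last post.
ASA_ADDRS = {"outside": "10.1.1.252", "inside": "10.0.0.253"}
MAIL_SERVER = "10.0.0.2"

# Donnie's entries, written for a public address that the ASA itself would own.
DONNIE_STATICS = """
static (inside,outside) tcp 200.200.200.200 smtp 10.1.1.20 smtp netmask 255.255.255.255
static (inside,outside) tcp 200.200.200.200 https 10.1.1.20 https netmask 255.255.255.255
"""

# Constructed alternative (my assumption, not from the thread): key the static on the
# outside interface address, because that is the address the Linksys forwards port 25 to.
INTERFACE_STATIC = "static (inside,outside) tcp interface smtp 10.0.0.2 smtp netmask 255.255.255.255"


def trace_port_forward(config: str) -> Optional[Tuple[str, int]]:
    """Inbound SMTP as the Linksys delivers it: destination 10.1.1.252, port 25."""
    return translate_inbound(parse_statics(config, ASA_ADDRS), ASA_ADDRS["outside"], 25)


if __name__ == "__main__":
    print("Donnie's statics:", trace_port_forward(DONNIE_STATICS))    # None: dropped at NAT
    print("interface static:", trace_port_forward(INTERFACE_STATIC))  # ('10.0.0.2', 25)
```

With Donnie's entries the forwarded packet matches nothing and the model returns None, which is the NAT-stage failure turtle1296 saw in packet tracer; with the interface-keyed static it translates to the mail server. Whatever static is used, on pre-8.3 code the outside access-list is evaluated against the mapped (pre-translation) destination, so the `permit tcp any host ...` line has to name the same address the static maps, not the inside server.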
ASKER CERTIFIED SOLUTION
Donnie4572

This solution is only available to members.
Donnie,

Thanks for the last post - now everything is working like clockwork!