Solved

Cisco ASA 5505 2 lans, 2 locations,  one internet out.

Posted on 2014-02-20
6
402 Views
Last Modified: 2014-03-05
Hi,
I need some help configuring an ASA 5505 for the internet.
I have 2 physical locations, that are AT&T managed Systems.

The first location has an At&T router, ip address 192.168.6.1, with ASA 5505 ip address 192.168.6.2.
These devices are at the same physical location. Internet and Intranet work great.

The second location has AT&T managed router that has ip address 192.168.5.1 and all internet traffic is being routed to 192.168.6.1 (other location) via AT&T network.

We can see internally with each other, but the 192.168.5.0 ip addresses cant access the internet when the AT&T router sends the internet traffic out to the firewall.
The at&t engineer stated I needed a route or rule in the firewall to allow that other ip traffic.

Attached is a file with a simple network diagram.
Can someone point me in the right direction of how to allow that internet traffic using Cisco ASDM launcher? 1.5(50)
Much appreciated.

Bob Coats
2-LAN-INTERNET.doc
0
Comment
Question by:RjCoats
  • 4
  • 2
6 Comments
 
LVL 8

Expert Comment

by:Jeff Perry
ID: 39874361
ou can either add a rule in the 5505 to NAT the 192.168.5.x traffic the same as the 192.168.6.X traffic

or

You can have att nat all outbound 192.168.5.X traffic to a 192.168.6.x address at the .6.1 router

If you manage the 5505 and att has 192.168.5.0 default route pointed to the internet then I would say option 1 would be the better choice.
0
 

Author Comment

by:RjCoats
ID: 39874427
yes, I am the manager for the asa 5505, they handle the other router, and 5.1 is pointed to 6.1 then to 6.2. That's where it stops. at the firewall.

Can  you give me the asdm steps to do that? that's where Im not sure what to do. Not sure to use Dynamic or Static Nat Rule.

If so I'd appreciate it. I am limited on what I can do on the ASA. Its new to me, and I have no cisco training.
Thanks
0
 
LVL 8

Accepted Solution

by:
Jeff Perry earned 500 total points
ID: 39875427
Don't make any changes until you have read this entire post.

You can see the information from the gui (asdm) by clicking tools>command line interface and typing the "show nat" command into the box. It should appear like this  (depending on the number of nat statements it may be buried in the list).

match ip inside 192.168.6.0 outside any
    dynamic translation to pool 1 (your public ip here)
    translate_hits = xxxxxx, untranslate_hits = xxxxxx
 

Open in new window


If your pool is a different number that is not a big deal just keep that in mind.

If you don't know which ip the 192.168.6.0 address are being natted to you can go back to tools>command line interface and issue "show xlate"

you should get a list that shows

PAT Global (your public ip(dynamicport#)) Local 192.168.6.xx(dyamicport#)

To nat all ips to the outside pool change the nat statement to display

match ip inside any outside a
    dynamic translation to pool 1 (your public ip)
    translate_hits = xxxxxxxx, untranslate_hits = xxxxxxxxx
 

Open in new window


To do this click on "Configuration" then on "Firewall" and "NAT Rules"

Scroll to the bottom or the section labeled "inside"

There should be a dynamic rule that looks something like

Dynamic 192.168.6.0 any (your public ip here)

Open in new window


edit this rule by changing 192.168.6.0 to any

dynamic any outside (your public ip here) 

Open in new window


If you are willing to attach a config or screenshots I can advise you further before you make any changes.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 

Author Comment

by:RjCoats
ID: 39876720
Thanks Jeff, I appreciate it.
I will get back to you. Its at a remote location, and I'm going to print this and take it down.
Thanks again
Bob
0
 

Author Comment

by:RjCoats
ID: 39876774
Here is a response I got back from the Engineer at AT&T,
"In order to reach the internet you will need to add an ACL on the firewall permitting all your LAN networks to reach the internet.
An example would be access-list 1 permit 192.168.0.0 0.0.255.255 any
The default route to the firewall is now propagated to the BGP, so once you apply above mentioned configuration all your current and future sites should reach the internet."

This is what I am looking for I suppose.
Right now, I think its only allowing 192.168.6.0 traffic (true number) to go out.
I will go down and see what I have for access lists. Maybe I can just edit the current?

Thanks
bob
0
 

Author Comment

by:RjCoats
ID: 39877542
It may be next week before I know if my changes. Thanks for the Help Jeff. I will get back to it.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now