RjCoats
asked on
Cisco ASA 5505 2 lans, 2 locations, one internet out.
Hi,
I need some help configuring an ASA 5505 for the internet.
I have 2 physical locations, that are AT&T managed Systems.
The first location has an AT&T router, IP address 192.168.6.1, with ASA 5505 IP address 192.168.6.2.
These devices are at the same physical location. Internet and Intranet work great.
The second location has an AT&T managed router that has IP address 192.168.5.1, and all internet traffic is being routed to 192.168.6.1 (other location) via the AT&T network.
We can see internally with each other, but the 192.168.5.0 IP addresses can't access the internet when the AT&T router sends the internet traffic out to the firewall.
The AT&T engineer stated I needed a route or rule in the firewall to allow that other IP traffic.
Attached is a file with a simple network diagram.
Can someone point me in the right direction of how to allow that internet traffic using Cisco ASDM launcher? 1.5(50)
Much appreciated.
Bob Coats
2-LAN-INTERNET.doc
ASKER
Yes, I am the manager for the ASA 5505, they handle the other router, and 5.1 is pointed to 6.1 then to 6.2. That's where it stops, at the firewall.
Can you give me the ASDM steps to do that? That's where I'm not sure what to do. Not sure whether to use a Dynamic or Static NAT Rule.
If so I'd appreciate it. I am limited on what I can do on the ASA. It's new to me, and I have no Cisco training.
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Thanks Jeff, I appreciate it.
I will get back to you. It's at a remote location, and I'm going to print this and take it down.
Thanks again
Bob
ASKER
Here is a response I got back from the Engineer at AT&T:
"In order to reach the internet you will need to add an ACL on the firewall permitting all your LAN networks to reach the internet.
An example would be access-list 1 permit 192.168.0.0 0.0.255.255 any
The default route to the firewall is now propagated to the BGP, so once you apply above mentioned configuration all your current and future sites should reach the internet."
This is what I am looking for I suppose.
Right now, I think it's only allowing 192.168.6.0 traffic (true number) to go out.
I will go down and see what I have for access lists. Maybe I can just edit the current?
Thanks
bob
ASKER
It may be next week before I know if my changes. Thanks for the help, Jeff. I will get back to it.
or
You can have AT&T NAT all outbound 192.168.5.x traffic to a 192.168.6.x address at the .6.1 router.
If you manage the 5505 and AT&T has the 192.168.5.0 default route pointed to the internet, then I would say option 1 would be the better choice.
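For reference, the three ASA-side pieces this thread circles around (a return route, a NAT rule and an ACL entry for 192.168.5.0/24) look like this at the CLI. This is an added example, not part of the original thread or the members-only solution; the interface names `inside`/`outside`, the ACL name `inside_access_in`, NAT ID 1, the object name `SITE2-LAN` and the test addresses are assumptions to be matched against the running configuration.

```cisco
! Added example. Names marked "assumed" must be checked against
! "show running-config" before anything is applied.

! 1. Return route: the ASA (192.168.6.2) only knows its connected
!    192.168.6.0/24, so replies to 192.168.5.x need a next hop.
!    Interface name "inside" is assumed.
route inside 192.168.5.0 255.255.255.0 192.168.6.1 1

! 2a. Dynamic NAT/PAT on ASA software before 8.3.
!     NAT ID 1 is assumed to match an existing
!     "global (outside) 1 interface" line.
nat (inside) 1 192.168.5.0 255.255.255.0

! 2b. Dynamic NAT/PAT on ASA software 8.3 and later (use instead of 2a).
!     Object name SITE2-LAN is hypothetical.
object network SITE2-LAN
 subnet 192.168.5.0 255.255.255.0
 nat (inside,outside) dynamic interface

! 3. ACL entry, needed only if an access list is already bound to the
!    inside interface (check "show running-config access-group").
!    ACL name is assumed. The ASA takes a subnet mask here, not the
!    IOS-style wildcard mask (0.0.255.255) quoted from the AT&T engineer.
!    Scoping to the one remote /24 keeps the rule as narrow as the need.
access-list inside_access_in extended permit ip 192.168.5.0 255.255.255.0 any

! 4. Verify. 192.168.5.10 and 198.51.100.10 are constructed test addresses.
show route
packet-tracer input inside tcp 192.168.5.10 12345 198.51.100.10 80
show xlate
```

The `packet-tracer` output lists each phase (route lookup, access list, NAT) with an ALLOW or DROP result, which shows which of the three pieces is still missing.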