[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Cisco ASA 5505 2 lans, 2 locations,  one internet out.

Posted on 2014-02-20
6
Medium Priority
?
446 Views
Last Modified: 2014-03-05
Hi,
I need some help configuring an ASA 5505 for the internet.
I have 2 physical locations, that are AT&T managed Systems.

The first location has an At&T router, ip address 192.168.6.1, with ASA 5505 ip address 192.168.6.2.
These devices are at the same physical location. Internet and Intranet work great.

The second location has AT&T managed router that has ip address 192.168.5.1 and all internet traffic is being routed to 192.168.6.1 (other location) via AT&T network.

We can see internally with each other, but the 192.168.5.0 ip addresses cant access the internet when the AT&T router sends the internet traffic out to the firewall.
The at&t engineer stated I needed a route or rule in the firewall to allow that other ip traffic.

Attached is a file with a simple network diagram.
Can someone point me in the right direction of how to allow that internet traffic using Cisco ASDM launcher? 1.5(50)
Much appreciated.

Bob Coats
2-LAN-INTERNET.doc
0
Comment
Question by:RjCoats
  • 4
  • 2
6 Comments
 
LVL 8

Expert Comment

by:Jeff Perry
ID: 39874361
ou can either add a rule in the 5505 to NAT the 192.168.5.x traffic the same as the 192.168.6.X traffic

or

You can have att nat all outbound 192.168.5.X traffic to a 192.168.6.x address at the .6.1 router

If you manage the 5505 and att has 192.168.5.0 default route pointed to the internet then I would say option 1 would be the better choice.
0
 

Author Comment

by:RjCoats
ID: 39874427
yes, I am the manager for the asa 5505, they handle the other router, and 5.1 is pointed to 6.1 then to 6.2. That's where it stops. at the firewall.

Can  you give me the asdm steps to do that? that's where Im not sure what to do. Not sure to use Dynamic or Static Nat Rule.

If so I'd appreciate it. I am limited on what I can do on the ASA. Its new to me, and I have no cisco training.
Thanks
0
 
LVL 8

Accepted Solution

by:
Jeff Perry earned 2000 total points
ID: 39875427
Don't make any changes until you have read this entire post.

You can see the information from the gui (asdm) by clicking tools>command line interface and typing the "show nat" command into the box. It should appear like this  (depending on the number of nat statements it may be buried in the list).

match ip inside 192.168.6.0 outside any
    dynamic translation to pool 1 (your public ip here)
    translate_hits = xxxxxx, untranslate_hits = xxxxxx
 

Open in new window


If your pool is a different number that is not a big deal just keep that in mind.

If you don't know which ip the 192.168.6.0 address are being natted to you can go back to tools>command line interface and issue "show xlate"

you should get a list that shows

PAT Global (your public ip(dynamicport#)) Local 192.168.6.xx(dyamicport#)

To nat all ips to the outside pool change the nat statement to display

match ip inside any outside a
    dynamic translation to pool 1 (your public ip)
    translate_hits = xxxxxxxx, untranslate_hits = xxxxxxxxx
 

Open in new window


To do this click on "Configuration" then on "Firewall" and "NAT Rules"

Scroll to the bottom or the section labeled "inside"

There should be a dynamic rule that looks something like

Dynamic 192.168.6.0 any (your public ip here)

Open in new window


edit this rule by changing 192.168.6.0 to any

dynamic any outside (your public ip here) 

Open in new window


If you are willing to attach a config or screenshots I can advise you further before you make any changes.
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 

Author Comment

by:RjCoats
ID: 39876720
Thanks Jeff, I appreciate it.
I will get back to you. Its at a remote location, and I'm going to print this and take it down.
Thanks again
Bob
0
 

Author Comment

by:RjCoats
ID: 39876774
Here is a response I got back from the Engineer at AT&T,
"In order to reach the internet you will need to add an ACL on the firewall permitting all your LAN networks to reach the internet.
An example would be access-list 1 permit 192.168.0.0 0.0.255.255 any
The default route to the firewall is now propagated to the BGP, so once you apply above mentioned configuration all your current and future sites should reach the internet."

This is what I am looking for I suppose.
Right now, I think its only allowing 192.168.6.0 traffic (true number) to go out.
I will go down and see what I have for access lists. Maybe I can just edit the current?

Thanks
bob
0
 

Author Comment

by:RjCoats
ID: 39877542
It may be next week before I know if my changes. Thanks for the Help Jeff. I will get back to it.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . It goes without saying that technology has transformed society and the very nature of how we live, work, and communicate in ways that would’ve been incomprehensible 5 ye…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question