Solved

Cisco ASA 5505 2 lans, 2 locations,  one internet out.

Posted on 2014-02-20
434 Views
Last Modified: 2014-03-05
Hi,
I need some help configuring an ASA 5505 for the internet.
I have 2 physical locations that are AT&T managed systems.

The first location has an AT&T router, IP address 192.168.6.1, with ASA 5505 IP address 192.168.6.2.
These devices are at the same physical location. Internet and intranet work great.

The second location has an AT&T managed router that has IP address 192.168.5.1, and all internet traffic is being routed to 192.168.6.1 (other location) via the AT&T network.

We can see each other internally, but the 192.168.5.0 IP addresses can't access the internet when the AT&T router sends the internet traffic out to the firewall.
The AT&T engineer stated I needed a route or rule in the firewall to allow that other IP traffic.

Attached is a file with a simple network diagram.
Can someone point me in the right direction on how to allow that internet traffic using Cisco ASDM Launcher 1.5(50)?
Much appreciated.

Bob Coats
2-LAN-INTERNET.doc
Question by:RjCoats
6 Comments
LVL 8

Expert Comment

by:Jeff Perry
ID: 39874361
You can either add a rule in the 5505 to NAT the 192.168.5.x traffic the same as the 192.168.6.x traffic,

or

you can have AT&T NAT all outbound 192.168.5.x traffic to a 192.168.6.x address at the .6.1 router.

If you manage the 5505 and AT&T has the 192.168.5.0 default route pointed to the internet, then I would say option 1 would be the better choice.

Author Comment

by:RjCoats
ID: 39874427
Yes, I am the manager for the ASA 5505; they handle the other router, and 5.1 is pointed to 6.1, then to 6.2. That's where it stops, at the firewall.

Can you give me the ASDM steps to do that? That's where I'm not sure what to do. Not sure whether to use a Dynamic or Static NAT rule.

If so, I'd appreciate it. I am limited on what I can do on the ASA. It's new to me, and I have no Cisco training.
Thanks
LVL 8

Accepted Solution

by:
Jeff Perry earned 2000 total points
ID: 39875427
Don't make any changes until you have read this entire post.

You can see the information from the GUI (ASDM) by clicking Tools > Command Line Interface and typing the "show nat" command into the box. It should appear like this (depending on the number of NAT statements it may be buried in the list):

match ip inside 192.168.6.0 outside any
    dynamic translation to pool 1 (your public ip here)
    translate_hits = xxxxxx, untranslate_hits = xxxxxx
If your pool is a different number, that is not a big deal; just keep that in mind.

If you don't know which IP the 192.168.6.0 addresses are being NATted to, you can go back to Tools > Command Line Interface and issue "show xlate".

You should get a list that shows:

PAT Global (your public ip(dynamicport#)) Local 192.168.6.xx(dynamicport#)

To NAT all IPs to the outside pool, change the NAT statement to display:

match ip inside any outside any
    dynamic translation to pool 1 (your public ip)
    translate_hits = xxxxxxxx, untranslate_hits = xxxxxxxxx
To do this, click on "Configuration", then on "Firewall" and "NAT Rules".

Scroll to the bottom or the section labeled "inside".

There should be a dynamic rule that looks something like:

Dynamic 192.168.6.0 any (your public ip here)


Edit this rule by changing 192.168.6.0 to any:

dynamic any outside (your public ip here)

If you are willing to attach a config or screenshots I can advise you further before you make any changes.
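As an added example (not Jeff's text or the asker's actual configuration), here is the same change expressed on the ASA command line, first in pre-8.3 syntax (the "match ip inside ... pool 1" form of show nat quoted above is what that release train prints) and then in the 8.3+ object-NAT form. It assumes interfaces named "inside" and "outside", PAT to the outside interface address, and that 192.168.5.0/24 is reached through the AT&T router at 192.168.6.1. Instead of translating "any", it adds only the second LAN, so the translation stays scoped to the two known subnets, and it adds the return route the ASA needs for a subnet that is not directly connected.

```cisco
! Added example, not from the original thread. Assumes interfaces "inside"/"outside",
! PAT to the outside interface address, and 192.168.5.0/24 reachable via 192.168.6.1.
!
! --- ASA 8.2 and earlier (matches the "show nat ... pool 1" output shown above) ---
! Existing rule: only the local LAN is translated to pool 1
nat (inside) 1 192.168.6.0 255.255.255.0
global (outside) 1 interface
! Add the remote AT&T site to the same pool instead of widening the rule to "any"
nat (inside) 1 192.168.5.0 255.255.255.0
! Return path: 192.168.5.0/24 is not directly connected to the ASA, so point it
! back at the AT&T router. Without this, replies to the remote LAN would follow
! the default route out the outside interface and the site would still not work.
route inside 192.168.5.0 255.255.255.0 192.168.6.1 1
!
! --- ASA 8.3 and later (object NAT, one object per LAN) ---
object network LAN-SITE1
 subnet 192.168.6.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network LAN-SITE2
 subnet 192.168.5.0 255.255.255.0
 nat (inside,outside) dynamic interface
route inside 192.168.5.0 255.255.255.0 192.168.6.1 1
!
! Verify: "show nat" should now list both subnets, and "show xlate" should show
! PAT entries with Local 192.168.5.x once a host at the second site browses.
```

In ASDM this corresponds to adding a second dynamic NAT rule under Configuration > Firewall > NAT Rules, plus a static route for 192.168.5.0/24 via 192.168.6.1 under the routing section, rather than editing the existing rule to "any".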
Author Comment

by:RjCoats
ID: 39876720
Thanks Jeff, I appreciate it.
I will get back to you. It's at a remote location, and I'm going to print this and take it down.
Thanks again
Bob
Author Comment

by:RjCoats
ID: 39876774
Here is a response I got back from the engineer at AT&T:
"In order to reach the internet you will need to add an ACL on the firewall permitting all your LAN networks to reach the internet.
An example would be access-list 1 permit 192.168.0.0 0.0.255.255 any
The default route to the firewall is now propagated to the BGP, so once you apply above mentioned configuration all your current and future sites should reach the internet."

This is what I am looking for, I suppose.
Right now, I think it's only allowing 192.168.6.0 traffic (true number) to go out.
I will go down and see what I have for access lists. Maybe I can just edit the current one?

Thanks
Bob
Author Comment

by:RjCoats
ID: 39877542
It may be next week before I know if my changes. Thanks for the Help Jeff. I will get back to it.