Solved

Cisco ASA 5505 2 lans, 2 locations,  one internet out.

Posted on 2014-02-20
6
426 Views
Last Modified: 2014-03-05
Hi,
I need some help configuring an ASA 5505 for the internet.
I have 2 physical locations, that are AT&T managed Systems.

The first location has an At&T router, ip address 192.168.6.1, with ASA 5505 ip address 192.168.6.2.
These devices are at the same physical location. Internet and Intranet work great.

The second location has AT&T managed router that has ip address 192.168.5.1 and all internet traffic is being routed to 192.168.6.1 (other location) via AT&T network.

We can see internally with each other, but the 192.168.5.0 ip addresses cant access the internet when the AT&T router sends the internet traffic out to the firewall.
The at&t engineer stated I needed a route or rule in the firewall to allow that other ip traffic.

Attached is a file with a simple network diagram.
Can someone point me in the right direction of how to allow that internet traffic using Cisco ASDM launcher? 1.5(50)
Much appreciated.

Bob Coats
2-LAN-INTERNET.doc
0
Comment
Question by:RjCoats
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 8

Expert Comment

by:Jeff Perry
ID: 39874361
ou can either add a rule in the 5505 to NAT the 192.168.5.x traffic the same as the 192.168.6.X traffic

or

You can have att nat all outbound 192.168.5.X traffic to a 192.168.6.x address at the .6.1 router

If you manage the 5505 and att has 192.168.5.0 default route pointed to the internet then I would say option 1 would be the better choice.
0
 

Author Comment

by:RjCoats
ID: 39874427
yes, I am the manager for the asa 5505, they handle the other router, and 5.1 is pointed to 6.1 then to 6.2. That's where it stops. at the firewall.

Can  you give me the asdm steps to do that? that's where Im not sure what to do. Not sure to use Dynamic or Static Nat Rule.

If so I'd appreciate it. I am limited on what I can do on the ASA. Its new to me, and I have no cisco training.
Thanks
0
 
LVL 8

Accepted Solution

by:
Jeff Perry earned 500 total points
ID: 39875427
Don't make any changes until you have read this entire post.

You can see the information from the gui (asdm) by clicking tools>command line interface and typing the "show nat" command into the box. It should appear like this  (depending on the number of nat statements it may be buried in the list).

match ip inside 192.168.6.0 outside any
    dynamic translation to pool 1 (your public ip here)
    translate_hits = xxxxxx, untranslate_hits = xxxxxx
 

Open in new window


If your pool is a different number that is not a big deal just keep that in mind.

If you don't know which ip the 192.168.6.0 address are being natted to you can go back to tools>command line interface and issue "show xlate"

you should get a list that shows

PAT Global (your public ip(dynamicport#)) Local 192.168.6.xx(dyamicport#)

To nat all ips to the outside pool change the nat statement to display

match ip inside any outside a
    dynamic translation to pool 1 (your public ip)
    translate_hits = xxxxxxxx, untranslate_hits = xxxxxxxxx
 

Open in new window


To do this click on "Configuration" then on "Firewall" and "NAT Rules"

Scroll to the bottom or the section labeled "inside"

There should be a dynamic rule that looks something like

Dynamic 192.168.6.0 any (your public ip here)

Open in new window


edit this rule by changing 192.168.6.0 to any

dynamic any outside (your public ip here) 

Open in new window


If you are willing to attach a config or screenshots I can advise you further before you make any changes.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 

Author Comment

by:RjCoats
ID: 39876720
Thanks Jeff, I appreciate it.
I will get back to you. Its at a remote location, and I'm going to print this and take it down.
Thanks again
Bob
0
 

Author Comment

by:RjCoats
ID: 39876774
Here is a response I got back from the Engineer at AT&T,
"In order to reach the internet you will need to add an ACL on the firewall permitting all your LAN networks to reach the internet.
An example would be access-list 1 permit 192.168.0.0 0.0.255.255 any
The default route to the firewall is now propagated to the BGP, so once you apply above mentioned configuration all your current and future sites should reach the internet."

This is what I am looking for I suppose.
Right now, I think its only allowing 192.168.6.0 traffic (true number) to go out.
I will go down and see what I have for access lists. Maybe I can just edit the current?

Thanks
bob
0
 

Author Comment

by:RjCoats
ID: 39877542
It may be next week before I know if my changes. Thanks for the Help Jeff. I will get back to it.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question