goraek
asked on
Setup and configure Cisco ASA 5512-x
Hi Guys
I'm setting up an ASA 5512 and having trouble getting to the internet. I've got all the configuration entered correctly, but still no good. I've also added the ACL and NAT; I believe they are correct.
Can anyone with ASA knowledge assist with my configuration?
Thanks
Goraek
Do you have a default route pointing to the ISP?
Can you post your config (without passwords)?
ASKER
Yes, we have static for internet. We have multiple sites connected to one site for internet access.
Yes there is a default route to the ISP.
I don't have the config as I'm not at work. I can get it tomorrow.
However is there a standard config I can use to get the internet working?
We are using ASA 9.1 with ASDM 7.1.
ASKER
More info
ISP IP: 1.1.1.1/24
ISP Gateway: 1.1.1.254
LAN1: 2.2.2.2/24
LAN1 Gateway: 2.2.2.254
LAN2: 3.3.3.3/24
LAN2 Gateway: 3.3.3.254
LAN1 = Main Site
LAN2 = Secondary Site
We are replacing an existing Firewall with the new ASA.
Basically, we want GigaEthernet 0/0 WAN and GigaEthernet 0/1 LAN1.
I hope that's enough info for now.
Can you ping default gateway from ASA?
ASKER
That's the thing, if I reboot the ASA it pings, but after that it stops pinging for some reason.
I've also followed this guide - http://www.techrepublic.com/forums/questions/how-do-i-configure-a-cisco-asa-5510-for-internet-access/
But the commands are different in the new firmware version 9.1.
ASKER
Do you mean put this?
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface
I haven't tried that yet; I usually do this in the GUI.
Also what does packet-tracer do? What IP should I use? My LAN?
This will add PAT translations for all inside hosts. You should put 2.2.2.0 255.255.255.0 instead of 192.168.0.0 255.255.255.0.
If it works, I will tell you how to add LAN2 also.
Packet tracer simulates the packet flow through the firewall, and it will show you where the packet is blocked.
Try with:
ciscoasa# packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80
ASKER
Can I add 0.0.0.0 0.0.0.0 instead of 2.2.2.0 255.255.255.0? I guess this adds all the LAN?
Does the firewall need to be connected to the internet to do packet-tracer?
You can try with 0.0.0.0/0.0.0.0. I will check if it is OK.
The firewall doesn't need to be connected to the internet, but the outside port should be up.
ASKER
Ok cool. sounds good.
I will check tomorrow morning and see how I go.
ASKER
By the way, what access list do I need to add?
I saw this config that you provided in that link:
ASA Version 9.1(1)
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.51.100.100 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 192.168.1.1 255.255.255.0
!
object network inside-subnet
subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
subnet 192.168.1.0 255.255.255.0
object network webserver
host 192.168.1.100
object network webserver-external-ip
host 198.51.100.101
object network dns-server
host 192.168.0.53
!
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network dmz-subnet
nat (dmz,outside) dynamic interface
object network webserver
nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
Is there something I need to do with the acl?
ASKER
Also with packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80
Does 2.2.2.2 need to be live (eg a PC with this address)? And also with 208.117.229.214, can this be any live WAN IP?
ASKER
Thanks for the info.
Do I need to add any static routes for other subnets to route?
ASKER
I've configured them and did a packet-trace; it all came through as success. However, I'm still not able to get to the internet. I can ping from the ASA, but not from a PC.
ASKER
This is my packet tracer result, and still not getting internet.
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 2.2.2.2/12345 to 1.1.1.1/12345
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic any interface description Inside-Subnet
Additional Information:
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6238, packet dispatched to next module
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
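To make the expert's point about packet-tracer ("it will show you where the packet is blocked") concrete against the trace posted above, here is an added example that is not code from the thread: a small Python parser that splits packet-tracer output into phases, finds the first phase whose Result is not ALLOW, and pulls out the NAT translation and final action. The ALLOW trace is abridged from the asker's own output; the DROP trace is constructed for illustration (an inside ACL with no permit, so the implicit deny fires) and its field names follow the same format as the real output.

```python
KNOWN_FIELDS = ("Type", "Subtype", "Result", "Action", "Drop-reason")
SECTIONS = ("Config", "Additional Information")

# Abridged from the trace the asker posted above: phases 1 to 3 and the final result.
ALLOW_TRACE = """
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 2.2.2.2/12345 to 1.1.1.1/12345

Result:
input-interface: Inside
output-interface: Outside
Action: allow
"""

# Constructed trace (not from the thread): the inside ACL has no matching permit, so the
# implicit deny drops the packet in phase 2. Phase 1 is the same route lookup as above, omitted.
DROP_TRACE = """
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase dicts plus the final Result block."""
    phases, result, current, section = [], {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "Config": [], "Additional Information": []}
            phases.append(current)
            section = None
        elif line == "Result:":            # the summary block at the end, not a per-phase verdict
            current, section = result, None
        elif current is None:              # banner text before the first phase
            continue
        else:
            key, colon, value = (s.strip() for s in line.partition(":"))
            if colon and key in SECTIONS and not value:
                section = key              # following lines belong to this section
            elif colon and key in KNOWN_FIELDS:
                current[key], section = value, None
            elif section is not None:
                current.setdefault(section, []).append(line)
            elif colon:
                current[key] = value       # input-interface, output-interface, ...
    return phases, result


def first_blocking_phase(phases):
    """The first phase that did not ALLOW the packet, or None if every phase allowed it."""
    for phase in phases:
        if phase.get("Result", "").upper() != "ALLOW":
            return phase
    return None


def summarize(text):
    """Condense a trace into the facts you check first: action, egress, NAT, and where it died."""
    phases, result = parse_packet_tracer(text)
    blocked = first_blocking_phase(phases)
    translations = [info for p in phases if p.get("Type") == "NAT"
                    for info in p["Additional Information"] if info.startswith("Dynamic translate")]
    return {
        "action": result.get("Action"),
        "egress": result.get("output-interface"),
        "translation": translations[0] if translations else None,
        "blocked_at": None if blocked is None else
            f"phase {blocked['phase']} {blocked.get('Type', '?')} {' '.join(blocked['Config'])}".strip(),
        "drop_reason": result.get("Drop-reason"),
    }


if __name__ == "__main__":
    print(summarize(ALLOW_TRACE))
    print(summarize(DROP_TRACE))
```

One caveat worth keeping in mind when reading an all-ALLOW result like the asker's: packet-tracer only simulates the direction you give it, here inside to outside. As the rest of the thread shows, the remaining problem was a missing static route on the L3 switch, which a trace from the ASA cannot reveal.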
ASKER
Ok, I'm able to resolve the internet connection.
How do I add the remaining subnets? I can't add another subnet under the object; it will replace it.
Instead of object network, create object-group network.
Here is how: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/acl_objects.html#wp1525264
object-group network inside-net
network-object 2.2.2.0 255.255.255.0
network-object 3.3.3.0 255.255.255.0
!
Replace all occurrences of the old object with this one.
ASKER
Ok thanks, I'll do that.
The problem I'm facing now is I can't get to LAN2 from the LAN1 switch, but I can get to LAN2 from the ASA.
I've set my LAN1 switch to route to the ASA (ip route 0.0.0.0 0.0.0.0 2.2.2.1).
Any ideas?
ASKER
I've added the object-group; however, it doesn't give me the option to add the nat (inside,outside) source dynamic interface.
Is there another way to do this?
So for NAT, the easiest way is as below (I will send you a later version with ACL):
object network inside-subnet
subnet 2.2.2.0 255.255.255.0
!
object network inside-subnet
nat (inside,outside) dynamic interface
!
object network inside-subnet2
subnet 3.3.3.0 255.255.255.0
!
object network inside-subnet2
nat (inside,outside) dynamic interface
!
Regarding routing, how is the LAN2 network connected to the firewall?
Where is the L3 interface in the LAN2 network (3.3.3.254) connected?
Regards!
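The two NAT approaches discussed in this thread (one object network per subnet, or an object-group holding several subnets) and the routing questions that follow them boil down to a checklist: a default route out of the outside interface, a NAT rule that covers every LAN subnet, and a route back to any subnet that sits behind the L3 switch rather than directly on the inside interface. Here is an added Python example, not code from the thread or from Cisco, that parses a running-config excerpt and applies those checks. The config is constructed to resemble this thread's addressing; the manual NAT line `nat (inside,outside) source dynamic branch-nets interface` is the standard ASA form for applying NAT to an object-group (the asker's phase 6 output shows the same form with `any`), and the third site 4.4.4.0/24, which has a route but no NAT rule, is hypothetical.

```python
import ipaddress

# Constructed running-config excerpt (not the asker's real config). Sub-commands are
# unindented, as they appear when pasted into a forum, so the parser keys off command
# words rather than indentation. 2.2.2.0/24 gets object NAT, 3.3.3.0/24 is NATed through
# an object-group plus a manual NAT line, and 4.4.4.0/24 has a route but no NAT rule.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
nameif outside
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
ip address 2.2.2.1 255.255.255.0
!
object network inside-subnet
subnet 2.2.2.0 255.255.255.0
nat (inside,outside) dynamic interface
!
object-group network branch-nets
network-object 3.3.3.0 255.255.255.0
!
nat (inside,outside) source dynamic branch-nets interface
!
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
route inside 3.3.3.0 255.255.255.0 2.2.2.254 1
route inside 4.4.4.0 255.255.255.0 2.2.2.254 1
"""


def parse_asa_config(text):
    """Collect interfaces, network objects/groups, object NAT, manual NAT and static routes."""
    cfg = {"interfaces": {}, "objects": {}, "groups": {}, "object_nat": {}, "manual_nat": [], "routes": []}
    ctx = None  # ("object" | "group" | "interface", name) for the block being read
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        head = " ".join(t[:2])
        if head == "object network":
            ctx = ("object", t[2]); cfg["objects"].setdefault(t[2], [])
        elif head == "object-group network":
            ctx = ("group", t[2]); cfg["groups"].setdefault(t[2], [])
        elif t[0] == "interface":
            ctx = ("interface", t[1]); cfg["interfaces"].setdefault(t[1], {})
        elif t[0] == "route":  # route IFACE NET MASK GATEWAY [metric]
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "nat" and "source" in t:  # manual (twice) NAT stands on its own
            cfg["manual_nat"].append(t)
        elif ctx and ctx[0] == "object":
            if t[0] == "subnet":
                cfg["objects"][ctx[1]].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
            elif t[0] == "host":
                cfg["objects"][ctx[1]].append(ipaddress.ip_network(t[1]))
            elif t[0] == "nat":  # object NAT hangs off the object itself
                cfg["object_nat"][ctx[1]] = t
        elif ctx and ctx[0] == "group" and t[0] == "network-object":
            if t[1] == "object":
                cfg["groups"][ctx[1]].append(("object", t[2]))
            elif t[1] == "host":
                cfg["groups"][ctx[1]].append(("net", ipaddress.ip_network(t[2])))
            else:
                cfg["groups"][ctx[1]].append(("net", ipaddress.ip_network(f"{t[1]}/{t[2]}")))
        elif ctx and ctx[0] == "interface":
            if t[0] == "nameif":
                cfg["interfaces"][ctx[1]]["nameif"] = t[1]
            elif head == "ip address":
                cfg["interfaces"][ctx[1]]["ip"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
    return cfg


def _expand(cfg, name):
    """Networks named by an object or object-group; 'any' means everything."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    nets = list(cfg["objects"].get(name, []))
    for kind, value in cfg["groups"].get(name, []):
        nets.extend(_expand(cfg, value) if kind == "object" else [value])
    return nets


def nat_covered_networks(cfg, inside="inside", outside="outside"):
    """Real (pre-translation) networks that have an inside-to-outside NAT rule of either form."""
    pair = f"({inside},{outside})"
    covered = [n for name, t in cfg["object_nat"].items() if t[1] == pair for n in cfg["objects"][name]]
    for t in cfg["manual_nat"]:
        if t[1] == pair:  # ... [after-auto] source dynamic REAL MAPPED ...
            covered.extend(_expand(cfg, t[t.index("source") + 2]))
    return covered


def audit_internet_access(cfg, lan_networks, inside="inside", outside="outside"):
    """Per LAN subnet: is it NATed towards the outside, and does the ASA know a path back to it?"""
    covered = nat_covered_networks(cfg, inside, outside)
    connected = [i["ip"].network for i in cfg["interfaces"].values() if "ip" in i]
    report = {"default_route": any(i == outside and d.prefixlen == 0 for i, d, _ in cfg["routes"])}
    for lan in lan_networks:
        net = ipaddress.ip_network(lan)
        report[str(net)] = {
            "nat": any(net.subnet_of(c) for c in covered),
            "route": any(net.subnet_of(c) for c in connected)
                     or any(i == inside and d.prefixlen and net.subnet_of(d) for i, d, _ in cfg["routes"]),
        }
    return report


if __name__ == "__main__":
    for key, value in audit_internet_access(parse_asa_config(SAMPLE_CONFIG),
                                            ["2.2.2.0/24", "3.3.3.0/24", "4.4.4.0/24"]).items():
        print(key, value)
```

Running it flags 4.4.4.0/24 as routed but not NATed, which is exactly the state the asker was in for LAN2 before adding a second NAT rule: traffic reaches the ASA, but leaves without translation and never gets a reply. The route check only covers the ASA's side; the return path on the L3 switch that fixed the last problem in this thread has to be verified on the switch itself.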
ASKER
Great thanks.
I've figured everything out.
All seems to be ok now. We had to put a static route on the L3 switch as well.
Yes. Sorry, I wasn't aware of your L3 network topology to advise that earlier.
Does the NAT work now?
ASKER
Yes, it's all working, thanks.
ASKER
Thanks for the info.
With your advice and right direction, I was able to figure it out.
1. Do you have static or dynamic Internet IPs?
2. What IP range do you want to use?
3. Do you need any connections from the Internet to a resource inside your network?