Solved

Setup and configure Cisco ASA 5512-x

Posted on 2014-11-04
Last Modified: 2014-11-08
Hi Guys

I'm setting up ASA 5512, and having trouble trying to get to the internet. I've got all the configuration entered correctly, but still no good. I've also added the ACL and NAT, I believe they are correct.

Can anyone with ASA knowledge assist with my configuration?

Thanks
Goraek
Question by:goraek
28 Comments
 
LVL 24

Expert Comment

by:Mohammed Khawaja
ID: 40423402
Could you provide the following information:

1. Do you have static or dynamic Internet IPs
2. What IP range do you want to use
3. Do you need any connections from the Internet to a resource inside your network
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40423419
Do you have default route pointing to ISP?
Can you post your config (without passwords)?
0
 
LVL 2

Author Comment

by:goraek
ID: 40423423
Yes, we have static for internet. We have multiple sites connected to one site for internet access.
Yes there is a default route to the ISP.

I don't have the config as I'm not at work. I can get it tomorrow.

However is there a standard config I can use to get the internet working?
We are using ASA 9.1 with ASDM 7.1
0
 
LVL 2

Author Comment

by:goraek
ID: 40423429
More info

ISP IP: 1.1.1.1/24
ISP Gateway: 1.1.1.254

LAN1: 2.2.2.2/24
LAN1 Gateway: 2.2.2.254

LAN2: 3.3.3.3/24
LAN2 Gateway: 3.3.3.254

LAN1 = Main Site
LAN2 = Secondary Site

We are replacing an existing Firewall with the new ASA.

Basically, we want GigaEthernet 0/0 WAN and GigaEthernet 0/1 LAN1.

I hope that's enough info for now.
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40423430
Can you ping default gateway from ASA?
0
 
LVL 2

Author Comment

by:goraek
ID: 40423432
That's the thing, if I reboot the ASA it pings, but after that it stops pinging for some reason.

I've also followed this guide - http://www.techrepublic.com/forums/questions/how-do-i-configure-a-cisco-asa-5510-for-internet-access/

But the command is different to the new firmware version 9.1.
0
 
LVL 12

Assisted Solution

by:Fidelius
Fidelius earned 500 total points
ID: 40423436
0
 
LVL 12

Accepted Solution

by:
Fidelius earned 500 total points
ID: 40423439
Also try Packet Tracer to check where it fails. Something like this:
ciscoasa# packet-tracer input inside tcp 192.168.0.125 12345 203.0.113.1 80
0
 
LVL 2

Author Comment

by:goraek
ID: 40423651
Do you mean put this?

object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

I haven't tried that yet, I usually do this in the GUI.

Also what does packet-tracer do? What IP should I use? My LAN?
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40423665
This will add PAT translations for all inside hosts. You should put 2.2.2.0 255.255.255.0 instead of 192.168.0.0 255.255.255.0.
If it works, I will tell you how to add LAN2 also.

Packet tracer simulates packet flow through the firewall, and it will show you where the packet is blocked.
Try with:
ciscoasa# packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80
0
 
LVL 2

Author Comment

by:goraek
ID: 40423683
Can I add 0.0.0.0 0.0.0.0 instead of 2.2.2.0 255.255.255.0? I guess this adds all the LAN?

Does the firewall need to be connected to the internet to do packet-tracer?
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40423688
You can try with 0.0.0.0/0.0.0.0. I will check if it is OK.

Firewall doesn't need to be connected to the internet, but the outside port should be up.
0
 
LVL 2

Author Comment

by:goraek
ID: 40423703
Ok cool, sounds good.
I will check tomorrow morning and see how I go.
0
 
LVL 2

Author Comment

by:goraek
ID: 40423723
By the way, what access list do I need to add?

I saw this config that you provided in that link:

ASA Version 9.1(1)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.100 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network webserver-external-ip
 host 198.51.100.101
object network dns-server
 host 192.168.0.53

!
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

Is there something I need to do with the acl?
0
 
LVL 2

Author Comment

by:goraek
ID: 40423735
Also with packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80

Does 2.2.2.2 need to be live (eg a PC with this address)? And also with 208.117.229.214, can this be any live WAN IP?
0
 
LVL 12

Assisted Solution

by:Fidelius
Fidelius earned 500 total points
ID: 40423791
Regarding 0.0.0.0 0.0.0.0, it is better to restrict only to your inside networks, so you can do it like:
object network inside-subnet
 subnet 2.2.2.0 255.255.255.0
 subnet 3.3.3.0 255.255.255.0
!

Regarding ACL, if you don't have any public services (web server, mail server,...) inside your network, you don't need any ACL, as ASA will block any attempt from outside to inside, except returning connections (as it is a stateful firewall).

Regarding packet-tracer:
No, 2.2.2.2 doesn't need to be alive. Only your interfaces on firewall must be up.
Yes, 208.117.229.214 can be any public IP. I used one of www.google.com's IPs just as an example.

Regards!
0
 
LVL 2

Author Comment

by:goraek
ID: 40425122
Thanks for the info.
Do I need to add any static routes for other subnets to route?
0
 
LVL 2

Author Comment

by:goraek
ID: 40425208
I've configured them, did a packet-trace and all came through as success. However, I'm still not able to get to the internet. I can ping from the ASA, but not from a PC.
0
 
LVL 2

Author Comment

by:goraek
ID: 40425270
This is my packet tracer result, and still not getting internet.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
 nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 2.2.2.2/12345 to 1.1.1.1/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic any interface description Inside-Subnet
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6238, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
0
 
LVL 2

Author Comment

by:goraek
ID: 40425295
Ok, I'm able to resolve the internet connection.
How do I add the remaining subnets? I can't add another subnet under the object, it will replace it.
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40425335
Instead of object network, create object-group network.
Here is how: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/acl_objects.html#wp1525264

object-group network inside-net
  network-object 2.2.2.0 255.255.255.0
  network-object 3.3.3.0 255.255.255.0
!

Replace all occurrences of the old object with this one.
0
 
LVL 2

Author Comment

by:goraek
ID: 40425344
Ok thanks, I'll do that.

The problem I'm facing now is I can't get to LAN2 from the LAN1 switch, but I can get to LAN2 from the ASA.
I've set my LAN1 switch to route to the ASA (ip route 0.0.0.0 0.0.0.0 2.2.2.1).

Any ideas?
0
 
LVL 2

Author Comment

by:goraek
ID: 40425353
I've added the object-group, however it doesn't give me the option to add the nat (inside,outside) source dynamic interface.

Is there another way to do this?
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40425669
So for NAT, the easiest way is as below (I will send you a later version with ACL):

object network inside-subnet
 subnet 2.2.2.0 255.255.255.0
!
object network inside-subnet
 nat (inside,outside) dynamic interface
!
object network inside-subnet2
 subnet 3.3.3.0 255.255.255.0
!
object network inside-subnet2
 nat (inside,outside) dynamic interface
!

Regarding routing, how is the LAN2 network connected to the firewall?
Where is the L3 interface in the LAN2 network (3.3.3.254) connected?

Regards!
0
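Pulling the thread's pieces together, here is an added example (not the configuration posted by either participant) of a minimal ASA 9.1 build for the topology described above: 1.1.1.1/24 on outside, LAN1 2.2.2.0/24 directly on inside, LAN2 3.3.3.0/24 behind an L3 switch. It assumes the ASA inside address is 2.2.2.1 (the gateway the LAN1 switch was pointed at) and that the L3 switch is reachable at 2.2.2.254 as the next hop for LAN2; both values are assumptions, not from the thread.

```cisco
! Added example, not the thread's own config. Assumed: ASA inside IP is
! 2.2.2.1; the L3 switch carrying LAN2 is the next hop at 2.2.2.254.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
! One network object per inside subnet: a network object holds a single
! subnet, so LAN2 gets its own object instead of a second subnet line.
object network inside-subnet
 subnet 2.2.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network inside-subnet2
 subnet 3.3.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Default route toward the ISP gateway.
route outside 0.0.0.0 0.0.0.0 1.1.1.254 1
!
! Return path for LAN2: without this route the ASA would send replies for
! 3.3.3.0/24 out the default route on outside. The L3 switch needs its
! own default route back to 2.2.2.1 (the OP's "ip route 0.0.0.0 0.0.0.0").
route inside 3.3.3.0 255.255.255.0 2.2.2.254 1
!
! No inbound ACL on outside is needed when nothing is published: unsolicited
! outside-to-inside traffic is dropped and only the return half of
! inside-initiated connections is allowed through the state table.
!
! Verification from the CLI (any public destination works for the trace):
! packet-tracer input inside tcp 3.3.3.10 12345 208.117.229.214 80
! show nat detail
! show route
```

If the packet-tracer result is "allow" on the ASA but a PC still cannot reach the internet, check the PC's gateway and the L3 switch's default route before touching NAT again, since that is where the thread's remaining problem turned out to be.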
 
LVL 2

Author Comment

by:goraek
ID: 40425697
Great thanks.

I've figured everything out.

All seems to be ok now. We had to put a static route on the L3 switch as well.
0
 
LVL 12

Expert Comment

by:Fidelius
ID: 40425700
Yes. Sorry, I wasn't aware of your L3 network topology to advise that earlier.
Does the NAT work now?
0
 
LVL 2

Author Comment

by:goraek
ID: 40430937
Yes, it's all working, thanks.
0
 
LVL 2

Author Closing Comment

by:goraek
ID: 40430941
Thanks for the info.
With your advice and right direction, I was able to figure it out.
0
