Setup and configure Cisco ASA 5512-x

Hi Guys

I'm setting up ASA 5512, and having trouble trying to get to the internet. I've got all the configuration entered correctly, but still no good. I've also added the ACL and NAT, I believe they are correct.

Can anyone with ASA knowledge assist with my configuration?

Thanks
Goraek
goraekAsked:

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
Could you provide the following information:

1. Do you have static or dynamic Internet IPs?
2. What IP range do you want to use?
3. Do you need any connections from the Internet to a resource inside your network?
0
FideliusCommented:
Do you have default route pointing to ISP?
Can you post your config (without passwords)?
0
goraekAuthor Commented:
Yes, we have static for internet. We have multiple sites connected to one site for internet access.
Yes there is a default route to the ISP.

I don't have the config as I'm not at work. I can get it tomorrow.

However is there a standard config I can use to get the internet working?
We are using ASA 9.1 with ASDM 7.1
0

goraekAuthor Commented:
More info

ISP IP: 1.1.1.1/24
ISP Gateway: 1.1.1.254

LAN1: 2.2.2.2/24
LAN1 Gateway: 2.2.2.254

LAN2: 3.3.3.3/24
LAN2 Gateway: 3.3.3.254

LAN1 = Main Site
LAN2 = Secondary Site

We are replacing an existing Firewall with the new ASA.

Basically, we want GigaEthernet 0/0 WAN and GigaEthernet 0/1 LAN1.

I hope that's enough info for now.
0
FideliusCommented:
Can you ping default gateway from ASA?
0
goraekAuthor Commented:
That's the thing, if I reboot the ASA it pings, but after that it stops pinging for some reason.

I've also followed this guide - http://www.techrepublic.com/forums/questions/how-do-i-configure-a-cisco-asa-5510-for-internet-access/

But the command is different to the new firmware version 9.1.
0
FideliusCommented:
Also try Packet Tracer to check where it fails. Something like this:
ciscoasa# packet-tracer input inside tcp 192.168.0.125 12345 203.0.113.1 80
0

goraekAuthor Commented:
Do you mean put this?

object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

I haven't tried that yet, I usually do this in the GUI.

Also what does packet-tracer do? What IP should I use? My LAN?
0
FideliusCommented:
This will add PAT translations for all inside hosts. You should put 2.2.2.0 255.255.255.0 instead of 192.168.0.0 255.255.255.0.
If it works, I will tell you how to add LAN2 also.

Packet tracer simulates packet flow through firewall, and it will show you where the packet is blocked.
Try with:
ciscoasa# packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80
0
goraekAuthor Commented:
Can I add 0.0.0.0 0.0.0.0 instead of 2.2.2.0 255.255.255.0? I guess this adds all the LAN?

Does the firewall need to be connected to the internet to do packet-tracer?
0
FideliusCommented:
You can try with 0.0.0.0/0.0.0.0. I will check if it is OK.

Firewall doesn't need to be connected to internet, but outside port should be up.
0
goraekAuthor Commented:
Ok cool. Sounds good.
I will check tomorrow morning and see how I go.
0
goraekAuthor Commented:
By the way, what access list do I need to add?

I saw this config that you provided in that link:

ASA Version 9.1(1)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.100 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network webserver-external-ip
 host 198.51.100.101
object network dns-server
 host 192.168.0.53

!
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

Is there something I need to do with the acl?
0
goraekAuthor Commented:
Also with packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80

Does 2.2.2.2 need to be live (eg a PC with this address)? And also with 208.117.229.214, can this be any live WAN IP?
0
FideliusCommented:
Regarding 0.0.0.0 0.0.0.0 it is better to restrict only to your inside networks, so you can do it like:
object network inside-subnet
 subnet 2.2.2.0 255.255.255.0
 subnet 3.3.3.0 255.255.255.0
!

Regarding the ACL, if you don't have any public services (web server, mail server, ...) inside your network, you don't need any ACL, as the ASA will block any attempt from outside to inside, except returning connections (as it is a stateful firewall).

Regarding packet-tracer:
No, 2.2.2.2 doesn't need to be alive. Only your interfaces on firewall must be up.
Yes, 208.117.229.214 can be any public IP. I used one of www.google.com's IPs just as an example.

Regards!
0
goraekAuthor Commented:
Thanks for the info.
Do I need to add any static routes for other subnets to route?
0
goraekAuthor Commented:
I've configured them, did a packet-trace, and all came through successfully. However I am still not able to get to the internet. I can ping from the ASA, but not from a PC.
0
goraekAuthor Commented:
This is my packet tracer result, and still not getting internet.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
 nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 2.2.2.2/12345 to 1.1.1.1/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic any interface description Inside-Subnet
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6238, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
0
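The trace above reaches FLOW-CREATION with every phase ALLOW, so the useful thing to automate is spotting the first non-ALLOW phase and confirming the NAT phase actually translated the inside host to the outside interface address. The following Python is an added example and not code from this thread; the two sample traces are constructed (SAMPLE_OK condenses the ALLOW trace posted above, and the deny ACL in SAMPLE_DROP is invented).

```python
import re
# Constructed samples: SAMPLE_OK condenses the ALLOW trace posted above; SAMPLE_DROP's deny ACL is invented.
SAMPLE_OK = """Phase: 3
Type: NAT
Result: ALLOW
Config:
object network inside-network
 nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 2.2.2.2/12345 to 1.1.1.1/12345

Result:
"""
SAMPLE_DROP = """Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-list Inside_access_in extended deny ip any any
Additional Information:
"""
def parse_phases(trace):
    """Split packet-tracer output into phases; the bare 'Result:' line ends them."""
    phases, current, section = [], None, None
    for line in map(str.rstrip, trace.splitlines()):
        if line.startswith("Phase:"):
            current = {"phase": int(line[6:]), "config": [], "info": []}
            phases.append(current)
            section = None
        elif line == "Result:":
            current = None  # final summary block, not a phase
        elif not line or current is None:
            continue
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section:
            current[section].append(line)
        else:  # Type:, Subtype:, Result: header fields
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return phases

def first_drop(phases):  # first phase whose Result is not ALLOW: where the ASA stops the packet
    return next((p for p in phases if p.get("result", "").upper() != "ALLOW"), None)

def nat_translation(phases):  # (original, translated) socket from the NAT phase
    info = "\n".join(ln for p in phases for ln in p["info"])
    m = re.search(r"Dynamic translate (\S+) to (\S+)", info)
    return m.groups() if m else None
```

An all-ALLOW trace with the expected translation, as in the post above, means the ASA policy is not the blocker, which shifts attention to routing on either side of the firewall.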
goraekAuthor Commented:
Ok, I'm able to resolve the internet connection.
How do I add the remaining subnets? I can't add another subnet under the object, it will replace it.
0
FideliusCommented:
Instead of object network, create object-group network.
Here is how: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/acl_objects.html#wp1525264

object-group network inside-net
  network-object 2.2.2.0 255.255.255.0
  network-object 3.3.3.0 255.255.255.0
!

Replace all occurrences of the old object with this one.
0
goraekAuthor Commented:
Ok thanks, I'll do that.

The problem I'm facing now is I can't get to LAN2 from the LAN1 switch, but I can get to LAN2 from the ASA.
I've set my LAN1 switch to route to the ASA (ip route 0.0.0.0 0.0.0.0 2.2.2.1).

Any ideas?
0
goraekAuthor Commented:
I've added the object-group, however it doesn't give me the option to add the nat (inside,outside) source dynamic interface

Is there another way to do this?
0
FideliusCommented:
So for NAT, the easiest way is as below (I will send you a later version with ACL):

object network inside-subnet
 subnet 2.2.2.0 255.255.255.0
!
object network inside-subnet
 nat (inside,outside) dynamic interface
!
object network inside-subnet2
 subnet 3.3.3.0 255.255.255.0
!
object network inside-subnet2
 nat (inside,outside) dynamic interface
!

Regarding routing, how is the LAN2 network connected to the firewall?
Where is the L3 interface in the LAN2 network (3.3.3.254) connected?

Regards!
0
goraekAuthor Commented:
Great thanks.

I've figured everything out.

All seems to be ok now. We had to put static route on the L3 switch as well.
0
FideliusCommented:
Yes. Sorry, I wasn't aware of your L3 network topology to advise that earlier.
Does the NAT work now?
0
goraekAuthor Commented:
Yes, it's all working, thanks.
0
goraekAuthor Commented:
Thanks for the info.
With your advice and right direction, I was able to figure it out.
0