goraek asked:
Setup and configure Cisco ASA 5512-x

Hi Guys

I'm setting up ASA 5512, and having trouble trying to get to the internet. I've got all the configuration entered correctly, but still no good. I've also added the ACL and NAT, I believe they are correct.

Can anyone with ASA knowledge assist with my configuration?

Thanks
Goraek
Mohammed Khawaja:

Could you provide the following information:

1. Do you have static or dynamic Internet IPs?
2. What IP range do you want to use?
3. Do you need any connections from the Internet to a resource inside your network?
Do you have a default route pointing to the ISP?
Can you post your config (without passwords)?
goraek (asker):
Yes, we have static for internet. We have multiple sites connected to one site for internet access.
Yes, there is a default route to the ISP.

I don't have the config as I'm not at work. I can get it tomorrow.

However, is there a standard config I can use to get the internet working?
We are using ASA 9.1 with ASDM 7.1.
goraek (asker):
More info

ISP IP: 1.1.1.1/24
ISP Gateway: 1.1.1.254

LAN1: 2.2.2.2/24
LAN1 Gateway: 2.2.2.254

LAN2: 3.3.3.3/24
LAN2 Gateway: 3.3.3.254

LAN1 = Main Site
LAN2 = Secondary Site

We are replacing an existing Firewall with the new ASA.

Basically, we want GigaEthernet 0/0 WAN and GigaEthernet 0/1 LAN1.

I hope that's enough info for now.
Can you ping the default gateway from the ASA?
goraek (asker):
That's the thing, if I reboot the ASA it pings, but after that it stops pinging for some reason.

I've also followed this guide - http://www.techrepublic.com/forums/questions/how-do-i-configure-a-cisco-asa-5510-for-internet-access/

But the command is different to the new firmware version 9.1.
SOLUTION (Fidelius)
[solution text not available]
ASKER CERTIFIED SOLUTION
[solution text not available]
goraek (asker):
Do you mean put this?

object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

I haven't tried that yet, I usually do this in the GUI.

Also what does packet-tracer do? What IP should I use? My LAN?
This will add PAT translations for all inside hosts. You should put 2.2.2.0 255.255.255.0 instead of 192.168.0.0 255.255.255.0.
If it works, I will tell you how to add LAN2 also.

Packet tracer simulates packet flow through the firewall, and it will show you where the packet is blocked.
Try with:
ciscoasa# packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80
goraek (asker):
Can I add 0.0.0.0 0.0.0.0 instead of 2.2.2.0 255.255.255.0? I guess this adds all the LAN?

Does the firewall need to be connected to the internet to do packet-tracer?
You can try with 0.0.0.0/0.0.0.0. I will check if it is OK.

The firewall doesn't need to be connected to the internet, but the outside port should be up.
goraek (asker):
OK cool, sounds good.
I will check tomorrow morning and see how I go.
goraek (asker):
By the way, what access list do I need to add?

I saw this config that you provided in that link:

ASA Version 9.1(1)
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.100 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
object network inside-subnet
 subnet 192.168.0.0 255.255.255.0
object network dmz-subnet
 subnet 192.168.1.0 255.255.255.0
object network webserver
 host 192.168.1.100
object network webserver-external-ip
 host 198.51.100.101
object network dns-server
 host 192.168.0.53

!
access-list outside_acl extended permit tcp any object webserver eq www
access-list dmz_acl extended permit udp any object dns-server eq domain
access-list dmz_acl extended deny ip any object inside-subnet
access-list dmz_acl extended permit ip any any
!
object network inside-subnet
 nat (inside,outside) dynamic interface
object network dmz-subnet
 nat (dmz,outside) dynamic interface
object network webserver
 nat (dmz,outside) static webserver-external-ip service tcp www www
access-group outside_acl in interface outside
access-group dmz_acl in interface dmz
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

Is there something I need to do with the acl?
goraek (asker):
Also with packet-tracer input inside tcp 2.2.2.2 12345 208.117.229.214 80

Does 2.2.2.2 need to be live (eg a PC with this address)? And also with 208.117.229.214, can this be any live WAN IP?
SOLUTION
[solution text not available]
goraek (asker):
Thanks for the info.
Do I need to add any static routes for other subnets to route?
goraek (asker):
I've configured them and did a packet-trace; all came through as success. However, I'm still not able to get to the internet. I can ping from the ASA, but not from a PC.
goraek (asker):
This is my packet tracer result, and still not getting internet.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside-network
 nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 2.2.2.2/12345 to 1.1.1.1/12345

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) after-auto source dynamic any interface description Inside-Subnet
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6238, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
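Long packet-tracer output like the trace above is easy to misread, so here is an added Python helper (example code written for this edit, not from the thread or from Cisco) that splits a trace into its phases and reports the first phase whose Result is DROP, along with the final Action and Drop-reason. The embedded sample is constructed to show a drop by the Inside_access_in ACL named above; the allowed trace posted above parses the same way.

```python
# Added example, not from the thread. The sample trace below is constructed to
# show an ACL drop (the ACL name is the one posted above); not captured from a device.
DROPPED_TRACE = """Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group Inside_access_in in interface Inside
Additional Information:

Result:
input-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into (phases, final): phases is a list of dicts
    {num, type, subtype, result, config, info}; final is the trailing Result block."""
    phases, final, cur, sect = [], {}, None, None
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith("Phase:"):
            cur = {"num": int(line[6:]), "type": "", "subtype": "", "result": "",
                   "config": [], "info": []}
            phases.append(cur)
        elif line == "Result:":                  # a bare 'Result:' opens the summary
            cur, sect = None, "final"
        elif sect == "final" and ":" in line:
            key, val = line.split(":", 1)
            final[key.strip()] = val.strip()
        elif not cur or not line:                # outside a phase, or blank separator
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, val = line.split(":", 1)
            cur[key.lower()] = val.strip()
        elif line.startswith(("Config:", "Additional Information:")):
            sect = "config" if line[0] == "C" else "info"
        elif sect:
            cur[sect].append(line)
    return phases, final

def summarize(text):
    """Verdict, first dropping phase (number, type, config lines) and NAT details."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    return {"action": final.get("Action"), "reason": final.get("Drop-reason"),
            "drop_phase": (drop["num"], drop["type"], drop["config"]) if drop else None,
            "nat": [i for p in phases if p["type"] == "NAT" for i in p["info"]]}
```

Paste a real trace into `summarize()` and the returned `drop_phase` tells you which phase and which rule stopped the packet, while `nat` lists the translation the firewall chose.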
goraek (asker):
Ok, I'm able to resolve the internet connection.
How do I add the remaining subnets? I can't add another subnet under the object, it will replace it.
Instead of object network, create object-group network.
Here is how: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/acl_objects.html#wp1525264

object-group network inside-net
  network-object 2.2.2.0 255.255.255.0
  network-object 3.3.3.0 255.255.255.0
!

Replace all occurrences of the old object with this one.
goraek (asker):
OK, thanks, I'll do that.

The problem I'm facing now is I can't get to LAN2 from the LAN1 switch, but I can get to LAN2 from the ASA.
I've set my LAN1 switch to route to the ASA (ip route 0.0.0.0 0.0.0.0 2.2.2.1).

Any ideas?
goraek (asker):
I've added the object-group, however it doesn't give me the option to add the nat (inside,outside) source dynamic interface.

Is there another way to do this?
So for NAT, the easiest way is as below (I will send you a later version with ACL):

object network inside-subnet
 subnet 2.2.2.0 255.255.255.0
!
object network inside-subnet
 nat (inside,outside) dynamic interface
!
object network inside-subnet2
 subnet 3.3.3.0 255.255.255.0
!
object network inside-subnet2
 nat (inside,outside) dynamic interface
!

Regarding routing, how is the LAN2 network connected to the firewall?
Where is the L3 interface in the LAN2 network (3.3.3.254) connected?

Regards!
goraek (asker):
Great thanks.

I've figured everything out.

All seems to be ok now. We had to put static route on the L3 switch as well.
Yes. Sorry, I wasn't aware of your L3 network topology to advise that earlier.
Does the NAT work now?
goraek (asker):
Yes, it's all working, thanks.
goraek (asker):
Thanks for the info.
With your advice and right direction, I was able to figure it out.