Cisco ASA5506w-x first time setup

I have a Cisco ASA 5506 running version ASDM 7.4 and ASA 9.4. I am trying to set it up for the first time and I'm not familiar at all with this. I can set up a basic router for a static WAN IP but have no clue on setup for this box. I have reset the box to factory defaults and have interfaced into the box on Ethernet1/2 "inside" on 192.168.1.1 and I am in the box using the ASDM. (Also, I have verified the cable I am using does work for internet by setting up a router on the same static WAN to verify.)

I am looking to set this up as a router replacing a home Linksys router. We have a Comcast box in passthrough/bridged.

1. How do I set ethernet1/1 for "outside" static WAN IP address given by my ISP? I believe the Comcast box LAN IP is 10.1.10.1, so do I set the outside IP to 10.1.10.2 and use a static route, or use the WAN IP (not actual IP) 50.200.200.251?

2. I guess once I have internet, how do I do a basic port forward like RDP 3389 to local LAN 192.168.1.11?
easyworks Asked:

Benjamin Van Ditmars Commented:
1. If your Comcast box is in bridge mode then you should be able to get your WAN address at the ASA. I don't know what they use. If it is a fixed IP, then you should also have documentation.

Set your external interface to security level 0.

Option 1: static IP address

Set your static IP address. You also need to add a route from the outside to 0.0.0.0/0.0.0.0 and fill in the IP address of the gateway of your provider.

Option 2: normal DHCP

Set your WAN interface IP address option to Obtain address via DHCP
and click the box Obtain default route using DHCP.

Option 3: use PPPoE

If you have to do authentication, this is normal in Holland.
Select option number 3, use PPPoE.
Your provider should have given you all the information to authenticate.
Fill in the form and select the box Store username and password in local flash,

then press the button IP Address and Route Setup.

Some providers give you a static IP address; if so, select the option box Specify IP Address
and fill in the address. This is the same for your route. If it is a dynamic one, select the box Obtain default route using PPPoE, else you need to make a default 0.0.0.0/0.0.0.0 from the outside interface to the provided gateway from your provider.

Test if you have internet now.

2. Make a NAT rule

Go to Firewall -> NAT Rules

Create an address object of your server and drop down the NAT property.
Select type dynamic if you have 1 IP address, or static if you want to use a different external address. But I don't think you have more than 1 IP address.
In the box Translated Address browse for your external interface, normally called Outside.
Press the Advanced button and select the source and destination interface, normally inside and outside. Select the protocol type tcp or udp. For you to have terminal services open at 3389, select tcp, and real port and mapped port will be 3389.

Now we only need to add an ACL to allow traffic from the outside to the inside.
Add a normal ACL: source any, destination your already made address object of your server, and services tcp/3389.

If you have more questions, let me know

Benjamin
0

easyworks Author Commented:
I'm not at the office anymore so I'll be sure to try this tomorrow.

I'm interested in "Option 1 static IP address" the most because I would like this to be our router.

"Option 1: static IP address

Set your static IP address. You also need to add a route from the outside to 0.0.0.0/0.0.0.0 and fill in the IP address of the gateway of your provider."

I have set my external "outside" security to 0.

I think I remember reading what you are talking about, about setting a route. It is just kind of foreign to me because I have never done it. I'll look into what you are talking about. I think I might know how to now from playing around most of the day. (Was able to get option 2 to work, but still want to just use only option 1.)

"2. Make a NAT rule"
I'll need to see this because I have not looked at this part yet, because it took me a good while to figure out how just to get on the internet.
0
Benjamin Van Ditmars Commented:
It all depends on what your provider is giving to you ;) In Holland we are lucky to have in almost every private house an optic connection up to 500/500 Mbit with more than one IP.

The routing part you can find in Device Setup -> Routing -> Static Routing. Then just press the Add button, say interface outside, network 0.0.0.0/0.0.0.0 and then your gateway IP, and you're all set.

Let me know if you need more help

Benjamin
0
easyworks Author Commented:
I swear I did all of what you said before, but now it works!

I then tried to go add a firewall and create an "access rule", and seemingly I do not have internet access anymore. I tried to delete the rule I just set up and still cannot get to the internet. I was unsure how to do exactly what you were saying and found this page: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77869-pix-remote-desktop-conn.html
0
easyworks Author Commented:
I wouldn't suppose I could grab your help to remote into my PC to help me get the basic idea of what is going on?

I reset my box back to factory using the CLI
1. ena
2. config t
3. config factory-default
4. reload save-config noconfirm

I ran back through the Device Setup > Launch Setup Wizard and configured it again for how it had worked just a little bit ago, using a static WAN IP and setting up a nat 0.0.0.0/0.0.0.0 (any) and used the gateway of the static IP, but I am not getting internet.
0
Benjamin Van Ditmars Commented:
OK, let's test some stuff.
From the ASDM: Tools -> Ping,
and ping from this tool your external IP, GW IP and 8.8.8.8.

Let's see how far you come.
0
Benjamin Van Ditmars Commented:
OK, let's do a factory reset

conf t
config factory-default {your internal network address}
Do a write mem and reload.
Don't do a restore of your config.

What kind of IP do you get from your provider, static/DHCP? Or are you still behind a NAT?
0
easyworks Author Commented:
No I am not able to ping 8.8.8.8
0
easyworks Author Commented:
I get a static IP I am not behind a NAT.
0
Benjamin Van Ditmars Commented:
OK, can you ping your gateway?
0
easyworks Author Commented:
I just did what you said and waiting for it to reload now.
0
easyworks Author Commented:
The gateway meaning the ASA box? If so then yes.
0
easyworks Author Commented:
Do you use Skype? If so, I am willing to PayPal you some money as compensation for your time.
0
Benjamin Van Ditmars Commented:
After the factory reset let's do this

1. Set up the Outside interface.
Device Setup -> Interfaces

select interface
interface name Outside
check box interface enabled
select static IP
enter IP address and subnet mask

press OK button

2. Make our default route
Device Setup -> Routing -> Static Routes
Add new route like this

interface outside
network 0.0.0.0/0.0.0.0
gateway IP {your provider gateway IP}

press OK button to save

3. Add dynamic NAT policy for LAN to WAN

Go to Firewall -> NAT Rules

Press the down arrow on the Add button and select Add "network object" NAT rule

Name {LAN Network}
type network
IP address: your local network, like 192.168.0.0
select correct netmask

set the box Add Automatic Address Transport Rules
type Dynamic PAT (Hide)
Translated addr: Outside


Now test if you can ping your provider gateway, and some public address like 8.8.8.8

If this works

add an access control list to allow ping replies to come back

Firewall -> Access Rules

interface outside

action permit
source any
destination any
service icmp

Now you should be able to ping 8.8.8.8 from your client

Last thing is DNS, but try this first
0
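The ASDM steps from the two walkthroughs above (static outside address, default route, dynamic PAT, and the RDP port forward with its access rule), written as the equivalent ASA 9.x CLI. This is an added example, not part of any post in the thread: 203.0.113.0/28 and 198.51.100.0/24 are placeholder ranges, the object and ACL names are illustrative, and the inbound rule is scoped to a placeholder admin network instead of "any".

```cisco
! Added example. All public addresses are constructed placeholders.
! On the 5506-X the first port is GigabitEthernet1/1 (factory default "outside").
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
 no shutdown
!
! Default route. The gateway must be a host address inside the same /28
! as the outside interface (not the network or broadcast address).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Dynamic PAT (hide): LAN clients share the outside interface address.
object network LAN-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static port forward: outside interface tcp/3389 -> 192.168.1.11 tcp/3389.
object network RDP-SERVER
 host 192.168.1.11
 nat (inside,outside) static interface service tcp 3389 3389
!
! Since ASA 8.3 the outside ACL matches the real (inside) address.
! Source is limited to a placeholder admin network rather than any.
access-list outside_access_in extended permit tcp 198.51.100.0 255.255.255.0 object RDP-SERVER eq 3389
access-group outside_access_in in interface outside
!
! Stateful ICMP inspection lets replies to inside-initiated pings return,
! as an alternative to an inbound "permit icmp any any" rule on outside.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification, run from privileged EXEC (not configuration mode):
!   show interface ip brief
!   show route
!   ping outside 203.0.113.1
!   show xlate
!   packet-tracer input outside tcp 198.51.100.10 50000 203.0.113.2 3389
```

If the gateway ping fails with a correct address and mask, the upstream device may still hold an ARP entry for another device that previously used the same static IP, which is what the asker reports finding at the end of this thread.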
Benjamin Van Ditmars Commented:
No need to send some money, this forum is all about IT people helping each other :)
0
easyworks Author Commented:
No, it did not work. I am sure that the IP for the static WAN for my ISP is correct because I set up a home router and had it tested before plugging in the ASA box.
0
easyworks Author Commented:
I just realized that while we were configuring this we did not set up a DNS for the DHCP. Let me set a static IP on my notebook.
0
Benjamin Van Ditmars Commented:
Do you get a reply from your provider gateway IP?
0
easyworks Author Commented:
Still not working :(
0
easyworks Author Commented:
No, I do not. 50.199.---.--- request timed out.
0
easyworks Author Commented:
I am able to ping that gateway from a different PC on a different network that has a different static IP.
0
Benjamin Van Ditmars Commented:
Hmm,

what is your subnet mask at the Outside interface?
0
easyworks Author Commented:
255.255.255.240
0
Benjamin Van Ditmars Commented:
Send me info to my email benjamin@devosft.nl

because I have the feeling the problem is here:

network address
broadcast address
and gateway address
0
easyworks Author Commented:
Generating server: ------

benjamin@devosft.nl
 #554 5.4.4 SMTPSEND.DNS.NonExistentDomain; nonexistent domain ##
0
easyworks Author Commented:
benjamin@devsoft.nl
0
easyworks Author Commented:
Thanks for the detailed description and troubleshooting with me.

Also interesting to find out my ISP box ARP table held onto another device trying to use that same static IP when I flipped between my home router and the ASA box, and that would explain another reason why I was not able to get it to work at first.
0
Question has a verified solution.