Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
Cisco ASA5506w-x first time setup
I have a cisco asa 5506 running version asdm 7.4 and asa 9.4. I am trying to set it for the first time and I'm not familiar at all with this. I can setup a basic router for a static WAN IP but have no clue on setup for this box. I have reset the box to factory defaults and have interfaced into the box on Ethernet1/2 "inside" on 192.168.1.1 and I am in the box using the ASDM. (Also I have verified the cable I am using does work for internet by setting up a router on the same static WAN to verify)
I am looking to setup this as a router replacing a home Linksys router. We have a Comcast box in passthrough/bridged.
1. How do I set ethernet1/1 for "outside" static WAN IP address given my ISP? I believe the Comcast box LAN ip is 10.1.10.1 so do I set the outside IP to 10.1.10.2 and use a static route or use the WAN IP (not actual IP) 50.200.200.251?
2. I guess once I have internet how do I do a basic port forwards like rdp 3389 to local LAN 192.168.1.11
I am looking to setup this as a router replacing a home Linksys router. We have a Comcast box in passthrough/bridged.
1. How do I set ethernet1/1 for "outside" static WAN IP address given my ISP? I believe the Comcast box LAN ip is 10.1.10.1 so do I set the outside IP to 10.1.10.2 and use a static route or use the WAN IP (not actual IP) 50.200.200.251?
2. I guess once I have internet how do I do a basic port forwards like rdp 3389 to local LAN 192.168.1.11
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
1. if youre comcast box is in bridge mode then you should be able to get youre wan addres at the ASA i dont know what they use. if it is an fixed ip. then you should also have documentation.
set youre external interface to security level 0
opion 1static ip address
and set youre static ip address. you alse need to add a rourte. from the outside to 0.0.0.0/0.0.0.0 and fill in the ip address of the gateway of youre provider.
option 2 normal dhcp
set youre wan interface ip address option to Obtain address via DHCP.
and click the box obtain default route using DHCP.
Option 3 use PPPoE
if you have to do authentication, this is normal in holland.
select option number 3 use PPPoE
youre provider should have give you all the information to authenticate.
fil in the form, Select the box Store username and password in local flash
then press the button IP Address and Route Setup.
some providers give you an static ip address, if so select the option box specify ip Address
and fill in the address. this is the same for youre route. is it a a dynamic one select the box Obtain default route using PPPoE, else you need to make a default 0.0.0.0/0.0.0.0 from the outside interface to the provided gateway from youre provider.
test if you have internet now.
2. Make a nat rule
go to firewall -> NAT Rules
create an address object of youre server. and dropdown the nat property
select type is dynamic if you have 1 ip address of static if you want to use an different external address. but i dont think you have more then 1 ip address.
in the box translated address browse for youre external interface, normaly called Outside.
press the advanced button. and select the source and destination interface. normaly inside and outside. select the protocol type tcp or udp. for you to have terminal services open at 3389 select tcp and real port and mapped port will be 3389.
now we only need to add an ACL to allow traffic from the outside to the inside.
add normal acl. source any, destination youre allready made address object of youre server. and services tcp/3389
if you have more questions, let me know
Benjamin
set youre external interface to security level 0
opion 1static ip address
and set youre static ip address. you alse need to add a rourte. from the outside to 0.0.0.0/0.0.0.0 and fill in the ip address of the gateway of youre provider.
option 2 normal dhcp
set youre wan interface ip address option to Obtain address via DHCP.
and click the box obtain default route using DHCP.
Option 3 use PPPoE
if you have to do authentication, this is normal in holland.
select option number 3 use PPPoE
youre provider should have give you all the information to authenticate.
fil in the form, Select the box Store username and password in local flash
then press the button IP Address and Route Setup.
some providers give you an static ip address, if so select the option box specify ip Address
and fill in the address. this is the same for youre route. is it a a dynamic one select the box Obtain default route using PPPoE, else you need to make a default 0.0.0.0/0.0.0.0 from the outside interface to the provided gateway from youre provider.
test if you have internet now.
2. Make a nat rule
go to firewall -> NAT Rules
create an address object of youre server. and dropdown the nat property
select type is dynamic if you have 1 ip address of static if you want to use an different external address. but i dont think you have more then 1 ip address.
in the box translated address browse for youre external interface, normaly called Outside.
press the advanced button. and select the source and destination interface. normaly inside and outside. select the protocol type tcp or udp. for you to have terminal services open at 3389 select tcp and real port and mapped port will be 3389.
now we only need to add an ACL to allow traffic from the outside to the inside.
add normal acl. source any, destination youre allready made address object of youre server. and services tcp/3389
if you have more questions, let me know
Benjamin
I'm not at the office anymore so i'll be sure to try this tomorrow.
I'm interested in "Option 1 static IP address" the most because I would like this to be our router.
I have set my external "outside" security to 0.
I think i remember reading what you are talking about, about setting a route it is just kind of foreign to me because i have never done it. I'll look into what you are talking about I think i might know how to now from playing around most of the day. (Was able to get option 2 to work, but still want to just use only option 1)
I'm interested in "Option 1 static IP address" the most because I would like this to be our router.
opion 1static ip address
and set youre static ip address. you alse need to add a rourte. from the outside to 0.0.0.0/0.0.0.0 and fill in the ip address of the gateway of youre provider.
I have set my external "outside" security to 0.
I think i remember reading what you are talking about, about setting a route it is just kind of foreign to me because i have never done it. I'll look into what you are talking about I think i might know how to now from playing around most of the day. (Was able to get option 2 to work, but still want to just use only option 1)
2. Make a nat ruleI'll need to see this because i have no looked at this part yet because it took me a good while to figure out on how just to get on the internet.
it al depends on what youre provider is giving to you ;) in holland we are lucky to have almost in every private house an optic connection up to 500/500 mbit with more then one ip
the routing part you can find in device setup -> Routing -> Static routing. and then just press the add button say interface outside, network 0.0.0.0/0.0.0.0 and then youre gateway ip and youre all set
let me know if you need more help
Benjamin
the routing part you can find in device setup -> Routing -> Static routing. and then just press the add button say interface outside, network 0.0.0.0/0.0.0.0 and then youre gateway ip and youre all set
let me know if you need more help
Benjamin
I swear I did all of what you said before, but now it works!
I tried then go add a firewall and create a "access rule" and seemingly I do not have internet access anymore. I tried to delete the rule I just setup and still can not get to the internet. I was unsure on how to do exactly what you were saying and found this page. http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77869-pix-remote-desktop-conn.html
I tried then go add a firewall and create a "access rule" and seemingly I do not have internet access anymore. I tried to delete the rule I just setup and still can not get to the internet. I was unsure on how to do exactly what you were saying and found this page. http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/77869-pix-remote-desktop-conn.html
I wouldn't suppose I could grab your help to remote into my PC to help me get the basic idea of what is going?
I reset my box back to factory using the CLI
1. ena
2. config t
3. config factory-default
4. reload save-config noconfirm
I ran back through the the device setup > launch setup wizard. And configured it again for how it had worked just a little bit ago with using a static wan IP and setting up a nat 0.0.0.0/0.0.0.0 (any) and used the gateway of the static IP, but not getting internet.
I reset my box back to factory using the CLI
1. ena
2. config t
3. config factory-default
4. reload save-config noconfirm
I ran back through the the device setup > launch setup wizard. And configured it again for how it had worked just a little bit ago with using a static wan IP and setting up a nat 0.0.0.0/0.0.0.0 (any) and used the gateway of the static IP, but not getting internet.
ok lets test some stuff.
from the asdm tools -> ping
and ping from this tool youre external IP, GW Ip and 8.8.8.8
let see how for you come.
from the asdm tools -> ping
and ping from this tool youre external IP, GW Ip and 8.8.8.8
let see how for you come.
oke let's do a factory reset
conf t
config factory-default {youre internal network addres}
do a write mem and reload.
don't do a restore of youre config
what kinda ip do you get from youre provider static/dhcp ? or are you still behind a nat ?
conf t
config factory-default {youre internal network addres}
do a write mem and reload.
don't do a restore of youre config
what kinda ip do you get from youre provider static/dhcp ? or are you still behind a nat ?
after factory reset let's do this
1. setup Outside interface.
device setup -> Interfaces
select interface
interface name Outside
check box interface enabled
select static ip
enter ip address and subnet mask
press ok button
2. make our default route
device setup -> Routing - Static Routes
Add new route like this
interface outside
network 0.0.0.0/0.0.0.0
gateway ip {youre provider gateway ip}
press ok button to save
3. add dynamic nat policy for lan to wan
go to Firewall -> Nat Rules
press the down arrow on the add button en select Add "network object" nat rule
Name {LAN Network}
type network
Ip address youre local network like 192.168.0.0
select correct Netmask
set the box Add Automatic Adress Transport Rules
type Dynamic PAT (Hide)
Translated addr: Outside
now test if you can ping youre provider gateway, and some public address like 8.8.8.8
if this works
add an Access control list to allow ping reply to come back
Firewall -> Access Rules
interface outside
action permit
source any
destination any
service icmp
now you should be able to ping 8.8.8.8 from youre client
last thing is dns. but try this first
1. setup Outside interface.
device setup -> Interfaces
select interface
interface name Outside
check box interface enabled
select static ip
enter ip address and subnet mask
press ok button
2. make our default route
device setup -> Routing - Static Routes
Add new route like this
interface outside
network 0.0.0.0/0.0.0.0
gateway ip {youre provider gateway ip}
press ok button to save
3. add dynamic nat policy for lan to wan
go to Firewall -> Nat Rules
press the down arrow on the add button en select Add "network object" nat rule
Name {LAN Network}
type network
Ip address youre local network like 192.168.0.0
select correct Netmask
set the box Add Automatic Adress Transport Rules
type Dynamic PAT (Hide)
Translated addr: Outside
now test if you can ping youre provider gateway, and some public address like 8.8.8.8
if this works
add an Access control list to allow ping reply to come back
Firewall -> Access Rules
interface outside
action permit
source any
destination any
service icmp
now you should be able to ping 8.8.8.8 from youre client
last thing is dns. but try this first
No, it did not work. I am sure that the IP for the static wan for my ISP is correct because I setup a home router and had to tested before plugging in the asa box.
I just realized that while we were configuring this we did not setup a DNS for the DHCP. Let me set a static IP on my notebook .
I am able to ping that gateway from a different PC on different network that has a different static IP.
send me info to my email benjamin@devosft.nl
because i have the feeling the problem is here
network address
broadcast address
and gateway address
because i have the feeling the problem is here
network address
broadcast address
and gateway address
Generating server: ------
benjamin@devosft.nl
#554 5.4.4 SMTPSEND.DNS.NonExistentDo
benjamin@devosft.nl
#554 5.4.4 SMTPSEND.DNS.NonExistentDo
Thanks for the detailed description and troubleshooting with me.
Also interesting to find out my ISP box arp table held onto a another device trying to use that same static IP when I flip between my home router and asa box and that would explain another reason why I was not able to get it to work at first.
Also interesting to find out my ISP box arp table held onto a another device trying to use that same static IP when I flip between my home router and asa box and that would explain another reason why I was not able to get it to work at first.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial