Setting up Dedicated Internet Access on ASA

I've been tasked to set up a dedicated Internet Access to a new service provider.  I've never done this before.  I have an ASA 5510 and I have the ASDM 6.2.  I have the information needed to do this; I just don't have the know-how.  This is a Site to Site VPN connection for the Internet access.
They gave me the following:
Network Address - I'm thinking that's my gateway. x.x.x.128/30
FN interface - I'm thinking this is the ISP address x.x.x.129/30
Customer Interface - I'm thinking this is my outside address x.x.x.130/30
There's a space I don't know what that is but it's x.x.x.16/30
And finally a range that is for my NATs: 17-30
No spanning tree and the MTU is 1546 with Link aggregation disabled.
Can someone point me to some documentation on how to program this?
WellingtonIS Asked:

Trent Smith Commented:
Are you changing providers or is the current provider updating your IP information?

Do you have a secondary internet connection?
WellingtonIS Author Commented:
We are changing providers.  We will still have our old provider but I have only one ASA.  So if I make the change it's changed.  The only other thing is I have 2 ASA one is a standby so I could configure one and then switch back if it doesn't work.
Trent Smith Commented:
My suggestion is don't change your main internet settings on the ASA.  Set up a secondary (failover) connection and get that up and running then migrate from one connection to the other.  

https://glazenbakje.wordpress.com/2010/08/03/cisco-asa-5510-isp-failover/

This will allow you to maintain the network in an up configuration until you verify that the secondary internet is up and running properly.
WellingtonIS Author Commented:
I have it set up like that.  I just need to know how to set up the new connection.
WellingtonIS Author Commented:
OK so basically I have to change the Outside address, the subnet mask and the gateway to make this function? I'm not sure if that's what I need to do.  Perhaps I'm not explaining this correctly.  Let me try again...
I have an ASA 5510 currently set up for internet access with a service provider.  We are switching Service Providers and they gave me the information as follows:
Network Address - I'm thinking that's my gateway. x.x.x.128/30
FN interface - I'm thinking this is the ISP address x.x.x.129/30
Customer Interface - I'm thinking this is my outside address x.x.x.130/30
There's a space I don't know what that is but it's x.x.x.16/30
And finally a range that is for my NATs: 17-30
No spanning tree and the MTU is 1546 with Link aggregation disabled.

I'm not sure if it's just a matter of changing the IPs on the ASA to connect to the new ISP.  Can someone point me in the right direction?
Trent Smith Commented:
If you are configured to send traffic to the WAN port instead of the IP address through the policies then yes simply updating the address information should be all that you need.
WellingtonIS Author Commented:
OK hopefully that's all I need to do. Thanks.
Trent Smith Commented:
Can you submit a copy of your config so I can look through it?  I just want to make sure you aren't referencing the IP address in any of your policies.  If you don't reference it other than in the port settings then you should have nothing to worry about.
WellingtonIS Author Commented:
I can.  Give me a little time.  Just don't want to publish the IPs, that's all.
Trent Smith Commented:
That is understandable.  You can look through it yourself and see if the IP is referenced or if the port is referenced.  If it is set up properly it should be set to the port instead of the IP.
WellingtonIS Author Commented:
Here's the config file from the ASA. I've blanked out the IPs and names.
Trent Smith Commented:
I don't see the config.  Can you re-attach it for me?
WellingtonIS Author Commented:
The file isn't attached.  Here's the file
C--Users-wrmrosnei-Desktop-configasa.txt
vallegd Commented:
Please do the following and reconfigure as necessary:

Network Address - I'm thinking that's my gateway. x.x.x.128/30  (This is not your gateway!! This is the Network)
FN interface - I'm thinking this is the ISP address x.x.x.129/30 (This is your gateway)
Customer Interface - I'm thinking this is my outside address x.x.x.130/30 (This is your Interface)


Address:   X.X.X.128
Netmask:   255.255.255.252 = 30
Wildcard:  0.0.0.3
=>
Network:     X.X.X.128/30
HostMin:     X.X.X.129 ----- YOUR GATEWAY
HostMax:     X.X.X.130 ----- IP CONFIGURED IN YOUR INTERFACE, THIS WILL BE USED FOR NAT
Broadcast:   X.X.X.131 ----- BROADCAST, YOU DON'T USE IT

ROUTE OUTSIDE 0.0.0.0 0.0.0.0 (NEXT HOP OUTSIDE INTERFACE)
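
The /30 breakdown in the answer above, worked through as an added example (not part of the original thread): it derives the four roles of the handoff block, flags a plan that configures the network or broadcast address (the .128 confusion that comes up in this thread), and shows that a NAT range of 17-30 fits a /28 rather than a /30. The addresses 203.0.113.128/30 and 198.51.100.17-30 are constructed stand-ins for the redacted x.x.x values, and the function names are hypothetical.

```python
import ipaddress

def describe_handoff(cidr):
    """Split a provider handoff block into the roles used in the answer above."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = list(net.hosts())
    return {
        "network": net.network_address,      # identifies the subnet, never configured
        "gateway": hosts[0],                 # HostMin: provider side, default-route next hop
        "interface": hosts[-1],              # HostMax: ASA outside interface
        "broadcast": net.broadcast_address,  # never configured
        "netmask": net.netmask,
    }

def covering_prefix(first, last):
    """Smallest network in which first..last are all usable host addresses."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for plen in range(30, 0, -1):
        net = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if net.network_address < first and last < net.broadcast_address:
            return net
    raise ValueError("no covering network found")

def check_plan(handoff, outside_ip, next_hop, nat_ips):
    """Return a list of addressing mistakes; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(handoff, strict=True)
    unusable = {net.network_address, net.broadcast_address}
    outside = ipaddress.ip_address(outside_ip)
    hop = ipaddress.ip_address(next_hop)
    problems = []
    if outside not in net or outside in unusable:
        problems.append(f"outside address {outside} is not a usable host in {net}")
    if hop not in net or hop in unusable:
        problems.append(f"next hop {hop} is not a usable host in {net}")
    if hop == outside:
        problems.append("default route points at the ASA's own outside address")
    for ip in map(ipaddress.ip_address, nat_ips):
        if ip in unusable:
            problems.append(f"NAT address {ip} is the network or broadcast address of {net}")
    return problems

if __name__ == "__main__":
    HANDOFF = "203.0.113.128/30"   # constructed stand-in for x.x.x.128/30
    for role, value in describe_handoff(HANDOFF).items():
        print(f"{role:10} {value}")
    print("NAT block:", covering_prefix("198.51.100.17", "198.51.100.30"))
    print(check_plan(HANDOFF, "203.0.113.130", "203.0.113.129", ["203.0.113.128"]))
```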

WellingtonIS Author Commented:
Wow thanks.  As soon as I finish my other projects I'll take care of this. Thanks!
WellingtonIS Author Commented:
Should I use that 128 address as the outside address of my ASA or is the 130 the outside address of the ASA?
vallegd Commented:
Yes, X.X.X.130 is the OUTSIDE interface.

x.x.x.128/29 is the network associated and controlling the IP range so this you would not touch or configure.
WellingtonIS Author Commented:
Please do not close this as I haven't been able to get to this as of yet.
WellingtonIS Author Commented:
I have the ASA setup but no internet access.  I've set the correct internal address - it's a temporary one
and I've set everything as follows:
HostMin:     X.X.X.129 ----- YOUR GATEWAY
HostMax:     X.X.X.130 ----- IP CONFIGURED IN YOUR INTERFACE, THIS WILL BE USED FOR OUTSIDE
129 is my gateway and 130 is my outside address.  I have a route 0.0.0.0 0.0.0.0 x.x.x.129.  I can't ping anything?

I found an access list
access-list inside_nat0_outbound extended permit ip inside range subnet x.x.x.192 x.x.x.240
access-list inside_nat0_outbound extended permit ip x.x.x.192 x.x.x.240 inside range subnet
I'm wondering if I have to change this to the gateway address?
WellingtonIS Author Commented:
Here's where I'm at: I CAN ping 8.8.8.8 from the router/ASA.  I have a laptop directly connected to the ASA.  I have the gateway set to the ASA IP and public DNS in my settings.  I can't ping the 129 address of the router/ASA or the 130 of the ASA.  I'm thinking something is missing?  And of course I can't get out to the internet.  I have the NAT set up to the outside 128 address too.  That was the mistake I was making.  I still can't get out on the laptop.
Trent Smith Commented:
Can you do a tracert from your laptop?  This will show us where you can get to.
WellingtonIS Author Commented:
OK here's where I'm at.  I am able to ping the gateway from the ASA now.  That issue was solved by direct connecting to the new ISP instead of going through the network.  The ASA was defaulting to the old ISP.  So now I'm able to ping everything from the ASA.  I'm connected to the ASA via a static IP using the ASA as my gateway.  I can't get out on my laptop.  My traceroutes are all *****.

I'm getting this error on the ASA: 10.10.10.150 (laptop ip) 52342 204.75.108.1 53 Through-the-device packet to/from management-only network is denied: udp src inside 10.10.10.150/52342 dst outside 204.74.108.1/53.  I think this is because I'm using the 10.10.10.151 which is the IP of the ASA and also management port.  Do I need to route and configure another gateway or is there a way around this just for testing?
WellingtonIS Author Commented:
These were the correct settings.  My issue was I had the filtering checked if my Websense appliance was down to stop all traffic.  When I allowed no filtering I had internet access.