Configuring a simulation of the internet

I am trying to set up two Cisco ASA5506 firewalls for a client.  I'd like to configure and test them in my office such that they don't need any changes when put into the field.

I thought that I ought to be able to do this with two inexpensive routers between the ASAs.  I have mapped out what I think will work but wanted some input before I went down this path.

The general setup of the ASAs is that they will provide internet access from the LAN, a site-to-site VPN between them for non-internet traffic, and some port forwarding for remote access.  I'm not looking for configuration assistance with that (yet), but want to know if I can get the "simulated internet" correct.

My proposed configuration is as follows.  The WAN addresses are fictitious for this posting.  I'll use the proper ones from the ISPs on the real simulation and configuration.  I'll use crossover cables if needed between routers.

Keep in mind that the temporary routers will be standard home routers that won't have sophisticated capabilities.  I do expect them to support a DMZ and also static routing.

CiscoA (ASA at Site A)
LAN: 192.168.78.1/24
DHCP: 192.168.78.100-.199

WAN: 78.1.1.1/30
Gateway: 78.1.1.2
DNS: 4.2.2.2

Connect WAN port of CiscoA to WAN port of TempRouter1

TempRouter1:
WAN: 78.1.1.2/30
Gateway: 78.1.1.1
DNS: 4.2.2.2 (shouldn't matter)
DMZ: 10.10.10.2

LAN: 10.10.10.1/24
DHCP: off

Connect LAN port of TempRouter1 to LAN port of TempRouter2

TempRouter2:
LAN: 10.10.10.2/24
DHCP: off

WAN: 112.1.1.2/30
Gateway: 112.1.1.1
DMZ: 10.10.10.1

Connect WAN port of TempRouter2 to WAN port of CiscoB

CiscoB (ASA at Site B)
WAN: 112.1.1.1/30
Gateway: 112.1.1.2
DNS: 4.2.2.2

LAN: 192.168.112.1/24
DHCP: 192.168.112.100 - .199


I figure that if I connect a computer to the 10.10.10.x network (LAN side of the temporary routers) with the appropriate gateway, I can test remote access (through ASA port forwarding) to either site.  If I put a web server on the 10.10.10.x network then I can test internet access from either site (adjusting the gateway address on the web server accordingly).  I'm not concerned about testing access to the DNS.

Am I on the right track here?
The only tricky part is getting traffic coming in one temporary router's WAN port to be sent out the other temporary router's WAN port.  I figured that using the DMZ approach should suffice.  Would I be better off doing a static route on both of the temporary routers instead?
CompProbSolv asked:
Garry Glendown (Consulting and Network/Security Specialist) commented:
Actually, a single router would do, as long as you can configure two interfaces independently with appropriate IPs for the two locations ... assuming any low-end Cisco router, e.g. an 880 series, do something like:

! access ports for the two ASA WAN links
int fa1
  switchport access vlan 2

int fa2
  switchport access vlan 3

! one routed SVI per ASA /30, holding the "ISP gateway" address
int vlan 2
  ip address 78.1.1.2 255.255.255.252

int vlan 3
  ip address 112.1.1.2 255.255.255.252

No manual routes necessary (unless you have additional networks present on either of the ASAs), as both subnets are "connected". Then just hook up the two ASAs to the Fa1 and Fa2 and you're done.
The setup will probably even work on some low-end SOHO routers as long as you can configure forwarding without NAT on its ports. Use WAN for one end, LAN for the other, and provide the necessary IPs as fixed IPs.

Your setup should work, too, but you are still missing the routes for the two ASA networks on the opposing ends ...
CompProbSolv (Author) commented:
Thank you for the info.

I'm going to try a different path, but it was inspired by your comment.  I have better availability of computers than I do Cisco routers (and the SOHO ones I've got don't seem to let me disable NAT).  Your suggestion made me realize that I could likely do this more easily with a PC that has three network cards: one each for the different WAN IPs and another for a simulated "other" internet address.  I believe that this is basically what you were suggesting with the additional router.  I'll give a shot at that and report back.
Garry Glendown (Consulting and Network/Security Specialist) commented:
Setting up a PC is definitely simple, too ... e.g., just using a basic Linux installation would also be a breeze; Windows shouldn't be any harder, either ... just configure the LAN interfaces to the appropriate IPs and (in the case of Linux) enable forwarding (echo 1 >/proc/sys/net/ipv4/ip_forward), that should be all...
CompProbSolv (Author) commented:
I'm having problems with setting up a PC with three NICs to accomplish this.  I'll post details shortly.
CompProbSolv (Author) commented:
I have details now...
(Attached files document most of the details below)

I configured a Windows Vista Business 32-bit computer (call it "Fake Internet") with three NICs.  One connects to my LAN with an IP address of 192.168.50.200 and has the default gateway set to 192.168.50.1.  It has no problem getting to the internet.

The second NIC is configured with an IP address of 45.255.104.166 and a netmask of 255.255.255.252.  This is to mimic the ISP's gateway to which the first router will eventually connect.

I set up a third NIC, but that isn't relevant yet.  I have no cable connected to that card.

I then set up a laptop with a single NIC (and the wireless shut off).  The IP is set to 45.255.104.165, a netmask of 255.255.255.252, and a default gateway of 45.255.104.166.  This mimics how the first router will be configured.  I connected a cable between this NIC and the second one on the Fake Internet box.

From the laptop, I have no problem pinging the 45.255.104.166 NIC of the Fake Internet box.

Interesting note here: if this Network Connection on the Fake Internet box is set to "Private", I don't get replies.  I do get replies when it is set to "Public".  I'd have thought just the opposite would be the case.

I am also able to ping 45.255.104.165 (the laptop NIC) from the Fake Internet box.  So far, so good!

My problems appear to be with routing through the Fake Internet box.  I am not successful at pinging the other NIC at 192.168.50.200, the main router at 192.168.50.1, nor the internet at 4.2.2.2 from the laptop.

I ran a tracert from the laptop to 4.2.2.2 and it times out on every hop.  I would have thought that I'd get a reply from the first NIC on the Fake Internet box at 45.255.104.166 and no other replies (assuming a routing problem).

I've included the output of route print -4 for both computers in case that would help.  I'm not seeing any issues there.

My basic question is Why am I not getting to the internet from the laptop through the Fake Internet computer?

I've experimented with a number of different Route Add commands, but haven't made any progress with that.  Am I going down the wrong path trying to do this with Windows Vista?
Laptop.txt
FakeInternet.txt
Garry Glendown (Consulting and Network/Security Specialist) commented:
There are two possible (probable) pitfalls here ...
For one, by default, Windows (at least Workstation OSes) does not do IP forwarding ... that is, forwarding a packet received on one NIC will not happen if the destination is a second NIC or the network behind it ... you could try this how-to to enable the IP forwarding ... (I don't have any Vista boxes available to try it on.) For an old XP laptop, I used a third-party tool that took care of the forwarding and the second problem:
Windows also doesn't do NAT by default, either, so even if you have the IP forwarding enabled, packets would remain as they are. As long as you have all levels of the network up to the actual Internet gateway under control, that is fine, but you will have to ensure you have the appropriate routes set up. In your case, anything on the 192 network that you want to talk to from your 45..165 machine needs to have a route for that network pointing back to the 192..200 gateway.
Again, haven't tried, but here's another doc on how to enable NAT on Vista, which would convert any packets originating from the 45 network to the other NIC's IP address.
CompProbSolv (Author) commented:
Some improvement.... but still not there.

I found mention of the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
and changing the value of IPEnableRouter from 0 to 1.

After rebooting, the laptop can now ping any of the three NICs in the Fake Internet box.  Unfortunately, it goes no further.  For example, I can ping 192.168.50.200 (the NIC connected to my LAN), but not 192.168.50.1 (the router on my LAN).
CompProbSolv (Author) commented:
Thanks for the input.  I'll take a look at it and get back to you later.
Garry Glendown (Consulting and Network/Security Specialist) commented:
Have you configured a route for the 45 network on your router? It has to point towards the .200 IP of the Vista box ...
For debugging purposes, you could run Wireshark on the Vista box ...
CompProbSolv (Author) commented:
The first link was similar to what I found with regard to the IPEnableRouter value.  That got me closer, but not quite there.

The second link appeared to have nothing more than the typical setup where you have a static IP on the workstation with a private address.

I'm trying this over again with Windows 7.  I used Vista only because I had a machine with it all ready to go.  It looks as if I need to use RRAS to do this.
CompProbSolv (Author) commented:
Tried again with Windows 7 Ultimate, but still not quite there.

If I enable RRAS on the Fake Router I am able to ping all three NICs on the Fake Router from the laptop.  I'm not able to ping the internet (trying 4.2.2.2) or even the default gateway on my LAN.  There's something that I'm missing in the Fake Router that is allowing packets to go between NICs but not leave the box.

I tried the same registry setting for IPEnableRouter (and rebooted) and it didn't appear to make a difference.

The Fake Router has no problem pinging the internet.

I tried adding a route on the Fake Router to 4.2.2.2 with a netmask of 255.255.255.255, a gateway of 192.168.50.1, the interface 192.168.50.200, and a low or high metric.  Still no success.

Any other thoughts?
Garry Glendown (Consulting and Network/Security Specialist) commented:
The current Internet router needs a route to 45.255.104.166 (or .164/30) with GW 192.168.50.200!
CompProbSolv (Author) commented:
"current internet router": are you referring to the external one that actually connects to the internet?  I'm trying to get that routing to occur in the Fake Router before it ever gets on the cable that goes to the real one.
Garry Glendown (Consulting and Network/Security Specialist) commented:
You have two ways of getting the current setup to work. Either your fake router (the Windows box with the three interfaces) has to do NAT when trying to reach the Internet, or your Internet router has to have the return route for your test notebook ...
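The two routing points Garry makes in this thread, the static routes missing from the two-SOHO-router design (a DMZ host setting only redirects unsolicited inbound traffic aimed at the router's own WAN address; it installs no route) and the return-route-or-NAT choice for the three-NIC Windows box, can be traced hop by hop with a small model. This is an added example, not code from the original thread or from Cisco or Microsoft. The addresses are the ones posted above; the node names, the routing tables, the `203.0.113.0/24` public side of the office router, the assumption that the office router NATs its LAN behind `203.0.113.10`, the assumption that the two SOHO routers forward without NAT, and the one-flow-at-a-time NAT table are all my assumptions, not facts from the page.

```python
"""Hop-by-hop forwarding model of the "simulated internet" lab in this thread.
Added example, not code from the original post or any vendor. Addresses are the
ones quoted in the thread; 203.0.113.0/24 (the office router's real WAN side), the
node names, routing tables and NAT behaviour are my assumptions about what the
replies describe. Nothing here talks to a real device."""
from ipaddress import ip_address, ip_network


class Node:
    """Host or router: addresses, longest-prefix-match table, optional masquerade."""

    def __init__(self, name, addrs, forwarding=True):
        self.name = name
        self.addrs = {ip_address(a) for a in addrs}
        self.forwarding = forwarding  # False models Windows with IPEnableRouter=0
        self.routes = []              # (network, next hop or None, egress address)
        self.masq = None              # egress address whose outbound traffic is SNATed
        self.nat = {}                 # translated src -> original src (one flow at a time)

    def route(self, prefix, via=None, dev=None):
        self.routes.append((ip_network(prefix), ip_address(via) if via else None,
                            ip_address(dev) if dev else None))
        return self

    def lookup(self, dst):
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def send(net, node, src, dst, ttl=16):
    """Carry one packet from `node` towards `dst`.
    Returns (receiving node or None, path taken, source as the receiver saw it)."""
    path = [node.name]
    for _ in range(ttl):
        if dst in node.nat:                        # reply to a flow this box masqueraded
            dst = node.nat.pop(dst)
        if dst in node.addrs:
            return node, path, src
        if len(path) > 1 and not node.forwarding:  # transit packet on a non-router
            return None, path + ["dropped: forwarding disabled"], src
        hit = node.lookup(dst)
        if hit is None:
            return None, path + ["dropped: no route"], src
        _, via, dev = hit
        if node.masq is not None and dev == node.masq:
            node.nat[dev] = src                    # remember whom the reply belongs to
            src = dev
        nxt = dst if via is None else via          # connected route: next hop is dst
        if nxt not in net:
            return None, path + [f"dropped: next hop {nxt} not on the wire"], src
        node = net[nxt]
        path.append(node.name)
    return None, path + ["dropped: TTL exceeded (routing loop)"], src


def ping(host, src, dst, *nodes):
    """Echo request and reply across `nodes`. Any next hop that exists is assumed to
    be on the wire. Returns ('reply' | 'request lost' | 'reply lost', path)."""
    net = {a: n for n in nodes for a in n.addrs}   # address -> owner
    src, dst = ip_address(src), ip_address(dst)
    rcv, out, seen = send(net, host, src, dst)
    if rcv is None:
        return "request lost", out
    back_rcv, back, _ = send(net, rcv, dst, seen)
    return ("reply" if back_rcv is host else "reply lost"), out + back[1:]


def two_soho_routers(static_routes):
    """The questioner's two-router design; SOHO boxes assumed to forward without NAT,
    WAN gateways pointing back at the ASAs exactly as posted."""
    asa_a = Node("CiscoA", ["78.1.1.1"]).route("78.1.1.0/30").route("0.0.0.0/0", via="78.1.1.2")
    r1 = (Node("TempRouter1", ["78.1.1.2", "10.10.10.1"]).route("78.1.1.0/30")
          .route("10.10.10.0/24").route("0.0.0.0/0", via="78.1.1.1"))
    r2 = (Node("TempRouter2", ["10.10.10.2", "112.1.1.2"]).route("10.10.10.0/24")
          .route("112.1.1.0/30").route("0.0.0.0/0", via="112.1.1.1"))
    asa_b = Node("CiscoB", ["112.1.1.1"]).route("112.1.1.0/30").route("0.0.0.0/0", via="112.1.1.2")
    if static_routes:  # the routes Garry says are missing; a DMZ setting is not a route
        r1.route("112.1.1.0/30", via="10.10.10.2")
        r2.route("78.1.1.0/30", via="10.10.10.1")
    return ping(asa_a, "78.1.1.1", "112.1.1.1", asa_a, r1, r2, asa_b)


def fake_internet_pc(forwarding, return_route, masquerade):
    """Three-NIC Windows box. forwarding = IPEnableRouter/RRAS; return_route = Garry's
    45.255.104.164/30 via 192.168.50.200 on the office router; masquerade = NAT on the
    box's LAN side. The office router is a home router that always NATs behind 203.0.113.10."""
    laptop = Node("Laptop", ["45.255.104.165"], forwarding=False)
    laptop.route("45.255.104.164/30").route("0.0.0.0/0", via="45.255.104.166")
    pc = Node("FakeInternet", ["45.255.104.166", "192.168.50.200"], forwarding)
    pc.route("45.255.104.164/30").route("192.168.50.0/24", dev="192.168.50.200")
    pc.route("0.0.0.0/0", via="192.168.50.1", dev="192.168.50.200")
    pc.masq = ip_address("192.168.50.200") if masquerade else None
    office = Node("OfficeRouter", ["192.168.50.1", "203.0.113.10"])
    office.route("192.168.50.0/24").route("0.0.0.0/0", via="203.0.113.1", dev="203.0.113.10")
    office.masq = ip_address("203.0.113.10")
    if return_route:
        office.route("45.255.104.164/30", via="192.168.50.200")
    internet = Node("Internet", ["203.0.113.1", "4.2.2.2"]).route("203.0.113.0/24")
    return ping(laptop, "45.255.104.165", "4.2.2.2", laptop, pc, office, internet)
```

`two_soho_routers(False)` shows why the posted design loops: TempRouter1 has no route for 112.1.1.0/30, so its default gateway hands the packet back to CiscoA, whose default gateway is TempRouter1, until the TTL expires; with the two static routes the round trip completes. `fake_internet_pc(True, False, False)` shows the laptop's echo request reaching 4.2.2.2 and the reply dying: the office router de-NATs it to 45.255.104.165, has no route for that /30 other than its default, and sends it out to the real Internet. Either adding the return route on the office router or masquerading on the Windows box's 192.168.50.200 interface makes the reply come back.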
CompProbSolv (Author) commented:
I've made further progress on this and will report back shortly.
Question has a verified solution.