How to configure ASA5505 with Netgear DM200 and BT Broadband.


I would like to set up my personal firewall directly to the Netgear DM200 ADSL Modem (in modem mode).

This would allow me to connect directly through VPN to my work ASA5510.


ADSL Phone line <-> ADSL filter/splitter <-> Netgear DM200 <-> ASA5505 <->BT HomeHub5

I have set the DM200 in modem mode with the username "", I don't know the password or the Authentication method "PAP or CHAP or MSCHAP"

The ASA is also asking for a VPDN group which I have no details for....

The DM200 is working because I can access the internet when connected to the LAN port when in Modem mode.


Ultimately I just want to securely VPN into my work ASA but it would be useful to implement the Firewall for all outgoing internet traffic instead of placing it behind the BT Homehub5 that I'm replacing.

I would really appreciate it if anybody could offer any advice or help.
Brian Edwards, Systems Engineer, Asked:

Mustafa Al Housami, Network and Security Consultant/CCIE #48377, Commented:
Hello, when you plug your PC directly to the modem, what type of IP addressing are you getting on your PC: static or DHCP? public or private?

To Mustafa's point, the info you received from BT will dictate whether the outside interface of the ASA should have a specific static IP or configured using dialer to get a dynamic IP.

Does your ASA5505 have/include the ADSL option, in which case you would not need the Netgear ADSL modem?

Not sure your workplace would appreciate your entire LAN systems having access to their network.
IMHO, they would usually like to limit access to a single system that has the requirement that NLA protection against system being exploited.....
Brian Edwards, Systems Engineer, Author Commented:
I have now set up the ASA 5505 to work with the DM200.
When I carry out a Packet tracer from within the ASDM gui I can ping from an outside interface as the source.

But when I select an inside interface as the source it fails, and then states....

Info:       (may-xlate-failed) NAT failed

Any help would be greatly appreciated.

I have the following setup:

Adsl filter (as standard) <--->Dm200(setup as modem/Router)<--->Cisco ASA5505<--->laptop (using either ASDM or CLI)

The DM200 is connected to the ASA using a /30 P2P link.

The inside VLAN is a subnet /24.

see whether you have inspect icmp and whether you are natting the inside and have requisite Access-list to handle the outgoing/returning ......

you effectively have a double NAT

ADSL <=> DM200 routed mode NAT <=> WAN CISCO ASA INSIDE <=> NAT<=>...

check ACLs on the Cisco to see what you authorize to leave the LAN and what you allow to come back.......
since you receive ping response from the outside, it sounds like inspect icmp is set.
the only possibility is your ACL from inside is not being allowed.

See if you ping the LAN side of the ASA from the LAN do you get a response?
i.e. ping 192.168.1.x ..
Mustafa Al Housami, Network and Security Consultant/CCIE #48377, Commented:
Post the output of the following commands:
Show run nat
Show run access-list
Show run access-group
Show run policy-map
Brian Edwards, Systems Engineer, Author Commented:
Hi Mustafa,

The outputs are below with comments.....

ciscoasa# show run nat
object network obj_any
 nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any pat-pool interface

Comment: I have a nat from inside to outside would I need one from outside to inside? (or would it remember it)

ciscoasa# show run access-list

Comment: I guess I need to set up an access list for the network objects?

ciscoasa# sho run access-group

Comment: ?

ciscoasa# sho run policy-map
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

Comment: I cannot see an INSPECT for ICMP......?

Hi Arnold,

I understand the double NAT reference, I wasn't successful in configuring the ASA when the DM200 was in modem-only mode.
I can ping the from the ASA outside interface ( but not the inside interface (

I see from the outputs I have provided above that there is a piece missing from the config that I need to do.

Any help would be very appreciated.

Many thanks
Brian Edwards, Systems Engineer, Author Commented:
Also Arnold, the inside interface isn't responding to pings either...
no response from a ping from  (host) to (ASA inside interface)
Mustafa Al Housami, Network and Security Consultant/CCIE #48377, Commented:
Add the following to your config:
policy-map global_policy
 class inspection_default
  inspect icmp

Then try to ping and see if it works.
If it does not work, please post the output of show run interface. No need for ACL if default security levels are used (100 for inside and 0 for outside).
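
An added example, not part of the thread or any poster's code: a small Python check that parses `show run policy-map` output and reports whether `inspect icmp` is present under `global_policy` / `inspection_default`. The sample text is abridged from the output posted above, and the function names are hypothetical.

```python
import re

# Abridged from the "show run policy-map" output posted in the thread.
POSTED = """\
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
  inspect ip-options
"""

def inspections(config, policy="global_policy", cls="inspection_default"):
    """Return the set of protocols inspected under the given policy-map/class."""
    found, in_policy, in_class = set(), False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # Top-level command starts a new block. Only the plain policy-map
            # counts, not "policy-map type inspect ..." parameter maps.
            in_policy = line.split() == ["policy-map", policy]
            in_class = False
        elif in_policy and line.startswith("class "):
            in_class = line.split()[1] == cls
        elif in_policy and in_class:
            m = re.match(r"inspect\s+(\S+)", line)
            if m:
                found.add(m.group(1))
    return found

def icmp_inspected(config):
    """True when ICMP is statefully inspected, so echo replies can return."""
    return "icmp" in inspections(config)

# The posted config with the line suggested in the thread appended.
FIXED = POSTED + "  inspect icmp\n"

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "icmp inspected:", icmp_inspected(cfg))
```
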

without inspect icmp on the ASA, it would not allow ICMP packets through its "internals" when using outside interface it is receiving an echo reply..... and this is why you can from the ASA ping out, but could not from the inside.
You could from the ASA ping any LAN device and receive a response from the workstations/systems on the LAN.
regarding when netgear operates as a modem/adapter/bridge, the issue might be that you need additional configuration as a dialer config on the ASA to provide credentials (username/password) before asserting a static IP or obtaining an IP via DHCP.

I.e. in bridge if the BT connection uses username/password to authenticate before they provide the ethernet feed.

Look at the netgear config and see whether it uses a username/password.
The other issue to check is whether the BT connection uses MAC address to authorize the use of the IP allocated to you.
Currently if that is in place, the MAC address of the Netgear is the one they have locked to the IP they allocate you. When you drop the Netgear into bridge mode, the MAC address of the ASA outside interface is seen by BT and it does not match as authorized and thus does not allow your ASA to either bring up the Static IP or receive an IP via DHCP request...

Best if you wish to try it again, to get all the requisite information from the provider by telling them your intent to operate the Netgear in bridge mode and what information needs to be provided to them to get this setup operational.

Some ASAs have an ADSL option as well, i.e. a port specific to ADSL, though it has been a while, so not sure whether the ADSL in use and the one on the ASA are of the same "era"