How to configure ASA5505 with Netgear DM200 and BT Broadband.

Intro

I would like to setup my personal firewall directly to the Netgear DM200 ADSL Modem (in modem mode).

This would allow me to connect directly through VPN to my work ASA5510.

Setup

ADSL Phone line <-> ADSL filter/splitter <-> Netgear DM200 <-> ASA5505 <->BT HomeHub5

I have set the DM200 in modem mode with the username "bthomehub@btbroadband.com"; I don't know the password or the authentication method (PAP, CHAP or MSCHAP).

The ASA is also asking for a VPDN group, which I have no details for....

The DM200 is working because I can access the internet when connected to the LAN port when in modem mode.

Issue

Ultimately I just want to securely VPN into my work ASA, but it would be useful to implement the firewall for all outgoing internet traffic instead of placing it behind the BT HomeHub5 that I'm replacing.

I would really appreciate it if anybody could offer any advice or help.
Brian Edwards, Systems Engineer, asked:
Mustafa Al Housami, Network and Security Consultant / CCIE #48377, commented:
Add the following to your config:
policy-map global_policy
 class inspection_default
  inspect icmp

Then try to ping 8.8.8.8 and see if it works.
If it does not work, please post the output of show run interface. No need for an ACL if the default security levels are used (100 for inside and 0 for outside).
0
 
Mustafa Al Housami, Network and Security Consultant / CCIE #48377, commented:
Hello, when you plug your PC directly into the modem, what type of IP addressing are you getting on your PC: static or DHCP? Public or private?
0
 
arnold commented:
To Mustafa's point, the info you received from BT will dictate whether the outside interface of the ASA should have a specific static IP or be configured using a dialer to get a dynamic IP.

Does your ASA 5505 have/include the ADSL option, in which case you would not need the Netgear ADSL modem?

Not sure your workplace would appreciate your entire LAN systems having access to their network.
IMHO, they would usually like to limit access to a single system that has the requirement, with NLA protection against the system being exploited.....
1
 
Brian Edwards, Systems Engineer (Author), commented:
I have now set up the ASA 5505 to work with the DM200.
When I carry out a Packet tracer from within the ASDM gui I can ping 8.8.8.8 from an outside interface as the source.

But when I select an inside interface as the source, it fails and states:

Info:       (may-xlate-failed) NAT failed

Any help would be greatly appreciated.

I have the following setup:

ADSL filter (as standard) <---> DM200 (set up as modem/router) <---> Cisco ASA5505 <---> laptop (using either ASDM or CLI)

The DM200 is connected to the ASA using a 10.10.10.0 /30 P2P link.

The inside VLAN is a 192.168.1.0 subnet /24.
0
 
arnold commented:
See whether you have inspect icmp, whether you are NATting the inside, and whether you have the requisite access-list to handle the outgoing/returning ......


You effectively have a double NAT:

ADSL <=> DM200 routed mode NAT <=> WAN CISCO ASA INSIDE <=> NAT<=>...

Check ACLs on the Cisco to see what you authorize to leave the LAN and what you allow to come back.......
Since you receive a ping response from the outside, it sounds like inspect icmp is set.
The only possibility is that your ACL from inside is not being allowed.

See if you ping the LAN side of the ASA from the LAN; do you get a response?
i.e. ping 192.168.1.x ..
0
 
Mustafa Al Housami, Network and Security Consultant / CCIE #48377, commented:
Post the output of the following commands:
Show run nat
Show run access-list
Show run access-group
Show run policy-map
0
 
Brian Edwards, Systems Engineer (Author), commented:
Hi Mustafa,

The outputs are below with comments.....

ciscoasa# show run nat
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any pat-pool interface
!

Comment: I have a NAT from inside to outside; would I need one from outside to inside? (Or would it remember it?)

ciscoasa# show run access-list
!

Comment: I guess I need to set up an access list for the 192.168.1.0 network objects?

ciscoasa# sho run access-group
!

Comment: ?

ciscoasa# sho run policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!

Comment: I cannot see an INSPECT for ICMP......?



Hi Arnold,

I understand the double NAT reference; I wasn't successful in configuring the ASA when the DM200 was in modem-only mode.
I can ping the 8.8.8.8 from the ASA outside interface (10.10.10.2) but not the inside interface (192.168.1.2).

I see from the outputs I have provided above that there is a piece missing from the config that I need to do.

Any help would be very appreciated.

Many thanks
1
 
Brian Edwards, Systems Engineer (Author), commented:
Also, Arnold, the inside interface isn't responding to pings either,
i.e.
no response from a ping from 192.168.1.97 (host) to 192.168.1.1 (ASA inside interface).
0
 
arnold commented:
Without inspect icmp on the ASA, it would not allow ICMP packets through its "internals". When using the outside interface it is receiving an echo reply..... and this is why you can ping out from the ASA, but could not from the inside.
You could from the ASA ping any LAN device and receive a response from the workstations/systems on the LAN.
1
 
arnold commented:
Regarding when the Netgear operates as a modem/adapter/bridge: the issue might be that you need additional configuration, such as a dialer config on the ASA to provide credentials (username/password), before asserting a static IP or obtaining an IP via DHCP.

I.e. in bridge mode, if the BT connection uses a username/password to authenticate before they provide the Ethernet feed.

Look at the netgear config and see whether it uses a username/password.
The other issue to check is whether the BT connection uses the MAC address to authorize the use of the IP allocated to you.
Currently, if that is in place, the MAC address of the Netgear is the one they have locked to the IP they allocate you. When you drop the Netgear into bridge mode, the MAC address of the ASA outside interface is seen by BT; it does not match as authorized and thus does not allow your ASA to either bring up the static IP or receive an IP via DHCP request...

Best, if you wish to try it again, to get all the requisite information from the provider by telling them your intent to operate the Netgear in bridge mode and what information needs to be provided to them to get this setup operational..


Some ASAs have an ADSL option as well, i.e. a port specific to ADSL, though it has been a while, so I'm not sure whether the ADSL in use and the one on the ASA are of the same "era".
1
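Pulling the thread's pieces together, as an added example that is not any poster's configuration: an ASA 5505 outside VLAN running the PPPoE client against the DM200 in modem mode (the dialer/credential config arnold describes), the 192.168.1.0/24 inside VLAN from the thread, the dynamic PAT already in Brian's show run nat, and the inspect icmp Mustafa asked for. The VPDN group name BT-PPPOE, the choice of PAP, the password placeholder and the DM200 address 10.10.10.1 in the router-mode alternative are assumptions; BT has to confirm the real authentication method and password, as the question notes.

```cisco
! Added example, not any poster's running config. Assumptions: VPDN group
! name BT-PPPOE, PAP (BT must confirm PAP/CHAP/MSCHAP), password placeholder.
! Outside: PPPoE session to the DM200 while it is in modem (bridge) mode
vpdn group BT-PPPOE request dialout pppoe
vpdn group BT-PPPOE localname bthomehub@btbroadband.com
vpdn group BT-PPPOE ppp authentication pap
vpdn username bthomehub@btbroadband.com password <PASSWORD-FROM-BT>
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group BT-PPPOE
 ip address pppoe setroute
!
! Inside LAN from the thread (192.168.1.0/24, ASA inside address .1)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! PAT all inside hosts behind the outside interface address
! (same object/rule as in Brian's "show run nat" above)
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
! Stateful ICMP inspection: echo-replies for inside-originated pings are
! matched to their request, so no outside ACL opening ICMP is needed
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Explicitly allow LAN hosts to ping the ASA's own inside interface
icmp permit 192.168.1.0 255.255.255.0 inside
!
! Alternative if the DM200 stays in router mode on the 10.10.10.0/30 link
! (double NAT; DM200 assumed to be 10.10.10.1). Replace the Vlan2 lines:
! interface Vlan2
!  nameif outside
!  security-level 0
!  ip address 10.10.10.2 255.255.255.252
! route outside 0.0.0.0 0.0.0.0 10.10.10.1
```

With these in place, a packet-tracer from inside to 8.8.8.8 should clear the NAT phase instead of stopping at "may-xlate-failed"; if it still fails, show run interface and show nat will show which interface or rule the flow is missing.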