Cisco ASA 5510 and TWC Telecom Ethernet WAN Handoff Routing Configuration

Answered Question
Sep 9th, 2010

We have an Ethernet Circuit from TWC Telecom (no router provided, simply an ethernet port 100mb pipe)

We have a Cisco ASA 5510 4 ports.  Do we need a router is question? If not how would one configure this? I'm confused because we have it working but don't understand how to be able to use our public range of addresses 64.XX2.225.130 thru 64.XX2.225.158 .

Below is what was provided by TWC Telecom XX=Privacy:

Assigned Address Space - Routed IP'sExternal Interfaces
WAN Ethernet:  207.XX.103.90
Subnet Mask: 255.255.255.252
This will be the  interface that directly connects to the tw telecom circuit
Default  Route for Router: 207.XX.103.89
This will be the path that all of your internet traffic takes to get out  to the internet.

Internal Interfaces

Assigned LAN Netblock:  64.XX2.225.128
Subnet Mask: 255.255.255.224
LAN Ethernet usable  IP's: 64.XX2.225.130 thru 64.XX2.225.158
You can use this on your LAN (PC, Workstation, Firewall, etc)
Default  Gateway for LAN Netblock: 64.XX2.225.129
This will be the IP that  all devices use as a default route or gateway for your LAN back to the  router.

We are wanting your typical private network and DMZ.

Current show run:

ASA Version 7.0(6)
!
hostname XXXXXXXXXXXXX
domain-name XXXXXXXXXXXXXX
enable  password XXXXXXXXXXXXXXXX encrypted
names
dns-guard
!
interface  Ethernet0/0
nameif outside
security-level 0
ip address  207.XX.103.90 255.255.255.252
!
interface Ethernet0/1
nameif  inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip  address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no  nameif
no security-level
no ip address
!
interface  Management0/0
  shutdown
no nameif
no security-level
no  ip address
!
passwd XXXXXXXXXXXXXXXXX encrypted
ftp mode passive
access-list  inbound remark ** Inbound Filters **
access-list inbound remark --  Terminal Server Access --
access-list inbound extended permit tcp  any host 64.XX2.225.130 eq 3389
access-list inbound extended permit  tcp any host 64.XX2.225.130
access-list inbound extended permit tcp  any host 64.XX2.225.130 eq ssh
access-list inbound extended permit  icmp any any
access-list inbound extended permit tcp any host  174.XX3.211.10 eq 3389
access-list inbound extended permit tcp any  host 174.XX3.211.10 eq ssh
access-list inbound extended permit tcp  any host 174.XX3.211.10
access-list outbound remark ** Outbound  Filters **
access-list outbound extended permit ip any any
pager  lines 24
logging enable
logging timestamp
logging buffered  debugging
logging trap informational
mtu outside 1500
mtu  inside 1500
mtu DMZ 1500
no failover
icmp permit any outside
icmp  permit any inside
icmp permit any echo-reply inside
icmp permit  any unreachable inside
icmp permit any time-exceeded inside
asdm  image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
nat-control
global  (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group  inbound in interface outside
access-group outbound in interface  inside
route outside 0.0.0.0 0.0.0.0 207.XX.103.89 1
timeout  xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00  icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp  0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout  uauth 0:05:00 absolute
username XXX password XXXXXXXXXXXXXXXXXXX  encrypted privilege 15
no snmp-server location
no snmp-server  contact
snmp-server enable traps snmp authentication linkup linkdown  coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh  0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console  timeout 0
!
class-map inspection_default
match  default-inspection-traffic
!
!
policy-map global_policy
class  inspection_default
   inspect dns maximum-length 512
  inspect  ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
   inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
   inspect sqlnet
  inspect sunrpc
   inspect tftp
  inspect sip
   inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:

7e59f142d2f22ed3961ce578355d9390
:  end
I have this problem too.
0 votes
Correct Answer by Jon Marshall about 6 years 2 months ago

totusdotus wrote:

We have an Ethernet Circuit from TWC Telecom (no router provided, simply an ethernet port 100mb pipe)

We have a Cisco ASA 5510 4 ports.  Do we need a router is question? If not how would one configure this? I'm confused because we have it working but don't understand how to be able to use our public range of addresses 64.XX2.225.130 thru 64.XX2.225.158 .

Below is what was provided by TWC Telecom XX=Privacy:

Assigned Address Space - Routed IP'sExternal Interfaces
WAN Ethernet:  207.XX.103.90
Subnet Mask: 255.255.255.252
This will be the  interface that directly connects to the tw telecom circuit
Default  Route for Router: 207.XX.103.89
This will be the path that all of your internet traffic takes to get out  to the internet.

Internal Interfaces

Assigned LAN Netblock:  64.XX2.225.128
Subnet Mask: 255.255.255.224
LAN Ethernet usable  IP's: 64.XX2.225.130 thru 64.XX2.225.158
You can use this on your LAN (PC, Workstation, Firewall, etc)
Default  Gateway for LAN Netblock: 64.XX2.225.129
This will be the IP that  all devices use as a default route or gateway for your LAN back to the  router.

We are wanting your typical private network and DMZ.

Troy

You don't need to assign the public IPs to physical devices on your LAN. That public IP range  64.xx2.225.128/27 can be used however you want because the ISP should be routing any traffic for those addresses to the WAN IP 207.xx.103.90 which you should assign to the outside interface of your ASA.

So you can have a privately addressed internal network and just NAT the internal clients to either the WAN IP 207.xx.103.90 or use one of your 64.xx2.225.128/27 addresses. For your DMZ servers you can use private addressing and use 64.xx2.225.128/27 to present the servers to the internet eg.

static (DMZ,outside) 64.xx2.225.130 192.168.2.10 netmask 255.255.255.255

would present the 192.168.2.10 DMZ server as 64.xx2.225.130 to the internet. Obviously you then also need to allow the correct ports etc. to that server with an acl on the outside interface.

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Jon Marshall Fri, 09/10/2010 - 03:22

totusdotus wrote:

We have an Ethernet Circuit from TWC Telecom (no router provided, simply an ethernet port 100mb pipe)

We have a Cisco ASA 5510 4 ports.  Do we need a router is question? If not how would one configure this? I'm confused because we have it working but don't understand how to be able to use our public range of addresses 64.XX2.225.130 thru 64.XX2.225.158 .

Below is what was provided by TWC Telecom XX=Privacy:

Assigned Address Space - Routed IP'sExternal Interfaces
WAN Ethernet:  207.XX.103.90
Subnet Mask: 255.255.255.252
This will be the  interface that directly connects to the tw telecom circuit
Default  Route for Router: 207.XX.103.89
This will be the path that all of your internet traffic takes to get out  to the internet.

Internal Interfaces

Assigned LAN Netblock:  64.XX2.225.128
Subnet Mask: 255.255.255.224
LAN Ethernet usable  IP's: 64.XX2.225.130 thru 64.XX2.225.158
You can use this on your LAN (PC, Workstation, Firewall, etc)
Default  Gateway for LAN Netblock: 64.XX2.225.129
This will be the IP that  all devices use as a default route or gateway for your LAN back to the  router.

We are wanting your typical private network and DMZ.

Troy

You don't need to assign the public IPs to physical devices on your LAN. That public IP range  64.xx2.225.128/27 can be used however you want because the ISP should be routing any traffic for those addresses to the WAN IP 207.xx.103.90 which you should assign to the outside interface of your ASA.

So you can have a privately addressed internal network and just NAT the internal clients to either the WAN IP 207.xx.103.90 or use one of your 64.xx2.225.128/27 addresses. For your DMZ servers you can use private addressing and use 64.xx2.225.128/27 to present the servers to the internet eg.

static (DMZ,outside) 64.xx2.225.130 192.168.2.10 netmask 255.255.255.255

would present the 192.168.2.10 DMZ server as 64.xx2.225.130 to the internet. Obviously you then also need to allow the correct ports etc. to that server with an acl on the outside interface.

Jon

totusdotus Fri, 09/10/2010 - 08:15

Thanks Jon! Easy enough  ...got it working in less than 5 minutes

Actions

This Discussion

Related Content