Need help with configuring static IP for ASA 5505

Unanswered Question
Feb 11th, 2014

Hi Everyone,


I am new to the Cisco ASA platform but I have recently successfully managed to configure the ASA 5505 with dynamic IP. However, I am really struggling to configure the ASA 5505 with static IP. The ISP has given me the public IP address, subnet, DNS and Gateway IP. However, how do I put those numbers into the ASA? I am really lost trying to get the internet to work...do I put the public IP address for the "outside" IP? But if I do so, what do I give my "inside" IP? Is the Gateway IP and the public IP the same? The ISP told me it is the same thing...I am not sure how I can configure the ASA to merge it as the same thing.


For illustration the IP addresses that I was given:

Gateway: 101.290.215.90/28

DNS: 210.101.1.60

WAN: 180.80.25.25/30


Appreciate if anyone can provide me any tips or pointers regarding this issue.


Here is the configuration:


ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 101.xxx.xxx.xxx 255.xxx.xxx.xxx
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 203.xxx.xxx.xxx
 name-server 203.xxx.xxx.xxx
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,inside) 101.127.251.32 101.127.251.32 netmask 255.255.255.240
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 101.127.251.32 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 101.xx.xx.xx-101.xx.xx.xx inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2

cadet alain Wed, 02/12/2014 - 05:37

Hi,


interface Vlan2
 nameif outside
 security-level 0
 no ip address dhcp setroute
 ip address 180.80.25.25 255.255.255.252
no dhcpd auto_config outside
dhcpd dns 210.101.1.60
dns server-group DefaultDNS
 no name-server 203.xxx.xxx.xxx
 no name-server 203.xxx.xxx.xxx
 name-server 210.101.1.60
route outside 0.0.0.0 0.0.0.0 x.x.x.x
! x.x.x.x is the next hop given by the provider


But before doing this, can you post the following output from the current config:

sh route outside
sh int ip br

as well as a quick diagram, to really make sure I understand your topology correctly.


Regards


Alain


Don't forget to rate helpful posts.
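
Added example, not part of the original thread or of any poster's reply: a small Python check of an addressing plan before it is typed into the ASA, using the illustrative values from the first post. The function names are hypothetical; the emitted lines are the `ip address` and `route outside` commands shown in the reply above, and the candidate next hop is derived from the subnet arithmetic only, so the real one still has to be confirmed by the provider.

```python
import ipaddress


def candidate_next_hops(wan_cidr):
    """Usable hosts on the outside subnet, excluding the ASA's own address."""
    iface = ipaddress.ip_interface(wan_cidr)
    return [str(h) for h in iface.network.hosts() if h != iface.ip]


def static_outside_config(wan_cidr, next_hop):
    """Return ASA 8.2 lines for a static outside address and default route.

    Raises ValueError when next_hop is malformed, is the ASA's own address,
    or is not directly reachable on the outside subnet.
    """
    iface = ipaddress.ip_interface(wan_cidr)
    hop = ipaddress.ip_address(next_hop)  # ValueError on e.g. an octet > 255
    if hop == iface.ip:
        raise ValueError(f"{hop} is the interface address, not a next hop")
    if str(hop) not in candidate_next_hops(wan_cidr):
        raise ValueError(f"{hop} is not a usable host in {iface.network}")
    return [
        "interface Vlan2",
        " nameif outside",
        " security-level 0",
        f" ip address {iface.ip} {iface.network.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {hop}",
    ]


if __name__ == "__main__":
    wan = "180.80.25.25/30"  # WAN value from the first post
    print("on-link next-hop candidates:", candidate_next_hops(wan))
    # Gateway as written in the first post, an off-link /28 host (constructed),
    # and the only other usable host in the /30.
    for gw in ("101.290.215.90", "101.127.251.33", "180.80.25.26"):
        try:
            print("\n".join(static_outside_config(wan, gw)))
        except ValueError as err:
            print(f"rejected {gw}: {err}")
```

A /30 has exactly two usable hosts, so with the WAN value above the default route can only point at the other one; a gateway quoted from a different subnet cannot be the outside next hop.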

ASALawenium Wed, 02/12/2014 - 05:45

Hi Alain,


Thanks for the reply.


I was wondering why you chose to use the WAN as the outside IP address? Maybe I should have mentioned this earlier, but the ISP provided me a Class B private IP address, which would probably mean we cannot use this IP address?


Thanks,

Daxi

cadet alain Wed, 02/12/2014 - 05:52

Hi,

I don't see any private address in the ones you provided as an example, and that's why I'd like a quick diagram to see exactly what your topology is. And what about the difference from the current situation? Same ISP but no more DHCP address on the WAN interface connected to the ISP modem?


Regards


Alain



Don't forget to rate helpful posts.

ASALawenium Wed, 02/12/2014 - 06:00

Hi Alain,


Appreciate your input very much.


Apologies about my illustration as it is not exactly accurate. The following illustration should be more accurate:


Gateway: 101.120.xxx.xxx/28

LAN: 101.120.xxx.xxx/28 (this is range of IPs)

DNS: 203.116.xxx.xx

PE IP: 172.xx.xx.51

CE IP: 172.xx.xx.52


With this set of IPs, how does one usually configure an ASA 5505 to have static IP?


Thanks again very much for your help.

cadet alain Wed, 02/12/2014 - 06:30

Hi,

I still don't understand why you have a private range for CE-PE and a public one for LAN. The LAN is usually on inside and the WAN on outside, so I would need a diagram to really understand and give you the correct config.


Regards


Alain


Don't forget to rate helpful posts.
