Ethernet dedicated circuit

eddie.sardinha
Level 1

Hello All, 

I just got a new dedicated internet circuit installed. I am used to getting MPLS, where I only configure the internal interfaces, and now with the EDI circuit I was given the WAN IP along with the customer LAN IPs, but they are public IPs, so I am not sure of the best way to configure the interfaces and have access via the internal LAN.

This will eventually replace our MPLS, so I will have to set up VPNs etc. or a routing protocol and would like some feedback. If you need more info, please let me know.

Thank You,

11 Replies

Hi 

Please correct me if I am understanding wrong.

You usually use MPLS and configure the CE router; the ISP handles the MP-BGP and the MPLS network. But now you have received a dedicated point-to-point circuit.

Is it just for Internet access?




>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Yes, correct. I think I just need to set up NAT for the ASA. Can you assist with the NAT config?

Hi Eddie,

It will be a pleasure; please provide me the version of the IOS and the ASA model.

Thank you in advance. 





Great, it's an ASA 5515x and the IOS ver is below: 

Cisco Adaptive Security Appliance Software Version 9.8(1)

OK, perfect, let me share an example with you.





Great, please share!

Hi Eddie,

Example:

a) Configure the interfaces

interface GigabitEthernet0/0
description INTERNET
duplex full
nameif OUTSIDE
security-level 0
ip address <Public IP address> <subnet mask>
no shut

interface GigabitEthernet0/1
description INTERNAL-NETWORK
duplex full
nameif INSIDE
security-level 100
ip address 10.0.0.1 255.255.255.252
no shut

b) Create object-groups

object-group network TRANSLATED-NETS
<The networks to be translated>
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0

object-group network PRIVATE-NATS
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0

c) Create the ACLs

<create the ACL, you can specify the ports instead>
access-list INSIDE-ACL extended permit icmp any any
access-list INSIDE-ACL extended permit ip object-group PRIVATE-NATS any
access-list INSIDE-ACL extended deny ip any any

access-list OUTSIDE-ACL extended permit icmp any any
access-list OUTSIDE-ACL extended deny ip any any

d) Create the access-groups for each ACL

access-group OUTSIDE-ACL in interface OUTSIDE
access-group INSIDE-ACL in interface INSIDE

e) Create the NAT

nat (INSIDE,OUTSIDE) source dynamic TRANSLATED-NETS interface

f) Create the static routing

route OUTSIDE 0.0.0.0 0.0.0.0 <external next hop ip> 1
route INSIDE 192.168.1.0 255.255.255.0 <internal next hop: ip 10.0.0.2> 1
route INSIDE 192.168.2.0 255.255.255.0 <internal next hop: ip 10.0.0.2> 1
route INSIDE 192.168.3.0 255.255.255.0 <internal next hop: ip 10.0.0.2> 1

Hope it is useful

:-)





Great, that was helpful. I can ping 8.8.8.8 from the ASA, but my computer is not able to get out to the internet.

Here is the config:

Did I do the ACL & NAT statements correctly? I omitted the public IP and mask where needed.

interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.250 255.255.255.0
!
interface GigabitEthernet0/2
nameif outside
security-level 0
ip address "Public IP & MASK"
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name englert-mfg.com
object-group network TRANSLATED_NATS
network-object "Public IP & MASK"
object-group network PRIVATE_NAT
network-object 192.168.0.0 255.255.255.0
access-list INSIDE-ACL extended permit icmp any any
access-list INSIDE-ACL extended permit ip object-group PRIVATE_NAT any
access-list INSIDE-ACL extended deny ip any any
access-list OUTSIDE-ACL extended permit icmp any any
access-list OUTSIDE-ACL extended deny ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source dynamic TRANSLATED_NATS interface
route outside 0.0.0.0 0.0.0.0 default gateway 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default all
ssl cipher tlsv1.2 all
dynamic-access-policy-record DfltAccessPolicy
username englertasa password $sha512$5000$jLYqKYGYFqlWdOJmPBT4kw==$KfQR7Fx8qpXFfRDnmJrVUw== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f965f732de286a45c4fe54585cb6117c
: end

- Have you configured DNS on your computer?

Try 8.8.8.8 and 4.2.2.2

- I don't see the access-groups

- Also, the following group is for the internal networks as well

object-group network TRANSLATED_NATS
network-object 192.168.0.0 255.255.255.0




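As an added example (not from the thread or from Cisco), a small Python linter that applies the two checks made in the reply above to a constructed ASA config: every nameif'd interface has an access-group applied, and the source object-group of a `nat (...) source dynamic ... interface` rule holds only RFC 1918 networks. The 203.0.113.8/29 block is a placeholder for the redacted public IP; the interface blocks are trimmed to their nameif lines.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source dynamic (\S+) interface")

# Constructed sample modelled on the config posted above (interface blocks trimmed to
# nameif): the translated group holds the public block, no access-groups are applied.
SAMPLE_CONFIG = """\
nameif inside
nameif outside
object-group network TRANSLATED_NATS
network-object 203.0.113.8 255.255.255.248
object-group network PRIVATE_NAT
network-object 192.168.0.0 255.255.255.0
access-list INSIDE-ACL extended permit ip object-group PRIVATE_NAT any
nat (inside,outside) source dynamic TRANSLATED_NATS interface
"""

def parse(config):
    # Collect nameifs, network object-groups, applied access-groups and dynamic NAT rules.
    nameifs, groups, applied, nats, current = [], {}, set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        tokens = line.split()
        if line.startswith("nameif "):
            nameifs.append(tokens[1])
        elif line.startswith("object-group network "):
            current = tokens[2]
            groups[current] = []
        elif line.startswith("network-object ") and current is not None:
            cidr = f"{tokens[2]}/32" if tokens[1] == "host" else f"{tokens[1]}/{tokens[2]}"
            groups[current].append(ipaddress.ip_network(cidr, strict=False))
        elif line.startswith("access-group "):
            applied.add(tokens[-1])  # "access-group <acl> in interface <nameif>"
        elif (match := NAT_RE.match(line)):
            nats.append(match.groups())  # (real_if, mapped_if, source object-group)
        if not line.startswith(("object-group", "network-object")):
            current = None  # any other command ends the object-group block
    return nameifs, groups, applied, nats

def lint(config):
    """Return findings as strings; an empty list means both checks pass."""
    nameifs, groups, applied, nats = parse(config)
    findings = [f"no access-group applied on interface {i}" for i in nameifs if i not in applied]
    for real_if, mapped_if, group in nats:
        for net in groups.get(group, []):
            if not any(net.subnet_of(r) for r in RFC1918):
                findings.append(f"nat ({real_if},{mapped_if}) source group {group} holds "
                                f"non-RFC1918 network {net}; inside hosts will never match it")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the two missing access-groups and the public block in TRANSLATED_NATS; after putting 192.168.0.0/24 in that group and applying both access-groups, it returns an empty list.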

Sorry, so I added the access-groups but am still unable to get out on a computer. I have also statically assigned an internal IP on the 192.168.0.0/24 network with 8.8.8.8 as DNS and still was not able to get out.

This is a little confusing: do I translate the public address? The PRIVATE-NATS object group is for the internal network, correct?

object-group network TRANSLATED-NETS
<The networks to be translated>
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0

object-group network PRIVATE-NATS
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0

Hi 

I have created 2 object-groups to be flexible: 1 is for translations and the other one is for the ACL.

Could you please share the entire config (omitting the public network)?

Thank you 



