ASA 5505 and 3660 Router

woodjl1650
Level 1

Please help me out here....

I am stuck, I am trying to configure my home lab and I can't seem to find out how to do the following:

Internet -->ASA5505-->3660Router-->2900XL Switch --->ASA5505--->Wireless AP

Attached is an image with a better idea of what I am wanting to do.

I have read that any router with the ASA is useless, but I would like to have the ASA just be a firewall/VPN and not much else. Any help with this would be appreciated.

***All Cisco Equipment has basic configs loaded on them, if needed I can provide a show ver.

Home_Network.jpg

22 Replies

Show IP

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.2.1     255.255.255.0   CONFIG
Vlan2                    outside                174.56.139.62   255.255.248.0   DHCP
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Vlan1                    inside                 192.168.2.1     255.255.255.0   CONFIG
Vlan2                    outside                174.56.139.62   255.255.248.0   DHCP

Show Route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    174.56.136.0 255.255.248.0 is directly connected, outside
S    192.168.1.0 255.255.255.0 [1/0] via 192.168.2.2, inside
C    192.168.2.0 255.255.255.0 is directly connected, inside

Ping 4.2.2.2

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
No route to host 4.2.2.2

Success rate is 0 percent (0/1)

Ahh, it looks like you have no default route.

Usually the command in the interfaces config for the outside "ip address dhcp setroute" will allow you to be assigned a default route by your ISP, but it either looks like that isn't happening or the ISP isn't sending that.

To remedy this you can add in

"route outside 0 0 <next hop>" where next hop is the IP address of the ASA's next hop. You can find this out by either calling your ISP or taking a look at your "show arp" and seeing if there is another IP in the outside range (174.56.136.0 255.255.248.0). *Not really a surefire method, but it can be faster than getting hold of your ISP.

Wow, Comcast is horrible with tech support....I am trying to explain what I need with no luck at all....

Should I just ask what the default route is? Or is there something else I should be asking for?

Yeah, you should be asking what the IP address of the next hop should be, it should be in the 174.56.136.0 255.255.248.0 subnet. My guess is that it may be 174.56.136.1 as that is the first IP after the subnet ID, but this is just a common convention and may not be true in your case.
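The two checks suggested in the replies above (is a default route missing, and does a candidate next hop actually sit inside the outside subnet) can be run against the posted "show route" output. This is an added example, not code from the thread or from Cisco; the sample text is constructed from the output posted earlier, and the check that the candidate is not the ASA's own outside address (174.56.139.62 from "show ip") is my addition.

```python
import ipaddress

# Constructed sample, modelled on the "show route" output posted earlier in the thread.
SHOW_ROUTE = """\
Gateway of last resort is not set

C    174.56.136.0 255.255.248.0 is directly connected, outside
S    192.168.1.0 255.255.255.0 [1/0] via 192.168.2.2, inside
C    192.168.2.0 255.255.255.0 is directly connected, inside
"""

# The ASA's own outside address, taken from the "show ip" output in the thread.
OUTSIDE_IP = ipaddress.ip_address("174.56.139.62")


def parse_routes(text):
    """Parse ASA 'show route' lines into (code, network, next hop or None, interface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Route lines start with a one- or two-character code such as C, S or S*.
        if len(parts) < 4 or len(parts[0]) > 2 or not parts[0].rstrip("*").isalpha():
            continue
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # skips the "Codes:" legend, which also starts with a letter
        via = None
        if "via" in parts:
            via = ipaddress.ip_address(parts[parts.index("via") + 1].rstrip(","))
        routes.append((parts[0], net, via, parts[-1]))
    return routes


def has_default_route(text):
    """True only when a 0.0.0.0/0 entry exists and the ASA does not say the gateway is unset."""
    if "Gateway of last resort is not set" in text:
        return False
    return any(net.prefixlen == 0 for _, net, _, _ in parse_routes(text))


def check_next_hop(text, candidate, iface="outside"):
    """Return the 'route outside' command for a plausible next hop, otherwise the reason it is rejected."""
    subnet = next((n for c, n, _, name in parse_routes(text) if c == "C" and name == iface), None)
    hop = ipaddress.ip_address(candidate)
    if subnet is None:
        return f"no connected subnet found on interface {iface}"
    if hop not in subnet:
        return f"{hop} is not inside the {iface} subnet {subnet}"
    if hop in (subnet.network_address, subnet.broadcast_address, OUTSIDE_IP):
        return f"{hop} is the network, broadcast or the ASA's own address"
    return f"route {iface} 0.0.0.0 0.0.0.0 {hop}"
```

Run check_next_hop(SHOW_ROUTE, "174.56.136.1") to get the exact command to paste once the ISP confirms the gateway; it still only confirms the address is plausible, not that it is correct.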

Finally... it works. Final question: I would like to take the other ASA and put it in between the physical network and the wireless AP as shown in the picture above. Is that overkill, or smart since it is dealing with wireless? I want that more for intrusion detection....

Thanks.

Design questions are a little bit trickier, as we can't really know the full scenario of your network, i.e. what you want the wireless for, whether it is just a guest network, whether you need inside users to access it. Do you consider it to be more or less secure than the inside?

I'll throw out an idea, not a professional recommendation, but you may want to look into placing this as a DMZ on your current ASA depending on your license and whether you want the inside to communicate with it or not.

There are just so many unknowns to the scenario that we just can't say what is best.

No DMZ on my license... just an extra one I have... my network is a home network that I just want secure. So I was wondering if the ASA would provide that with the access point connected to it.

Adding another security device might add a small amount of protection. To me, this firewall would mean that you don't trust the rest of the objects in the 192.168.1.0 network and want to restrict their access to your wireless network. I would guess that if you do trust them, then the firewall isn't going to do much as the internet facing firewall should be doing all the filtering that the second firewall would do.

Another thing you have to consider is your addressing scheme:

1. If you want to keep the 192.168.1.0 on both sides of the second ASA you will need to run it in transparent mode.

2. If you decide that you want to keep the second ASA in routed mode, you may run into asymmetric routing issues.
