09-19-2010 02:20 PM - edited 03-11-2019 11:42 AM
Please help me out here....
I am stuck. I am trying to configure my home lab and I can't seem to find out how to do the following:
Internet --> ASA5505 --> 3660 Router --> 2900XL Switch --> ASA5505 --> Wireless AP
Attached is an image with a better idea of what I am wanting to do.
I have read that any router with the ASA is useless, but I would like to have the ASA just be a firewall/VPN and not much else. Any help with this would be appreciated.
***All Cisco Equipment has basic configs loaded on them, if needed I can provide a show ver.
09-20-2010 12:22 AM
Show IP
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.2.1 255.255.255.0 CONFIG
Vlan2 outside 174.56.139.62 255.255.248.0 DHCP
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 192.168.2.1 255.255.255.0 CONFIG
Vlan2 outside 174.56.139.62 255.255.248.0 DHCP
Show Route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 174.56.136.0 255.255.248.0 is directly connected, outside
S 192.168.1.0 255.255.255.0 [1/0] via 192.168.2.2, inside
C 192.168.2.0 255.255.255.0 is directly connected, inside
Ping 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
No route to host 4.2.2.2
Success rate is 0 percent (0/1)
09-20-2010 02:10 AM
Ahh, it looks like you have no default route.
Usually the command "ip address dhcp setroute" in the outside interface's config will let your ISP assign you a default route, but it looks like either that isn't happening or the ISP isn't sending one.
To remedy this you can add in
"route outside 0 0
09-20-2010 02:59 AM
Wow, Comcast is horrible with tech support. I am trying to explain what I need with no luck at all.
Should I just ask what the default route is? Or is there something else I should be asking for?
09-20-2010 07:12 AM
Yeah, you should be asking what the IP address of the next hop should be; it should be in the 174.56.136.0 255.255.248.0 subnet. My guess is that it may be 174.56.136.1, as that is the first IP after the subnet ID, but this is just a common convention and may not be true in your case.
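The two ways of getting a default route onto the outside interface that the replies above describe, written out as an added example (this is not configuration from the original poster or from Cisco; the next-hop address 174.56.136.1 is only the guess made in the reply above and must be replaced with whatever the ISP actually confirms, and the syntax is the ASA 8.2-era form that a 2010 ASA 5505 would run):

```cisco
! Option A: let the ISP's DHCP offer supply the default route.
! "setroute" installs the DHCP-supplied gateway as the default route;
! if "show route" still reports "Gateway of last resort is not set",
! the ISP's DHCP offer is not carrying a router option.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Option B: keep the DHCP-assigned address but use a static default route.
! Drop "setroute" so only one source of the default route is in play,
! then point 0.0.0.0/0 at the ISP next hop (ASSUMED: 174.56.136.1, per the
! guess above, which is inside the connected 174.56.136.0/21 subnet).
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
route outside 0.0.0.0 0.0.0.0 174.56.136.1 1
!
! Verification from the exec prompt (not configuration):
!   show route            -> expect "S* 0.0.0.0 0.0.0.0 [1/0] via 174.56.136.1, outside"
!   ping 4.2.2.2          -> should now get replies instead of "No route to host"
```

The check to run before trusting the guessed next hop is "show arp" on the outside interface after a ping attempt: if 174.56.136.1 never resolves to a MAC address, the gateway is some other address in the /21 and the static route is pointing at nothing.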
09-20-2010 12:50 PM
Finally... it works. Final question: I would like to take the other ASA and put it in between the physical network and the wireless AP as shown in the picture above. Is that overkill, or smart since it is dealing with wireless? I want that more for intrusion detection.
Thanks.
09-20-2010 02:19 PM
Design questions are a little bit trickier, as we can't really know the full scenario of your network, i.e., what you want the wireless for, whether it is just a guest network, and whether you need inside users to access it. Do you consider it to be more or less secure than the inside?
I'll throw out an idea, not a professional recommendation, but you may want to look into placing this as a DMZ on your current ASA depending on your license and whether you want the inside to communicate with it or not.
There are just so many unknowns to the scenario that we just can't say what is best.
09-20-2010 02:34 PM
No DMZ on my license... it is just an extra one I have. My network is a home network that I just want secure, so I was wondering if the ASA would provide that with the access point connected to it.
09-20-2010 02:56 PM
Adding another security device might add a small amount of protection. To me, this firewall would mean that you don't trust the rest of the objects in the 192.168.1.0 network and want to restrict their access to your wireless network. I would guess that if you do trust them, then the firewall isn't going to do much as the internet facing firewall should be doing all the filtering that the second firewall would do.
Another thing you have to consider is your addressing scheme:
1. If you want to keep 192.168.1.0 on both sides of the second ASA, you will need to run it in transparent mode.
2. If you decide that you want to keep the second ASA in routed mode, you may run into asymmetric routing issues.
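What the transparent-mode option in the reply above looks like on the second ASA 5505, as an added example that is not part of the original thread or any Cisco documentation. It assumes the ASA 8.2-era syntax (on 8.4 and later the management address moves under "interface BVI1" and each interface needs a "bridge-group 1" line), that the 3660 at 192.168.1.1 is the wired LAN's gateway and DHCP server, and that 192.168.1.254 is free for the ASA's management address; the ACL name WIFI_IN is made up here. Entering "firewall transparent" clears the running configuration, so do this on the spare unit, not the Internet-facing one:

```cisco
! Switch the spare 5505 to transparent (layer 2) mode. This keeps 192.168.1.0/24
! on both sides, so the 3660 and the wired hosts need no route changes and the
! asymmetric-routing problem of a routed second firewall does not arise.
firewall transparent
hostname wifi-asa
!
! Wired LAN side: "inside" is the 2900XL uplink.
interface Vlan1
 nameif inside
 security-level 100
!
! Wireless side: the AP hangs off this VLAN. Lower security level means
! wireless -> wired traffic is denied unless an ACL permits it.
interface Vlan2
 nameif wireless
 security-level 0
!
interface Ethernet0/0
 switchport access vlan 1
interface Ethernet0/1
 switchport access vlan 2
!
! One management IP for the bridged segment (ASSUMED free: 192.168.1.254) and a
! route for the ASA's own traffic (syslog, NTP) via the 3660 (ASSUMED 192.168.1.1).
ip address 192.168.1.254 255.255.255.0
route inside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Policy for traffic arriving from the wireless side:
!  - DHCP to the LAN DHCP server (broadcast does not match the /24 deny, but
!    transparent mode only bridges IP broadcast that an ACL explicitly permits)
!  - anything to the gateway itself, which is the path to the Internet
!  - nothing else on the wired 192.168.1.0/24 (this is the segmentation)
!  - everything else, i.e. Internet destinations, passes through the gateway
access-list WIFI_IN extended permit udp any eq bootpc any eq bootps
access-list WIFI_IN extended permit ip any host 192.168.1.1
access-list WIFI_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list WIFI_IN extended permit ip any any
access-group WIFI_IN in interface wireless
!
! Log the denies so the "intrusion detection" goal gets at least hit counts
! and a syslog trail (ASSUMED collector address).
logging enable
logging trap informational
logging host inside 192.168.1.10
```

The check after applying it: from a wireless client, ping 192.168.1.1 and a public address (both should answer) and then ping a wired host such as 192.168.1.10 (should fail), and confirm with "show access-list WIFI_IN" that the deny line's hit count is climbing. Note that the wired-to-wireless direction is allowed by the security levels alone, which matches the reply's point that this firewall only helps if you distrust the wireless side more than the wired hosts.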