ASA5505 basic setup

David Thulin (Level 1)

Hi!

It feels like I have been beating my head against the wall for three days now. I think I finally must accept that I have bitten off more than I can chew.

My situation: I want the ASA to have a static IP internally, act as an internal DHCP-server, and on the external end dynamically get an IP. And naturally keep me safe, but no special routes or ports.

And as I, in the CLI, now restore factory settings (...again), I wonder if anyone has the commands saved for a super simple setup like this.

Help!

D

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

One essential piece of information we would need is what software level your ASA is on, mostly for the NAT configuration, though I can give you examples of both the old and the new format.

The below configurations are from memory, so there's a chance something might be missing.

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
interface Ethernet0/0
 description WAN
 switchport access vlan 2
 no shutdown
interface Ethernet0/1
 description LAN
 no shutdown

dhcpd address 10.10.10.100-10.10.10.110 inside
dhcpd dns
dhcpd enable inside

sysopt noproxyarp inside

access-list INSIDE-IN remark Allow all traffic from LAN
access-list INSIDE-IN permit ip 10.10.10.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Dynamic PAT - 8.2 and below

global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0

Dynamic PAT - 8.3 and above

nat (inside,outside) after-auto source dynamic any interface

The above should contain some basic configurations:

  • Configuring both Vlan interfaces for LAN and WAN usage
  • Assigning physical interfaces to the mentioned Vlans
  • Configuring the DHCP server
  • Disabling Proxy ARP on the LAN interface
  • Configuring an ACL on the LAN interface (though not necessarily needed)
  • Configuring ICMP inspection so ICMP reply/return messages are allowed through the firewall
  • Configuring a basic dynamic PAT configuration for outbound connections

- Jouni

11 Replies

Hi!

Awesome! Thanks - I will try it now.

BTW, ASDM says the ASA version is 8.2(5).

D

This keeps happening:

ciscoasa(config-if)# ip address 10.0.1.10 255.255.255.0
Interface address is not on same subnet as DHCP pool
ERROR: ip address command failed

What am I doing wrong?

D

Hi,

Well, have you configured the DHCP pool as something other than the actual LAN interface of the ASA? I mean the subnet of the ASA's LAN interface configuration has to match the one used in the DHCP pool.

The ASA can only act as a DHCP server to hosts that are directly connected to it or connected to it through an L2 switch.

If you happen to have a router in your LAN network behind the ASA, then you can't really use the ASA as a DHCP server. And by that I mean hosts that are behind the router won't be able to get a DHCP address from the ASA.

- Jouni

Hi!

This was right after a factory reset, so I had done no configuring at all.

I am thinking that I will use the Wi-Fi router from before as an AP inside. My switch probably is not L2, but I'll just use something else instead. How do I kill DHCP?

D

Hi,

The ASA shouldn't really have any DHCP configurations by default. Some later models have DHCP for the management interface, but not the ASA5505.

Perhaps you can share the current configuration of the ASA so we can check how it is.

- Jouni

Hi,

To me both the Running and Startup Configurations seem to have the basic configurations to enable connectivity through the ASA.

The only thing they are missing is the ICMP inspection commands I mentioned, since that is usually the configuration missing from the basic configuration. With ICMP inspection missing, you usually aren't able to PING / ICMP anything past your firewall.

The error message you mentioned before should, to my understanding, be the result when you are trying to change your interface IP address and you still have DHCP configurations on the ASA for the current/old network.

So if you are about to change a DHCP pool and the LAN interface's IP address, then you should first clear the DHCP configurations.

You can view them with

show run dhcpd

You can remove all of them with

clear configure dhcpd

You can then configure the LAN interface IP addressing as you see fit. And finally you can add the new DHCP configuration using the current IP addresses of the LAN interface (I mean the "inside" interface).

- Jouni

Hi again!

That worked. IP set. I get this:

ciscoasa(config)# global (outside) 1 interface
global for this range already exists
ciscoasa(config)# global (inside) 1 10.0.1.0 255.255.255.0
                                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# global (inside) 1 10.0.1.0
Warning: Start and End addresses overlap with broadcast address.
INFO: Global 10.0.1.0 will be Port Address Translated

As you see, I tried to be smart removing the mask. Should I try plugging it in?

D

Edit: That "^" is below "255" in Putty.

Hi,

Provided that your network behind "inside" is 10.0.1.0/24,

then you should add these:

global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0

Notice that you tried to add it with the "global" command.

The command "global" defines the actual NAT IP address to be used. The command "nat" defines the source addresses/networks for that NAT.

So the above NAT configuration I mentioned should be all that's needed for your ASA. Again, provided that the only LAN network at the moment is 10.0.1.0/24.

- Jouni
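The three things Jouni checks by hand in this thread (that the DHCP pool sits inside the "inside" interface's subnet, that an 8.2-style `nat` statement has its `global` on the egress interface rather than on "inside", and that `inspect icmp` / `inspect icmp error` are present) can be checked mechanically against a saved `show run`. The script below is an added example written for this page, not a Cisco tool and not anything posted in the thread; the function names are my own, the sample configuration is constructed to reproduce the mismatch the original poster hit, and it understands only the 8.2-and-below `global`/`nat` form (the 8.3+ `nat (inside,outside) ...` line is ignored).

```python
import ipaddress
import re

# Constructed sample, modelled on the 8.2-style snippets posted in this thread.
# It deliberately carries the mismatch the original poster hit: the DHCP pool
# still sits in 10.10.10.0/24 after the inside interface moved to 10.0.1.0/24,
# and 'inspect icmp error' is absent. It is not a capture from a real ASA.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.10 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
dhcpd address 10.10.10.100-10.10.10.110 inside
dhcpd enable inside
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect icmp
"""

DHCPD_RE = re.compile(r"^dhcpd address ([\d.]+)-([\d.]+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")


def parse_interfaces(config):
    """Map nameif -> IPv4Interface (or the string 'dhcp') for each 'interface' stanza.
    Stanza members are the indented lines under 'interface ...', as in 'show run'."""
    interfaces, stanza = {}, None
    for raw in config.splitlines() + [""]:          # trailing "" flushes the last stanza
        parts = raw.split()
        if not raw.startswith(" "):                 # top-level line: close the open stanza
            if stanza and stanza.get("nameif") and "addr" in stanza:
                interfaces[stanza["nameif"]] = stanza["addr"]
            stanza = {} if raw.startswith("interface ") else None
            continue
        if stanza is None or not parts:
            continue
        if parts[0] == "nameif":
            stanza["nameif"] = parts[1]
        elif parts[:2] == ["ip", "address"]:
            stanza["addr"] = ("dhcp" if parts[2] == "dhcp"
                              else ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}"))
    return interfaces


def check_dhcp_pools(config, interfaces):
    """Flag pools outside the served interface's subnet (the 'not on same subnet' error)."""
    findings = []
    for m in filter(None, (DHCPD_RE.match(l.strip()) for l in config.splitlines())):
        start, end, nameif = m.groups()
        iface = interfaces.get(nameif)
        if not isinstance(iface, ipaddress.IPv4Interface):
            findings.append(f"dhcpd pool on '{nameif}' but that interface has no static address")
            continue
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo not in iface.network or hi not in iface.network:
            findings.append(f"dhcpd pool {start}-{end} is not within {iface.network}, the subnet of '{nameif}'")
        elif lo <= iface.ip <= hi:
            findings.append(f"dhcpd pool {start}-{end} contains the '{nameif}' address {iface.ip}")
    return findings


def check_pat(config, interfaces):
    """8.2-style dynamic PAT: each nat id needs a global, placed on a different interface
    than the nat source, and the nat network should cover that interface's subnet."""
    findings, globals_by_id, nats = [], {}, []
    for line in (l.strip() for l in config.splitlines()):
        if g := GLOBAL_RE.match(line):
            globals_by_id.setdefault(g.group(2), []).append(g.group(1))
        if n := NAT_RE.match(line):
            nats.append(n.groups())
    for nameif, nat_id, net, mask in nats:
        if nat_id == "0":                            # nat 0 is exemption, no global needed
            continue
        places = globals_by_id.get(nat_id, [])
        if not places:
            findings.append(f"nat ({nameif}) {nat_id} has no matching 'global' statement")
        elif nameif in places:
            findings.append(f"'global ({nameif}) {nat_id}' is on the same interface as the nat "
                            f"source; the global belongs on the egress interface")
        iface = interfaces.get(nameif)
        nat_net = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        if isinstance(iface, ipaddress.IPv4Interface) and not iface.network.subnet_of(nat_net):
            findings.append(f"nat ({nameif}) {nat_id} covers {nat_net}, not {iface.network}")
    return findings


def check_icmp_inspection(config):
    present = {l.strip() for l in config.splitlines()}
    return [f"'{cmd}' missing from the global policy"
            for cmd in ("inspect icmp", "inspect icmp error") if cmd not in present]


def audit(config):
    interfaces = parse_interfaces(config)
    return (check_dhcp_pools(config, interfaces) + check_pat(config, interfaces)
            + check_icmp_inspection(config))


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a `show run` saved to a file by reading the file into `audit()`; on the constructed sample it reports the stale 10.10.10.x pool and the missing `inspect icmp error`, and is silent once the pool is moved into 10.0.1.0/24 and the inspection line is added. The `ipaddress` module does the subnet arithmetic, so the pool check is exact rather than a string comparison of the first three octets.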

Amazing. It works. I added the "http 10.0.1.0 255.255.255.0 inside" command and it just works. I am amazed; thanks.

If anyone is interested, here is a backup of this plain config:

https://dl.dropboxusercontent.com/u/10343256/david2.zip

Jouni - you are Batman. Thanks again.

D
