
New Member

ASA5505 basic setup

Hi!

It feels like I have been beating my head against the wall for three days now. I finally think I must accept that I have bitten off more than I can chew.

My situation: I want the ASA to have a static IP internally, act as an internal DHCP-server, and on the external end dynamically get an IP. And naturally keep me safe, but no special routes or ports.

And as I, in the CLI, now restore factory settings (...again), I wonder if anyone has the commands saved for a super simple setup like this.

Help!

D


Accepted Solutions
Super Bronze

ASA5505 basic setup

Hi,

One essential piece of information we would need is what your software level on the ASA is. Mostly for the NAT configuration, though I can give you examples of both the old and new format.

The below configurations are from memory, so there's a chance something might be missing.

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 no shutdown

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown

interface Ethernet0/0
 description WAN
 switchport access vlan 2
 no shutdown

interface Ethernet0/1
 description LAN
 no shutdown

dhcpd address 10.10.10.100-10.10.10.110 inside
dhcpd dns <dns-server-ip>
dhcpd enable inside

sysopt noproxyarp inside

access-list INSIDE-IN remark Allow all traffic from LAN
access-list INSIDE-IN permit ip 10.10.10.0 255.255.255.0 any
access-group INSIDE-IN in interface inside

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Dynamic PAT - 8.2 and below

global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0

Dynamic PAT - 8.3 and above

nat (inside,outside) after-auto source dynamic any interface

The above should contain some basic configurations:

  • Configuring both Vlan interfaces for LAN and WAN usage
  • Assigning physical interfaces to the mentioned Vlans
  • Configuring DHCP Server
  • Disabling Proxy ARP on LAN interface
  • Configuring ACL on the LAN interface (though not necessarily needed)
  • Configuring ICMP Inspection so ICMP reply/return messages are allowed through the firewall
  • Configuring basic Dynamic PAT configuration for outbound connections

- Jouni

11 REPLIES

New Member

ASA5505 basic setup

Hi!

Awesome! Thanks - I will try it now.

BTW, ASDM says 8.2(5) on ASA version.

D

New Member

ASA5505 basic setup

This keeps happening:

ciscoasa(config-if)# ip address 10.0.1.10 255.255.255.0
Interface address is not on same subnet as DHCP pool
ERROR: ip address command failed

What am I doing wrong?

D

Super Bronze

Re: ASA5505 basic setup

Hi,

Well, have you configured the DHCP pool as something other than the actual LAN interface of the ASA? I mean the ASA's LAN interface configuration's subnet has to match that used in the DHCP pool.

The ASA can only act as a DHCP server to hosts that are directly connected to it or connected to it through a L2 switch.

If you happen to have a router in your LAN network behind the ASA then you can't really use the ASA as a DHCP server. And by that I mean hosts that are behind the router won't be able to get a DHCP address from the ASA.

- Jouni

New Member

ASA5505 basic setup

Hi!

This was right after a factory reset, so I had done no configuring at all.

I am thinking that I will use the Wifi-router from before as an AP inside. My switch probably is not L2, but I'll just use something else instead. How do I kill DHCP?

D

Super Bronze

Re: ASA5505 basic setup

Hi,

The ASA shouldn't really have any DHCP configurations by default. Some later models have DHCP for the management interface but not the ASA5505.

Perhaps you can share the current configuration of the ASA so I can check how it is.

- Jouni

New Member

ASA5505 basic setup

Hi!

Here is a backup of my config.

https://dl.dropboxusercontent.com/u/10343256/david.zip

D

Super Bronze

Re: ASA5505 basic setup

Hi,

To me both the Running and Startup Configurations seem to have the basic configurations to enable connectivity through the ASA.

Only thing they are missing is the ICMP Inspection commands I mentioned, since that is usually the configuration missing from the basic configuration. With ICMP Inspection missing, you usually aren't able to PING / ICMP anything past your firewall.

The error message you mentioned before should to my understanding be the result when you are trying to change your interface IP address and you still have DHCP configurations on the ASA for the current/old network.

So if you are about to change a DHCP pool and the LAN interfaces IP address then you should first clear the DHCP configurations.

You can view them with

show run dhcpd

You can remove all of them with

clear configure dhcpd

You can then configure the LAN interface IP addressing as you see fit. And finally you can add the new DHCP configuration using the current IP addresses of the LAN interface (I mean the "inside" interface)

- Jouni

New Member

Re: ASA5505 basic setup

Hi again!

That worked. IP set. I get this:

ciscoasa(config)# global (outside) 1 interface
global for this range already exists
ciscoasa(config)# global (inside) 1 10.0.1.0 255.255.255.0
                                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# global (inside) 1 10.0.1.0
Warning: Start and End addresses overlap with broadcast address.
INFO: Global 10.0.1.0 will be Port Address Translated

As you see, I tried to be smart removing the mask. Should I try plugging it in?

D

Edit: That "^" is below "255" in Putty.

Super Bronze

Re: ASA5505 basic setup

Hi,

Provided that your network behind "inside" is 10.0.1.0/24

Then you should add these

global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0

Notice that you tried to add it with "global" command.

The command "global" defines the actual NAT IP address to be used. The command "nat" defines the source addresses/networks for that NAT.

So the above NAT configuration I mentioned should be all that's needed for your ASA. Again, provided that the only LAN network at the moment is 10.0.1.0/24.

- Jouni
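The three pitfalls worked through in this thread (the DHCP pool having to sit in the "inside" interface's subnet, the "global"/"nat" pair with matching ids in pre-8.3 syntax versus the single "nat (inside,outside)" statement in 8.3 and above, and the easily forgotten ICMP inspection from the accepted answer) can be checked mechanically before a saved config is pasted back in. The Python below is an added example, not code from this thread or from Cisco: a small linter that parses a running-config as text and reports those three conditions. The sample config it runs on is constructed for the example (an 8.2-style config with the pool left on another subnet and ICMP inspection missing); the software version is passed as a (major, minor) tuple, and the parser only understands the handful of commands used in this thread.

```python
import ipaddress
import re

# Constructed sample (not from the thread): an 8.2-style config in the shape of the
# accepted answer, but with the DHCP pool left on a different subnet than "inside"
# (the mismatch behind "Interface address is not on same subnet as DHCP pool")
# and with ICMP inspection omitted from global_policy.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.10 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0
policy-map global_policy
 class inspection_default
  inspect dns
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_config(text):
    # Flat parse: each top-level command keeps its indented sub-commands as children.
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1]["children"].append(raw.strip())
        else:
            sections.append({"line": raw.strip(), "children": []})
    return sections


def interfaces(sections):
    # nameif -> IPv4Interface; interfaces addressed by DHCP map to None.
    result = {}
    for sec in sections:
        if not sec["line"].startswith("interface "):
            continue
        name, addr = None, None
        for child in sec["children"]:
            if child.startswith("nameif "):
                name = child.split()[1]
            m = re.match(rf"ip address {IP} {IP}$", child)
            if m:
                addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        if name:
            result[name] = addr
    return result


def check_dhcp_pools(sections, ifaces):
    # The pool bound to an interface must lie inside that interface's subnet.
    findings = []
    for sec in sections:
        m = re.match(rf"dhcpd address {IP}-{IP} (\S+)$", sec["line"])
        if not m:
            continue
        start, end, ifname = m.groups()
        iface = ifaces.get(ifname)
        if iface is None:
            findings.append(f"dhcpd pool bound to '{ifname}', which has no static address")
        elif any(ipaddress.IPv4Address(ip) not in iface.network for ip in (start, end)):
            findings.append(f"dhcpd pool {start}-{end} is outside {ifname} subnet {iface.network}")
    return findings


def check_nat(sections, version):
    # version is a (major, minor) tuple, e.g. (8, 2) for the 8.2(5) in the thread.
    lines = [s["line"] for s in sections]
    if version >= (8, 3):
        if any(re.match(r"nat \(inside,outside\) .*dynamic .*interface$", l) for l in lines):
            return []
        return ["no 8.3+ style 'nat (inside,outside) ... dynamic ... interface' statement"]

    def ids(pattern):  # pre-8.3: 'global' names the PAT address, 'nat' the sources
        return {m.group(1) for m in map(lambda l: re.match(pattern, l), lines) if m}

    global_ids = ids(r"global \(outside\) (\d+) interface$")
    nat_ids = ids(r"nat \(inside\) (\d+) ")
    findings = []
    if not global_ids:
        findings.append("no 'global (outside) <id> interface' statement")
    if not nat_ids:
        findings.append("no 'nat (inside) <id> <net> <mask>' statement")
    if global_ids and nat_ids and global_ids != nat_ids:
        findings.append(f"global/nat ids do not pair up: {sorted(global_ids ^ nat_ids)}")
    return findings


def check_icmp_inspection(sections):
    # Without 'inspect icmp' in global_policy, echo replies are not let back in.
    for sec in sections:
        if sec["line"] == "policy-map global_policy" and any(
                c.startswith("inspect icmp") for c in sec["children"]):
            return []
    return ["ICMP inspection missing from global_policy"]


def lint(text, version):
    sections = parse_config(text)
    return (check_dhcp_pools(sections, interfaces(sections))
            + check_nat(sections, version)
            + check_icmp_inspection(sections))
```

Running lint(SAMPLE_CONFIG, (8, 2)) reports the out-of-subnet pool and the missing ICMP inspection; moving the pool into 10.0.1.0/24 and adding "inspect icmp" clears both, and passing (8, 3) or later against the old "global"/"nat" pair flags the syntax change the accepted answer describes.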

New Member

Re: ASA5505 basic setup

Amazing. It works. I added the "http 10.0.1.0 255.255.255.0 inside" command and it just works. I am amazed; thanks.

If anyone is interested, here is a backup of this plain config:

https://dl.dropboxusercontent.com/u/10343256/david2.zip

Jouni - you are Batman. Thanks again.

D
