
ASA5505 has direct WAN mapping now

sendalot7
Level 1

I have pulled my ASA5505 out of my internal network, after hearing that the ASA needs direct WAN IP access to have VPN running (at least for novices/freshmen like new CCNAs like me).

ASA5505 has direct WAN mapping now and has a non-private IP address.

I'm struggling to have devices connected to ASA5505 have connection to the internet.

The ISP router has address of 97.24.221.35 and default gateway of 97.24.220.0.

ISP router's internal address is 192.168.1.255. In the ISP router configuration, I can have one of its ports work as a bridge, instead of giving a DHCP address to my ASA.

What address should the ASA be assigned? Its current internal IP is the default, 192.168.1.1.

(IP addresses here might be a bit off as I changed them in haste for security.)

What about the NATs and ACLs?

Your help would help me sleep tonight.

Thank you sir(s) and ma'am(s).

8 Replies

Jouni Forss
VIP Alumni

Hi,

Well, generally I would have the ISP router/modem configured as a bridge device with no IP address at all and configure the public IP address assigned by the ISP directly on the ASA "outside" interface. If the ISP only provides you with DHCP IP addresses then you would need to configure the "outside" interface to get its IP address with DHCP rather than configure the IP statically.

Are you sure about the gateway address?

For the NAT configuration format we would need to know the device current software level which can be checked with the command

show version

I guess it would be easier to see the actual configurations of the ASA in their current form and then we could suggest what might need correcting or what you should check.

- Jouni

Sorry, I meant 192.168.1.200. The reason my IP addresses are off is because I changed them in haste for security.

I've been messing around with ASDM.

How do I get into the configuration with PuTTY?  It seems it blocks both Telnet and SSH.

Thanks.

Hi,

Telnet can be enabled with

telnet

Where you specify the source network from where the management connection is coming and also the interface behind which that network is located.

For SSH you need a similar configuration

ssh version 2

ssh

You might also need

ASA(config)# crypto key generate rsa modulus 1024

- Jouni

For and , am I fitting my DHCP pool in there?  For what shall I put in?

Doing this in sim(s) all seemed easy, whereas doing it in real life is harder.

Thanks.

Hi,

You can specify a single IP address or a complete network or a subnet in the command. It doesn't necessarily have to match the exact DHCP pool area.

To add a single internal IP address it could be

telnet 10.10.10.10 255.255.255.255 inside

To add a subnet it could be

telnet 10.10.10.0 255.255.255.0 inside

You can insert multiple lines of these commands for multiple IPs/networks/subnets

Same goes for SSH naturally.

- Jouni
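
An added example, not part of the original thread or any poster's configuration: the management-access commands from the replies above put together so that only SSH from one inside subnet is permitted. It reuses the sample subnet 10.10.10.0/24 from the reply; the username "admin", the password placeholder, the 10-minute timeout and the 2048-bit key size are assumptions made for this example.

```text
! Constructed example: restrict ASA management to SSH from the inside subnet.
! 10.10.10.0/24 is the sample subnet from the reply above; "admin" and the
! password placeholder are hypothetical.

! Host key for SSH. 2048 bits is chosen here instead of the 1024 in the thread.
crypto key generate rsa modulus 2048

! Local account and local authentication for SSH logins.
username admin password <STRONG-PASSWORD-PLACEHOLDER> privilege 15
aaa authentication ssh console LOCAL

! Allow SSH only from the inside management subnet, SSHv2 only.
ssh version 2
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 10

! Telnet is cleartext: remove any telnet permit line once SSH works.
no telnet 10.10.10.0 255.255.255.0 inside

! Verify what is allowed and who is connected.
show running-config ssh
show running-config telnet
show ssh sessions
```

With no `ssh` or `telnet` permit line matching the client's source address and interface, the ASA refuses the management connection, which matches the PuTTY behaviour described earlier in the thread.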

Also, within ASDM, how do policies differ from rules for NAT and ACLs?

They should all direct internal route to the outside interface IP address, correct?

Thanks.

Hi,

I am sorry but I am not sure I really understand the question.

With regard to routing and forwarding traffic, the ASA generally looks at its routing table, which can be viewed with the "show route" command. But the NAT configurations, especially in the 8.3 (and above) software levels, can override the routing table when the ASA is choosing the output/egress interface for the traffic.

- Jouni

Oh, so ASAs are unlike IOS routers for which you have to configure the routes manually?

ASAs are more automatic like the small home routers?

Thanks.
