10-07-2013 08:01 PM - edited 03-11-2019 07:48 PM
I have pulled my ASA5505 out of my internal network, after hearing that ASA needs direct WAN ip access to have VPN running. (at least for novice/freshmen like new CCNAs like me).
ASA5505 has direct WAN mapping now and has a non-private IP address.
I'm struggling to have devices connected to ASA5505 have connection to the internet.
The ISP router has address of 97.24.221.35 and default gateway of 97.24.220.0.
ISP router's internal address is 192.168.1.255. In the ISP router configuration, I can have one of its ports work as a bridge, instead of giving a DHCP address to my ASA.
What address should the ASA get assigned? Its current internal IP is default at 192.168.1.1.
(IP addresses here might be a bit off as I changed them in haste for security).
What about the NATs? and ACLs?
Your help would help me sleep tonight.
Thank you sir(s) and ma'am(s).
10-07-2013 11:21 PM
Hi,
Well, generally I would have the ISP router/modem configured as a bridge device with no IP address at all and configure the public IP address assigned by the ISP directly on the ASA "outside" interface. If the ISP only provides you with DHCP IP addresses, then you would need to configure the "outside" interface to get its IP address with DHCP rather than configure the IP statically.
Are you sure about the gateway address?
For the NAT configuration format we would need to know the device current software level which can be checked with the command
show version
I guess it would be easier to see the actual configurations of the ASA in their current form and then we could suggest what might need correcting or what you should check.
- Jouni
10-08-2013 06:43 AM
Sorry I meant 192.168.1.200. The reason my ip addresses are off is because I changed them in haste for security.
I've been messing around with ASDM.
How do I get into the configuration with PuTTY? It seems it blocks both Telnet and SSH.
Thanks.
10-08-2013 07:00 AM
Hi,
Telnet can be enabled with
telnet <source network> <mask> <interface>
Where you specify the source network from where the management connection is coming and also the interface behind which that network is located.
For SSH you need a similar configuration
ssh version 2
ssh <source network> <mask> <interface>
You might also need
ASA(config)# crypto key generate rsa modulus 1024
- Jouni
10-08-2013 07:17 AM
For
Doing this in sim(s) all seemed easy; doing it in real life is harder.
Thanks.
10-08-2013 08:32 AM
Hi,
You can specify a single IP address or a complete network or a subnet in the command. It doesn't necessarily have to match the exact DHCP pool area.
To add a single internal IP address it could be
telnet 10.10.10.10 255.255.255.255 inside
To add a subnet it could be
telnet 10.10.10.0 255.255.255.0 inside
You can insert multiple lines of these commands for multiple IPs/networks/subnets
Same goes for SSH naturally.
- Jouni
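Added example, not part of the thread or of any Cisco tooling: a small audit of the `telnet`/`ssh` source lines in the form shown above (address, mask, interface), flagging cleartext Telnet, any-source rules and management allowed from an interface outside a trusted list. The sample configuration is constructed, and the trusted interface list and the size threshold are assumptions.

```python
import ipaddress
import re

# Constructed sample config (not from the thread); addresses are illustrative.
SAMPLE_CONFIG = """\
telnet 10.10.10.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssh 10.10.10.10 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
telnet timeout 5
"""

# Matches "<telnet|ssh> <address> <mask> <interface>" only.
MGMT_LINE = re.compile(
    r"^(telnet|ssh)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")

def audit_mgmt_access(config, trusted_ifaces=("inside",), max_hosts=256):
    """Return (line, [findings]) for each telnet/ssh source rule in config."""
    results = []
    for raw in config.splitlines():
        line = raw.strip()
        m = MGMT_LINE.match(line)
        if not m:
            continue  # skips "ssh version 2", "telnet timeout 5", etc.
        proto, addr, mask, iface = m.groups()
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            results.append((line, ["unparseable address or mask"]))
            continue
        findings = []
        if proto == "telnet":
            findings.append("telnet is cleartext; prefer ssh")
        if net.prefixlen == 0:
            findings.append("source is any address")
        elif net.num_addresses > max_hosts:  # assumed threshold
            findings.append(f"large source range ({net.num_addresses} addresses)")
        if iface not in trusted_ifaces:  # assumed trusted interface names
            findings.append(f"management allowed from interface '{iface}'")
        results.append((line, findings))
    return results

if __name__ == "__main__":
    for line, findings in audit_mgmt_access(SAMPLE_CONFIG):
        print(f"{'WARN' if findings else 'ok  '} {line}")
        for finding in findings:
            print(f"       - {finding}")
```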
10-08-2013 11:36 AM
Also, within ASDM, how do policies differ from rules? for NAT and ACLs.
They should all direct internal route to the outside interface IP address, correct?
Thanks.
10-08-2013 12:28 PM
Hi,
I am sorry but I am not sure I really understand the question.
With regard to routing and forwarding traffic, the ASA generally looks at its routing table, which can be viewed with the "show route" command. But the NAT configurations, especially in the 8.3 (and above) software levels, can override the routing table when the ASA is choosing the output/egress interface for the traffic.
- Jouni
10-08-2013 02:08 PM
Oh, so ASAs are unlike IOS routers for which you have to configure the routes manually?
ASAs are more automatic like the small home routers?
Thanks.