Cisco Support Community

New Member

Beginner ASA5500 setup help.

I hate to be that guy begging for help, but this is absolutely the first time I have worked on firewalling & routing at all, so I guess it is what it is. Please forgive my excessive lack of knowledge on the subject. I have an ASA5505 that I am having a difficult time getting to do what I want.

If I turn the DHCP server on in my ISP router and plug a single workstation into the ASA, where the workstation receives a DHCP address from the firewall (or any combination of static IP addresses within this range, so long as the inside interface is not changed from the default 192.168.x.x), the out-of-the-box config will work and the workstation can access the internet in this manner:

ISP router -> ASA -> workstation.

In this scenario the ISP router is performing the NAT from internal to public IP.


As soon as I start doing anything else to try to configure the device to fit into my internal IP scheme, nothing works right. I am trying to reconfigure the "inside" interface to the IP addressing scheme I already have set up and set the outside interface to something between the ASA and the ISP router. A simple single switched internal network gaining internet access.

I could just reconfigure my DHCP server to make everything inside work with the Cisco out-of-the-box config, or let the ASA do the DHCP for the network, but at this point I want to actually learn how to manipulate this device correctly.

I've found a basic config guide from Cisco and the network diagram here is pretty much what I want:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094768.shtml#configs
http://www.cisco.com/image/gif/paws/10136/19a_update.gif

I have set the firewall up this way on a couple of occasions with no success thus far.

Do I need to set up the ISP router in a pass-through mode and let the ASA do the NAT translation? Is there something else I am missing?

Any help is appreciated.

thanks

McIver

  • Firewalling
17 REPLIES
New Member

Re: Beginner ASA5500 setup help.

Hi ,

I would say that you can do a clear config all on the ASA,

save it and reload the ASA.

One interface on ASA can be in server mode or client mode for DHCP

If you want to use your ISP router to provide IP addresses to the internal clients, then you need to configure DHCP relay:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1041663

Here is the link.

Now after you do all that you need to configure a simple translation rule for your inside network as well.

Since you are using ASA5505 please take care of the VLAN concept and adhere to the license feature installed.

New Member

Re: Beginner ASA5500 setup help.

I don't want either of them providing DHCP. I have a DHCP server set up on my internal network.

Since my OP I have been able to configure both my internal and external interfaces with static IPs, and I can connect to the internet with all my servers that have static IP configurations.

Currently none of my workstations that use my internal DHCP server will connect to any part of the network; they will not log into Active Directory or access the internet. They act as normal if I log in locally and configure a static IP, DNS and default gateway.

This must have something to do with the way I am handling DHCP across the firewall? Or do I need to give a static route or an entry in the ACL?

I've got a static route for my inside interface 0.0.0.0 0.0.0.0.

New Member

Re: Beginner ASA5500 setup help.

Hi ,

So you have an internal DHCP server.

Are your DHCP server and the clients behind the same interface or in the same VLAN?

If yes, then are the clients able to get the IP address and other parameters from the DHCP server?

New Member

Re: Beginner ASA5500 setup help.

svaish wrote:

Hi ,

So you have an internal DHCP server.

Are your DHCP server and the clients behind the same interface or in the same VLAN?

If yes, then are the clients able to get the IP address and other parameters from the DHCP server?

Yes, the clients and DHCP server are behind the same interface, my "inside" interface. Currently the DHCP clients are not able to receive the proper information from the server. When manually configured they work and access the internet just fine.

New Member

Re: Beginner ASA5500 setup help.

Hi,

So if the IP address assignment process is going through the firewall, then we need to check this on the ASA.

So is the DHCP request and reply going through the firewall, or is it going through some router on the internal network?

If the request and reply are not going through the firewall, then it is not a problem with the firewall at all.

Let me know if the request or reply is going through the firewall or not.

New Member

Re: Beginner ASA5500 setup help.

The request/reply should not be going through the firewall. I have the network configured like it is pictured in the graphic in my first post, with an internal router in between the Cisco device and my internal clients.

That is why I am puzzled. As soon as I got everything set up with in and out access to my servers, my workstations would no longer receive DHCP data, but I've made no changes to the router....

New Member

Re: Beginner ASA5500 setup help.

Kyle,

please post your config.

Have you turned off DHCP within the ASA?

I guess the inside interface IP is set within the DHCP reservation list on your DHCP server?

I wouldn't think you would need to worry about ACLs for the DHCP request and reply.

The ASA config would be a great help.

thanks

New Member

Re: Beginner ASA5500 setup help.

solpandor wrote:

Kyle,

please post your config.

Have you turned off DHCP within the ASA?

I guess the inside interface IP is set within the DHCP reservation list on your DHCP server?

I wouldn't think you would need to worry about ACLs for the DHCP request and reply.

The ASA config would be a great help.

thanks

solpandor,

I have turned off DHCP within the ASA and the inside interface IP is within the DHCP reservation list on my DHCP server. Below is my running configuration.

thanks for the help.

Kyle

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.3.254 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c78aad4983316f1ac1f4e22fd4ff5f6e
: end
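Before treating the posted config as the cause, a practitioner would first establish whether DHCP traffic ever touches the ASA. The following is an added example, not part of Kyle's post or of any Cisco document: an access-list based capture on the inside interface, plus the show commands that reveal the ASA's own DHCP roles. The access-list and capture names, the client address 10.10.1.50 and the destination 8.8.8.8 are constructed for illustration.

```cisco
! Added example, not from the thread. Capture DHCP on the inside
! interface to see whether the ASA is part of the exchange at all.
! DHCP-CAP and dhcpin are constructed names.
access-list DHCP-CAP extended permit udp any eq 68 any eq 67
access-list DHCP-CAP extended permit udp any eq 67 any eq 68
capture dhcpin access-list DHCP-CAP interface inside
!
! Now release/renew on a workstation, then inspect the capture.
! With clients and server on the same inside segment, expect no
! packets: the ASA never sees the broadcast, so it cannot be
! blocking it and the problem is on the internal router/switch side.
show capture dhcpin
!
! Clean up the capture and the temporary access-list.
no capture dhcpin
clear configure access-list DHCP-CAP
!
! Confirm the ASA is neither serving nor relaying DHCP on inside.
show dhcpd state
show dhcprelay state
show running-config dhcpd
!
! Walk the data path for a statically addressed client (assumed
! 10.10.1.50) to a public host (assumed 8.8.8.8); the output shows
! the route lookup and the nat/global translation being applied.
packet-tracer input inside tcp 10.10.1.50 1025 8.8.8.8 80 detailed
```

The posted config also still carries `http 192.168.1.0 255.255.255.0 inside` from the factory defaults; once the inside network is 10.10.1.0/24 that entry no longer matches anything and is best removed so management access is limited to the real inside subnet.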
New Member

Re: Beginner ASA5500 setup help.

All I have done thus far from the out-of-the-box config is the following:

1) Set a static IP on the outside interface

2) Add a static route for the outside interface of 0.0.0.0 0.0.0.0 with the internal IP of my ISP's router

3) Change the inside interface IP to a static IP address on my private network & add that network to the device access list

At that point I solved my original problem of not being able to reach the internet from my private network. At that time I learned that anything on my network that was supposed to receive a DHCP assignment was not contacting the server and needed to be manually configured.
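The three steps Kyle lists, together with the translation rule and DHCP relay advice in svaish's first reply, come down to a short ASA 7.2 configuration. The following is an added example written for this thread, not Kyle's config or Cisco's sample, using the addressing already visible in the posted running configuration. The ISP router's inside address 10.10.3.254 is taken from Kyle's route statement; the DHCP server address 10.10.1.5 and the "dmz" interface in the commented relay section are assumed for illustration.

```cisco
! Added example, not from the thread. Minimal ASA 7.2 config for
! ISP router -> ASA -> internal network, with NAT on the ASA.
!
! Step 3: inside interface on the existing private network
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.10 255.255.255.0
!
! Step 1: outside interface on the transit network to the ISP router
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! Step 2: default route toward the ISP router (10.10.3.254 from the
! posted config; metric 1 is the default, the posted config used 2)
route outside 0.0.0.0 0.0.0.0 10.10.3.254 1
!
! Translation rule: PAT the inside network to the outside interface
! address. The ISP router then NATs 10.10.3.1 again to the public IP,
! so this is double NAT; fine for outbound access, but anything that
! must be reachable from the internet needs a static on both boxes.
global (outside) 1 interface
nat (inside) 1 10.10.1.0 255.255.255.0
!
! Make sure the ASA is not also handing out leases on inside.
no dhcpd enable inside
!
! DHCP relay only matters when clients sit on a different ASA
! interface than the server. With clients and server both on inside,
! their broadcasts never reach the ASA and relay is not needed.
! For a hypothetical "dmz" interface holding clients it would be:
! dhcprelay server 10.10.1.5 inside
! dhcprelay enable dmz
! dhcprelay setroute dmz
!
! Management (ASDM) access from the real inside subnet only;
! the factory 192.168.1.0/24 entry is dropped.
http server enable
http 10.10.1.0 255.255.255.0 inside
```

Because the inside interface has security-level 100 and outside has 0, the ASA permits inside-to-outside traffic without an access-list by default, which is why Kyle's statically addressed servers reach the internet with nothing more than the route and the nat/global pair; DHCP between hosts on the inside segment is switched locally and is not something this config can block or allow.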
