Cisco Support Community
New Member

Gateway on ASA 5520

Hi ,

I recently purchased an ASA 5520 and am trying to configure the WAN interface. As I understand it, gigabit ethernet 0/0 is used for the WAN (outside). Can you please confirm that?

I also want to assign the WAN interface the gateway (the ISP's router), as you would to access the internet. What are the steps to do this? I looked in ASDM and could not find it, so I am guessing this has to be done from the command line. I have already configured DNS in the startup wizard; do I need to do anything else to get access to the internet from the inside network (gigabit ethernet 0/1)?

My GW IP: 213.129.76.222 (ISP router)

My IP address: 213.129.76.193 255.255.255.224

I need the internal network (172.16.1.0, 255.255.255.0) to access the internet.

ASA Version 8.2(1)
!
hostname DBFWNODE1
enable password LGm889R5.tVRN3aF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 213.129.76.193 255.255.255.224
!
interface GigabitEthernet0/1
nameif Production-Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Production-Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Production-Inside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 213.129.65.53 213.129.94.10 interface management
dhcpd auto_config Production-Inside interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:942c262592cba99bc768d918940d3993
: end
DBFWNODE1(config-if)#

Many Thanks

7 REPLIES
Hall of Fame Super Blue

Re: Gateway on ASA 5520

You can use gi0/0 for WAN if you want, no problem.

Not familiar with ASDM but to add your default-route from CLI -

route outside 0.0.0.0 0.0.0.0

Edit - you already have this in your config -

route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1

so not sure what you are asking.

Jon

New Member

Re: Gateway on ASA 5520

Hi Jon ,

Thanks for the reply. My question is: do I need to allow an access rule for my 172.16.1.0/24 to access the internet? Also, what are the commands to configure DNS settings for the WAN interface 0/0?

Many Thanks

Cisco Employee

Re: Gateway on ASA 5520

Rabih,

Your management interface is only configured for management-only access.

So all you need are the following lines for the Production-Inside network to go out to the internet:

global (Outside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0

You can remove these lines:

conf t
no global (Production-Inside) 101 interface
no nat (management) 101 0.0.0.0 0.0.0.0

-KS

New Member

Re: Gateway on ASA 5520

Thanks for the reply. Does that mean that every network on the inside interface ethernet 0/1 will have access to the outside (i.e. the internet)?

Also, if I have multiple VLANs, how do I handle this? Let's say I have VLAN 100 and VLAN 200 (different networks) connected to the ASA via ethernet 0/1. How do I allow access from these VLANs to the internet? Do I need to create sub-interfaces?

VLAN 100 network : 172.16.1.0 /24

GW for Vlan 100: 172.16.1.254 /24

VLAN 200: 192.168.74.0/24

GW for Vlan 200: 192.168.74.1

Many Thanks

Cisco Employee

Re: Gateway on ASA 5520

That is correct. All networks that live behind this Production-Inside interface will have internet access.

You just need a route added on the firewall:

route Production-Inside 192.168.74.0 255.255.255.0 172.16.1.254

-KS

New Member

Re: Gateway on ASA 5520

What are the commands to configure the ISP DNS settings on the WAN interface, please?

Cisco Employee

Re: Gateway on ASA 5520

What is the reason for this?

You want the firewall to be able to resolve yahoo.com and google.com?

You already have dhcpd configured for the management interface:

dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 213.129.65.53 213.129.94.10 interface management
dhcpd auto_config Production-Inside interface management
dhcpd enable management

For the hosts behind the management interface to work, you need to remove this line from the management interface:

interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only   <-- remove this line. This only allows management traffic TO the box, not THROUGH the box.

conf t

int m0/0

no management-only

Also, you need to make sure the nat line is there:

nat (management) 101 192.168.1.0 255.255.255.0

-KS
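An added example, not part of the thread: a small Python checker that applies the review KS gives above to the pasted 8.2-style config, flagging a global on a security-100 interface, a nat statement on a management-only interface, and a missing default route. The config excerpt is constructed from the question's running-config (ip address lines dropped) and the function names are my own.

```python
import re
# Constructed excerpt of the ASA 8.2 config from the question (ip address lines dropped).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface GigabitEthernet0/1
 nameif Production-Inside
 security-level 100
interface Management0/0
 nameif management
 security-level 100
 management-only
global (Outside) 101 interface
global (Production-Inside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1
"""

def parse_interfaces(cfg):
    """Map nameif -> {'security': int, 'management_only': bool}."""
    ifaces, cur = {}, None
    for s in (l.strip() for l in cfg.splitlines()):
        if s.startswith("interface "):
            cur = {"security": None, "management_only": False}
        elif cur is None:
            continue
        elif s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif s.startswith("security-level "):
            cur["security"] = int(s.split()[1])
        elif s == "management-only":
            cur["management_only"] = True
    return ifaces

def audit_nat(cfg):
    """Findings a reviewer would raise for pre-8.3 'global'/'nat' lines."""
    ifaces, findings = parse_interfaces(cfg), []
    for name, nat_id in re.findall(r"^global \((\S+)\) (\d+) ", cfg, re.M):
        # 'global' only matters on the exit interface; on a security-100 inside it is dead
        if ifaces.get(name, {}).get("security") == 100:
            findings.append(f"global on inside interface {name} (id {nat_id}) is unnecessary")
    for name, _ in re.findall(r"^nat \((\S+)\) (\d+) ", cfg, re.M):
        # a management-only interface passes no through-traffic, so nat there has no effect
        if ifaces.get(name, {}).get("management_only"):
            findings.append(f"nat on management-only interface {name} has no effect")
    if not re.search(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", cfg, re.M):
        findings.append("no default route configured")
    return findings
```

Re-running the audit after `no management-only` on Management0/0 drops the second finding, which matches the later advice in this reply that the nat line then belongs.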
