Install transparent ASA into existing network with public IPs

Carlomd
Level 1

Hi all, I'm trying to find the best approach on getting my ASA to replace our Juniper. We have public IPs from our ISP, and it's set to NAT the gateway and MIP the inside IPs to outside public IPs.

I tried hooking up the ASA to the leased router and added my inside rules to be accessed from outside, but I'm not able to get to the web or ping. I read that NAT is not needed on the ASA in transparent mode, though it's possible, but in my setup with our ISP I may need to use NAT, or could I do away with it? What would be my best option to get this set up? Any samples or links would be great.

Thanks,

Carlo

35 Replies

Sorry, I did not get the concept; maybe you could explain this a bit better.

Value our effort and rate the assistance!

Jumora, here's a sample setup:

Old firewall (untrust = 12.1.1.1): the IP of the leased router (this was the outside IP gateway, I think; I can't see it in the router since it's not managed by us, but it's NAT'd to our internal gateway IP) > (trust = 101.2.2.2): this is our internal gateway IP.

That's the current setting in the Juniper.

So on the ASA, the new config for NAT would be

nat (inside,outside) static mygateway - then we can still use 101.2.2.2 as the gateway. I think this is what I'm missing to get an open connection to the outside.

I get you. Yeah, NAT, go for it, so that the upstream router can add it to the ARP table. Also add the routes that Julio mentioned for routing.

Value our effort and rate the assistance!

Hi guys, so I went and put my route to outside pointing to my ISP's router gateway, as well as NAT, but somehow I can't ping. Here's my edited run-config. Let me know what I'm missing, thanks.

Give me logs; I need to see logs to see what the ASA is indicating.

Value our effort and rate the assistance!

Here's my sh logging output. I can't get the whole log to show in PuTTY, but these are focused on the BVI int; it seems to show a bunch of errors or teardowns that I also see when looking at the ASDM latest syslog messages. I added a simple network topology diagram. Any help would be great.

Were you able to look into my logs? Is there any other way to see what's happening to the traffic inside the ASA besides logs?

What address were you trying to reach?

Value our effort and rate the assistance!

I'm trying to get traffic to go through the ASA, inside to outside. Here's what my Juniper's route config looks like compared to the ASA. I know it's something with the route, because as soon as I plugged the ASA into the ISP's router, which is an outside public IP, it stopped letting traffic through. I added a route from some config samples I've read around the forum that I thought would work just by changing the IPs, but to no avail. Hopefully these configs will tell you something that's missing on the ASA.

ASA

interface Ethernet0/0

nameif outside

bridge-group 1

security-level 0

!

interface Ethernet0/1

nameif inside

bridge-group 1

security-level 100

!

interface Ethernet0/2

shutdown

no nameif

no security-level

!

interface Ethernet0/3

shutdown

no nameif

no security-level

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface BVI1

ip address 208.x.x.11 255.255.255.0

!

boot system disk0:/asa912-8-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 208.x.x.12

domain-name domain.com

object network cirexxintl

host 208.x.x.85

object network cirexxintldc

host 208.x.x.12

object network crxmail

host 208.x.x.3

object network att

host 12.x.x.33

object network int-gateway

host 208.x.x.1

object-group protocol TCP_UDP

description Grouping of TCP and UDP protocols

protocol-object tcp

protocol-object udp

object-group service All-service

service-object gre

service-object icmp echo

service-object tcp destination eq www

service-object udp destination eq domain

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

service-object tcp destination eq domain

object-group network internal-servers

network-object object cirexxintl

network-object object cirexxintldc

network-object object crxmail

access-list inside_access_out extended permit object-group All-service object-group internal-servers any

access-list inside_access_out extended permit object-group TCP_UDP object-group internal-servers any

pager lines 24

arp timeout 14400

no arp permit-nonconnected

access-group inside_access_out out interface inside

object network int-gateway

nat (inside,outside) static att

route outside 0.0.0.0 0.0.0.0 12.x.x.33 1

Juniper

ns25-> get route

IPv4 Dest-Routes for (0 entries)

--------------------------------------------------------------------------------

H: Host C: Connected S: Static A: Auto-Exported

I: Imported R: RIP P: Permanent D: Auto-Discovered

iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1

E2: OSPF external type 2

IPv4 Dest-Routes for (4 entries)

--------------------------------------------------------------------------------

ID IP-Prefix Interface Gateway P Pref Mtr Vsys

--------------------------------------------------------------------------------

* 1 208.x.x.0/24 eth1 0.0.0.0 C 0 0 Root

* 4 12.x.x.34/32 eth3 0.0.0.0 H 0 0 Root

* 3 12.x.x.32/27 eth3 0.0.0.0 C 0 0 Root

* 2 208.x.x.1/32 eth1 0.0.0.0 H 0 0 Root

ns25-> get route source

S: Static P: Permanent

Src-Routes for (1 entries)

--------------------------------------------------------------------------------

ID IP-Prefix Interface Gateway P Pref Mtr Vsys

--------------------------------------------------------------------------------

* 1 208.x.x.0/24 eth3 12.x.x.33 S 20 1 Root

arp permit-nonconnected

Value our effort and rate the assistance!

Why this route?

route outside 0.0.0.0 0.0.0.0 12.x.x.33 1

If your BVI has an IP of

interface BVI1

ip address 208.x.x.11 255.255.255.0

Value our effort and rate the assistance!
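The route question raised above (a next hop that is not on the BVI subnet) and the earlier NAT question are both things a config linter can catch before the box goes in line. The script below is an added example, not code from this thread or from Cisco; it parses the few statements that matter for a transparent-mode ASA and reports the same classes of problem. Both configs are constructed with RFC 5737 documentation addresses: the "broken" one mirrors the shape of the posted config (BVI in one /24, default route pointing at a gateway in another block, NAT, ACL applied `out` on inside); the "fixed" one assumes the ISP router has an address on the bridged segment (203.0.113.1 is an assumption) and applies the ACL inbound on inside.

```python
"""Lint an ASA transparent-mode (bridge-group) config for the mistakes
discussed in this thread: a route whose next hop is off the BVI subnet,
NAT statements that transparent mode does not need, and an ACL applied
in the 'out' direction. Added example, not from the thread; addresses are
constructed from the RFC 5737 documentation ranges."""
import ipaddress

# Constructed: same shape as the posted config (BVI in one /24, route
# pointing at an ISP gateway in a different block).
BROKEN_CONFIG = """\
firewall transparent
interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
interface Ethernet0/1
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 203.0.113.11 255.255.255.0
object network internal-servers
 subnet 203.0.113.0 255.255.255.0
nat (inside,outside) source dynamic any internal-servers
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 198.51.100.33 1
"""

# Constructed: next hop is the ISP router's address on the bridged
# segment (assumed 203.0.113.1), no NAT, ACL applied inbound on inside.
FIXED_CONFIG = """\
firewall transparent
interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
interface Ethernet0/1
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 203.0.113.11 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""


def parse_config(text):
    """Pull out only the statements the checks need."""
    cfg = {"transparent": False, "bvi": None, "routes": [], "nat": [], "acls": []}
    in_bvi = False
    for raw in text.splitlines():
        if raw and not raw[0].isspace():
            in_bvi = raw.startswith("interface BVI")  # track BVI sub-mode
        line = raw.strip()
        parts = line.split()
        if line == "firewall transparent":
            cfg["transparent"] = True
        elif in_bvi and line.startswith("ip address "):
            cfg["bvi"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif line.startswith("route "):
            cfg["routes"].append({
                "iface": parts[1],
                "dest": ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"),
                "gateway": ipaddress.IPv4Address(parts[4]),
            })
        elif line.startswith("nat ("):
            cfg["nat"].append(line)
        elif line.startswith("access-group "):
            cfg["acls"].append({"name": parts[1], "direction": parts[2], "iface": parts[4]})
    return cfg


def check_config(text):
    """Return findings as 'LEVEL: message' strings; ERROR means traffic will not flow."""
    cfg = parse_config(text)
    if not cfg["transparent"]:
        return ["ERROR: 'firewall transparent' not set; these checks apply to bridge-group mode only"]
    bvi = cfg["bvi"]
    if bvi is None:
        return ["ERROR: BVI has no IP address; the ASA needs one in the bridged subnet"]
    findings = []
    for r in cfg["routes"]:
        if r["gateway"] not in bvi.network:
            findings.append(
                f"ERROR: route {r['dest']} via {r['gateway']} on {r['iface']}: next hop is not in "
                f"the BVI subnet {bvi.network}; a transparent ASA has no routed interfaces, so the "
                f"gateway must sit on the bridged segment")
    for nat in cfg["nat"]:
        findings.append(
            f"INFO: '{nat}': NAT is optional in transparent mode; hosts keep their public "
            f"addresses and the upstream router ARPs for them straight through the bridge")
    for acl in cfg["acls"]:
        if acl["direction"] == "out":
            findings.append(
                f"WARN: {acl['name']} is applied 'out' on {acl['iface']}: it filters traffic "
                f"leaving {acl['iface']} toward its hosts, not what those hosts send; confirm "
                f"the ACL's source addresses are the far-side addresses")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in check_config(cfg_text) or ["OK: no findings"]:
            print(finding)
```

Run it against a `show run` saved to a file by swapping the constructed strings for the file contents; the ERROR on the route is the one that explains "can't ping": in transparent mode the ASA can only hand traffic to a next hop it can ARP for on the bridged segment, so the gateway in the `route` line must belong to the BVI's own subnet.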

It worked when I had it set up in the lab inside my internal network, when all the IPs were the same, but as soon as I plugged it into the actual ISP router it stopped working; that's why I was looking at either routing or NAT. I read you're supposed to set a route if you have an external IP, like for example a modem or router, and point it to your outside int facing the router. One thing I noticed when I connect to the router: under Monitoring and then Routing, it shows the connected outside route for the ISP. Still can't ping or browse though.

Hello,

Can you provide us the updated config?

I will take a look at it as soon as you do.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here you go,

crxasa# sh run

: Saved

:

ASA Version 9.1(2)8

!

firewall transparent

hostname crxasa

domain-name domain.com

enable password jtiwndTuzIDdTcxA encrypted

names

!

interface Ethernet0/0

nameif outside

bridge-group 1

security-level 0

!

interface Ethernet0/1

nameif inside

bridge-group 1

security-level 100

!

interface Ethernet0/2

shutdown

no nameif

no security-level

!

interface Ethernet0/3

shutdown

no nameif

no security-level

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface BVI1

ip address 208.x.x.11 255.255.255.0

!

boot system disk0:/asa912-8-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 208.x.x.12

domain-name domain.com

object network cirexxintl

host 208.x.x.85

object network cirexxintldc

host 208.x.x.12

object network crxmail

host 208.x.x.3

object network gateway

host 12.x.x.34

object-group protocol TCP_UDP

description Grouping of TCP and UDP protocols

protocol-object tcp

protocol-object udp

object-group service All-service

service-object gre

service-object icmp echo

service-object tcp destination eq www

service-object udp destination eq domain

service-object tcp destination eq https

service-object tcp destination eq pop3

service-object tcp destination eq smtp

service-object tcp destination eq domain

object-group network internal-servers

network-object object cirexxintl

network-object object cirexxintldc

network-object object crxmail

access-list inside_access_out extended permit object-group All-service object-group internal-servers any

access-list inside_access_out extended permit object-group TCP_UDP object-group internal-servers any

pager lines 24

logging enable

logging buffer-size 1048576

logging buffered debugging

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

arp permit-nonconnected

nat (inside,outside) source dynamic any internal-servers

access-group inside_access_out out interface inside

route outside 0.0.0.0 0.0.0.0 12.x.x.33 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 15

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username admin password 571.UcWz1aqKyGh3 encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:38c3e7a94d8863770e325b9dcc564360

: end

crxasa#

Hi carlo,

How's everything going, buddy?

Man, are all of the inside hosts on the network 208.x.x.0/24?

Rate all of the helpful posts!!!

Regards,

Jcarvaja
