Cisco ASA5505 - outside zone

JohnDbury71
Level 1

Hello everyone,

I don't understand how to use the outside zone with the Cisco ASA5505. If I create a VLAN for my modem and another for my LAN, I lose Internet access.

I saw in every manual / tutorial that it is better to have 2 distinct vlans for modem's side and LAN's side but I don't understand why, and how to make it work.

This configuration:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

is not working. But if I remove the command "switchport access vlan 2", I get my Internet access back.

Do you have any idea why, please?

Thanks

16 Replies

Seb Rupik
VIP Alumni

Hi John,

VLAN1 is the default VLAN. When you do not explicitly specify 'switchport access vlan 2', you have essentially put all of your ports in the same VLAN group, so traffic will flow happily between them.

I would recommend that you do not use VLAN1 as part of your design, especially in your case as the most secure VLAN!

Try the following config:

!
interface Vlan100
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface eth0/0
 switchport access vlan 2
!
interface eth0/1
 switchport access vlan 100
!

... also remove your vlan1 SVI config:

no interface vlan1

...plug your modem into eth0/0, and your PC/switch into eth0/1. By default traffic can flow from a high security VLAN to a lower one (100 -> 0). The VLAN number you choose here is arbitrary; it is the 'security-level x' applied to each VLAN SVI which is important.

From this point on you can now look at using ACLs to allow traffic to flow from the outside to the inside, or DMZ if you choose to have one.

cheers,

Seb.

I believe that the biggest issue with John's configuration is not the choice to use the default vlan 1 but is the choice to use the same network as seems to also be used by the modem. If John follows your advice and replaces vlan 1 with vlan 100 and continues to use 192.168.1.0 as his inside network then I believe that John will continue to have issues with Internet access.

HTH

Rick

Richard Burts
Hall of Fame

John

It sounds like the modem to which you connect your ASA is also using the network 192.168.1.0 which implies that it is also doing address translation for the traffic from your network going to the Internet. This does have implications for how you configure your ASA.

Perhaps it would be helpful to think about why it does not work when you put Ethernet 0/0 into vlan 2. In vlan 2 the interface will be assigned some address in 192.168.1.0 and the ASA will learn a default route that is most likely 192.168.1.1. All of the hosts connected to other ports of the ASA have addresses in 192.168.1.0 and will try to get to the default gateway of 192.168.1.1. Since they appear to all be in the same subnet they will ARP for the 192.168.1.1 address. But since they are in vlan 1 and the modem is in vlan 2 there will be no response to the ARP request and you have lost Internet access.

To give you good advice about how to configure your ASA we need to start by understanding what it is that you really want to do with the ASA. In its current configuration with all ports in vlan 1 and using network 192.168.1.0 you do have Internet access and the ASA is acting as a switch providing network connectivity to your hosts. But it will not be able to really function as a firewall. It will not be able to examine traffic from your hosts going to the Internet or traffic from the Internet going to your hosts. This is because your hosts will be communicating directly with the modem. If you want the ASA to really function as a firewall then you need to have the outside network be different from the inside network and you need all the traffic from your hosts to have to go through the ASA to get to the Internet.

HTH

Rick

Yes, the modem is acting as a router, DHCP server, NAT/PAT translator, etc. It's a box providing TV (but I don't need it), phone and Internet (via RJ45 and wifi).

I have this modem with IP address 192.168.1.1, and I would like to have the ASA as a firewall/router/DHCP server between the modem and the switch. If I have to do NAT/PAT and have a network like 10.0.0.0/24 behind the ASA, that's okay, but I'm not sure it would be useful.

My need is to control the local network; I don't want to depend on a modem provided by an ISP. I just want it as a gateway to the Internet.

Thanks

John

What you show in the drawing should be reasonable and should work. Can you show us how you were configuring it? With an appropriate DHCP pool/scope configured the ASA should provide addresses to the hosts. With an appropriate set of route commands it should function as the gateway for your hosts and forward their traffic to the modem.

If the modem is going to use address 192.168.1.1 for its connection to you, then I think that you will not be able to turn off its doing address translation. Whatever addressing you are using inside needs to be translated on its way out and the ASA does not have a public address to translate to. And if the modem expects to receive traffic with source addresses in the 192.168.1.0 network then probably you need to configure the ASA to translate the inside addresses (PAT using the ASA "outside" interface address) as it prepares traffic to be forwarded to the modem.

HTH

Rick

cadet alain
VIP Alumni

Hi,

To add to Richard's explanation, you could keep the same addressing on inside and outside using the ASA in transparent mode but if your modem is the DHCP server then you'll have to configure ACLs and apply them on inside and outside interfaces to let the DHCP requests and replies go through the appliance.

Regards

Alain

Don't forget to rate helpful posts.

I don't want the modem to be the DHCP server, but even if I execute the command "dhcpd address 192.168.1.10-192.168.1.40 inside", the ASA doesn't do anything.

When I deactivated the DHCP functionality from my modem, I had an IP like 169.41.x.x...

If I could have my modem just as a gateway, it would be perfect.

John

Depending on the model of the modem and the policies of the provider you might be able to change the modem configuration so that it does become a simple gateway to the Internet. Or you might need to work around what the modem is doing by changing the configuration of your ASA.

As I explained in my previous post the biggest issue is the choice of 192.168.1.0 as your inside network. Your inside network needs to be something different from the outside network, which is 192.168.1.0 unless the provider gives you the option to configure it to use something different. So the easy thing to do is for you to choose a different inside network. 192.168.2.0 should work just fine. And 10.0.0.0/24 would also work.

HTH

Rick

Thank you. I followed your advice. I can reach 10.0.0.1 if I force my IP to be in this network, but via DHCP I get an IP address like 192.168.1.x. So it seems that the modem is giving out the IP.

I can't access the Internet either. The ASA should be sending me an IP address, right? Why doesn't it work?

Here is my config:

ASA Version 8.2(5)
!
hostname Cisco-ASA-5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.254 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 10.0.0.10-10.0.0.40 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.42 /srv/tftp/cisco-rtr-01-config
webvpn
username admin password 4RdDnLO1w29lihWc encrypted
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3b61612a25ae3e376b2d7dafc627d96b
: end

John

Try adding the command dhcpd enable inside and let us know if it works better.

Also I notice this in the config

tftp-server inside 192.168.1.42 /srv/tftp/cisco-rtr-01-config

I am not sure where this comes from but it appears to reflect the original environment where you were trying to use 192.168.1.0 as the inside network. It probably needs to change to reflect the current use of 10.0.0.0/24.

HTH

Rick

Thank you Richard, it seems that my PCs are getting an IP address from the ASA.

But when I try to go to a website, I get the error message: unknown address. I think it's because my DNS servers are defined on the modem (we use the ISP's DNS). So should I copy the IP addresses of the ISP's primary and secondary DNS and configure them on the ASA? Do you know how I can do that, please?

Another thing is about static IP addresses. How can I give the same address from the DHCP pool to a MAC address?

Thanks

John

Hi,

Another thing is about static IP addresses. How can I give the same address from the DHCP pool to a MAC address?

You can't do manual binding for DHCP on an ASA.

But when I try to go to a website, I get the error message: unknown address.

You should configure your ISP DNS servers in your DHCP configuration on the ASA with the global config dhcpd dns command.

Regards

Alain 

Don't forget to rate helpful posts.

These commands made it work:

dhcpd dns interface inside

dhcpd update dns both override interface inside

Thanks for your help!
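As an added example (not from the thread, Cisco, or any poster), a small Python lint over an ASA 8.2 config that flags the issues Rick and Alain identified above: an inside subnet overlapping the outside subnet, a DHCP pool without dhcpd enable or dhcpd dns, and management/tftp lines still pointing at the old 192.168.1.0 subnet. The sample config is constructed from the address-related lines of the config posted earlier; the function and finding names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the address-related lines of the ASA 8.2(5) config posted
# in this thread (values unchanged), before dhcpd enable / dhcpd dns were added.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.1.254 255.255.255.0
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.0.0 255.255.255.0 inside
dhcpd address 10.0.0.10-10.0.0.40 inside
tftp-server inside 192.168.1.42 /srv/tftp/cisco-rtr-01-config
"""
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def svi_addresses(config):
    """Map each nameif to its static address; SVIs using 'ip address dhcp' are skipped."""
    out, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface block: forget the previous nameif
        elif (m := re.match(r"\s+nameif (\S+)", line)):
            nameif = m.group(1)
        elif nameif and (m := re.match(rf"\s+ip address {IPV4} {IPV4}", line)):
            out[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return out

def lint_asa(config):
    """Return [(code, detail)] for the mistakes this thread walked through."""
    findings, svis = [], svi_addresses(config)
    inside, outside = svis.get("inside"), svis.get("outside")
    if inside and outside and inside.network.overlaps(outside.network):
        # Rick's point: hosts ARP for the gateway locally and bypass the ASA
        findings.append(("OVERLAP", f"inside {inside.network} overlaps outside {outside.network}"))
    if inside and (m := re.search(rf"^dhcpd address {IPV4}-{IPV4} inside", config, re.M)):
        if any(ipaddress.ip_address(a) not in inside.network for a in m.groups()):
            findings.append(("POOL", "dhcpd pool lies outside the inside subnet"))
        if not re.search(r"^dhcpd enable inside", config, re.M):
            findings.append(("NO_DHCPD_ENABLE", "pool defined but dhcpd is not enabled on inside"))
        if not re.search(r"^dhcpd dns ", config, re.M):
            findings.append(("NO_DNS", "clients get an address but no resolver (unknown address)"))
    for line in config.splitlines():  # management/tftp lines still pointing at the old subnet
        if inside and line.split(" ")[0] in ("http", "ssh", "tftp-server") and " inside" in line:
            if (a := re.search(IPV4, line)) and ipaddress.ip_address(a.group(1)) not in inside.network:
                findings.append(("STALE", line.strip()))
    return findings
```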

Hi,

Are the hosts getting these DNS servers? ---> ipconfig /all

Can you do an nslookup google.com on a host and post the output?

EDIT: glad you could make it work

Regards

Alain

Don't forget to rate helpful posts.