01-24-2012 09:29 AM - edited 03-04-2019 03:00 PM
I have a Cisco 2621 with a WIC-1ADSL and I replaced my ISP's DSL router. Fa0/0 connects to a Cisco ASA-5505. WIC-1ADSL connects via Dialer interface to Frontier Communications. Works like a champ using IOS 12.3 (26).
I would like to connect a PC to the Fa0/1 port so that I can simulate testing so that the PC would appear as though it is the Internet. Currently, I have to go home and try things out on my home PC or from an Android cell phone (which with my age and eyesight, I have trouble reading the small text). I am not sure how to set the NAT statements but would assume that I can static map the single IP of the PC or the entire subnet of the interface? This is where I am unsure. I would like to be able to access the internet from this PC also and if something happens to it for not being behind a firewall, I will just reload it. It is just an old HP running WinXP.
Anyway, just wanted to test the VPN from the PC connected to the 2621 into my network which would look like:
PC
|
Fa0/1
|
Internet - ATM0/0 - 2621 - Fa0/0 - ASA5505 - InternalNetwork
Current config:
interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
interface ATM0/0
 description Physical DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 atm ilmi-keepalive
 dsl operating-mode auto
 pvc X/Y
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0/0
 ip address FrontierIP FrontierNetMask
 ip nat outside
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface FastEthernet0/1
 ip address 10.1.100.1 255.255.255.0
 ip nat inside
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username username@frontier.com password 7 <encrypted password>
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
The ultimate goal here is to get the VPN working on the ASA-5505 so that I can access my Cisco UC320W from home via VPN. I would also like the VPN to terminate client VPN (specifically Android via Android VPN) and Windows 7. Not sure if AnyConnect or IPSec/L2TP yet but looks like AnyConnect requires me to root my phone which won't happen because it voids the warranty of the phone. Side note: this is documented on Cisco's website but am probably not sure how Cisco would feel if another company's directions explicitly stated to void the warranty on a Cisco device, hmmm.
Anyone have any ideas on how to make this PC appear as though it is coming from the Internet and still have access to the Internet?
Thanks in advance.
01-25-2012 05:34 AM
Hi Todd,
** First of all, FastEthernet0/0 interface is supposed to be connected to the ASA firewall not Frontier. Well, that's what I understood by your problem description. So this interface should have ASA outside subnet and be "ip nat inside".
** Second, you can reach internet from the PC connected on Fa0/1 interface but I am not sure I understand by your statement "make this PC appear as though it is coming from the Internet". Are you looking to send traffic from this PC towards the ASA for testing? i.e. from Fa0/1 interface towards Fa0/0?
If yes, then it's more like a test environment that you want to create, so just give a public IP address, let's say 1.1.1.2/30, to the PC and assign 1.1.1.1/30 to Fa0/1 interface. You don't need to do any NAT for the traffic going from the PC to ASA and to your ASA it will look like the traffic is coming from a public IP.
** Now to make this PC go to internet as well through Dialer1, issue the config statements:
access-list 100 permit ip 1.1.1.0 0.0.0.3 any
ip nat inside source list 100 interface dialer1 overload
interface fa0/1
 ip nat inside
interface dialer1
 ip nat outside
** For hosting services like VPN (AnyConnect or RemoteAccess), you would need a public IP address from your ISP apart from the one being assigned to Dialer1 interface dynamically. Then you'll be configuring a static NAT mapping that public IP to ASA's outside interface which is going to act as the VPN end point.
Hope the above information helps
Neeraj
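The pieces of the answer above, assembled into one configuration fragment for the 2621. This is an added example for readers of the thread, not config posted by either participant. Assumptions, which are mine and not the thread's: 198.51.100.0/30 (RFC 5737 TEST-NET-2) stands in for the 1.1.1.0/30 in the answer, because 1.1.1.0/30 is a real routed prefix and a connected route to it on the router would shadow it; ACL 110 is an arbitrary number chosen because ACL 100 is already referenced by the uRPF line on Dialer1 in the posted config; and the ASA keeps its static Frontier address on the Fa0/0 subnet, as the original poster describes.

```cisco
! Added example (not from the thread). Assumed values: 198.51.100.0/30 for
! the test PC link, ACL 110 as an unused ACL number, FrontierIP/FrontierNetMask
! as in the posted config.
!
! Fa0/0 faces the ASA's outside interface. With it marked "ip nat inside",
! traffic from Fa0/1 to Fa0/0 is inside-to-inside and is not translated, so
! the ASA sees the PC's own 198.51.100.2 as the source address.
interface FastEthernet0/0
 ip address FrontierIP FrontierNetMask
 ip nat inside
!
! Fa0/1 faces the test PC. PC is 198.51.100.2/30 with gateway 198.51.100.1.
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 ip nat inside
 no cdp enable
!
! Dialer1 remains the only NAT outside interface, so only traffic that
! actually leaves toward the ISP is translated.
interface Dialer1
 ip nat outside
!
! Separate ACL for the NAT match. ACL 100 is already used by
! "ip verify unicast source reachable-via rx allow-default 100" on Dialer1;
! adding permit entries to it would also widen what uRPF lets in from the
! ISP side.
access-list 110 remark test-PC subnet eligible for PAT out Dialer1
access-list 110 permit ip 198.51.100.0 0.0.0.3 any
ip nat inside source list 110 interface Dialer1 overload
!
! Verification from exec mode (not configuration):
!  show ip route 198.51.100.2       - must show connected via FastEthernet0/1
!  show ip nat translations         - PC-to-Internet flows appear with the
!                                     Dialer1 address as "Inside global";
!                                     PC-to-ASA flows must not appear at all
```

If the ASA has any outside ACL that drops bogon or documentation ranges, the PC's packets will be discarded before the VPN is tested; pick a test range the ASA's policy does not filter, and remember the ASA needs a return path to that range, which here is simply its default route back to the 2621.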
01-25-2012 06:06 AM
Neeraj,
Thanks, that did it. Sorry for the confusion with the Frontier side of things. The outside interface of the ASA is a static Frontier IP and I replaced their crappy little DSL modem with the 2621 so it is "all" Frontier from the outside ASA. Actually, I had real issues with getting through my ASA and Frontier told me their device was just a DSL modem but upon further inspection, it is a Router too so I was getting blocked even before traffic hit my ASA. With the 2621, I now have full control.
I already have some static NAT on the ASA for some Cisco IP Cameras and a couple of other items that I needed access to from the outside. Now, I am getting a lot of these holes poked in my firewall and would rather close them up and use a VPN solution which the ASA already has built-in and I paid for the license if I remember correctly.
Now I can enable VPN and test within the confines of my own office and not have to run home to try things out!
Thanks much!
01-25-2012 06:09 AM
Glad to be of help!!
Don't forget to rate the post