topic Re: ASA 5510 home lab in Network Security

ASA 5510 home lab

WannaB — Fri, 21 Feb 2020 14:20:22 GMT

New to ASA Firewall. Trying to setup a home lab following a Microsoft guide. I have one network that is using AT&T ARRIS NVG599 and I have my home lab network using a Dell server with VMWARE installed that has 2 NIC cards, one NIC card goes to the ARRIS and the other NIC card is used to support my home lab. The 2 NIC card goes to the Inside interface of the ASA firewall.. The outside interface of the ASA Firwall goes to the ARRIS

The problem that I'm having is that I cannot seem to get from my home lab network to any outside IP address whether its a local IP Address or if its a site on the internet through the ARRIS. I have attached a .pdf file to help explain my setup. I have a AT&T Modem ARRIS NVG599 that servers as my main network and hands out 10.10.1.0.

My ASA has the outside interface set to 10.10.1.111 255.255.255.0

My ASA has the inside interface set to 10.0.0.111 255.255.255.0

MY home lab network is 10.0.0.0 \24

My ARRIS network is 10.10.1.0 \24

I used the below example to setup NATING

The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of outside addresses 10.2.2.1 through 10.2.2.10:

hostname(config)# object network my-range-obj

hostname(config-network-object)# range 10.2.2.1 10.2.2.10

hostname(config)# object network my-inside-net

hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0

hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj

AND I used 0 0 outside 10.1.1.111 to set the defaut route.

Re: ASA 5510 home lab

Flavio Miranda — Thu, 21 Sep 2017 04:32:43 GMT

Hello,

I have found your configuration a bit confuse. If your home lab has network 10.0.0.0 \24, your IP range must go from 10.0.0.1 up to 10.0.0.254.

I think this should be enough to access the internet.

route outside 0.0.0.0 0.0.0.0 "IP ARRIS"

object network Internal_Net
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface

Re: ASA 5510 home lab

WannaB — Thu, 21 Sep 2017 23:53:36 GMT

Sorry for the confusion. I was trying to ask how to correctly configure a asa 5510 firewall behind a AT&T ARRIS .

My lab will be routed through the ASA 5510 and I would like it to be able to reach the internet. Looking at your answer it appears that I need to add the statement below.

object network Internal_Net
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface
How do I configure the ASA to use dynamic interface or is that the actual command?

Here is my NATING to get to the AT&T ARRIS and then to the Internet.
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.10.1.50 10.2.2.80
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 10.0.0.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
My Inside interface 0/1 Ethernet 10.0.0.111
My Outside Interface 0/0 Ethernet 10.10.1.111

And I used 0 0 outside 10.10.1.111 to set the default route.

Hopefully, I did not make the water anymore muddy.

Re: ASA 5510 home lab

Flavio Miranda — Fri, 22 Sep 2017 00:54:49 GMT

But why you need this range 10.10.1.50 10.2.2.80 ? Are you trying to convert your internal IP to one of those IPs ? Imagine that when the packet hit ARRIS the source address will have one of this IP, does ARRIS know how to reply considering that this IP is not directly connected to it I mean, it has no route

Re: ASA 5510 home lab

WannaB — Sat, 23 Sep 2017 13:31:07 GMT

Thank you for replying. To answer your question, Are you trying to convert your internal IP to one of those IPs, the answer is yes. Also, are you saying that I need to create a route from the 10.10.1.0 network to the 10.0.0.0 network. If yes, would I create this route on the ASA or will I need to create this route on the ARRIS.

Also, I made a typo on my range. Range 10.10.1.50 10.2.2.80 ?

My range should be 10.10.1.50 to 10.10.1.80.

Here is my NATING to get to the AT&T ARRIS and then to the Internet.
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.10.1.50 10.10.1.80
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 10.0.0.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
My Inside interface 0/1 Ethernet 10.0.0.111
My Outside Interface 0/0 Ethernet 10.10.1.111

Re: ASA 5510 home lab

Flavio Miranda — Sat, 23 Sep 2017 14:50:16 GMT

Got it. But, I think you could try this

object network Internal_Net
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface

For internet access this should be enough.

Forget about route as I said lastly, I said that because the range was in a different network, but now I saw the range is on the ARRIS network.