topic Re: How to configure Cisco ASA 5510 behind a Router in Network Security

How to configure Cisco ASA 5510 behind a Router

IsiakaBayonle27219 — Fri, 17 Jan 2020 08:06:14 GMT

I have a cisco 1900 router connected to ISP with Static IP address and the router has been configured to act as DHCP to the 2 switches behind it and all hosts connected to the switches are browsing.

Now, i want the ASA to be behind the router and allow traffic outwardly.

What basic config can i do on the ASA to achieve this? Though, we are planning to introduce a centralized server such that some members of the LAN will be able to access it. Also, do i need to change any config on the router again?

Pls help with the basic ASA config to achieve this.

Below is the config on the router:

FIRE_SERVICE_ROUTER#sh run
Building configuration...

Current configuration : 1679 bytes
!
! Last configuration change at 15:24:53 UTC Fri Dec 27 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname FIRE_SERVICE_ROUTER
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$MVkr$KNmqCTIFdyGOBTW75dl2Y0
enable password xxxxx
!
no aaa new-model
ethernet lmi ce
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.0 192.168.1.1
!
ip dhcp pool INTERNAL_NETWORK
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 2
!
!
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid xxxxxxxxxxxxxxxxxxxxxx
!
!
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description to the ISP
ip address xxxx xxxx
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description to the SWITCH
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip default-gateway xxxx
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxxx
!
dialer-list 1 protocol ip permit
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password xxxx
login
transport input none
!
scheduler allocate 20000 1000
!
end

FIRE_SERVICE_ROUTER#

Re: How to configure Cisco ASA 5510 behind a Router

Muhammad Awais Khan — Mon, 20 Jan 2020 03:03:24 GMT

Hi,

Can you share the ASA model and OS version. Most likely you will be deploying ASA in L3 mode. Some changes will be required on the Router LAN side. Now your Router will be connected to your ASA and from ASA LAN your switches will be connected, which means we have to introduce a new subnet between ASA outside and Router LAN side. You have to change the Router existing LAN side IP to the new subnet IP

On ASA, we have to create two interfaces 'inside and outside' where outside will be connected to the Router and inside will be connected to the LAN side.

below are the minimum configuration needed on ASA

interface gi0/0

nameif inside

security-level 100

ip address x.x.x.x

interface gi0/1

nameif outside

security-level 0

ip address x.x.x.x

You may need to allow some traffic from Router ( traffic initiated from Router ) to internet Network, if you want, you need to created access-list and need to apply it to interface

Below is example to allow Telnet from Router to any device internally:

access-list OUTSIDE_INBOUND permit tcp any any eq 23
access-group OUTSIDE_INBOUND in interface OUTSIDE

depending on your needs and os version, we may need to disable nat-control.

Re: How to configure Cisco ASA 5510 behind a Router

IsiakaBayonle27219 — Mon, 20 Jan 2020 07:02:48 GMT

The two interfaces created on the ASA, are they going to be on the same
subnet or different subnet?

Re: How to configure Cisco ASA 5510 behind a Router

Muhammad Awais Khan — Mon, 20 Jan 2020 07:35:34 GMT

It will be on different subnets. Treat it like a Router where every interface should be on different subnet

Re: How to configure Cisco ASA 5510 behind a Router

Muhammad Awais Khan — Tue, 21 Jan 2020 03:28:11 GMT

You manage to configure it yet ? Let us know here for more info if needed

Re: How to configure Cisco ASA 5510 behind a Router

IsiakaBayonle27219 — Tue, 21 Jan 2020 12:59:38 GMT

I am still on site and no success yet!

the router and firewall are not communicating. I have configure OUTSIDE interface of firewall to the router with 192.168.2.1 255.255.255.0 while INSIDE with 192.168.1.1 255.255.255.0. Access list that allows both network and tied to EXTERNAL INTERFACE. yet i can not ping WAN IP on the router also, i can not ping other host on 192.168.1.0

Pls help

Re: How to configure Cisco ASA 5510 behind a Router

IsiakaBayonle27219 — Tue, 21 Jan 2020 15:53:28 GMT

There is still no handshake between Router and Firewall!. I had to bypass the firewall to avoid downtime. Below is the working config on the router.

AMENITY_ROUTER#sh run
Building configuration...

Current configuration : 5539 bytes
!
! Last configuration change at 12:07:04 UTC Tue Jan 21 2020 by .....
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AMENITY_ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$.e89$Fr1KFh3/5uOkVQWmzMzIZ1
enable password 666666
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2

ip dhcp excluded-address 192.168.1.0 192.168.1.5
!
ip dhcp pool INTERNAL_NETWORK
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 2

ip domain name yourdomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-549131248
!
!
crypto pki certificate chain TP-self-signed-5
certificate self-signed 01
3
license udi pid CISCO1941/
!
!
username A privilege 15 secret 5 $1$Q2Gq$cvhgvoNDYAgTN6oTaW6fj0
!
redundancy

interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description INTERNAL LINK TO THE LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description EXTERNAL LINK TO ISP
ip address m.x.y.z. 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip default-gateway A.B.C.D
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 A.B.C.D
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

AMENITY_ROUTER#

FIREWALL CONFIG:

ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password W.AKqMdQEbiC07IP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description to LAN_INSIDE
nameif INSIDE
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
nameif OUTSIDE
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq www
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aa64576aef38f9593a31c31ebcb0e5b8
: end
ciscoasa#

Please Help

Re: How to configure Cisco ASA 5510 behind a Router

Muhammad Awais Khan — Tue, 21 Jan 2020 17:25:41 GMT

Hi,

I have notice 2 things;

1) when you connect Router LAN to ASA outside, u changed the IP on the router from 192.168.1.0 to 192.168.2.0 ?

2) if u did above then u need to also add the Route of 192.168.1.0 pointing to the Asa interface

i would suggest below changes on the Router and Firewall:

interface GigabitEthernet0/0
description INTERNAL LINK TO THE LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip dhcp pool INTERNAL_NETWORK
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 2
!
ip route 192.168.1.0 255.255.255.0 192.168.2.2

At FW

interface Ethernet0/0
description to LAN_INSIDE
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif OUTSIDE
security-level 0
ip address 192.168.2.2 255.255.255.0

!
no access-list OUTSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
no access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq www

!no need to put above as traffic from inside network to outside will be allowed

Test it using below:

From ASA: Ping 192.168.2.1 ?
Inside your network , ping ASA Inside interface, Router LAN Interface

Re: How to configure Cisco ASA 5510 behind a Router

IsiakaBayonle27219 — Wed, 22 Jan 2020 07:53:46 GMT

What i could deduce from your recommendation is:

**Router interface to Firewall External interface to be on 192.168.2.1 and 192.168.2.2 - same network.

**Firewall interface to switch to be on 192.168.1.1 - DHCP pool network

On the router:

ip route 192.168.1.0 255.255.255.0 192.168.2.2

What about adding this default route to the router to forward traffic to ISP gateway (A.B.C.D):

ip route 0.0.0.0 0.0.0.0 A.B.C.D

Re: How to configure Cisco ASA 5510 behind a Router

Muhammad Awais Khan — Wed, 22 Jan 2020 08:29:22 GMT

yes thats correct and default route should be there on the Router pointing to ISP to make your traffic reachable to Internet.

Further, you need to also have default Route on the FW pointing to Router LAN Side interface ( 192.168.2.0)

Command at FW:

route outside 0.0.0.0 0.0.0.0 192.168.2.x ( where x is Router IP )