
Access from Inside to Outside ASA 5510 ver 9.1

Hi All,

I need some help in getting an ASA up and processing traffic from the inside network to the internet. I have a Cisco 2811 Router behind a Cisco ASA 5510. From the ASA I can ping the 2811 and I can ping IP addresses on the internet. I have updated the IOS and ASDM on the router to the newest versions, 9.1(4) and 7.1. I believe the problem is in the Objects, ACL and getting those together, but I don't know much about the ASA and I don't know how the post-8.2 setup works. I am hoping I can get some help here to get me up and running so I can access the internet from behind the ASA.

Here is my ASA config, and I will post some of the 2811 Router config as well, though I am not sure that is where the issue lies, but at this point I haven't a clue. Both are up to date with the newest versions of their respective IOS.

I need to know what objects / ACL's et cetera to put in to get traffic flowing inside / out.

Thank you for the help!

ASA5510(config)# sh running-config

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.168.100 255.255.255.240

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.168.4

name-server 205.171.2.65

name-server 205.171.3.65

domain-name internal.int

access-list USERS standard permit 10.10.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

router rip

network 10.0.0.0

network 199.195.168.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username redacted password vj4PdtfGNFrB.Ksz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

: end

CISCO 2811:

Current configuration : 2601 bytes

!

! Last configuration change at 07:24:32 UTC Fri Jan 3 2014

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

!

hostname RouterDeMitch

!

boot-start-marker

boot system flash

boot-end-marker

!

!

! card type command needed for slot/vwic-slot 0/0

!

no aaa new-model

!

!

dot11 syslog

ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 172.16.10.1 172.16.10.49

ip dhcp excluded-address 172.16.20.1 172.16.20.49

!

ip dhcp pool Mitchs_Network

network 192.168.1.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 192.168.1.1

!

ip dhcp pool VLAN10

network 172.16.10.0 255.255.255.0

default-router 172.16.10.1

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

!

ip dhcp pool VLAN20

network 172.16.20.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 172.16.20.1

!

!

!

no ip domain lookup

ip name-server 199.195.168.4

ip name-server 205.171.2.65

ip name-server 205.171.3.65

ip name-server 8.8.8.8

!

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

!

!

!

!

redundancy

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

description CONNECTION TO INSIDE INT. OF ASA

ip address 10.10.1.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1.1

encapsulation dot1Q 10

ip address 172.16.10.1 255.255.255.0

!

interface FastEthernet0/1.2

encapsulation dot1Q 20

ip address 172.16.20.1 255.255.255.0

!

interface FastEthernet0/1.3

description Trunk Interface VLAN 1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0

!

interface Dialer0

no ip address

!

router rip

version 2

network 172.16.0.0

network 192.168.1.0

network 199.195.168.0

no auto-summary

!

ip default-gateway 10.10.1.1

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

!

access-list 1 permit any

dialer-list 1 protocol ip permit

!

!

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

password encrypted

login

line aux 0

line vty 0 4

exec-timeout 0 0

transport input all

!

scheduler allocate 20000 1000

end

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

The configuration seems a bit strange, considering that according to this there is only a single router and ASA in the network, in addition to probably some switches?

I would personally remove the RIP routing altogether and go with basic static routing in such a simple setup. If I remember correctly, you should also have the network 10.0.0.0 (/8) configured under the router's RIP configuration if you wanted to have it and the ASA advertise routes.

You are also doing Dynamic PAT on the router, which I would remove also so that the ASA could see the actual source IP addresses of the users and not just the PAT IP address of the router. Actually I am not sure if it even applies, since you don't have "ip nat inside" under the subinterfaces of the router. I would imagine that having it under the physical interface won't help with the subinterfaces?

For the ASA you lack the basic Dynamic PAT configuration.

A simple configuration you could do would be the following

nat (inside,outside) after-auto source dynamic any interface

The above configuration will accept any source address for Dynamic PAT translations and uses the "outside" interface IP address as the PAT IP address, because we define "interface" as the mapped address.

If you want to define the actual source network specifically then you could configure

object-group network PAT-SOURCE

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

network-object 10.10.1.0 255.255.255.252

nat (inside,outside) after-auto source dynamic PAT-SOURCE interface

The above configuration differs from the earlier example only in that it specifies the source networks first in an "object-group" that is then used as a part of the actual "nat" configuration.

Hope this helps

- Jouni


Yes, it's a simple network. I am just beginning my journey into Cisco and I was able to get the ASA and 2811 Router, so I have been working with a friend that knows them more than I do, but his knowledge goes up to 8.2, and 8.3 changed with the Object items and the NAT statements and ACLs.

Plus it makes it hard to do testing and get on the internet when I have to switch from my old pfSense router to the Ciscos to try stuff, then back.

I am going to try adding your suggestions and see if it gets me on. I appreciate it more than you can know; it's been a week working on it. I have even tried adding the individual objects like you suggested, but I couldn't get the nat statement to work for some reason, probably my syntax.

It's a learning curve since my experience is just Cisco switches and that is just a little (was all I had access to to work with).

I'll make those changes and see if I can get on! I will let you know.

Thank you!

Hi,

If you want to read some about the new NAT configuration format then you could take a look at the document I wrote last year about the NAT 8.3+

Here is a link to the document. Maybe it will provide some help understanding the new NAT

https://supportforums.cisco.com/docs/DOC-31116

- Jouni

Hi,

After I create:

object-group network PAT-SOURCE

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

network-object 10.10.1.0 255.255.255.252

nat (inside,outside) after-auto source dynamic PAT-SOURCE interface

Are there any access-lists I have to set to allow traffic or are they already OK?

I changed the RIP to the 10.0.0.0 (for now, once I understand it more I can mess with it).

As for this:

You are also doing Dynamic PAT on the router which I would remove also so that the ASA could see the actual source IP addresses of the users and not see just the PAT IP address of the router. Actually I am not sure if it even applies since you don't have the "ip nat inside" under the subinterfaces of the routers. I would imagine that having it under the physical interface won't help with the subinterfaces?

I was told it's best to let the firewall just do Firewall stuff, and do all the routing and stuff from the router. That is why the ASA is set just to send traffic on the 10.0.0.0 Subnet and then all the routing would be done on the 2811. This might be old school thought, but since I am trying to learn them both I'll keep it so I can work on the router as well as the ASA.

If I should make any changes on the router though, let me know so it works more efficiently and properly. I would rather see how it should be than not.

Thanks!


Hi,

By default the ASA will allow traffic from a higher "security-level" interface to flow to a lower "security-level" interface. In your basic setup this means that all traffic from behind "inside" will be allowed to "outside" without any need to add ACLs to the interfaces.

You would only need interface ACLs when you want to block some traffic from "inside" to "outside". Naturally also if you configure some Static NAT for an internal server or Static PAT (Port Forward) then you would have to attach an ACL to the "outside" interface to allow traffic to the internal server.

Did adding the NAT configuration have any effect?

- Jouni
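The two explanations above, the dynamic PAT rule from the accepted answer and the security-level default from this reply, can be checked mechanically against a saved config. The Python below is an added example written for this page, not Cisco's or Jouni's code. It parses trimmed copies of the two ASA configs posted in this thread (constructed test input), reports each interface pair that lacks a dynamic NAT/PAT rule or is permitted or denied by security level alone, resolves the PAT-SOURCE object-group to its networks, and notes which interfaces fall inside a "router rip" network statement. Interface names are compared case-insensitively because the ASA stored Jouni's "(inside,outside)" as "(Inside,Outside)". Object NAT (a nat line under "object network") is not parsed; only the twice-NAT form used in the thread is.

```python
"""Audit helpers for an ASA 8.3+ running-config: dynamic NAT/PAT coverage per
interface pair, what passes or drops by security level alone, and RIP exposure.
BEFORE/AFTER are trimmed copies of the two ASA configs posted in this thread
(constructed test input)."""
import ipaddress
import re

BEFORE = """\
interface Ethernet0/0
 nameif Inside
 security-level 100
 ip address 10.10.1.1 255.255.255.252
interface Ethernet0/1
 nameif Outside
 security-level 0
 ip address 199.195.168.100 255.255.255.240
router rip
 network 10.0.0.0
 network 199.195.168.0
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
"""

AFTER = BEFORE + """\
object-group network PAT-SOURCE
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 10.10.1.0 255.255.255.252
nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface
"""

# twice-NAT form used in the thread: nat (real_if,mapped_if) [after-auto] source dynamic REAL MAPPED
NAT_RE = re.compile(r"nat \((\S+),(\S+)\)(?: after-auto)? source dynamic (\S+) (\S+)")


def classful(addr):
    """'router rip / network X' is classful on the ASA; widen X to its class."""
    first = int(addr.split(".")[0])
    return ipaddress.IPv4Network(f"{addr}/{8 if first < 128 else 16 if first < 192 else 24}")


def parse(cfg):
    """Minimal parser: sub-commands are the lines indented by one space."""
    st = {"ifaces": {}, "groups": {}, "nats": [], "acl": {}, "rip": []}
    block = cur = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                    # top-level command ends the block
            block = cur = None
        if line.startswith("interface "):
            block, cur = "if", {}
        elif line.startswith("object-group network "):
            block, cur = "grp", st["groups"].setdefault(line.split()[2], [])
        elif line == "router rip":
            block = "rip"
        elif line.startswith("access-group "):         # access-group NAME in interface IFNAME
            t = line.split()
            st["acl"][t[4].lower()] = t[1]
        elif (m := NAT_RE.match(line)):
            # nameif matching is case-insensitive on the ASA, so compare lowercased
            st["nats"].append({"real_if": m[1].lower(), "mapped_if": m[2].lower(),
                               "real": m[3], "mapped": m[4]})
        elif block == "if":
            key, _, val = line.partition(" ")
            cur[key] = val
            if all(k in cur for k in ("nameif", "security-level", "ip")):
                st["ifaces"][cur["nameif"].lower()] = {
                    "level": int(cur["security-level"]),
                    "ip": ipaddress.ip_address(cur["ip"].split()[1])}
        elif block == "grp" and line.startswith("network-object "):
            _, a, b = line.split()                     # 'host X' or 'NET MASK'
            cur.append(str(ipaddress.IPv4Network((b, 32) if a == "host" else (a, b))))
        elif block == "rip" and line.startswith("network "):
            st["rip"].append(classful(line.split()[1]))
    return st


def pat_sources(cfg):
    """Real (pre-translation) networks covered by each dynamic NAT/PAT rule."""
    st = parse(cfg)
    return {f"{n['real_if']}->{n['mapped_if']}": st["groups"].get(n["real"], [n["real"]])
            for n in st["nats"]}


def audit(cfg):
    """Findings for every ordered interface pair plus RIP exposure per interface."""
    st = parse(cfg)
    ifaces, out = st["ifaces"], []
    for src, s in ifaces.items():
        for dst, d in ifaces.items():
            if src == dst:
                continue
            if s["level"] > d["level"]:
                if not any(n["real_if"] == src and n["mapped_if"] == dst for n in st["nats"]):
                    out.append(f"no dynamic NAT/PAT {src}->{dst}: traffic is forwarded untranslated")
                if src not in st["acl"]:
                    out.append(f"{src}->{dst} permitted by security level alone (no ACL on {src})")
            elif src not in st["acl"]:
                out.append(f"{src}->{dst} denied by default; needs an access-group on {src}")
        for net in st["rip"]:
            if s["ip"] in net:
                out.append(f"RIP network covers {src} ({net}); verify rip authentication there")
    return out


if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, *audit(cfg), sep="\n  ")
```

Run as a script it prints the findings for both configs; in practice you would feed it the full text of "show running-config". The "Outside" RIP finding is the security angle behind Jouni's advice to drop RIP: the posted config has the ASA participating in RIPv2 on its Internet-facing subnet with no rip authentication configured.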

I made those changes, but still no internet. I did not add this statement: "nat (inside,outside) after-auto source dynamic any interface". I went with the more granular one.

ASA5510# sh running-config

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd liqhNWIOSfzvir2g encrypted

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.195.168.123 255.255.255.240

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

shutdown

nameif management

security-level 0

no ip address

!

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.195.168.4

name-server 205.171.2.65

name-server 205.171.3.65

domain-name internal.int

object-group network PAT-SOURCE

network-object 172.16.10.0 255.255.255.0

network-object 172.16.20.0 255.255.255.0

network-object 192.168.1.0 255.255.255.0

network-object 10.10.1.0 255.255.255.252

access-list USERS standard permit 10.10.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

nat (Inside,Outside) after-auto source dynamic PAT-SOURCE interface

!

router rip

network 10.0.0.0

network 199.195.168.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

: end


Jouni Forss
VIP Alumni

Hi,

What are you using to test connectivity? ICMP/PING perhaps?

Then you should add

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

- Jouni

To test the config I plug my provider into the ASA, release and renew my IP from my current router and get an IP from the 2811, and then try to access the internet through the 2811 and then the ASA.

When I have my provider connected, from the ASA I can ping Google's DNS servers and I can ping internal addresses on my network. I then try to access a web page, and that is when it doesn't work.

I tried adding those commands and they don't seem to work:

Then you should add

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

ASA5510# conf t

ASA5510(config)# policy

ASA5510(config)# policy-map global_policy

ASA5510(config-pmap)# class in

ASA5510(config)# class inspection_default

ASA5510(config-cmap)# inspect icmp

                        ^

ERROR: % Invalid input detected at '^' marker.

ASA5510(config-cmap)# inspect icmp error

                        ^

ERROR: % Invalid input detected at '^' marker.

ASA5510(config-cmap)# in

ASA5510(config-cmap)# ins

ASA5510(config-cmap)# ?

MPF class-map configuration commands:

  description  Specify class-map description

  exit         Exit from MPF class-map configuration mode

  help         Help for MPF class-map configuration commands

  match        Configure classification criteria

  no           Negate or set default values of a command

  rename       Rename this class-map

I tried adding this, and those commands don't exist.

Hi,

Seems to me that the commands were entered in the wrong way:

ASA5510(config)# policy-map global_policy

ASA5510(config-pmap)# class in

The above should have been

ASA5510(config)# policy-map global_policy

ASA5510(config-pmap)# class inspection_default

And then enter the

inspect icmp

inspect icmp error

But since you can't access a web page from the host, there are other problems.

I would suggest changing the default route on the Router.

ip route 0.0.0.0 0.0.0.0 10.10.1.1

no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

You could also check the routing table on the router, just in case:

show ip route

- Jouni
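The router-side points raised in this thread (the default route pointing at FastEthernet0/0 rather than at 10.10.1.1, "ip nat inside" sitting on the physical trunk while the dot1Q subinterfaces hold the addresses, and RIP network statements that leave the ASA-facing link out) can likewise be checked from the saved config. The Python below is an added example written for this page, not Cisco's or Jouni's code; ROUTER is a trimmed copy of the 2811 config posted above (constructed test input) and FIXED is the same text with the default route Jouni suggested. A default route pointed at an Ethernet interface makes the router ARP on the /30 for every Internet destination; the ASA only answers ARP for its own and NAT-mapped addresses by default, which is why the next-hop form is the one that works here.

```python
"""Checks for the 2811 side of this thread: an interface-only default route on
Ethernet, 'ip nat inside' on the physical trunk but not on the subinterfaces that
carry addresses, and RIP 'network' statements that miss or mismatch interfaces.
ROUTER is a trimmed copy of the posted config (constructed test input)."""
import ipaddress

ROUTER = """\
interface FastEthernet0/0
 ip address 10.10.1.2 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 no ip address
 ip nat inside
interface FastEthernet0/1.1
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
interface FastEthernet0/1.2
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/1.3
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
router rip
 version 2
 network 172.16.0.0
 network 192.168.1.0
 network 199.195.168.0
ip default-gateway 10.10.1.1
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
"""
# the change suggested in the reply above, applied to the same text
FIXED = ROUTER.replace("ip route 0.0.0.0 0.0.0.0 FastEthernet0/0",
                       "ip route 0.0.0.0 0.0.0.0 10.10.1.1")

ETHERNET = ("ethernet", "fastethernet", "gigabitethernet")


def classful(addr):
    """IOS 'router rip / network X' is classful; widen X to its class."""
    first = int(addr.split(".")[0])
    return ipaddress.IPv4Network(f"{addr}/{8 if first < 128 else 16 if first < 192 else 24}")


def parse(cfg):
    """Minimal IOS parser: sub-commands are the lines indented by one space."""
    st = {"ifaces": {}, "rip": [], "routes": [], "default_gateway": None}
    block = cur = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            block = None
        if line.startswith("interface "):
            name = line.split()[1]
            cur = st["ifaces"][name] = {"ip": None, "nat": None, "parent": name.split(".")[0]}
            block = "if"
        elif line == "router rip":
            block = "rip"
        elif line.startswith("ip route "):             # plain 'ip route DST MASK {IFACE|NEXTHOP}' form
            _, _, dst, mask, via = line.split()[:5]
            st["routes"].append((ipaddress.IPv4Network((dst, mask)), via))
        elif line.startswith("ip default-gateway "):
            st["default_gateway"] = line.split()[2]
        elif block == "if" and line.startswith("ip address "):
            _, _, a, m = line.split()
            cur["ip"] = ipaddress.IPv4Interface((a, m))
        elif block == "if" and line.startswith("ip nat "):
            cur["nat"] = line.split()[2]                  # inside / outside
        elif block == "rip" and line.startswith("network "):
            st["rip"].append(classful(line.split()[1]))
    return st


def audit(cfg):
    """Findings for routes, NAT placement and RIP coverage."""
    st = parse(cfg)
    ifs, out = st["ifaces"], []
    for net, via in st["routes"]:
        if via.lower().startswith(ETHERNET):
            out.append(f"route {net} points at {via} with no next hop: the router ARPs for every "
                       "destination and depends on the neighbour proxy-ARPing for them")
    for name, i in ifs.items():
        parent = ifs.get(i["parent"])
        if "." in name and i["ip"] and i["nat"] is None and parent and parent["nat"]:
            out.append(f"{name} carries addresses but 'ip nat {parent['nat']}' is only on "
                       f"{i['parent']}; NAT inside/outside is per (sub)interface")
        if i["ip"] and st["rip"] and not any(i["ip"].ip in n for n in st["rip"]):
            out.append(f"{name} ({i['ip']}) is not in any RIP network statement")
    for n in st["rip"]:
        if not any(i["ip"] and i["ip"].ip in n for i in ifs.values()):
            out.append(f"RIP network {n} matches no interface on this router")
    if st["default_gateway"]:
        out.append("ip default-gateway only applies when ip routing is disabled; "
                   "use 'ip route 0.0.0.0 0.0.0.0 <next-hop>' on a router")
    return out


if __name__ == "__main__":
    print(*audit(ROUTER), sep="\n")
```

The RIP findings are the concrete form of the earlier remark that the router's RIP has no network statement for 10.0.0.0: FastEthernet0/0 is the only link shared with the ASA and it is the one interface RIP is not running on, while 199.195.168.0 matches nothing on the router at all.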

Here is the route statement on the router:

Gateway of last resort is 10.10.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.1.1

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.10.1.0/30 is directly connected, FastEthernet0/0

L        10.10.1.2/32 is directly connected, FastEthernet0/0

Here is the new Router config:

RouterDeMitch#sh running-config

Building configuration...

Current configuration : 2595 bytes

!

! Last configuration change at 20:09:43 UTC Sat Jan 4 2014

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RouterDeMitch

!

boot-start-marker

boot system flash

boot-end-marker

!

!

! card type command needed for slot/vwic-slot 0/0

!

no aaa new-model

!

!

dot11 syslog

ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 172.16.10.1 172.16.10.49

ip dhcp excluded-address 172.16.20.1 172.16.20.49

!

ip dhcp pool Mitchs_Network

network 192.168.1.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 192.168.1.1

!

ip dhcp pool VLAN10

network 172.16.10.0 255.255.255.0

default-router 172.16.10.1

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

!

ip dhcp pool VLAN20

network 172.16.20.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 172.16.20.1

!

!

!

no ip domain lookup

ip name-server 199.195.168.4

ip name-server 205.171.2.65

ip name-server 205.171.3.65

ip name-server 8.8.8.8

!

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

!

!

!

license udi pid CISCO2811 sn FTX1041A07T

!

redundancy

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

description CONNECTION TO INSIDE INT. OF ASA

ip address 10.10.1.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1.1

encapsulation dot1Q 10

ip address 172.16.10.1 255.255.255.0

!

interface FastEthernet0/1.2

encapsulation dot1Q 20

ip address 172.16.20.1 255.255.255.0

!

interface FastEthernet0/1.3

description Trunk Interface VLAN 1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0

!

interface Dialer0

no ip address

!

router rip

version 2

network 172.16.0.0

network 192.168.1.0

network 199.195.168.0

no auto-summary

!

ip default-gateway 10.10.1.1

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 10.10.1.1

!

access-list 1 permit any

dialer-list 1 protocol ip permit

!

!

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

exec-timeout 0 0

transport input all

!

scheduler allocate 20000 1000

end

Jouni Forss
VIP Alumni

Hi,

Well I am not sure what the problem is.

You have said that the ASA can ping remote hosts on the Internet so the ASAs connection to the Internet should be fine.

You should naturally confirm on the ASA if you can see any connections or translations on it when you attempt connections.

You could also try to ICMP/PING from the router directly to the Internet.

You can test the ASA configurations with the "packet-tracer" command for example

packet-tracer input inside tcp 172.16.10.100 12345 8.8.8.8 80

This should list all the checks that a packet for those source/destination IP addresses/ports would go through with the current ASA configurations.

I assume that you only gave a partial output of the router's routing table, since it doesn't show any of the actual LAN networks in the output?

- Jouni

That was the full output from the router (below).

But good news, I am on the internet through the ASA and the router now!

THANK YOU SO MUCH! Not sure which change did it, but this is awesome; now I can access it!

CISCO-2811#sh running-config

Building configuration...

Current configuration : 2720 bytes

!

! Last configuration change at 20:33:55 UTC Sat Jan 4 2014

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

!

hostname CISCO-2811

!

boot-start-marker

boot system flash

boot-end-marker

!

!

! card type command needed for slot/vwic-slot 0/0

!

aaa new-model

!

!

!

!

!

!

!

aaa session-id common

!

!

dot11 syslog

ip source-route

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 172.16.10.1 172.16.10.49

ip dhcp excluded-address 172.16.20.1 172.16.20.49

!

ip dhcp pool Mitchs_Network

network 192.168.1.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 192.168.1.1

!

ip dhcp pool VLAN10

network 172.16.10.0 255.255.255.0

default-router 172.16.10.1

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

!

ip dhcp pool VLAN20

network 172.16.20.0 255.255.255.0

dns-server 199.195.168.4 205.171.2.65 205.171.3.65 8.8.8.8

default-router 172.16.20.1

!

!

!

no ip domain lookup

ip name-server 199.195.168.4

ip name-server 205.171.2.65

ip name-server 205.171.3.65

ip name-server 8.8.8.8

!

multilink bundle-name authenticated

!

!

!

!

!

!

license udi pid CISCO2811 sn FTX1041A07T

!

redundancy

!

!

ip ssh time-out 60

ip ssh authentication-retries 5

!

!

!

!

!

!

!

interface FastEthernet0/0

description CONNECTION TO INSIDE INT. OF ASA

ip address 10.10.1.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1.1

encapsulation dot1Q 10

ip address 172.16.10.1 255.255.255.0

!

interface FastEthernet0/1.2

encapsulation dot1Q 20

ip address 172.16.20.1 255.255.255.0

!

interface FastEthernet0/1.3

description Trunk Interface VLAN 1

encapsulation dot1Q 1 native

ip address 192.168.1.1 255.255.255.0

!

interface Dialer0

no ip address

!

router rip

version 2

network 172.16.0.0

network 192.168.1.0

network 199.195.168.0

no auto-summary

!

ip default-gateway 10.10.1.1

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip dns server

ip nat inside source list 1 interface FastEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 10.10.1.1

!

access-list 1 permit any

dialer-list 1 protocol ip permit

!

!

!

!

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

exec-timeout 0 0

!

scheduler allocate 20000 1000

end

Jouni Forss
VIP Alumni

Hi,

I mean you should see all the networks mentioned in the configuration with the command

show ip route

If not, then it would usually mean that the router's trunk interface (the physical interface FastEthernet0/1) is physically down.

Glad to hear that it's working now. To my eye the only real problem on the ASA at the start was the lack of the Dynamic PAT configuration that would translate internal IP addresses to the public IP address of the ASA when the users connect to the Internet.

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni
