08-25-2013 11:27 AM - edited 03-11-2019 07:30 PM
Hi!
It feels like I have been beating my head against the wall for three days now. I finally think must accept I have bitten off more than I can chew.
My situation: I want the ASA to have a static IP internally, act as an internal DHCP-server, and on the external end dynamically get an IP. And naturally keep me safe, but no special routes or ports.
And as I,in CLI, now restore factory settings (...again) I wonder if anyone has the commands saved for a super simple setup like this.
Help!
D
Solved! Go to Solution.
08-25-2013 11:40 AM
Hi,
One essential information we would need is what your software level on the ASA is? Mostly for the NAT configuration, though I can give you examples of both old and new format.
The below configurations are from memory so theres a change something might be missing
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
no shutdown
interface Ethernet0/0
description WAN
switchport access vlan 2
no shutdown
interface Ethernet0/1
description LAN
no shutdown
dhcpd address 10.10.10.100-10.10.10.110 inside
dhcpd dns
dhcpd enable inside
sysopt noproxyarp inside
access-list INSIDE-IN remark Allow all traffic from LAN
access-list INSIDE-IN permit ip 10.10.10.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Dynamic PAT - 8.2 and below
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
Dynamic PAT - 8.3 and above
nat (inside,outside) after-auto source dynamic any interface
The above should contain some basic configurations
- Jouni
08-25-2013 11:40 AM
Hi,
One essential information we would need is what your software level on the ASA is? Mostly for the NAT configuration, though I can give you examples of both old and new format.
The below configurations are from memory so theres a change something might be missing
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
no shutdown
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
no shutdown
interface Ethernet0/0
description WAN
switchport access vlan 2
no shutdown
interface Ethernet0/1
description LAN
no shutdown
dhcpd address 10.10.10.100-10.10.10.110 inside
dhcpd dns
dhcpd enable inside
sysopt noproxyarp inside
access-list INSIDE-IN remark Allow all traffic from LAN
access-list INSIDE-IN permit ip 10.10.10.0 255.255.255.0 any
access-group INSIDE-IN in interface inside
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Dynamic PAT - 8.2 and below
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
Dynamic PAT - 8.3 and above
nat (inside,outside) after-auto source dynamic any interface
The above should contain some basic configurations
- Jouni
08-25-2013 11:52 AM
Hi!
Awesome! Thanks - I will try it now.
BTW, ASDM says 8.2(5) on ASA version.
D
08-25-2013 12:09 PM
This keeps happening:
ciscoasa(config-if)# ip address 10.0.1.10 255.255.255.0
Interface address is not on same subnet as DHCP pool
ERROR: ip address command failed
What am I doing wrong?
D
08-25-2013 12:11 PM
Hi,
Well, have you configured the DHCP Pool as something else as the actual LAN interface of the ASA? I mean the ASAs LAN interface configurations subnet has to match that used in the DHCP Pool.
The ASA can only act as a DHCP server to hosts that are directly connected to it or connected to it through a L2 switch.
If you happen to have a router in your LAN network behind the ASA then you cant really use ASA as a DHCP server. And by that I mean hosts that are behind the router wont be able to get DHCP address from the ASA.
- Jouni
08-25-2013 12:20 PM
Hi!
This was right after a factory reset, so I had done no configuring at all.
I am thinking that I will use the Wifi-router from before as a AP inside. My switch probably is not L2, but I'll just use something else instead. How do I kill DHCP?
D
08-25-2013 12:22 PM
Hi,
The ASA shouldnt really have any DHCP configurations by default. Some later models have DHCP for the management interface but not the ASA5505.
Perhaps you can share the current configuration of the ASA so can check how it is.
- Jouni
08-25-2013 12:35 PM
08-25-2013 12:43 PM
Hi,
To me both the Running and Startup Configurations seem to have the basic configurations to enable connectivity through the ASA.
Only thing they are missing is the ICMP Inspection commands I mentioned. Since that is usually the configuration missing from the basic configuration. With ICMP Inpsection missing, you usually arent able to PING / ICMP anything past your firewall.
The error message you mentioned before should to my understanding be the result when you are trying to change your interface IP address and you still have DHCP configurations on the ASA for the current/old network.
So if you are about to change a DHCP pool and the LAN interfaces IP address then you should first clear the DHCP configurations.
You can view them with
show run dhcpd
You can remove all of them with
clear configure dhcpd
You can then configure the LAN interface IP addressing as you see fit. And finally you can add the new DHCP configuration using the current IP addresses of the LAN interface (I mean the "inside" interface)
- Jouni
08-25-2013 01:19 PM
Hi again!
That worked. IP set. I get this:
ciscoasa(config)# global (outside) 1 interface
global for this range already exists
ciscoasa(config)# global (inside) 1 10.0.1.0 255.255.255.0
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# global (inside) 1 10.0.1.0
Warning: Start and End addresses overlap with broadcast address.
INFO: Global 10.0.1.0 will be Port Address Translated
As you see, I tried to be smart removing the mask. Should I try plugging it in?
D
Edit: That "^" is below "255" in Putty.
08-25-2013 01:23 PM
Hi,
Provided that you network behind "inside" is 10.0.1.0/24
Then you should add these
global (outside) 1 interface
nat (inside) 1 10.0.1.0 255.255.255.0
Notice that you tried to add it with "global" command.
The command "global" defines the actual NAT IP address to be used. The command "nat" defines the source addresses/networks for that NAT.
So the above NAT configuration I mentioned should be all thats needed for your ASA. Again, provided that the only LAN network at the moment is 10.0.1.0/24
- Jouni
08-25-2013 01:44 PM
Amazing. It works. I added the "http 10.0.1.0 255.255.255.0 inside" command and it just works. I am amazed; thanks.
If anyone is interested, here is a backup of this plain config:
https://dl.dropboxusercontent.com/u/10343256/david2.zip
Jouni - you are Batman. Thanks again.
D
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide