Re: ASA5505 - How to configure ASA with dynamic IP from ISP

srose · ‎07-17-2009

I would like to implement my ASA5505 into my network and take my verizon fios handoff into my outside interface but I don't have a static IP and using dynamic from the provider.

Currently I'm running a crappy actiontec from FIOS with DDNS and a Linksys wireles-N.

My goal is to have my provider handoff to the outside ASA interface and setup a dhcp pool on an inside interface into one network and another inside interface with a different dhcp pool into my Cisco lab. My Cisco lab consists of 2x2950 switches & 3x2621 routers. I am wanting to setup a vpn tunnel from off my network, but am unsure how to do that considering I don't have a static IP. I'm sure that question will get answered on whether or not I can do a dynamic config with ddns on the outside interface from the provider.

I'm obviously a newb to the ASA and Security in general so looking for the best ideas and practices.

Thanks in advance!

JORGE RODRIGUEZ · ‎07-17-2009

Seth,

on ASA outside interface set it to dhcp with a setroute parameter to optain IP from ISP provider and have asa define default route. As for optaining DNS from outside interface to pass to inside I belive you use dhcp outo_config outside but Im not %100 sure - have not faced this particular scenario , perhaps someone can confirm or just give it a try.

i.e

asa(config-if)#interface vlan 2

asa(config-if)ip address dhcp setroute

asa(config)#dhcp outo_config outside

details for above commands

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/d2.html#wp1948034

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1875763

For your other request in creating an Ipsec tunnel between a dynamic ASA to another PIX or IOS router sure you can do it, as long the other end of the tunnel uses static. Have a look at this link for Dynamic to static L2L tunnel.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

See other config examples for Dynamic to Static L2l VPNs between PIX/ASA to IOS under site-to-site VPNS

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

Regards

Jorge Rodriguez

Eric Gosh · ‎09-23-2013

I've ran into this issue several time and it seems I keep forgetting the answer. Everytime I research it I find dozens of dead ends and that Ars article about the guy who had this issue, couldn't figure it out so he dropped his ASA off his balcony. This is the first hit on google and it hasn't been completely answered so I will leave these instructions here for anyone else that needs it (including me next time this happens).

Your cable / FiOS / DSL modem most likely only has 1 public IP to hand out. Almost all of these devices marry the first device they meet. It identifies the device it meets by it's MAC address. The problem with this is that your eth0/0 has a MAC address and your OUTSIDE vlan has another (diffrent) MAC address. If the first person it's going to meet is

eth0/0. Then along comes your OUTSIDE vlan and wants that IP and it won't even talk to it.
You fix this issue by setting your OUTSIDE vlan MAC to be the same as your eth0/0 MAC.

show int eth0/0
BLAH BLAH MAC address -> 0023.5exx.xxxx <-

conf t

int vlan2 (or whatever the number of your OUTSIDE vlan is)

mac-address 0023.5exx.xxxx

ip address dhcp setroute
shut

Power cycle your cable / FiOS / DSL modem and once it's back up

no shut

Wait a moment

Show IP

emp[]y · ‎01-25-2018

This is absolutely the answer. I've been fighting this thing for a couple days now, this instantly got me going. Comcast modem > ASA 5505 > 24 port switch > endpoints. Comcast modem is in bridge mode but ASA wouldn't pick up an IP. After looking at this, I changed Vlan 2 outside MAC to the same as E0/0. Bam!