01-09-2010 03:16 PM - edited 03-11-2019 09:55 AM
I hate to be that guy begging for help, but this is absolutely the first time I have worked on firewalling & routing at all, so I guess it is what it is. Please forgive my excessive lack of knowledge on the subject. I have an ASA5505 that I am having a difficult time getting to do what I want.
If I turn the DHCP server on in my ISP router and plug a single workstation into the ASA where the workstation receives a DHCP address from the firewall (or any combination of static IP addresses within this range, so long as the inside interface is not changed from the default 192.168.x.x), the out of the box config will work and the workstation can access the internet in this manner:
ISP router -> ASA -> workstation.
In this scenario the ISP router is performing the NAT from internal to public IP.
As soon as I start doing anything else to try to configure the device to fit into my internal IP scheme, nothing works right. I am trying to reconfigure the "inside" interface to the IP addressing scheme I already have set up and set the outside interface to something between the ASA and the ISP router. A simple single switched internal network gaining internet access.
I could just reconfigure my DHCP server to make everything inside work with the cisco out of the box config or let the ASA do the DHCP for the network, but at this point I want to actually learn how to manipulate this device correctly.
I've found a basic config guide from Cisco and the network diagram here is pretty much what I want:
I have set the firewall up this way on a couple occasions with no success thus far.
Do I need to set up the ISP firewall in a pass through mode and let the ASA do the NAT translation? Is there something else I am missing?
Any help is appreciated.
thanks
McIver
01-09-2010 08:24 PM
Hi ,
I would say that you can do a clear config all on the ASA,
save it and reload the ASA.
One interface on ASA can be in server mode or client mode for DHCP
If you want to use your ISP router to provide IP addresses to the internal clients, then you need to configure DHCP relay.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/dhcp.html#wp1041663
here is the link
Now after you do all that you need to configure a simple translation rule for your inside network as well.
Since you are using ASA5505 please take care of the VLAN concept and adhere to the license feature installed.
01-09-2010 08:34 PM
I don't want either of them providing DHCP. I have a dhcp server setup on my internal network.
Since my OP I have been able to configure both my internal and external interfaces with static IP's and I can connect to the internet with all my servers that have static IP configurations.
Currently none of my workstations that use my internal DHCP server will connect to any part of the network - they will not log into Active Directory or access the internet. They act as normal if I log in locally and configure a static IP, DNS and default gateway.
This must have something to do with the way I am handling DHCP across the firewall? Or do I need to give a static route or entry in the ACL?
I've got a static route for my inside interface 0.0.0.0 0.0.0.0
01-09-2010 08:41 PM
Hi ,
So you have an internal DHCP server.
Is your DHCP server and the clients behind the same interface or in the same VLAN?
If yes, then are the clients able to get the IP address and other parameters from the DHCP server?
01-09-2010 08:45 PM
svaish wrote:
Hi ,
So you have an internal DHCP server.
Is your DHCP server and the clients behind the same interface or in the same VLAN?
If yes, then are the clients able to get the IP address and other parameters from the DHCP server?
Yes, the clients and DHCP server are behind the same interface, my "inside" interface. Currently the DHCP clients are not able to receive the proper information from the server. When manually configured they work and access the internet just fine.
01-09-2010 08:50 PM
Hi,
So if the IP address assignment process is going through the firewall, then we need to check this on the ASA.
So is the DHCP request and reply going through the firewall, or is it going through some router on the internal network?
If the request and reply is not going through the firewall then it is not a problem with the firewall at all.
Let me know if the request or reply is going through the firewall or not.
01-09-2010 08:54 PM
The request/reply should not be going through the firewall. I have the network configured like is pictured in the graphic in my first post, with an internal router in between the Cisco device and my internal clients.
That is why I am puzzled. As soon as I got everything set up with in and out access to my servers, my workstations would no longer receive DHCP data, but I've made no changes to the router....
01-11-2010 03:59 AM
kyle
Please post your config.
Have you turned off DHCP within the ASA?
I guess the inside interface IP is set within the DHCP reservation list on your DHCP server?
I wouldn't think you would need to worry about ACLs for the DHCP request and reply.
The ASA config would be a great help.
thanks
01-11-2010 07:53 AM
solpandor wrote:
kyle
Please post your config.
Have you turned off DHCP within the ASA?
I guess the inside interface IP is set within the DHCP reservation list on your DHCP server?
I wouldn't think you would need to worry about ACLs for the DHCP request and reply.
The ASA config would be a great help.
thanks
solpandor,
I have turned off DHCP within the ASA and the inside interface IP is within the DHCP reservation list on my DHCP server. Below is my running configuration.
thanks for the help.
Kyle
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.3.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.3.254 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c78aad4983316f1ac1f4e22fd4ff5f6e
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
01-11-2010 07:59 AM
All I have done thus far from the out of the box config is the following:
1) Set static IP on outside interface
2) Add a static route for the outside interface of 0.0.0.0 0.0.0.0 with the internal IP of my ISP's router
3) Change inside IP interface to static IP address on my private network & add that network to the device access list
At that point I solved my original problem of not being able to reach the internet from my private network. At that time I learned that anything on my network that was supposed to receive a DHCP assignment was not contacting the server and needed to be manually configured.
01-11-2010 08:16 AM
kyle
OK, couple of things -
1) Are you letting your ISP's router/modem assign the IP to your ASA's outside interface?
The reason I ask is that you have set your outside interface to get its IP from the upstream router using the "dhcpd auto_config outside" (experts pls feel free to correct), but at the same time you have assigned it a static IP?
If you are getting the outside interface IP assigned by the ISP's router, then remove the IP from the outside interface, then go under the outside interface and enter the command "ip address dhcp setroute".
Also, remove the static route you entered, route outside 0.0.0.0 0.0.0.0 10.10.3.254, as the "ip address dhcp setroute" command will get the route.
Apart from this - the config looks fine to me.
Let me know how you get on.
01-11-2010 08:34 AM
solpandor wrote:
kyle
OK, couple of things -
1) Are you letting your ISP's router/modem assign the IP to your ASA's outside interface?
The reason I ask is that you have set your outside interface to get its IP from the upstream router using the "dhcpd auto_config outside" (experts pls feel free to correct), but at the same time you have assigned it a static IP?
If you are getting the outside interface IP assigned by the ISP's router, then remove the IP from the outside interface, then go under the outside interface and enter the command "ip address dhcp setroute".
Also, remove the static route you entered, route outside 0.0.0.0 0.0.0.0 10.10.3.254, as the "ip address dhcp setroute" command will get the route.
Apart from this - the config looks fine to me.
Let me know how you get on.
Hmm...I know the default config has the outside IP set to receive DHCP. I do not want this to happen. It is supposed to be statically assigned. So I would need to turn the "dhcp auto_config outside" off.
I want the ISP's router doing as little as possible as it is a POS.
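The thread above turns on reading the posted running-config for lines that contradict each other: an outside interface with a static address next to "dhcpd auto_config outside" (that command only copies DNS/domain settings from a DHCP lease the named interface obtained as a DHCP client, so with a static outside address it has nothing to copy), a static default route next to "ip address dhcp setroute", management-access (http/ssh) entries that name a network the interface is not connected to (the factory-default 192.168.1.0/24 line is still present while the inside is 10.10.1.0/24), and a NAT id without a matching global. The script below is an added example, not the thread's or Cisco's code; it is a small reviewer for pasted ASA 7.x configs that flags exactly those four conditions. The SAMPLE_CONFIG is a constructed, abridged copy of the config posted earlier in this thread; the finding codes are this script's own names, not ASA terminology.

```python
import ipaddress
import re

# Constructed sample: the interface, NAT, route, management and dhcpd lines from the
# running-config posted in this thread, indented one space as the ASA prints them.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.3.1 255.255.255.0
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.3.254 2
http server enable
http 10.10.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
dhcpd auto_config outside
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"


def parse_interfaces(text):
    """Map each nameif to its connected subnet (None when addressed by DHCP) and
    whether 'ip address dhcp [setroute]' is configured. Stanzas end at '!', so the
    parser also copes with pasted configs that lost their indentation."""
    ifaces, current = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = {"network": None, "dhcp": False, "setroute": False}
            continue
        if line.strip() == "!":
            current = None
            continue
        if current is None:
            continue
        tok = line.split()
        if tok[:1] == ["nameif"]:
            ifaces[tok[1]] = current
        elif tok[:2] == ["ip", "address"]:
            if tok[2] == "dhcp":
                current["dhcp"] = True
                current["setroute"] = "setroute" in tok
            else:
                current["network"] = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
    return ifaces


def review(text):
    """Return (code, message) findings for the mismatches discussed in the thread."""
    ifaces = parse_interfaces(text)
    findings, nat_ids, global_ids = [], set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"dhcpd auto_config (\S+)$", line)
        if m and m.group(1) in ifaces and not ifaces[m.group(1)]["dhcp"]:
            findings.append(("AUTO_CONFIG_INERT",
                             f"{line}: {m.group(1)} is statically addressed, so there is "
                             "no DHCP lease to copy DNS/domain settings from"))
        m = re.match(rf"(http|ssh|telnet) {IP} {IP} (\S+)$", line)
        if m:
            _, addr, mask, name = m.groups()
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            connected = ifaces.get(name, {}).get("network")
            if connected and not net.overlaps(connected):
                findings.append(("MGMT_NET_NOT_CONNECTED",
                                 f"{line}: {net} is not on the {name} subnet {connected}; "
                                 "stale factory default or reachable only via an internal "
                                 "router, verify it is still wanted"))
        m = re.match(rf"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 {IP}", line)
        if m:
            name, nexthop = m.groups()
            iface = ifaces.get(name, {})
            if iface.get("setroute"):
                findings.append(("ROUTE_VS_SETROUTE",
                                 f"{line}: static default route alongside "
                                 f"'ip address dhcp setroute' on {name}"))
            elif iface.get("network") and ipaddress.IPv4Address(nexthop) not in iface["network"]:
                findings.append(("ROUTE_NEXTHOP_OFF_SUBNET",
                                 f"{line}: next hop {nexthop} is not in {iface['network']}"))
        m = re.match(r"nat \((\S+)\) (\d+) ", line)
        if m:
            nat_ids.add(m.group(2))
        m = re.match(r"global \((\S+)\) (\d+) ", line)
        if m:
            global_ids.add(m.group(2))
    for nid in sorted(nat_ids - global_ids):
        findings.append(("NAT_NO_GLOBAL", f"nat id {nid} has no matching global statement"))
    return findings


if __name__ == "__main__":
    for code, message in review(SAMPLE_CONFIG):
        print(f"{code}: {message}")
```

Run against the posted config it reports the stale 192.168.1.0/24 http entry and the inert dhcpd auto_config line; swap the outside address for "ip address dhcp setroute" and it instead reports the static default route that solpandor suggests removing. The MGMT_NET_NOT_CONNECTED finding is a prompt to verify rather than an error, since a management network behind an internal router is legitimately off the connected subnet.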
01-11-2010 08:46 AM
Kyle
If you want to assign a static IP then (depending on your country, ISP and their router) you can enable the pass through feature on some ISP routers (BT Business Hub here in the UK is one of them) and then assign a static IP from your block of IPs to the outside interface of the ASA, but you will still need those commands in there.
When I configured an ASA5505 at our Spanish office I had to use PPPoE commands on the ASA to set the outside interface to have a static IP (we only had one IP).
So I guess you might need the assistance of your ISP, unless the router is very straightforward to set up.
HTH
01-11-2010 09:06 AM
The static IP I have set on the outside interface of the ASA is a private IP on a subnet between my ISP router and the ASA. The ISP router is handling NAT.
solpandor wrote:
Kyle
If you want to assign a static IP then (depending on your country, ISP and their router) you can enable the pass through feature on some ISP routers (BT Business Hub here in the UK is one of them) and then assign a static IP from your block of IPs to the outside interface of the ASA, but you will still need those commands in there.
When I configured an ASA5505 at our Spanish office I had to use PPPoE commands on the ASA to set the outside interface to have a static IP (we only had one IP).
So I guess you might need the assistance of your ISP, unless the router is very straightforward to set up.
HTH
01-12-2010 10:17 PM
I still have no idea why my workstations don't receive DHCP from the server on the same network segment. Everything is running manually configured. It works, but it's annoying.
It doesn't look like I posted it before, but from some of the responses it looks like it needs to be said. I am using the ASDM console to manage this thing. It appears that entering some of the stuff into the ASDM does not have the complete desired effect.