11-16-2010 12:49 PM - edited 03-11-2019 12:10 PM
Hi,
I recently purchased an ASA 5520 and I am trying to configure the WAN interface. As I understand it, GigabitEthernet 0/0 is used for the WAN (outside); can you please confirm that?
I also want to assign the WAN interface the gateway (the ISP's router), as you would do to access the internet. What are the steps to do this? I looked in ASDM and could not find it, so I am guessing this has to be done from the command line. I have already configured DNS in the startup wizard; do I need to do anything else to get access to the internet from the inside network (GigabitEthernet 0/1)?
My GW IP: 213.129.76.222 (ISP router)
My IP address: 213.129.76.193 255.255.255.224
I need the internal network (172.16.1.0, 255.255.255.0) to access the internet.
ASA Version 8.2(1)
!
hostname DBFWNODE1
enable password LGm889R5.tVRN3aF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 213.129.76.193 255.255.255.224
!
interface GigabitEthernet0/1
nameif Production-Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Production-Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Production-Inside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 213.129.65.53 213.129.94.10 interface management
dhcpd auto_config Production-Inside interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:942c262592cba99bc768d918940d3993
: end
DBFWNODE1(config-if)#
Many Thanks
11-16-2010 12:53 PM
You can use gi0/0 for WAN if you want, no problem.
Not familiar with ASDM, but to add your default route from the CLI:
route outside 0.0.0.0 0.0.0.0
Edit: you already have this in your config:
route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1
so I'm not sure what you are asking.
Jon
11-16-2010 01:07 PM
Hi Jon,
Thanks for the reply. My question is: do I need to allow an access rule for my 172.16.1.0/24 to access the internet? Also, what are the commands to configure DNS settings for the WAN interface 0/0?
Many Thanks
11-16-2010 01:20 PM
Rabih,
Your management interface is only configured for management-only access.
So, all you need is the following lines for the Production-Inside network to go out to the internet:
global (Outside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0
You can remove these lines:
conf t
no global (Production-Inside) 101 interface
no nat (management) 101 0.0.0.0 0.0.0.0
-KS
11-16-2010 01:34 PM
Thanks for the reply. Does that mean that every network on the inside interface Ethernet 0/1 will have access to the outside (i.e. the internet)?
Also, if I have multiple VLANs, how do I handle this? Let's say I have VLAN 100 and VLAN 200 (different networks) connected to the ASA via Ethernet 0/1; how do I allow access from these VLANs to the internet? Do I need to create sub-interfaces?
VLAN 100 network: 172.16.1.0/24
GW for VLAN 100: 172.16.1.254/24
VLAN 200 network: 192.168.74.0/24
GW for VLAN 200: 192.168.74.1
Many Thanks
11-16-2010 01:45 PM
That is correct. All networks that live behind this Production-Inside interface will have internet access.
You just need a route added on the firewall:
route Production-Inside 192.168.74.0 255.255.255.0 172.16.1.254
-KS
11-16-2010 02:11 PM
What are the commands to configure the ISP DNS settings on the WAN interface, please?
11-16-2010 04:02 PM
What is the reason for this?
You want the firewall to be able to resolve yahoo.com and google.com?
You already have dhcpd configured for the management interface:
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 213.129.65.53 213.129.94.10 interface management
dhcpd auto_config Production-Inside interface management
dhcpd enable management
For the hosts behind the management interface to work, you need to remove this line from the management interface:
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only --------------------------------> remove this line. This will only allow management traffic TO the box and not THROUGH the box.
conf t
int m0/0
no management-only
Also, you need to make sure the nat line is there:
nat (management) 101 192.168.1.0 255.255.255.0
-KS
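As an added example that is not part of this thread or of Cisco's own tooling, the following Python script parses an ASA 8.2-style configuration like the one posted above and checks the points the replies make: each `nat` statement needs a `global` with the same ID on a lower-security interface, a `global` on the inside interface is unused, a `nat` on a `management-only` interface never matches through-traffic, and a static route's next hop has to sit on the subnet of the interface the route names. The embedded config is a constructed, trimmed copy of the posted one; the rule set and message wording are this example's own and not an ASA feature.

```python
"""Audit an ASA 8.2-style config for the NAT/global, route and management-only
points raised in this thread. Added example, not from the original post or from
Cisco: SAMPLE_CONFIG is a constructed, trimmed copy of the posted config, and the
checks encode the replies' advice; they are this script's rules, not an ASA feature."""
import ipaddress
import re

SAMPLE_CONFIG = """interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 213.129.76.193 255.255.255.224
!
interface GigabitEthernet0/1
 nameif Production-Inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
global (Outside) 101 interface
global (Production-Inside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1
route Production-Inside 192.168.74.0 255.255.255.0 172.16.1.254
"""

# The same config with the two lines KS suggested removing taken out.
FIXED_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines()
    if line not in ("global (Production-Inside) 101 interface",
                    "nat (management) 101 0.0.0.0 0.0.0.0")) + "\n"


def parse_config(text):
    """Return (interfaces by nameif, global stmts, nat stmts, static routes)."""
    interfaces, globals_, nats, routes = {}, [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": None, "security_level": None, "network": None,
                       "management_only": False}
        elif line == "!":                      # end of an interface block
            if current and current["nameif"]:
                interfaces[current["nameif"]] = current
            current = None
        elif current is not None:              # inside an interface block
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                current["security_level"] = int(line.split()[1])
            elif line.startswith("ip address "):
                ip, mask = line.split()[2:4]
                current["network"] = ipaddress.ip_interface(f"{ip}/{mask}").network
            elif line == "management-only":
                current["management_only"] = True
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            globals_.append((m.group(1), int(m.group(2))))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            nats.append((m.group(1), int(m.group(2)), net))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((m.group(1), net, ipaddress.ip_address(m.group(4))))
    return interfaces, globals_, nats, routes


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    interfaces, globals_, nats, routes = parse_config(text)
    lvl = {name: i["security_level"] for name, i in interfaces.items()}
    findings = []
    for ifname, nat_id, _net in nats:
        if interfaces[ifname]["management_only"]:
            findings.append(f"nat ({ifname}) {nat_id}: interface is management-only, "
                            "so through-traffic never matches this rule")
        # Dynamic PAT needs a global with the same ID on a lower-security interface.
        if not any(g_id == nat_id and lvl[g_if] < lvl[ifname] for g_if, g_id in globals_):
            findings.append(f"nat ({ifname}) {nat_id}: no global with this ID "
                            "on a lower-security interface")
    for g_if, g_id in globals_:
        # A global is unused unless a higher-security interface has a nat with its ID.
        if not any(n_id == g_id and lvl[n_if] > lvl[g_if] for n_if, n_id, _ in nats):
            findings.append(f"global ({g_if}) {g_id}: no nat statement with this ID "
                            "on a higher-security interface; unused")
    for ifname, net, next_hop in routes:
        # The next hop must be on the connected subnet of the interface the route names.
        if next_hop not in interfaces[ifname]["network"]:
            findings.append(f"route {ifname} {net}: next hop {next_hop} is not on the "
                            f"{ifname} subnet {interfaces[ifname]['network']}")
    if not any(net.prefixlen == 0 for _, net, _ in routes):
        findings.append("no default route (route <outside-nameif> 0.0.0.0 0.0.0.0 <gateway>)")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports exactly the two lines KS asked to remove (the `nat (management)` rule behind a `management-only` interface and the unused `global (Production-Inside)`), and `audit(FIXED_CONFIG)` returns nothing. The route check is the one to keep in mind when adding the VLAN 200 route: the next hop 172.16.1.254 passes because it is on the Production-Inside subnet, and a typo that pointed the route out of the wrong interface would be flagged.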