cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1112
Views
0
Helpful
7
Replies

Gateway on ASA 5520

r.arzouni
Level 1
Level 1

Hi ,

Recently purchased an ASA 5520 and I am trying to configure the WAN interface, What I understand that the gigabit ethernet 0/0 is used for WAN (out side) can you please confirm that please ?

I also want to assign the WAN interface the Gateway ( the router of ISP ) as you would do to access the internet ,, What are the steps to do this as I looked in the ADSM and could not find it , I am guessing  this as to be done from the command line.,, I have already configured DNS at the startup wizard do I need to do anything else to get access to the internet from the inside network ( gigabit ethernet 0/1 )

MY GW 1P : 213.129.76.222 ~( ISP Router )

MY IP address : 213.129.76.193 255.255.255.224

I need internal network ( 172.16.1.0 , 255.255.255.0 ) access the internet

ASA Version 8.2(1)
!
hostname DBFWNODE1
enable password LGm889R5.tVRN3aF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 213.129.76.193 255.255.255.224
!
interface GigabitEthernet0/1
nameif Production-Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Production-Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
global (Production-Inside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 213.129.65.53 213.129.94.10 interface management
dhcpd auto_config Production-Inside interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:942c262592cba99bc768d918940d3993
: end
DBFWNODE1(config-if)#

Many Thanks

7 Replies 7

Jon Marshall
Hall of Fame
Hall of Fame

You can use gi0/0 for WAN if you want, no problem.

Not familiar with ASDM but to add your default-route from CLI -

route outside 0.0.0.0 0.0.0.0

Edit - you already have this in your config -

route Outside 0.0.0.0 0.0.0.0 213.129.76.222 1

so not sure what you are asking.

Jon

Hi Jon ,

Thanks for the reply, My question is do I need to allow a access rule for my 172.16.1.0/24 to access the internet also what are the commands to configure DNS settings for the WAN interface 0/0.

Many Thanks

Rabih,

Your management interface is only configured for management-only access.

So, all you need is the following lines for Production-Inside network to go out to the internet.

global (Outside) 101 interface
nat (Production-Inside) 101 0.0.0.0 0.0.0.0

You can remove these lines:

conf t
no global (Production-Inside) 101 interface
no nat (management) 101 0.0.0.0 0.0.0.0

-KS

Thanks for the reply ,, does that mean that every network on the inside interface ethernet 0/1 will have access to the outside ,, ( ie internet ) ..??

Also  if have multipule VLAN how do I handle this ,,lets say I have VLAN 100 and VLAN 200 ( different networks ) connected to the ASA via ethernet 0/1 how do I allow access from these vlan to the internet..do I need to create a sub interfaces ..

VLAN 100 network : 172.16.1.0 /24

GW for Vlan 100: 172.16.1.254 /24

VLAN 200: 192.168.74.0/24

GW for Vlan 200: 192.168.74.1

Many Thanks

That is correct. All networks that live behind this Production-Inside interface will have internet access.

You just need a route added on the firewall

route Production-Inside 192.168.74.0 255.255.255.0 172.16.1.254

-KS

what are the commands to configure ISP DNS setting on the WAN interface please ?

What is the reason for this?

You want the firewall to be able to resolve yahoo.com and google.com?

You already have dhcpd configured for the management interface:

dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 213.129.65.53 213.129.94.10 interface management
dhcpd auto_config Production-Inside interface management
dhcpd enable management

For the hosts behind the management interface to work you need to remove this line from the management interface.

interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only --------------------------------> remove this line. This will only allow management traffic TO the box and not THROUGH the box.

conf t

int m0/0

no management-only

Also, you need to make sure the nat line is there.

nat (management) 101 192.168.1.0 255.255.255.0

-KS

Review Cisco Networking for a $25 gift card