03-28-2019 05:43 PM
Hello,
We are planning to implement a second LAN using a Netgear wi-fi router. Our current LAN is using a Netgear Nighthawk as the primary router, which is directly connected to the ISP router and to a Cisco switch to provide DHCP service, wi-fi, and Ethernet connectivity, but for the second LAN we want to have the ASA in front of the second router, so the layout would look like this: ISP -- Nighthawk Router -- ASA -- Second Router. At this point, I'm wondering how reliable it would be to have two consumer-grade routers in our network and if the current network layout is going to serve the purpose.
The overall purpose is to integrate the ASA into the network and get rid of the first LAN (using the wi-fi router) altogether. We will have the ASA do the DHCP and VPN service.
I’m familiar with Cisco routers and switches but I’m relatively new to ASA. As per the running configs, our ASA box mgmt interface has been configured to be accessed remotely through SSH.
I’ve assigned the interfaces in ASA as follows: G0/0 “Outside” to primary Netgear router and G0/1 “inside” to second Netgear router.
I've also configured static routing and opened ports 80/443, but I'm not getting any internet connectivity on the second router, nor can I ping the internet from the ASA.
My guess is that I'm missing some NAT configuration, as I've already gone through the ACLs and ICMP is allowed. Any other ideas? Please let me know if something is unclear or more info is needed.
Attached is the diagram for the intended network design.
03-29-2019 12:22 PM
Would you be able to share some of the ASA config?
I am assuming the ASA is doing DHCP on the Outside interface so that the Router can provide it an IP address; is that accurate?
How is the Second Router getting its IPs? Is it through DHCP on the internal interface of the ASA or are these statically assigned?
Are the networks behind the ASA getting PAT'd out as the ASA DHCP IP or are these networks routed from the Routers perspective and then the Router handles the PAT?
I also noticed you stated that you allowed 80 and 443, but you would still need to allow ICMP if you want to be able to ping, and DNS (UDP/TCP 53) so that your devices can resolve domains and 80 and 443 can be used with domain names.
Any other information you can provide would help in getting you an answer on the issues you are seeing.
03-29-2019 05:46 PM
Thanks for your response. I'm also working on this project along with the original poster. Our ASA box had some previous configurations done, so it was reset to factory defaults. DHCP is disabled on ASA but enabled on both routers. All the IP addresses for both routers and interfaces have been statically assigned.
At the moment, the routers are handling the PAT.
ICMP is allowed, and so is UDP/TCP 53.
Below are the interface and static route configs:
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 172.16.0.4 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 10.2.10.2 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
ciscoasa(config)# route inside 10.2.10.0 255.255.255.0 172.16.0.4
These are the static NAT configs, but they don't seem to be correct since we can't get internet connectivity. Any ideas as to what's incorrect or missing? I know this is an odd scenario, so any other suggestions are welcome :)
object network inside_to_outside
subnet 172.16.0.0 255.255.255.0
nat (inside,outside) static interface
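A working baseline for the layout described in this thread, added here as an example and not taken from any of the posts above. It keeps the addressing from the posted snippet (outside 172.16.0.4/24 with the Nighthawk at 172.16.0.1, inside 10.2.10.2/24) and assumes the second router's WAN port has a static address in 10.2.10.0/24. Two things differ from the posted config. First, the extra inside route is dropped: 10.2.10.0/24 is directly connected to GigabitEthernet0/1, and the posted next hop 172.16.0.4 is the ASA's own outside address, so that route can never be used. Second, the NAT object covers the inside network 10.2.10.0/24 (the posted object covers the outside subnet 172.16.0.0/24) and uses dynamic PAT to the outside interface address rather than a static translation, which is what a whole LAN sharing one egress address needs. ICMP inspection is enabled so echo replies for pings from inside hosts are allowed back without opening ICMP inbound on the outside interface, and the show and packet-tracer commands at the end confirm the translation and egress path before anything is changed on the routers. The 10.2.10.10 host and 203.0.113.10 destination are constructed sample values.

```cisco
! Interfaces: same addressing as the posted config (assumed here)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.0.4 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.10.2 255.255.255.0
 no shutdown
!
! Only a default route is required; 10.2.10.0/24 is directly connected,
! so no "route inside ..." statement is configured.
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
!
! Dynamic PAT for the inside network onto the outside interface address.
! The Nighthawk then PATs 172.16.0.4 a second time toward the ISP.
object network INSIDE_NET
 subnet 10.2.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Allow echo replies for pings that originate on the inside to return
! through the stateful inspection instead of an inbound ICMP ACL entry.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification: routing table, active translations, and a simulated
! HTTPS request from a constructed inside host to a constructed public IP.
show route
show nat detail
packet-tracer input inside tcp 10.2.10.10 12345 203.0.113.10 443
```

If packet-tracer reports a drop, the phase it names (ROUTE-LOOKUP, NAT, or ACCESS-LIST) tells you whether the default route, the translation, or the outside access list is the remaining problem; the ASA's own pings from the outside interface are not subject to this NAT rule, so a failing ping from the box itself points at the default route or at the Nighthawk rather than at the NAT object.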