Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1140
Views
0
Helpful
2
Replies
DCSmart
Beginner
Beginner
‎03-28-2019 05:43 PM
‎03-28-2019 05:43 PM

Integrating ASA in the network

Hello,


We are planning to implement a second LAN using a Netgear wi-fi router; Our current LAN is using a Netgear Nighthawk as the primary router which is directly connected to the ISP router and to a Cisco switch to provide DHCP service, wi-fi, and Ethernet connectivity, but for the second LAN we want to have ASA in front of the second router, so the layout would look like this: ISP –- Nighthawk Router –- ASA –- Second Router. At this point, I’m wondering how reliable it would be to have two consumer-grade routers in our network and if the current network layout is going to serve the purpose.


Overall Purpose is to integrate ASA in the network and get rid of the First LAN ( using WiFI router ) altogether. We will have ASA do the DHCP and VPN service.

I’m familiar with Cisco routers and switches but I’m relatively new to ASA. As per the running configs, our ASA box mgmt interface has been configured to be accessed remotely through SSH.


I’ve assigned the interfaces in ASA as follows: G0/0 “Outside” to primary Netgear router and G0/1 “inside” to second Netgear router.


I’ve also configured static routing and opened ports 80/443 and I’m not getting any internet connectivity on the second router neither I can ping internet from ASA.


My guess is that I’m missing some NAT configuration as I’ve already gone through the ACL’s and ICMP is allowed. Any other ideas? Please let me know if something is unclear or more info need is needed.


Attached is the diagram for the intended network design.

Labels:
Preview file
32 KB
0 Helpful
2 REPLIES 2
John-Finnegan
Beginner
Beginner
‎03-29-2019 12:22 PM
‎03-29-2019 12:22 PM

Would you be able to share some of the ASA config?

 

I am assuming the ASA is doing DHCP for the Outside interface so that the Router can provide it an IP address is that accurate?

 

How is the Second Router getting its IPs? Is it through DHCP on the internal interface of the ASA or are these statically assigned?

 

Are the networks behind the ASA getting PAT'd out as the ASA DHCP IP or are these networks routed from the Routers perspective and then the Router handles the PAT?

 

I also noticed you stated that you allowed 80 and 443 but you would still need to allow ICMP if you want to be able to ping and DNS (UDP/TCP 53) so that your devices can resolve domains so that 80 and 443 can be used with domain names.

 

Any other information you can provide would help in getting you an answer on the issues you are seeing.

 

0 Helpful
frank.argz
Beginner
Beginner
In response to John-Finnegan
‎03-29-2019 05:46 PM
‎03-29-2019 05:46 PM

Thanks for your response. I'm also working on this project along with the original poster. Our ASA box had some previous configurations done, so it was reset to factory defaults. DHCP is disabled on ASA but enabled on both routers. All the IP addresses for both routers and interfaces have been statically assigned.

At the moment, the routers are handling the PAT.

ICMP is allowed, and so is UDP/TCP 53.

 

Below are the interfaces and static routes configs:

ciscoasa(config)# interface GigabitEthernet0/0 
ciscoasa(config-if)# nameif outside 
ciscoasa(config-if)# ip address 172.16.0.4 255.255.255.0 
ciscoasa(config-if)# security-level 0 
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/1 
ciscoasa(config-if)# nameif inside 
ciscoasa(config-if)# ip address 10.2.10.2 255.255.255.0 
ciscoasa(config-if)# security-level 100 
ciscoasa(config-if)# no shutdown

 

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

ciscoasa(config)# route inside 10.2.10.0 255.255.255.0 172.16.0.4

 

These are the static NAT configs, but they don't seem to be correct since we can't get internet connectivity. Any ideas as to what's incorrect or missing? I know this is an odd scenario, so any other suggestions are welcome :)

 

object network inside_to_outside
 subnet 172.16.0.0 255.255.255.0
 nat (inside,outside) static interface

 

 

 

0 Helpful
Latest Contents
Cisco Champion Radio:S9|E20 Protection for Your Enterprise-C...
Created by Amilee San Juan on 05-25-2022 02:54 PM
0
0
0
0
Listen: https://smarturl.it/CCRS9E20Follow us: https://twitter.com/CiscoChampion  With over one trillion email scams per year, more than 22 billion records were exposed by data breaches in 2021. Phishing attacks are clearly on the rise, and they’re e... view more
DOT1X IOS commands overview
Created by Meddane on 05-21-2022 03:14 PM
0
0
0
0
Radius server configuration for 802.1X   Server radius test1 Address ipv4 10.1.1.1 Key 1234 ! Server radius test2 Address ipv4 10.1.1.2 Key 1234 ! aaa group server radius TEST-gr  server name test1  server name test2 !      &... view more
Umbrella’s cloud-delivered firewall (CDFW)
Created by Meddane on 05-21-2022 03:04 PM
0
0
0
0
Umbrella’s cloud-delivered firewall (CDFW) is a cool features that provides Firewall Services in the Cisco Umbrella Cloud without the need to deploy on-premises firewall devices and visibility and control for internet traffic across all branch offices. To... view more
GRE over IPSec Crypto map versus Tunnel Protection (IPsec Pr...
Created by Meddane on 05-21-2022 03:01 PM
0
0
0
0
GRE over IPSec Crypto map   int tunnel 1ip add 172.16.1.1 255.255.255.0tunnel source G0/0tunnel destination 2.2.2.2!access-list 100 permit gre host 1.1.1.1 host 2.2.2.2!crypto ipsec transform-set TS esp-aes esp-sha-hmac!crypto map TESTset peer 2.2.2.... view more
ISE URL Redirection on IOS-XE
Created by Mohsin_Mohamed on 05-20-2022 01:04 PM
0
0
0
0
SymptomsDownloadable ACL (dACL) does not take effect on the IOS-XE Network Access DevicesDiagnosisCreating redirection ACL on the IOS-XE device failed to redirect the specified traffic for captive portal redirectionSolutionEnable device tracking, Below is... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad