We are planning to implement a second LAN using a Netgear Wi-Fi router. Our current LAN uses a Netgear Nighthawk as the primary router, which is directly connected to the ISP router and to a Cisco switch to provide DHCP service, Wi-Fi, and Ethernet connectivity, but for the second LAN we want to have the ASA in front of the second router, so the layout would look like this: ISP -- Nighthawk Router -- ASA -- Second Router. At this point, I'm wondering how reliable it would be to have two consumer-grade routers in our network and if the current network layout is going to serve the purpose.
The overall purpose is to integrate the ASA in the network and get rid of the first LAN (using the Wi-Fi router) altogether. We will have the ASA do the DHCP and VPN service.
I’m familiar with Cisco routers and switches but I’m relatively new to ASA. As per the running configs, our ASA box mgmt interface has been configured to be accessed remotely through SSH.
I’ve assigned the interfaces in ASA as follows: G0/0 “Outside” to primary Netgear router and G0/1 “inside” to second Netgear router.
I've also configured static routing and opened ports 80/443, and I'm not getting any internet connectivity on the second router, nor can I ping the internet from the ASA.
My guess is that I'm missing some NAT configuration, as I've already gone through the ACLs and ICMP is allowed. Any other ideas? Please let me know if something is unclear or more info is needed.
Attached is the diagram for the intended network design.
Would you be able to share some of the ASA config?
I am assuming the ASA is doing DHCP for the Outside interface so that the Router can provide it an IP address; is that accurate?
How is the Second Router getting its IPs? Is it through DHCP on the internal interface of the ASA or are these statically assigned?
Are the networks behind the ASA getting PAT'd out as the ASA DHCP IP or are these networks routed from the Routers perspective and then the Router handles the PAT?
I also noticed you stated that you allowed 80 and 443, but you would still need to allow ICMP if you want to be able to ping, and DNS (UDP/TCP 53) so that your devices can resolve domains and 80 and 443 can be used with domain names.
Any other information you can provide would help in getting you an answer on the issues you are seeing.
Thanks for your response. I'm also working on this project along with the original poster. Our ASA box had some previous configurations done, so it was reset to factory defaults. DHCP is disabled on ASA but enabled on both routers. All the IP addresses for both routers and interfaces have been statically assigned.
At the moment, the routers are handling the PAT.
ICMP is allowed, and so is UDP/TCP 53.
Below are the interfaces and static routes configs:
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 172.16.0.4 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 10.2.10.2 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
These are the static NAT configs, but they don't seem to be correct since we can't get internet connectivity. Any ideas as to what's incorrect or missing? I know this is an odd scenario, so any other suggestions are welcome :)
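For the NAT question raised in this thread, here is an added example (not the posters' running config and not a reply from anyone in the thread) of the ASA-side pieces the discussion points at, using the interface addresses posted above: a default route toward the Nighthawk, dynamic PAT of the inside subnet to the outside interface address, and ICMP inspection so echo replies are allowed back. The Nighthawk's LAN address 172.16.0.1, the inside host 10.2.10.10 and the test address 198.51.100.1 are assumptions.

```cisco
! Added example, not the posted config. Assumes the ASA interfaces shown
! above (outside 172.16.0.4/24, inside 10.2.10.2/24) and that the Nighthawk's
! LAN address is 172.16.0.1 (assumption).

! Default route: anything the ASA has no route for goes to the Nighthawk.
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

! Dynamic PAT: hide the inside subnet (where the second router's WAN side
! lives) behind the outside interface address on the way out. Without this
! the Nighthawk sees 10.2.10.x sources it has no route back to.
object network INSIDE-NET
 subnet 10.2.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! inside (security-level 100) to outside (0) is permitted by default, so no
! outbound ACL is needed for 80/443 or 53, and no permit-any ACL should be
! added on outside just to make pings work. ICMP inspection tracks each
! echo request and lets only the matching reply back in.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

! Checks: confirm the route and the translation, then trace a ping from an
! inside host (10.2.10.10, assumed) to a test address (198.51.100.1, from the
! documentation range) through the ASA's policy without sending it.
show route
show nat
packet-tracer input inside icmp 10.2.10.10 8 0 198.51.100.1
```

If packet-tracer reports a drop, the phase it names (ROUTE-LOOKUP, NAT, ACCESS-LIST, INSPECT) tells you which of the three pieces above is still missing.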