Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3047
Views
75
Helpful
31
Replies

IP Address assignment on LAN Interface ASDM /CLI

amh4y0001
Level 3
Level 3

‎03-28-2022 11:13 AM

Hi,

Have Cisco Firepower 1200 /ASDM and inside Ethernet 2 (inside) has 192.168.1.x IP address by default for the management purposes.
Question:
a) Is this port (Ethernet 2) and remaining other ports (Ethernet 3 - Ethernet belongs to same vLAN?
b) Can I leave Ethernet 2 (inside) as it is with it's default IP addressing scheme, or there is some other best practices?Firepower, Cisco Adaptive Security Appliance (ASA), Other Network Security Topics
c) How I can use Ethernet ports (3 - as LAN ports, same vLAN (but different from what Ethernet 2 belongs to) and IP address assignment etc.?

Thanks!

0 Helpful
31 Replies 31

amh4y0001
Level 3
Level 3

‎03-29-2022 06:28 AM - edited ‎03-29-2022 06:29 AM

@Rob Ingram Thanks, see below. I was trying to ping 8.8.8.8 and even open a browser to see if I have internet access.
Have enabled ICMP Echo requests for IPv4 on both end-points.

 

ciscoasa# packet-tracer input Site-A_LAN-P3 tcp 192.168.11.10 3000 8.8.8.8 80

Result:
input-interface: Site-A_LAN-P3
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x0000562d87f3ff8e flow (NA)/NA

------------------------------------------------------------------------------------------------

ciscoasa# packet-tracer input Site-A_LAN-P4 tcp 192.168.12.10 3000 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Result:
input-interface: Site-A_LAN-P4
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host, Drop-location: frame 0x0000562d87f3ff8e flow (NA)/NA

0 Helpful

Rob Ingram
VIP
VIP
In response to amh4y0001

‎03-29-2022 06:31 AM

@amh4y0001 Drop-reason: (no-route) No route to host - do you have a default route configured?

 

route outside 0 0 <next hop ip address>

 

 

amh4y0001
Level 3
Level 3

‎03-29-2022 06:54 AM - edited ‎03-29-2022 06:57 AM

@Rob Ingram my bad, I have not configured the default route. However, I have configured now, but still no internet access.


ciscoasa# show nat detail

Auto NAT Policies (Section 2)
1 (Site-A_LAN-P3) to (outside) source dynamic Site-A_LAN-P3 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.11.0/24, Translated: X.Y.Z.40/28
2 (Site-A_LAN-P4) to (outside) source dynamic Site-A_LAN-P4 interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.12.0/24, Translated: X.Y.Z.40/28
3 (any) to (outside) source dynamic obj_any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: X.Y.Z.40/28
ciscoasa# packet-tracer input Site-A_LAN-P3 tcp 192.168.11.10 3000 8.8.8.8 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop x.y.z.33 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Site-A_LAN-P3
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562d87f37680 flow (NA)/NA
ciscoasa# packet-tracer input Site-A_LAN-P4 tcp 192.168.12.10 3000 8.8.8.8 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop x.y.z.33 using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Site-A_LAN-P4
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562d87f37680 flow (NA)/NA

0 Helpful

Rob Ingram
VIP
VIP
In response to amh4y0001

‎03-29-2022 06:59 AM

@amh4y0001 can you provide your full configuration, remove confidential information (change public IP addresses etc).

amh4y0001
Level 3
Level 3

‎03-29-2022 07:07 AM - edited ‎03-29-2022 07:07 AM

@Rob Ingram do you mean contents of "show running-config"?

0 Helpful

amh4y0001
Level 3
Level 3

‎03-29-2022 07:18 AM - edited ‎03-29-2022 07:19 AM

@Rob Ingram 

Thanks and sorry for the botheration  
I am new to ASA, see attached.

Preview file
9 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to amh4y0001

‎03-29-2022 07:23 AM

@amh4y0001 please can the security level of the outside interface

 

interface Ethernet1/1
nameif outside
security-level 0

then try connecting again

 

Ensure you can ping 8.8.8.8 from the ASA itself.

amh4y0001
Level 3
Level 3

‎03-29-2022 07:30 AM

@Rob Ingram Thanks, following is done

How to ping 8.8.8.8 from ASA?

security-level 0

 

0 Helpful

Rob Ingram
VIP
VIP
In response to amh4y0001

‎03-29-2022 07:32 AM

@amh4y0001 from the CLI just run the command "ping 8.8.8.8" and ensure you get a reply.

amh4y0001
Level 3
Level 3
In response to Rob Ingram

‎03-30-2022 01:17 AM

@Rob Ingram yes, successful PING from CLI.

However, on both endpoints, there is no internet (192.168.11.11 and 192.168.12.12)

0 Helpful

Rob Ingram
VIP
VIP
In response to amh4y0001

‎03-30-2022 01:23 AM

@amh4y0001 I assume the endpoints have a default gateway of the ASA and they can at least ping their local default gateway address?

 

Can you repeat the packet-tracer commands again, provide the full output.

Also provide the output of "show nat detail" and the running configuration.

amh4y0001
Level 3
Level 3
In response to Rob Ingram

‎03-30-2022 01:29 AM

@Rob Ingram appreciate you reply here.

End points now have Internet access, after configuring the DNS manually on NIC to 8.8.8.8

YES: Local default gateway was accessible.

ciscoasa# show nat detail

Auto NAT Policies (Section 2)
1 (Site-A_LAN-P3) to (outside) source dynamic Site-A_LAN-P3 interface
translate_hits = 165, untranslate_hits = 261
Source - Origin: 192.168.11.0/24, Translated: x.y.z.40/28
2 (Site-A_LAN-P4) to (outside) source dynamic Site-A_LAN-P4 interface
translate_hits = 454, untranslate_hits = 8
Source - Origin: 192.168.12.0/24, Translated: x.y.z.40/28
3 (any) to (outside) source dynamic obj_any interface
translate_hits = 233, untranslate_hits = 1
Source - Origin: 0.0.0.0/0, Translated: x.y.z/28

0 Helpful

Rob Ingram
VIP
VIP
In response to amh4y0001

‎03-30-2022 02:20 AM

@amh4y0001 ok, good to hear.

Optional, but you also may want an ACL from inside to outside to permit only the required access (http, https, dns etc).

You also may want to remove the other nat rule as it is redundant as you have the more specific rules

 

object network obj_any
 no nat (any,outside) dynamic interface

 

amh4y0001
Level 3
Level 3

‎03-30-2022 02:42 AM

@Rob Ingram Do you think it is worthy to start over with a fresh configuration?

Best practice is to define DNS for each interface or can define for multiple interfaces? 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card