11-21-2011 07:39 PM - edited 03-11-2019 02:53 PM
Hi all,
I am new to Cisco ASA devices. I have some experience with Catalyst Switches and with the SA smaller security devices. I have a new ASA 5510 and I am trying to use the ASDM GUI software to configure it. I do have a USB to Serial cable that supports Cisco devices so I can use the console to do commands if needed.
Right now I am setting it up and testing it at my home with Comcast for my ISP. So I don't have a static IP. I have a standard Surfboard SB6120 Cable Modem. For right now I am trying to get a very basic config setup with the modem on the 0/0 port for WAN outside and a LAN network inside on the 0/1 port.
I ran through the setup wizard on the ASDM software. I selected DHCP for the outside 0/0 interface because I don't have a static IP. Is there any way to connect to the modem without DHCP if I use whatever my current IP address is? I set up a LAN Interface on 0/1 with an IP of 10.10.10.1 with no DHCP. When the wizard got to the NAT and PAT step it would not let me choose either because I had not entered an IP address for the 0/0 WAN interface. I chose the 3rd option to not have NAT or PAT enabled.
Afterwards I can plug my laptop into 0/1 and set a static IP of 10.10.10.xxx with 255.255.255.0 and 10.10.10.1 DG. It connects fine but I have no Internet when the modem is connected to the 0/0 port. I'm sure this is because there is no NAT/PAT or access rule.
So how can I set up the ASA to work like a regular router or SA device with a WAN port for a modem that does not have a static IP? My goal right now is to just get a working WAN/LAN environment and go from there.
Also how do you set up VLANs? I didn't see anything related to VLANs in the ASDM, only the physical interfaces. I will need to create 4 or 5 different IP networks to push out a single port in trunk mode. I assume that is possible like it is with the SA devices.
Thanks
Chris
11-23-2011 03:30 AM
It should look like this in your configuration.
object network Ubuntu
nat (Ununtu,WAN) dynamic interface
object network Heatbeat
nat (Heartbeat,WAN) dynamic interface
object network MGMT_LAN
nat (LAN_MGMT,WAN) dynamic interface
After changing this internet access should work.
11-22-2011 04:00 AM
This might help.
http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/configuration_guide/nat_objects.html
If it still does not work, post your configuration. I will let you know what commands are required from the CLI.
Thanks
Ajay
11-23-2011 03:15 AM
Hi,
I took a look at the link and did some configuring. I think I'm closer but not exactly sure. I also updated to ASA 8.4(1) and updated the ASDM. The newer ASDM seemed a little better to work with. Anyway, below is my current config.
You will see the 3 vlans I created for various things. I will need the three to be able to talk to each other and the outside world. My ISP is Comcast so I set the 0/0 interface to DHCP for the outside that is connected to my modem.
The 0/1 interface with the 3 vlans is connected to a Catalyst 3560-X switch. It has the same 3 vlans and the ports connected to my servers and ASA are currently in 802.1q Trunk with all vlans accepted and native vlan 1.
Thanks for helping
Chris
ASA Version 8.4(1)
!
hostname MPDCFirewall
domain-name metapower
enable password ac3wyUYtitklff6l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.1
vlan 1
nameif LAN_MGMT
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.2
vlan 2
nameif Ununtu
security-level 50
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/1.3
vlan 3
nameif Heartbeat
security-level 50
ip address 10.10.11.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name metapower
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Ubuntu
subnet 10.10.10.0 255.255.255.0
description SAN Ubuntu
object network Heatbeat
subnet 10.10.11.0 255.255.255.0
description SAN Heartbeat
object network MGMT_LAN
subnet 192.168.2.0 255.255.255.0
description Management LAN
pager lines 24
logging asdm informational
mtu WAN 1500
mtu management 1500
mtu Heartbeat 1500
mtu LAN_MGMT 1500
mtu Ununtu 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network Ubuntu
nat (any,WAN) dynamic interface
object network Heatbeat
nat (any,WAN) dynamic interface
object network MGMT_LAN
nat (any,WAN) dynamic interface
!
nat (management,WAN) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd auto_config WAN interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password VxZjbyhsFz3cVqCZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f3593ee5a62ecbac8be9717ee1e5c3f6
: end
11-24-2011 01:28 AM
Thanks that got me Internet access. Is there a way to set a DNS IP to use in the ASA that it can broadcast down to the other networks? Right now I have to set my DNS to something on the network interface of my laptop/devices because I'm using static and no DHCP.
I was also doing some ping tests and noticed I could not ping the other network vlans I set up. So I'm on the 192.168.2.113 network and can ping things on that but not on the 10.10.10.1 or 11.1 networks. I see where I can add an access rule. Right now there are ones for each network that say they can access any less secure network. What about same security? They are all set to 50 right now and I was hoping that would let them talk to each other.
Thanks and Happy Thanksgiving!
Chris
11-24-2011 02:54 AM
The DNS server could be internal as well as external, or you can use any free DNS server like 4.2.2.2. If you configure DHCP you can configure whatever DNS server you want to use.
If the security level is the same for multiple interfaces, then for them to communicate with each other one special command is required.
same-security-traffic permit intra-interface
Rest should be fine.
Thanks
Ajay
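As an added check that is not part of any post in this thread: the Python script below lints an ASA 8.4-style config for the two issues raised here, object NAT whose real interface is "any" rather than the interface that owns the object's subnet (the fix in the accepted answer), and interfaces that share a security level without "same-security-traffic permit inter-interface", which is the command for traffic between different same-level interfaces and is already present in Chris's config ("intra-interface" only covers traffic that enters and leaves the same interface). The sample config is a condensed, constructed copy of the one posted; the nameif "Ununtu" is kept as it appears there because the nat command must match the nameif exactly.

```python
"""Lint an ASA 8.4-style config for the two issues discussed in the thread.
Added example; SAMPLE_CONFIG is a constructed, condensed copy of the posted config."""
import ipaddress
import re
from collections import defaultdict

INTER_CMD = "same-security-traffic permit inter-interface"

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1.1
 vlan 1
 nameif LAN_MGMT
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1.2
 vlan 2
 nameif Ununtu
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
object network Ubuntu
 subnet 10.10.10.0 255.255.255.0
object network MGMT_LAN
 subnet 192.168.2.0 255.255.255.0
!
object network Ubuntu
 nat (any,WAN) dynamic interface
object network MGMT_LAN
 nat (LAN_MGMT,WAN) dynamic interface
"""


def parse_config(text):
    """Return (interfaces, objects).
    interfaces: nameif -> {"network": ip_network or None, "level": int or None}
    objects:    name  -> {"subnet": ip_network or None, "nat": (real, mapped) or None}
    """
    interfaces, objects, block = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            block = ("interface", {"network": None, "level": None})
            continue
        m = re.match(r"object network (\S+)$", line)
        if m:
            # ASA prints the same object twice: once with its subnet, once with its nat rule
            block = ("object", objects.setdefault(m.group(1), {"subnet": None, "nat": None}))
            continue
        if block is None:
            continue
        kind, entry = block
        if kind == "interface":
            if line.startswith("nameif "):
                interfaces[line.split()[1]] = entry
            elif line.startswith("security-level "):
                entry["level"] = int(line.split()[1])
            else:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m and m.group(1) != "dhcp":  # a DHCP outside interface has no fixed network
                    entry["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        else:
            m = re.match(r"subnet (\S+) (\S+)$", line)
            if m:
                entry["subnet"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            m = re.match(r"nat \((\S+),(\S+)\) ", line)
            if m:
                entry["nat"] = (m.group(1), m.group(2))
    return interfaces, objects


def lint(text):
    """Return a list of findings (strings); an empty list means both checks pass."""
    interfaces, objects = parse_config(text)
    findings = []
    for name, obj in objects.items():
        if obj["nat"] is None or obj["subnet"] is None:
            continue
        real, mapped = obj["nat"]
        # the interface whose directly connected network contains the object's subnet
        home = next((n for n, i in interfaces.items()
                     if i["network"] is not None and obj["subnet"].subnet_of(i["network"])), None)
        if home is None:
            findings.append(f"object {name}: no interface owns {obj['subnet']}; cannot validate nat")
        elif real != home:
            findings.append(f"object {name}: nat real interface '{real}' should be '{home}'; "
                            f"use: nat ({home},{mapped}) dynamic interface")
    by_level = defaultdict(list)
    for n, i in interfaces.items():
        if i["level"] is not None:
            by_level[i["level"]].append(n)
    shared = sorted(lvl for lvl, names in by_level.items() if len(names) > 1)
    present = any(l.strip() == INTER_CMD for l in text.splitlines())
    if shared and not present:
        findings.append(f"interfaces share security-level {shared}: add '{INTER_CMD}' "
                        "or traffic between them is dropped")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against "show running-config" output saved to a file by replacing SAMPLE_CONFIG with the file's contents; it only reads the config and suggests the corrected nat line per object.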