Configure ASA5506-X w/Outside Static IP (from ISP) & Inside LAN of 192.168.2.x

KP_CBCL
Level 1

I have an ASA 5506-X that I need configured for an outside static IP on GigabitEthernet1/1, as provided by my ISP.

IP: xxx.xxx.xxx.118

SUB: 255.255.255.252

GATEWAY: xxx.xxx.xxx.117

DNS1: yyy.yyy.yyy.yyy

DNS2: zzz.zzz.zzz.zzz

ISP modem does not provide IP via DHCP. The static IP NEEDS to be input into the ASA.

 

My LAN (inside) needs to be configured for 192.168.2.x, 255.255.255.0. All devices are already set up with static IPs to be on this subnet; the only piece missing is the ASA to tie them all together. So the ASDM manager (and therefore the 5506-X) will also need to have an IP of 192.168.2.1.

 

I also assume the ASA FirePOWER Management port will also need a new IP of 192.168.2.2. How is this accomplished?

 

I am programming via the GUI, as I have limited experience with HyperTerminal, but I can program with HyperTerminal if absolutely required. I've been trying for a day now and seem to be getting nowhere.


Thank you, the second Link was very useful when used in combination with Paul Driver's suggestions.

I am now able to connect the computer and receive an IP via DHCP and connect to the internet. But now I can't access the ASDM GUI from the computer.

 

Here is what I did... 

factory-default completed from CLI

connected to ASDM, started wizard, steps 1-8 left default, step 9 I changed the ASA FirePOWER address to 192.168.2.2 / 255.255.255.0 / 192.168.2.1, steps 10-12 left default

closed ASDM, connected to console for CLI

**see attached HyperTerminal_4.txt file for complete list of commands**

 

How can I configure the ASA to allow access to the ASDM from the 192.168.2.0 subnet on the connected computer?

Hello

 

object network NATLAN
subnet 192.168.2.0 255.255.255.0

object-group network DEFAULT-PAT
network-object object NATLAN

access-list 100 extended permit icmp any object-group NATLAN echo-reply <------------allow echo-reply from WAN

nat (inside,outside) after-auto source dynamic DEFAULT-PAT interface
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0  xxx.xxx.xxx.118


For DHCP
dhcpd address 192.168.2.100-192.168.2.200 inside
dhcpd option 3 ip 192.168.2.254
dhcpd lease 7200 
dhcpd domain yourdomain.local
dhcp dns yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx
dhcpd enable inside


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul


@paul driver wrote:

Hello

 

object network NATLAN
subnet 192.168.2.0 255.255.255.0

object-group network DEFAULT-PAT
network-object object NATLAN

access-list 100 extended permit icmp any object-group NATLAN echo-reply <------------allow echo-reply from WAN

nat (inside,outside) after-auto source dynamic DEFAULT-PAT interface
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0  xxx.xxx.xxx.118


For DHCP
dhcpd address 192.168.2.100-192.168.2.200 inside
dhcpd option 3 ip 192.168.2.254
dhcpd lease 7200 
dhcpd domain yourdomain.local
dhcp dns yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx
dhcpd enable inside


Paul, thank you for the detailed reply. I was using HyperTerminal and got some of the commands to work, but not all. I got an error back saying the NATLAN wasn't created and I couldn't create the new DHCP of xxx.xxx.2.0. Below is the text copy of my session, maybe you can see the error. I used back-space to correct spelling errors.. does that matter?

"

object network NATLAN
ciscoasa(config-network-object)# subnet 192.168.2.0 255.255.255.0
ciscoasa(config-network-object)# object-group network DEFAULT-PAT
ciscoasa(config-network-object-group)# network-object object NATLAN
ciscoasa(config-network-object-group)# access-list 100 extended permit icmp any$rmit icmp any object-group NATLAN echo-$ NATLAN echo-r eplyaccess-list 100 extended permit icmp an$
ERROR: specified object group <NATLAN> not found
ciscoasa(config)# access-list 100 extended permit icmp any object-group NATLAN $rmit icmp any object-group NATLAN e cho-replyaccess-list 100 extended permit icmp any object-group NATLAN$
ERROR: specified object group <NATLAN> not found
ciscoasa(config)# nat )inside       (inside,outside) after-auto source dymanaic      namoic   ic DEFAULT-PAT in$auto source dynamic DEFAULT-PAT int erfacenat (inside,outside) after-auto source dynamic DEFAULT-PAT i$

nat (inside,outside) after-auto source dynamic DEFAULT-PAT interface
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# nat(inside        inside      (inside,
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# nat (inside,outside) after-auto source dynamic DEFAULT-PAT in$auto source dynamic DEFAULT-PAT int erfacenat (inside,outside) after-auto source dynamic DEFAULT-PAT i$

nat (inside,outside) after-auto source dynamic DEFAULT-PAT interface
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)# access-group 100 in interaf  face outside
ERROR: access-list <100> does not exist
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.118  [the xxx's i added back to keep the IP anonymous]
ciscoasa(config)# dhcpd address 192.168.2.100-192.168.2.200 inside
Address range subnet 192.168.2.100 or 192.168.2.200 is not the same as inside interface subnet 192.168.1.1"

Can you copy the suggested config to Notepad and check for any special characters before you paste the config on the device?

 

BB


Hello

 

Apologies, there was a typo in my OP config. However, make sure you change the subnets and IP addresses to accommodate your network; your internal and external interface naming conventions should also match.

 

example:

int x/x
description lan interface
nameif inside
ip address 192.168.2.254 255.255.255.0

 

 

int x/x
description wan interface
nameif outside
ip address 1.1.1.117 255.255.255.252

 

 

object network NATLAN
subnet 192.168.2.0 255.255.255.0

object-group network DEFAULT-PAT
network-object object NATLAN

access-list 100 extended permit icmp any object-group DEFAULT-PAT echo-reply

nat (inside,outside) after-auto source dynamic DEFAULT-PAT interface
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.118

 

dhcpd address 192.168.2.100-192.168.2.200 inside
dhcpd option 3 ip 192.168.2.254
dhcpd lease 7200 
dhcpd domain yourdomain.local
dhcpd dns yyy.yyy.yyy.yyy  xxx.xxx.xxx.xxx
dhcpd enable inside



Kind Regards
Paul

Thank you for all your help so far, I am getting closer...

I am now able to connect the computer and receive an IP via DHCP and connect to the internet. But now I can't access the ASDM GUI from the computer.

 

Here is what I did... 

factory-default completed from CLI

connected to ASDM, started wizard, steps 1-8 left default, step 9 I changed the ASA FirePOWER address to 192.168.2.2 / 255.255.255.0 / 192.168.2.1, steps 10-12 left default

closed ASDM, connected to console for CLI

**see attached HyperTerminal_4.txt file for complete list of commands**

 

How can I configure the ASA to allow access to the ASDM from the 192.168.2.0 subnet on the connected computer?

Hello


@KP_CBCL wrote:

How can I configure the ASA to allow access to the ASDM from the 192.168.2.0 subnet on the connected computer?


conf t

http server enable 443
http 192.168.2.0 255.255.255.0 inside

 

 

 



Kind Regards
Paul

When attempting to enable, I get the following error (see below). And after some searching, I'm not sure how to correct the Ambiguous command error.

 

ciscoasa# config t
ciscoasa(config)#
ciscoasa(config)# http server enable 443
ciscoasa(config)# http 192.168.2.0 255.255.255.0 inside
ERROR: % Ambiguous command: "http 192.168.2.0 255.255.255.0 inside"

FIXED IT.. using 'http 192.168.2.0 255.255.255.0 ?'

It showed me that inside_1 - inside_7 were the available options, so I set all of them and now I can connect.
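
The three errors hit in this thread (an "object" referenced as an "object-group", a DHCP pool outside the interface subnet, and an "http" line naming an interface that does not exist) can be caught before a config is pasted into the console. The following is an added example, not code from any poster or from Cisco; lint_asa, the sample config and its 203.0.113.x address are constructed for illustration, and the parser only understands the command forms that appear in this thread.

```python
import ipaddress
# Constructed sample reproducing the thread's mistakes; not a capture from the device.
SAMPLE = """\
interface GigabitEthernet1/1
 nameif outside
 ip address 203.0.113.118 255.255.255.252
interface GigabitEthernet1/2
 nameif inside_1
 ip address 192.168.1.1 255.255.255.0
object network NATLAN
 subnet 192.168.2.0 255.255.255.0
access-list 100 extended permit icmp any object-group NATLAN echo-reply
dhcpd address 192.168.2.100-192.168.2.200 inside_1
http server enable 443
http 192.168.2.0 255.255.255.0 inside
"""

def lint_asa(config):
    """Return findings for a pasted ASA fragment (simplified, hypothetical linter)."""
    nets, objects, groups, findings = {}, set(), set(), []
    lines = [l.split() for l in config.splitlines() if l.strip()]
    name = None
    for t in lines:  # pass 1: collect what the fragment defines
        if t[0].startswith("int"):
            name = None
        elif t[0] == "nameif":
            name = t[1]
            nets[name] = None
        elif t[:2] == ["ip", "address"] and name and len(t) >= 4:
            nets[name] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[:2] == ["object", "network"]:
            objects.add(t[2])
        elif t[:2] == ["object-group", "network"]:
            groups.add(t[2])
    for t in lines:  # pass 2: check every reference against pass 1
        if t[0] == "access-list":
            for kw, ref in zip(t, t[1:]):
                if kw == "object-group" and ref not in groups:
                    hint = " (it is an 'object')" if ref in objects else ""
                    findings.append(f"object-group {ref} not found{hint}")
        elif t[0] == "http" and len(t) == 4 and t[1] != "server" and t[3] not in nets:
            near = sorted(n for n in nets if n.startswith(t[3]))
            findings.append(f"http: no interface named {t[3]}; candidates: {near}")
        elif t[:2] == ["dhcpd", "address"] and len(t) == 4 and nets.get(t[3]) is not None:
            lo, hi = (ipaddress.ip_address(a) for a in t[2].split("-"))
            if lo not in nets[t[3]] or hi not in nets[t[3]]:
                findings.append(f"dhcpd range {t[2]} not in {t[3]} subnet {nets[t[3]]}")
    return findings
print("\n".join(lint_asa(SAMPLE)))
```

The "http" check also confirms which interface names ASDM management access is actually bound to, which is worth reviewing after setting all of inside_1 through inside_7.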