Configuring an ASA5506X for NAT

Paul Morris
Level 1

Hi

I am not sure if this is the correct forum, but I need to configure an ASA 5506X to do NAT routing. I think I have successfully configured the internal and external interfaces, but so far it is still not working.

Any assistance would be appreciated.

42 Replies

Hi 

Thank you.

I got it up and running and realised I can use the firewall as my gateway; however, is there a way to do this:

1) Not using DHCP on the inside firewall

2) Ensure that all internal traffic is still sent to my internal DNS first. I know I can add it as one of the DNS servers but I am unclear of the implications.

Thank you again for your continued help.

I restarted all devices and now the test machine shows connected, but it still cannot browse the internet. I can browse if I connect directly to the other router on 192.168.0.1.

saif musa
Level 4

Paul,

Try to answer the following and I will try to provide you with the full commands you need. You will just copy and paste them into your router.

1- Your public IP address is __________ with subnet mask __________.

2- Your public IP gateway is __________.

3- Your DNS is _________________.

(The above addresses are provided to you by your ISP.)

4- How many internet users do you have inside your company?

5- Do you have a specific range of IP addresses for your internal network, or can we provide you with a standard range?

6- Do you need a DHCP service to run on your network, or will you distribute static IP addresses to hosts?

7- Are there specific Gig ports on your ASA that you need to work as WAN and LAN, or not?

Regards

Hi;

I do not have the public IP address. The way it is configured is as follows:

- DIA with a public IP address which I do not presently know. The connection from the DIA has an IP address of 192.168.0.1; 255.255.255.0 - that is the gateway and DHCP server from the DIA connection.

There are presently 20 inside users. Internal is 10.0.0.X; subnet 255.255.255.0

There is a DHCP server internally.

ASA Gigabit 1/1 for Outside; Gigabit 2 is inside.

Paul,

You didn't provide a DNS address. I already used a public one and you can change it anyway.

* For your outside interface use:

    !
    interface gigabitethernet1/1
     nameif outside
     security-level 0
     ip address dhcp setroute
     no shutdown
    !

* For your inside interface use:

    !
    interface gigabitethernet1/2
     nameif inside
     security-level 100
     ip address 10.0.0.1 255.255.255.0
     no shutdown
    !

* To enable the DHCP service on your internal network use:

    !
    ! the pool starts at .100, so the inside interface address 10.0.0.1 is never handed out
    dhcpd dns 4.2.2.2 4.2.2.3
    dhcpd lease 3000
    dhcpd ping_timeout 30
    dhcpd address 10.0.0.100-10.0.0.250 inside
    dhcpd enable inside
    !

* To enable the NAT process outside to/from inside use:

    !
    ! ASA 8.3+ object NAT: the 5506-X runs 9.x, which no longer accepts the old "global"/"nat (inside) 1" form
    object network inside-net
     subnet 10.0.0.0 255.255.255.0
     nat (inside,outside) dynamic interface
    !
    ! no access-group is needed for outbound traffic: inside (100) to outside (0) is permitted by default
    !

* To enable telnet on the inside interface use:

    !
    ! telnet carries credentials in cleartext; SSH is preferred where possible
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 10
    !

* To save the configuration use the ( write ) command.

Also, don't forget to enable a password for the device.

Regards

Please rate helpful posts

Hi;

Please clarify:

What are the implications for my existing DHCP server if I enable DHCP on my internal network as per the instructions above? Also, how will it affect my internal DNS?

It just occurred to me that in the proposed configuration the ASA would have to be my gateway. Is this correct?

DIA (192.168.0.1, 255.255.255.0 - provides DHCP) -----> Cisco 3960 ------> (DHCP) ASA 5506 (10.0.0.1, 255.255.255.0) -------> HP Switch -------> Server (DHCP, DNS 10.0.0.11; 255.255.255.0)

Hi

I got it working in my test environment using a combination of information from your thread and the other person's. However, I have a TP-Link which is acting as my gateway/switch in my test environment with IP address 10.0.0.2. What would you recommend I use in my live environment?

Hi 

I realise I can use the firewall as my gateway; however, is there a way to do this:

1) Not using DHCP on the inside firewall

2) Ensure that all internal traffic is still sent to my internal DNS first. I know I can add it as one of the DNS servers but I am unclear of the implications.

Thank you again for your continued help.

Hi Paul,

The device that performs NAT, routing, or both should be the gateway for the internal network.

You can choose to run the DHCP service on your gateway or on any other server on the network. But when using a DHCP server other than the gateway, you should pay attention: we assign a static IP address to the LAN interface of the gateway, so we don't want the DHCP server to distribute the same IP address on the network. The LAN interface IP address must be excluded.

Internet frames flowing from the inside network to the outside cannot be affected by using an internal or an external DNS server. But in my opinion, using an internal DNS server is much more secure for the network devices and hosts.

I'm ready to help anytime, so don't hesitate to contact me. Just don't forget to rate helpful posts.

 

Regards

So, to be clear: I configured the firewall with the IP address I have set up in the DHCP server as the gateway.

Is it that you are saying that even if I leave it as is with the external DNS I will not have an issue? If I put the internal DNS on the firewall, will I have to configure a forwarder in my DNS server so that it forwards the external traffic, and if I do, should I use the firewall?

Sorry about the ratings. Did not pay attention.

 

1) You configured the firewall with an IP address that must be considered by the DHCP server as EXCLUDED, thus not to be assigned to another device on the network.

2) No implications whether you use your DNS inside your network or a public one.

Greetings
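A small checker for the mistakes this thread runs into, added here as an example and not taken from any post above: it parses an ASA-style config and flags a DHCP pool that includes the inside interface address (the exclusion described in the reply above), the pre-8.3 `global`/`nat (inside) 1` syntax that a 9.x 5506-X will not accept, and an `access-group` that names an ACL the config never defines. Both config strings are constructed, and `lint_asa_config` is a hypothetical helper, not an ASA feature.

```python
import ipaddress

# Constructed config in the style posted in this thread: static 10.0.0.1/24
# inside address, a DHCP pool starting at .1, and pre-8.3 style NAT commands.
POSTED_STYLE = """\
interface gigabitethernet1/2
 nameif inside
 ip address 10.0.0.1 255.255.255.0
dhcpd address 10.0.0.1-10.0.0.250 inside
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
access-group 101 in interface outside
"""

# Same intent in ASA 8.3+ object NAT form, with the gateway address excluded.
CORRECTED = """\
interface gigabitethernet1/2
 nameif inside
 ip address 10.0.0.1 255.255.255.0
dhcpd address 10.0.0.100-10.0.0.250 inside
object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""

def lint_asa_config(text):
    # Returns a list of human-readable findings; an empty list means clean.
    findings, iface_ip, acls, nameif = [], {}, set(), None
    for raw in text.splitlines():
        f = raw.split()
        if not f: continue
        if f[0] == "interface":
            nameif = None
        elif f[0] == "nameif":
            nameif = f[1]
        elif f[:2] == ["ip", "address"] and nameif and f[2] != "dhcp":
            iface_ip[nameif] = ipaddress.ip_address(f[2])  # static address only
        elif f[0] == "access-list":
            acls.add(f[1])
        elif f[:2] == ["dhcpd", "address"]:
            lo, hi = (ipaddress.ip_address(x) for x in f[2].split("-"))
            gw = iface_ip.get(f[3])
            if gw is not None and lo <= gw <= hi:
                findings.append(f"dhcpd pool {f[2]} on {f[3]} includes gateway {gw}")
        elif f[0] == "global" or (f[0] == "nat" and "," not in f[1]):
            # 'global' / 'nat (x) id' is pre-8.3 syntax; 8.3+ (every 5506-X) needs nat (in,out)
            findings.append(f"pre-8.3 NAT syntax rejected by ASA 9.x: {raw.strip()}")
        elif f[0] == "access-group" and f[1] not in acls:
            findings.append(f"access-group references undefined ACL {f[1]}")
    return findings
```

Running it on a real `show running-config` dump works the same way, since only the command keywords are inspected.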

 

Hi

I am in the live environment and it is not working.

I am attaching the ASA config and the config I get when I connect to the DIA. I am on site for another 2 hours. Grateful if you can assist.

You didn't apply the NAT configuration in the right way; check the configuration above.

- Did your hosts receive IP addresses?