Internet Routing for Firewall

Senbonzakura

Alright, what I'm trying to do is receive an address from port E0/0 from the modem which is handing out a 10.0.0.1 /24 then try to do NAT/PAT so I can use internet through the firewall. The problem is...

 

object network obj_any

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

 

Above, these commands are not recognized, so I'm not sure how to make this work. Below, between the lines, are the options being shown.

--------------------------------------------------------------------------------------------------

ciscoasa(config)# object ?

configure mode commands/options:
icmp-type Specifies a group of ICMP types, such as echo
network Specifies a group of host or subnet IP addresses
protocol Specifies a group of protocols, such as TCP, etc
service Specifies a group of TCP/UDP ports/services
ciscoasa(config)# object

 

ciscoasa(config)# object network obj_any
ciscoasa(config-network)# ?

description Specify description text
group-object Configure an object group as an object
help Help for network object-group configuration commands
network-object Configure a network object
no Remove an object or description from object-group
ciscoasa(config-network)#

 

--> object network inside-subnet
--> subnet 192.168.50.0 255.255.255.0
--> nat (inside,outside) dynamic interface

Don't even exist for me either... so I'm lost on what to do. When I try to do nat (inside,outside) it only lets me do either nat (inside) or nat (outside) but not together.

 

----------------------------------------------------------------------------------------------

Below is the running configuration for the ASA firewall currently.

 

ciscoasa# show run
: Saved
:
: Serial Number: JMX0949K0DM
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 8.2(5)59
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description WAN
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif manage
security-level 100
ip address 192.168.100.2 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-subnet
object-group network obj_any
access-list LAN standard permit 192.168.50.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu manage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.100.0 255.255.255.0 manage
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
!
dhcpd address 192.168.10.10-192.168.10.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ryan password 6j/YDjhwvohLfNZU encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bf29234b062c86613c41aafd624e515d
: end

1 Accepted Solution

Francesco Molino
VIP Alumni
Hi

The command you're looking for isn't working because you're running version 8.2, which is very old.
I would suggest upgrading to the latest available software for your 5510, which is 9.1.7. The requirement would be to have 1G RAM and, based on your output, you have it. Afterwards, you will be able to configure your ASA with the commands you're talking about.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


I'll upgrade it right now :) and I'll get back to you.

It worked, why did

--> object network inside-subnet
--> subnet 192.168.50.0 255.255.255.0
--> nat (inside,outside) dynamic interface

not give me internet access, but this one did?

object network obj_any

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic interface

 

 

Using 192.168.50.0/24 doesn't work because in your config, your inside network is 192.168.10.0/24.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
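
The subnet mismatch described in the last reply can be checked mechanically before a NAT change goes live. The following Python script is an added example, not part of the original thread or any Cisco tooling: it compares each object NAT rule's subnet against the network configured on the rule's real interface. The sample configuration is constructed from the addresses in this thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample (8.3+ object NAT syntax) using the addresses from this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
!
object network inside-subnet
 subnet 192.168.50.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
"""

def interface_networks(config):
    """Map each nameif to the network statically configured on that interface."""
    nets, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None  # new interface block: forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        m = re.match(r"ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", line)
        if m and name:  # "ip address dhcp" lines do not match and are skipped
            nets[name] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    return nets

def object_nat_rules(config):
    """Return (object, subnet, real_if) for each dynamic-interface object NAT rule."""
    rules, obj, subnet = [], None, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("object network "):
            obj, subnet = line.split()[2], None
        elif obj and line.startswith("subnet "):
            subnet = ipaddress.ip_network("/".join(line.split()[1:3]))
        elif subnet is not None and re.match(r"nat \((\w+),\w+\) dynamic interface", line):
            rules.append((obj, subnet, line[line.index("(") + 1:line.index(",")]))
    return rules

def check_nat_coverage(config):
    """For each rule, report whether its subnet covers the real interface's network."""
    nets = interface_networks(config)
    return {obj: real_if in nets and subnet.supernet_of(nets[real_if])
            for obj, subnet, real_if in object_nat_rules(config)}

print(check_nat_coverage(SAMPLE_CONFIG))
```

A `False` entry means hosts on that interface's network never match the rule, so their traffic leaves untranslated, which is what happened with `inside-subnet` here.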