ASA 5505 behind Router

Karsten Kemper
Level 1

Hello all,

I have the following setup at the moment:

Modem -> ASA 5505 -> LAN

where the ASA is configured as follows:

outside: DHCP configured, getting route and DNS via DHCP, dynamic WAN IP

inside: 192.168.10.1 (DHCP server enabled for LAN-side connected clients)

A site-to-site VPN (dynamic to static IP) is configured on the ASA.

Everything is working fine.

Due to an ISP change the modem is being replaced with a FritzBox Cable 6320 (router with integrated modem).

So the setup will look like this afterwards:

FritzBox router -> ASA 5505 -> LAN

where the desired IPs should look like this:

FritzBox LAN: 192.168.20.1 (DHCP server enabled for connected clients, here only the ASA)

ASA outside: DHCP configured, getting route and DNS via DHCP

ASA inside: 192.168.10.1 (DHCP server enabled for LAN-side connected clients)

On the ASA outside I am getting an IP from the FritzBox, including a correct route:

ASA

outside: 192.168.20.0 directly connected

inside: 192.168.10.0 directly connected

0.0.0.0 0.0.0.0 via 192.168.20.1, outside

But I cannot interact with the FritzBox from the ASA inside, whereas I can ping 192.168.20.1 from the CLI.

I honestly don't know where the problem is, nor how to set up NAT and routes and where, i.e. who needs to do the NAT and the routing in the new setup.

The relevant sections from the working config of the ASA:

--- interfaces
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!

--- network objects
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network VPN-SITE
 subnet 172.20.0.0 255.255.0.0
object network 192.168.10.0
 subnet 192.168.10.0 255.255.255.0

--- ACL and crypto map
access-list outside_cryptomap extended permit ip object 192.168.10.0 object VPN-SITE
access-list inside_access_in extended permit ip any any

--- NAT
nat (inside,outside) source static 192.168.10.0 192.168.10.0 destination static VPN-SITE VPN-SITE no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface

I would be very thankful for a schematic explanation or some useful links!

With kind regards

Karsten Kemper

3 Replies

Paul Heilmeier
Level 1

Hi,

Did you add the ASA inside IP as a route on the FritzBox, so the FritzBox knows which way it can reach the ASA?

If you are able to configure the Fritz.box, you could try to use the Fritz.box as a modem and use PPPoE from the ASA,

so the ASA gets a public IP directly on the outside interface.

Julio Carvajal
VIP Alumni

Hello

Add:

fixup protocol icmp

then test?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
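The suggestion above explains the symptom in the original post: the ASA itself can ping 192.168.20.1 because traffic sourced by the firewall is not subject to interface ACLs, but an inside host's echo request crosses from security-level 100 to 0 and, without ICMP inspection, the echo reply from the FritzBox is not tracked as return traffic and is dropped at the outside interface. "fixup protocol icmp" is the legacy PIX-style form; on the ASA release implied by the object-NAT syntax in the post (8.3 or later) the same thing is expressed under the Modular Policy Framework. The fragment below is an added example, not part of Julio's reply or the original configuration; it assumes the default "global_policy" and "inspection_default" names, which is what a factory-default ASA 5505 config uses.

```cisco
! Enable stateful ICMP inspection so echo replies (and ICMP errors such as
! "time exceeded" for traceroute) from the FritzBox side are matched to the
! inside host's outbound request instead of being denied by the implicit
! deny on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Verify that the inspection is active on the global service policy.
show service-policy
```

Once this is in place, test again from an inside host (not from the ASA CLI) with a ping to 192.168.20.1 and to an Internet address; if the ping to the FritzBox works but the Internet test still fails, the problem is past the ASA, on the FritzBox side.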

Thank you for taking the time to answer, I didn't see the replies because they landed in the spam folder =/

Yes, the route on the FritzBox to the ASA was set.

The problem was that the FritzBox was doing some "parental control checks" on the clients connected behind the ASA. This traffic was blocked on the ASA, which led to the FritzBox blocking connections from these hosts.

With kind regards
