01-29-2017 08:36 AM - edited 03-08-2019 09:06 AM
I was wondering if someone could look over this config and see if anything is missing for a simple basic setup? I just need the routers to access the internet (the ISP uses DHCP, no static address).
Also attached a diagram of my network layout.
10.1.10.0 > ASA Network
10.2.20.0 > Office LAN
10.3.30.0 > Home LAN
10.4.40.0 > Test LAN
hostname ASA_Main
!
username XXXXXXX password XXXXXXXXX privilege 15
interface vlan 10
ip address 10.1.10.1 255.255.255.224
nameif outside
!
interface vlan 20
ip address 10.2.20.1 255.255.255.224
nameif inside
!
interface vlan 30
ip address 10.3.30.1 255.255.255.224
nameif inside
!
interface vlan 40
ip address 10.4.40.1 255.255.255.224
nameif inside
!
interface ethernet0/0
switchport access vlan 10
nameif outside
no shut
!
interface Ethernet0/1
switchport access vlan 20
nameif inside
no shut
!
interface Ethernet0/2
switchport access vlan 30
nameif inside
no shut
!
interface Ethernet0/3
switchport access vlan 40
nameif inside
no shut
!
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco
!
router ospf 1
network 10.1.10.0 255.255.255.224 area 10
network 10.2.20.0 255.255.255.224 area 20
network 10.3.30.0 255.255.255.224 area 30
network 10.4.40.0 255.255.255.224 area 40
!
global (outside) 10 interface
nat (inside) 10 10.1.10.0 255.255.255.224
nat (inside) 10 10.2.20.0 255.255.255.224
nat (inside) 10 10.3.30.0 255.255.255.224
nat (inside) 10 10.4.40.0 255.255.255.224
!
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
ssh 10.3.30.0 255.255.255.224 inside
ssh 10.2.20.0 255.255.255.224 inside
http server enable
aaa authentication http console LOCAL
http 10.3.30.0 255.255.255.224 inside
http 10.2.20.0 255.255.255.224 inside
!
route outside 0.0.0.0 0.0.0.0 24.255.160.1
!
end
!
Thanks for your time, I look forward to hearing back from anyone.
01-29-2017 11:15 AM
Hello
int vlan 10
nameif outside
security-level 0
ip address dhcp setroute
int vlan 20/30/40
nameif inside
security-level 100
object-group network STAN_LAN_NAT
network-object 10.2.20.0 255.255.255.224
network-object 10.3.30.0 255.255.255.224
network-object 10.4.40.0 255.255.255.224
object-group network STAN_PAT
group-object STAN_LAN_NAT
nat (inside,outside) after-auto source dynamic STAN_PAT interface
no route outside 0.0.0.0 0.0.0.0 24.255.160.1
dhcprelay server x.x.x.x outside
dhcprelay enable inside
dhcprelay setroute inside
res
Paul
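The layout Paul is describing, written out as an added example in ASA 8.3+ (object NAT) syntax; this is not code from the original posts. Two details in the thread's configs do not survive on a real ASA: `nameif` must be unique per interface (the box refuses a second interface called `inside`), and a `network object` holds exactly one `subnet` line, so listing three subnets in one object keeps only the last one. The interface names `office`, `home` and `test`, the `security-level 50` for the test LAN and the probe address 203.0.113.10 (an RFC 5737 documentation address) are this example's choices, not the thread's. It uses the 5505-style VLAN interfaces from the first post; on the 5510 that turns up later in the thread the same layout is built from Ethernet0/1.x subinterfaces, and the NAT lines are identical.

```text
! Added example, not from the original posts: ASA 8.3+ (object NAT) version.
! VLAN layout follows the first post; each LAN gets a UNIQUE nameif.
interface Vlan10
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan20
 nameif office
 security-level 100
 ip address 10.2.20.1 255.255.255.224
!
interface Vlan30
 nameif home
 security-level 100
 ip address 10.3.30.1 255.255.255.224
!
interface Vlan40
 nameif test
 security-level 50
 ip address 10.4.40.1 255.255.255.224
!
! A network object holds ONE subnet (the last "subnet" line wins), so the
! three LANs go in an object-group with one network-object each.
object-group network STAN_PAT
 network-object 10.2.20.0 255.255.255.224
 network-object 10.3.30.0 255.255.255.224
 network-object 10.4.40.0 255.255.255.224
!
! One dynamic PAT rule per inside interface, translating to whatever address
! the outside interface currently holds from the ISP's DHCP server.
nat (office,outside) after-auto source dynamic STAN_PAT interface
nat (home,outside) after-auto source dynamic STAN_PAT interface
nat (test,outside) after-auto source dynamic STAN_PAT interface
!
! With test at level 50, office and home can reach test but not the reverse,
! and office<->home (both 100) stays blocked unless you explicitly allow it:
!   same-security-traffic permit inter-interface
!
! Verification (exec mode): the rule's translate_hits rise as an office host
! browses out, and packet-tracer should end with "Action: allow".
show nat
packet-tracer input office tcp 10.2.20.10 1025 203.0.113.10 80
```

The default route comes from `setroute` on the DHCP-addressed outside interface; there is no separate `route ... dhcp` form on the ASA, so nothing else is needed for outbound routing.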
01-29-2017 11:15 AM
dhcprelay server x.x.x.x outside
How do I get the dhcp relay info? I have a standard cable internet connection, with a dynamic IP.
Thanks
01-29-2017 11:24 AM
Hello
Just had a thought: if you really need this, how do your clients receive their addressing? If it's internally, then there is no need for the relay config.
res
Paul
01-29-2017 11:25 AM
Each router (10.2.20.0 / 10.3.30.0) will handle the DHCP for the clients; the ASA will have a direct connection via cable modem (with a dynamic address from the ISP).
Does that make sense? Am I explaining it right? New-ish to the ASA.
01-29-2017 11:30 AM
Hello
Okay then, you don't need the relay config.
res
Paul
01-29-2017 11:32 AM
Thanks Paul. Here is what I have, just to be sure I have updated it correctly.
hostname ASA_Main
!
username XXXXXXX password XXXXXXXXX privilege 15
!
interface vlan 10
nameif outside
security-level 0
ip address dhcp setroute
!
interface vlan 20
ip address 10.2.20.1 255.255.255.224
nameif inside
security-level 100
!
interface vlan 30
ip address 10.3.30.1 255.255.255.224
nameif inside
security-level 100
!
interface vlan 40
ip address 10.4.40.1 255.255.255.224
nameif inside
security-level 100
!
interface ethernet0/0
switchport access vlan 10
nameif outside
no shut
!
interface Ethernet0/1
switchport access vlan 20
nameif inside
no shut
!
interface Ethernet0/2
switchport access vlan 30
nameif inside
no shut
!
interface Ethernet0/3
switchport access vlan 40
nameif inside
no shut
!
object-group network STAN_PAT
network-object object STAN_LAN_NAT
nat (Inside,Outside) after-auto source dynamic STAN_PAT interface
!
router ospf 1
network 10.1.10.0 255.255.255.224 area 10
network 10.2.20.0 255.255.255.224 area 20
network 10.3.30.0 255.255.255.224 area 30
network 10.4.40.0 255.255.255.224 area 40
!
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
ssh 10.3.30.0 255.255.255.224 inside
ssh 10.2.20.0 255.255.255.224 inside
http server enable
aaa authentication http console LOCAL
http 10.3.30.0 255.255.255.224 inside
http 10.2.20.0 255.255.255.224 inside
!
route outside 0.0.0.0 0.0.0.0 dhcp
!
I will update ASA tonight and post results.
01-29-2017 02:56 PM
Hello
You are missing this config:
object-group network STAN_LAN_NAT
network-object 10.2.20.0 255.255.255.224
network-object 10.3.30.0 255.255.255.224
network-object 10.4.40.0 255.255.255.224
Please review the config I posted again, minus the DHCP relay stuff.
res
Paul
02-01-2017 11:18 AM
So the NAT config didn't take; here is what I have. Just going back to a basic setup: I simply want internet access from behind the ASA inside network.
I need some help configuring NAT so I can access the internet. I would greatly appreciate it.
Ethernet 0/0 is plugged into my modem, which is assigned a DHCP IP; the default route is the gateway I grabbed from my ISP. NAT should be the last part in getting access to the internet, correct?
Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 7.5(1)
Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 43 mins 41 secs
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 1024MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Ext: Ethernet0/0 : address is 0023.5ee5.d996, irq 9
1: Ext: Ethernet0/1 : address is 0023.5ee5.d997, irq 9
2: Ext: Ethernet0/2 : address is 0023.5ee5.d998, irq 9
3: Ext: Ethernet0/3 : address is 0023.5ee5.d999, irq 9
4: Ext: Management0/0 : address is 0023.5ee5.d99a, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has a Base license.
ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.29 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 24.255.160.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username woodjl1650 password IYD1wu7sEjGmHAyj encrypted
!
!
prompt hostname context
Cryptochecksum:a073a8df2ff63281168b273e40d7259a
: end
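Why the NAT config "didn't take": the show version output above reports ASA 8.0(4), and the `object network` / `nat (in,out) source dynamic` commands only exist from 8.3 onward, so the 8.0 parser rejects every one of those lines. Below is an added example, not from the thread, of the pre-8.3 equivalent for the single-inside config in the last post, together with the hygiene items a practitioner would fix in the same sitting: the two encrypted strings in that config are the factory-default hashes (blank enable password, login password `cisco`), ASDM is enabled without `aaa authentication http`, the SSH host key is 1024-bit, and a hand-copied static default route sits beside `ip address dhcp setroute`. Values in angle brackets are placeholders to choose; 203.0.113.10 is an RFC 5737 documentation address. Longer term, 8.0(4) is long out of support, and the 1024 MB shown is what 8.3 and later need on a 5510, so moving to a supported release and using the object-NAT form is the better answer.

```text
! Added example, not from the thread: the pre-8.3 equivalent for the 8.0(4)
! config posted above. "object network" and "nat (in,out) source dynamic" are
! 8.3+ commands and are rejected by this release; 8.0 pairs nat with global.
!
! 1. Replace the factory-default credentials. Angle-bracket values are
!    placeholders; the admin user needs privilege 15 to reach enable mode
!    once enable authentication is local.
enable password <new-enable-password>
passwd <new-login-password>
username <admin> password <admin-password> privilege 15
!
! 2. The outside interface already learns its address AND default route from
!    the ISP ("ip address dhcp setroute"); the hand-copied static route only
!    goes stale when the ISP hands out a new gateway. Drop it.
no route outside 0.0.0.0 0.0.0.0 24.255.160.1 1
!
! 3. Dynamic PAT, 8.0 style: hosts matched by "nat (inside) 1" are translated
!    to the outside interface's current DHCP address ("global (outside) 1").
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
!
! 4. Make enable and ASDM authenticate against the local user database, as
!    SSH already does; otherwise the blank enable password still works.
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
!
! 5. Regenerate the SSH host key at 2048 bits before exposing the box.
crypto key generate rsa modulus 2048
!
! Extra LANs (subinterfaces on this 5510, each with its own unique nameif)
! simply join nat-id 1, for example:
!   nat (office) 1 10.2.20.0 255.255.255.224
!
! Verify: after a 192.168.1.x host browses out, the rule's translate_hits
! climb, "show xlate" lists PAT entries, and packet-tracer ends with
! "Action: allow".
show nat
show xlate
packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.10 80
```

If `show nat` shows the rule but translate_hits stay at zero, check `show interface outside` for a DHCP-assigned address and `show route` for the `setroute` default first; NAT cannot apply to traffic that never matches a route out of `outside`.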