ASA 5510 Simple Config

woodjl16501
Level 1

I was wondering if someone could look over this config and see if anything is missing for a simple basic setup? Just need the routers to access the internet (ISP uses DHCP, no static address).

Also attached a diagram of my network layout.

10.1.10.0 > ASA Network

10.2.20.0 > Office LAN

10.3.30.0 > Home LAN

10.4.40.0 > Test LAN

hostname ASA_Main
!
username XXXXXXX password XXXXXXXXX privilege 15
interface vlan 10
ip address 10.1.10.1 255.255.255.224
nameif outside
!
interface vlan 20
ip address 10.2.20.1 255.255.255.224
nameif inside
!
interface vlan 30
ip address 10.3.30.1 255.255.255.224
nameif inside
!
interface vlan 40
ip address 10.4.40.1 255.255.255.224
nameif inside
!
interface ethernet0/0
switchport access vlan 10
nameif outside
no shut
!
interface Ethernet0/1
switchport access vlan 20
nameif inside
no shut
!
interface Ethernet0/2
switchport access vlan 30
nameif inside
no shut
!
interface Ethernet0/3
switchport access vlan 40
nameif inside
no shut
!
ospf authentication message-digest
ospf message-digest-key 1 md5 cisco
!
router ospf 1
network 10.1.10.0 255.255.255.224 area 10
network 10.2.20.0 255.255.255.224 area 20
network 10.3.30.0 255.255.255.224 area 30
network 10.4.40.0 255.255.255.224 area 40
!
global (outside) 10 interface
nat (inside) 10 10.1.10.0 255.255.255.224
nat (inside) 10 10.2.20.0 255.255.255.224
nat (inside) 10 10.3.30.0 255.255.255.224
nat (inside) 10 10.4.40.0 255.255.255.224
!
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
ssh 10.3.30.0 255.255.255.224 inside
ssh 10.2.20.0 255.255.255.224 inside
http server enable
aaa authentication http console LOCAL
http 10.3.30.0 255.255.255.224 inside
http 10.2.20.0 255.255.255.224 inside
!
route outside 0.0.0.0 0.0.0.0 24.255.160.1
!
end
!

Thanks for your time, I look forward to hearing back from anyone.

8 Replies

Hello

int vlan 10
nameif outside
security-level 0
ip address dhcp

int vlan 20/30/40
nameif inside
security-level 100


object network STAN_LAN_NAT
subnet 10.2.20.0 255.255.255.224
subnet 10.3.30.0 255.255.255.224
subnet 10.4.40.0 255.255.255.224

object-group network STAN_PAT
network-object object STAN_LAN_NAT

nat (Inside,outside) after-auto source dynamic STAN_PAT interface
no route outside 0.0.0.0 0.0.0.0 24.255.160.1
route outside 0.0.0.0 0.0.0.0 dhcp

dhcprelay server x.x.x.x outside
dhcprelay enable inside
dhcprelay setroute inside


res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

dhcprelay server x.x.x.x outside

How do I get the DHCP relay info? I have a standard cable internet connection, with a dynamic IP.

Thanks

Hello

Just had a thought - if you really need this, how do your clients receive their addressing? If it's internally then there is no need for the relay config.

res
Paul



Each router (10.2.20.0 / 10.3.30.0) will handle the DHCP for the clients, the ASA will have a direct connection via cable modem (with dynamic address from ISP).

Does that make sense, am I explaining it right? New-ish to the ASA.

Hello

Okay then - you don't need the relay cfg.

res
Paul



Thanks Paul, so here is what I have, just to be sure I have updated it correctly.

hostname ASA_Main
!
username XXXXXXX password XXXXXXXXX privilege 15
!
interface vlan 10
nameif outside
security-level 0
ip address dhcp setroute
!
interface vlan 20
ip address 10.2.20.1 255.255.255.224
nameif inside
security-level 100
!
interface vlan 30
ip address 10.3.30.1 255.255.255.224
nameif inside
security-level 100
!
interface vlan 40
ip address 10.4.40.1 255.255.255.224
nameif inside
security-level 100
!
interface ethernet0/0
switchport access vlan 10
nameif outside
no shut
!
interface Ethernet0/1
switchport access vlan 20
nameif inside
no shut
!
interface Ethernet0/2
switchport access vlan 30
nameif inside
no shut
!
interface Ethernet0/3
switchport access vlan 40
nameif inside
no shut
!
object-group network STAN_PAT
network-object object STAN_LAN_NAT
nat (Inside,Outside) after-auto source dynamic STAN_PAT interface
!
router ospf 1
network 10.1.10.0 255.255.255.224 area 10
network 10.2.20.0 255.255.255.224 area 20
network 10.3.30.0 255.255.255.224 area 30
network 10.4.40.0 255.255.255.224 area 40
!
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
ssh 10.3.30.0 255.255.255.224 inside
ssh 10.2.20.0 255.255.255.224 inside
http server enable
aaa authentication http console LOCAL
http 10.3.30.0 255.255.255.224 inside
http 10.2.20.0 255.255.255.224 inside
!
route outside 0.0.0.0 0.0.0.0 dhcp

!

I will update ASA tonight and post results.

Hello

You are missing this config:
object network STAN_LAN_NAT
subnet 10.2.20.0 255.255.255.224
subnet 10.3.30.0 255.255.255.224
subnet 10.4.40.0 255.255.255.224

Please review again the config I posted minus the DHCP relay stuff.

res
Paul



So the NAT config didn't take; here is what I have. Just going back to a basic setup, I simply want internet access from behind the ASA inside network.

I need some help configuring NAT so I can access the internet.  I would greatly appreciate it.

Ethernet 0/0 is plugged into my modem, which is assigned a DHCP IP; the default route is the gateway I grabbed from my ISP. NAT should be the last part in getting access to the internet, correct?

Cisco Adaptive Security Appliance Software Version 8.0(4)
Device Manager Version 7.5(1)

Compiled on Thu 07-Aug-08 20:53 by builders
System image file is "disk0:/asa804-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 43 mins 41 secs

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
Slot 1: ATA Compact Flash, 1024MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Ext: Ethernet0/0         : address is 0023.5ee5.d996, irq 9
 1: Ext: Ethernet0/1         : address is 0023.5ee5.d997, irq 9
 2: Ext: Ethernet0/2         : address is 0023.5ee5.d998, irq 9
 3: Ext: Ethernet0/3         : address is 0023.5ee5.d999, irq 9
 4: Ext: Management0/0       : address is 0023.5ee5.d99a, irq 11
 5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
 6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 50
Inside Hosts                 : Unlimited
Failover                     : Disabled
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 0
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions            : 2

This platform has a Base license.

ASA Version 8.0(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.29 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 24.255.160.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username woodjl1650 password IYD1wu7sEjGmHAyj encrypted
!
!
prompt hostname context
Cryptochecksum:a073a8df2ff63281168b273e40d7259a
: end
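The show version output above puts this unit on ASA 8.0(4), which predates the object-based NAT syntax (introduced in 8.3) used in the earlier replies, so the object network / nat (inside,outside) after-auto lines cannot take on this software. The following is an added example, not code from the thread or from Paul: the pre-8.3 NAT statements that match the inside network in the running config above, with the 8.3-and-later form for reference; the object names and the use of the three diagram LANs are constructed assumptions.

```cisco
! --- ASA 8.0(4) (pre-8.3 NAT): PAT every inside host to the outside interface address.
! Matches the running config above: inside = 192.168.1.0/24, outside = DHCP from the ISP.
! The NAT ID (1) ties the nat statements to the global pool on the outside interface.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! If the 10.x LANs from the diagram are later placed behind the inside interface,
! list each one under the same NAT ID. Do not list the outside (10.1.10.0) network here.
nat (inside) 1 10.2.20.0 255.255.255.224
nat (inside) 1 10.3.30.0 255.255.255.224
nat (inside) 1 10.4.40.0 255.255.255.224
!
! "ip address dhcp setroute" already installs the default route learned from the ISP,
! so the static default route pinned to 24.255.160.1 is redundant and goes stale
! when the ISP gateway changes. Remove it:
no route outside 0.0.0.0 0.0.0.0 24.255.160.1 1
!
! --- ASA 8.3 and later: equivalent object-based form (reference only; rejected on 8.0).
! An "object network" holds a single subnet; a second "subnet" line replaces the first,
! so each LAN needs its own object, collected in one object-group.
object network OFFICE_LAN
 subnet 10.2.20.0 255.255.255.224
object network HOME_LAN
 subnet 10.3.30.0 255.255.255.224
object network TEST_LAN
 subnet 10.4.40.0 255.255.255.224
object-group network INSIDE_LANS
 network-object object OFFICE_LAN
 network-object object HOME_LAN
 network-object object TEST_LAN
nat (inside,outside) after-auto source dynamic INSIDE_LANS interface
```

After applying the 8.0 lines, show xlate from a host behind the inside interface should show translations to the outside interface address; if it stays empty, the traffic is not reaching the NAT rule.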
