04-11-2018 08:05 PM - edited 03-08-2019 02:37 PM
So I have my configuration able to ping from the router itself (GBit 1/1 using a static IP set for PPPoE) and I see GBit 1/2 is the LAN 192.168.1.1, but I am having a heck of a time removing the DHCP/NAT and being able to use, at random (to be specified on the device), my block of static IPs. I currently have no running-config that differs from default aside from the WAN, but I am going in circles. I am using my Cisco 891f (which is set the way I liked it) as a reference, with an open mind to the fact this is far more technical, but I am just lost.
05-09-2018 01:42 PM
Hello
Well, I got everything set up and verified receiving and sending email. Had to create a new rule with specified port 993, as the default rule sets only have IMAP4 (143), but that is fine. All of my devices are up and running and I see no issues.
I will look into that link you sent me about pinging.
Trying to look back... When I manually set route and the PPPoE was enabled, it would not let me use .182 as the Gateway. Only when I had 1/1 disabled and manually created the set route and then enabled it would it stick.
The link you initially gave me had utilized NAT to open which port for email and so on, but I chose to have NAT simply be "this outside IP goes to this inside IP" and did not specify any ports, simply translate. I am using the ACLs to control all and any ports. Hope this is also another way of doing the same thing (by not utilizing the ports in NAT).
Are there any recommended next steps once it is all configured for that extra protection?
I can not thank you enough for your support and encouragement as well as guidance. You made someone who was more or less defeated into someone who achieved the goal he set out to do.
Really, there are not enough thank-yous.
I am sure I will be back soon as to how to implement my Internet-connecting-to-home VPN to access my videos on my NAS from anywhere... But that's another time.
05-16-2018 07:53 AM
Matt
If both interfaces are level 100 have you used the command to permit same security level inter interface? By default the ASA will not send traffic from one interface to another interface at the same security level. So you need to specifically allow this.
HTH
Rick
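As an added example (not code from any post in this thread), here is a small Python checker that parses an ASA running-config in the shape posted below and reports the condition Rick describes, two interfaces at the same security level with no same-security-traffic permit inter-interface, plus two hygiene points visible in the posted config (a service bound to the level-0 interface, and the dh-group1-sha1 SSH key exchange). The "servers" interface and its 203.0.113.178 address are constructed for the sample.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ASA "show running-config" posted in this
# thread, plus a hypothetical third interface "servers" at security-level 100.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address pppoe setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 nameif servers
 security-level 100
 ip address 203.0.113.178 255.255.255.248
!
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh key-exchange group dh-group1-sha1
dhcpd enable inside
"""

def parse_interfaces(config):
    """Map each interface that has a nameif to its nameif and security level."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif not line.startswith(" "):
            current = None  # "!" or a global command closes the stanza
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            if key == "nameif":
                interfaces[current]["nameif"] = value
            elif key == "security-level":
                interfaces[current]["level"] = int(value)
    return {k: v for k, v in interfaces.items() if "nameif" in v}

def audit(config):
    """Return a list of findings for the checks discussed in this thread."""
    findings, ifaces = [], parse_interfaces(config)
    by_level = defaultdict(list)
    for attrs in ifaces.values():
        by_level[attrs.get("level")].append(attrs["nameif"])
    # Rick's point: the ASA drops traffic between two interfaces at the same
    # security level unless same-security-traffic permit inter-interface is set.
    if "same-security-traffic permit inter-interface" not in config:
        for level, names in by_level.items():
            if len(names) > 1:
                findings.append(f"{sorted(names)} share security-level {level} "
                                "without same-security-traffic permit inter-interface")
    # http/ssh management and the DHCP server should not be bound to a level-0 interface.
    outside = {a["nameif"] for a in ifaces.values() if a.get("level") == 0}
    for line in config.splitlines():
        if re.match(r"(http|ssh|dhcpd enable) ", line) and line.split()[-1] in outside:
            findings.append(f"service bound to an outside interface: {line}")
    if re.search(r"^ssh key-exchange group dh-group1-sha1$", config, re.M):
        findings.append("ssh key-exchange uses dh-group1-sha1; move to a stronger DH group")
    return findings
```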
04-11-2018 11:32 PM - edited 04-11-2018 11:33 PM
Hi,
I didn't get your question.
If I am not wrong, you are trying to set a fixed IP on a PPPoE connection, and after that there is no internet.
Can you perform some tests:
1. Is there any default route configured on the router? If yes, then check the next-hop reachability; if no, then add a default route:
As you are using PPPoE, you have a dialer interface. If yes, then make this default route to the dialer interface as:
"route 0.0.0.0 0.0.0.0 dialer 1"
2. Is the NAT configured properly?
Check with the below command:
"sho nat statistics"
3. If this will not work, then share the running configuration with the below command output:
"Sho route"
"sho nat statistics"
"Sho inter brief"
Regards,
Deepak Kumar
04-12-2018 02:36 AM
Hello
I will try to be more specific, I apologize.
What I am trying to do is this: I have a block of 8 static IPs, 5 usable.
My 5508-X is configured for PPPoE on Gigabit 1/1 and is indeed grabbing the static IP from my ISP, which is also the gateway IP for the block, as well as the gateway on the router.
The 5508 is set to have Gigabit 1/3-1/8 disabled, but 1/2 is set for LAN serving a DHCP IP, which is also used to manage the router via ASDM.
On my current 891f, I have DHCP OFF and NAT OFF because I have 5 STATIC IPs I am assigning to my devices, which use the gateway (the 5508) as the route to the Internet. I was assuming (if I was to leave Gigabit 1/2 as is for DHCP to the router for ASDM) that 1/3-1/8 would all be active and whatever was plugged into them (set statically on the device) would route through the 5508 gateway to the Internet.
On this 5508, I used https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110322-asa-pppoe-00.html, but this does not have any mention of Dialer 1. Also,
"sho nat statistics" and "Sho inter brief" are invalid, but here is what my "show running-config" says:
show running-config
: Saved
:
: Serial Number: JAD192402FY
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(2)2
!
hostname ciscoasa
enable password $sha512$5000$VxGVpbbYO1zrechJNeV1wg==$GTQ23G8/TbyeZGPCsWdOjA== pbkdf2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group pppoeauthentication
 ip address pppoe setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoeauthentication request dialout pppoe
vpdn group pppoeauthentication localname <username>
vpdn group pppoeauthentication ppp authentication chap
vpdn username <username> password *****
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:f1034ad7d227e8d3665fe330e64a0d0e
: end
If it helps, here is my Cisco 891f configuration, which is set up the way I was mentioning and working. I am basically just trying to recreate my 891f configuration onto my 5508, as best I am able.
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoHOM
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.153-3.M10.bin
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network EzVPN local
!
aaa session-id common
!
ip domain name hom.org
ip name-server 209.244.0.3
ip name-server 205.171.3.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
!
username sshuser privilege 15 secret 5 $1$n/X1$fAlQj2XWR1Vha5hIgPAC3.
username CiscoAdmin privilege 15 secret 5 $1$kzwV$LjaRJE9oEKkVzbPrx1kUm.
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
 match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
 match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all OUT-TO-SELF
 match access-group name outsideacl
class-map type inspect match-any SELF-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
class-map type inspect match-any All_Protocols
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect VPN
 class type inspect All_Protocols
  inspect
 class class-default
  drop
policy-map type inspect OUT-TO-SELF
 class type inspect OUT-TO-SELF
  inspect
 class class-default
  drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE-CLASS
  inspect
 class class-default
  drop
policy-map type inspect SELF-TO-OUT
 class type inspect SELF-TO-OUT
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone security Ezvpn
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security Self->Internet source self destination OUTSIDE
 service-policy type inspect SELF-TO-OUT
zone-pair security Internet->Self source OUTSIDE destination self
 service-policy type inspect OUT-TO-SELF
zone-pair security Ezvpn->INSIDE source Ezvpn destination INSIDE
 description LAN to INSIDE traffic
 service-policy type inspect VPN
zone-pair security Ezvpn->Self source Ezvpn destination self
 service-policy type inspect VPN
zone-pair security Self->Ezvpn source self destination Ezvpn
 service-policy type inspect VPN
zone-pair security INSIDE->Ezvpn source INSIDE destination Ezvpn
 description LAN to Ezvpn traffic
 service-policy type inspect VPN
!
crypto isakmp policy 1
!
crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp client configuration address-pool local POOLVPN
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group EzVPN
 key C1sc0123#
 dns 8.8.8.8
 domain hom.org
 pool POOLVPN
 acl 150
 netmask 255.255.255.0
crypto isakmp profile EzVPN-PROFILE
 match identity group EzVPN
 client authentication list VPN
 isakmp authorization list EzVPN
 client configuration address respond
 client configuration group EzVPN
 virtual-template 99
!
crypto ipsec transform-set IPTRANSFORM esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile PROFILE-IPSEC-EZVPN
 set transform-set IPTRANSFORM
 set isakmp-profile EzVPN-PROFILE
!
interface Loopback99
 ip address 10.252.0.254 255.255.255.0
 zone-member security Ezvpn
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description TPLink Wireless
 no ip address
 zone-member security INSIDE
!
interface GigabitEthernet1
 description Email Server
 no ip address
 zone-member security INSIDE
!
interface GigabitEthernet2
 description Web Site
 no ip address
 zone-member security INSIDE
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description PPPoE xDSL WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Virtual-Template99 type tunnel
 ip unnumbered Loopback99
 zone-member security Ezvpn
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC-EZVPN
!
interface Vlan1
 ip address x.x.x.182 255.255.255.248
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Async3
 no ip address
 encapsulation slip
!
interface Dialer1
 description PPPoE xDSL WAN Dialer
 ip address negotiated
 no ip unreachables
 ip mtu 1460
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 0
 ppp pap sent-username password 0
 ppp ipcp route default
 no cdp enable
!
ip local pool POOLVPN 10.252.0.1 10.252.0.200 recycle delay 30
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 x.x.x.177
ip ssh version 2
!
ip access-list extended INSIDE-TO-OUTSIDE
 permit ip host x.x.x.176 any
 permit ip host x.x.x.177 any
 permit ip host x.x.x.178 any
 permit ip host x.x.x.179 any
 permit ip host x.x.x.180 any
 permit ip host x.x.x.181 any
 permit ip host x.x.x.182 any
 permit tcp host x.x.x.180 any eq smtp
 permit tcp host x.x.x.180 any eq 993
ip access-list extended OUTSIDE-TO-INSIDE
 permit icmp any host x.x.x.176
 permit icmp any host x.x.x.177
 permit icmp any host x.x.x.178
 permit icmp any host x.x.x.179
 permit icmp any host x.x.x.180
 permit icmp any host x.x.x.181
 permit icmp any host x.x.x.182
 permit tcp any host x.x.x.180 eq 993
 permit tcp any host x.x.x.180 eq smtp
 permit tcp any host x.x.x.180 eq 66
ip access-list extended outsideacl
 permit icmp any host x.x.x.182 echo-reply
 permit icmp any host x.x.x.182 echo
 permit icmp any host x.x.x.182 traceroute
 permit icmp any host x.x.x.182 time-exceeded
 permit icmp any host x.x.x.182 unreachable
 permit tcp any host x.x.x.182 eq 22
 permit udp any host x.x.x.182 eq isakmp
 permit udp any host x.x.x.182 eq non500-isakmp
 permit esp any host x.x.x.182
 deny ip any host x.x.x.182
!
dialer-list 1 protocol ip permit
no cdp run
!
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 10.252.0.0 0.0.0.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
04-12-2018 10:55 AM - edited 04-13-2018 08:58 AM
I just seem to have a hard time getting this to click with me. I know what I want (and have on my 891f), but I am getting lost on this device.
What I want is my WAN (Gigabit 1/1) as a PPPoE client which automatically grabs the gateway static IP of my subnet from my ISP. I want my LAN to be able to hand out (per setting up manually on each device) the 5 usable static IPs, which use the Cisco Gigabit 1/1 PPPoE as the gateway. I assume there would be an overall general 0.0.0.0 0.0.0.0 route directed towards GBit 1/1 for that?
I do not use DHCP or any 192.168.x.x scenario in my setup, nor do I use NAT. As I said, each device manually gets its IP configured via the Cisco gateway.
But with this 5508-X I see that Gigabit 1/2 is the only LAN enabled and has DHCP 192.168.x.x for access to configure via ASDM.
That sort of confuses me. Can I leave 1/2 as is, DHCP for ASDM management, but enable either Gigabit 1/3-1/7 and connect each port to its associated device for the statics, or enable 1/3 and connect to an unmanaged switch and have each device plug into that?
My 891, as mentioned earlier, has a Dialer set up for PPPoE but the 5508 does not, yet it does connect (WAN) and I can ping the outside Internet. I also have on the 891 a vlan2 which is also set as the router gateway address (I assume in this case the VLAN of the gateway would then allow me to use the IP block under it).
Really, I know what I want for the WAN and LAN; I am just having absolutely no success in configuring them to talk to each other.
04-16-2018 09:28 AM - edited 04-16-2018 09:29 AM
Any suggestions on the error of my ways? As I said, I feel it's something somewhat simple to do; it's just that I am having a hard time with it "clicking" and connecting the dots.
04-16-2018 10:50 AM
Hi,
That sort of confuses me. Can I leave 1/2 as is, DHCP for ASDM management, but enable either Gigabit 1/3-1/7 and connect each port to its associated device for the statics, or enable 1/3 and connect to an unmanaged switch and have each device plug into that?
The issue is that you have one public segment, and the problem is that you can only assign that segment to one interface and not multiple. If I remember correctly, you could do this with the old firewall because you could create a VLAN and just add 1/3-1/7 and also 1/2, but the new X series uses only routed ports, and so you can't assign the same subnet to 2 different interfaces.
Is that what you are asking?
HTH
04-16-2018 11:15 AM
Good morning!
As you say, the X series is different and for the novice in me, it is really different.
I am seeing what you are saying in regards to 1 segment (subnet, as in my IP block?) to one interface. That makes sense.
Being that Gigabit 1/1 is my WAN port configured as PPPoE and is indeed grabbing the gateway IP for my block (as it should), would I then create, let's say, VLAN 1/1.1 and assign it to physical port 1/3, plug in an unmanaged switch, and then connect whatever devices I want to have static IPs (from the block via Gigabit 1/1) and do it that way? Or am I still not getting it?
I am not good at explaining what I am wanting, but based on your response I feel that you are understanding my intentions, and I am hoping my 891f 'show running-config' shows my intentions.
As far as leaving 1/2 as DHCP for ASDM, I only mention that because that is its default configuration and I'd hate to mess around with configurations and lose the ability to use 1/2 to connect via HTTPS.
On the 891 I simply used my gateway IP (router IP) to configure via HTTPS, but this is definitely a different approach in this model.
04-16-2018 12:40 PM - edited 04-16-2018 12:43 PM
then create, let's say, VLAN 1/1.1 and assign it to physical port 1/3, plug in an unmanaged switch, and then connect whatever devices I want to have static IPs (from the block via Gigabit 1/1) and do it that way? Or am I still not getting it?
I think here is what you can do.
Change the gateway IP to be in a completely different segment. For this to work, you have to talk to your provider to give you a /30 for connectivity between you and them. This will free up your public segment. After that, you can assign a public IP to one of the interfaces on the firewall, connect an unmanaged switch/hub to it, and connect all your end devices to that.
ISP--------FW-------hub-------laptop/desktop
The /30 would be applied to ISP and the FW.
HTH
04-16-2018 01:35 PM
Unless I am wrong, I thought that was what I have.
It is a block of 8 static IPs, 5 usable:
1 x.x.x.176 Reserved
2 x.x.x.177 (Used for my TPLink WiFi)
3 x.x.x.178 (Unused)
4 x.x.x.179 (Unused)
5 x.x.x.180 (Email Server)
6 x.x.x.181 (Web Server)
7 x.x.x.182 (Gateway from ISP for IP’s)
8 x.x.x.183 (Broadcast)
I think that this is how it's set: .182 is my IP given by my ISP for "the device" (my router), and then .177-.181 are usable when using .182 as gateway.
My ISP only sells 1, 8, 16 and so on IP Blocks.
04-16-2018 02:25 PM
So, the mask is /29 right?
The usable IPs are 177-182 (6 IPs) and 182 is assigned to the gateway from the ISP, which is your interface facing the ISP. If this is the case, then all of your IPs are in the same segment. If the ISP can give you a /30 for the gateway on your side (1 IP) and 1 on their side, then you can use the /29 for the LAN side and do what I noted in the previous post.
Does this make sense?
HTH
04-16-2018 02:50 PM
I completely get what you are saying but I know for a fact my ISP will not do this, as I work for the ISP (though I am a field technician).
This 5508-X is clearly different from the 891f, and that is OK, but the 891f is indeed working as I need it to, and I was hoping the 5508 could do so as well, but clearly not.
On the 891f I am using a VLAN for .177-.182, but the VLAN IP itself is also the WAN (ISP-facing) IP, so I was just assuming that I could make a 1/1.2 VLAN with a 0.0.0.0 route pointing towards the Gigabit 1/1 interface, then assign the devices manually and connect them to a switch which then connects to Gigabit 1/3 (which is assigned to VLAN 1/1.2, which routes to 1/1).
It seems that this cannot be the case.
I might just as well return the 5508 because my current scenario does not work with it.
I do thank you for your assistance.
04-16-2018 02:59 PM
Maybe you can use a bridge group to do this. Have a look at this sample config.
HTH
04-16-2018 03:09 PM
04-17-2018 04:37 PM
Well, neither my method (unless I compiled it wrong) worked, nor did the link. I am of the belief that what I want is either ridiculous (though it works on my current Cisco) or it simply cannot be done on this particular model.
I tried and I thank you for your assistance.
04-25-2018 04:28 PM
I just can not seem to let this go.
I am baffled as to why I cannot (or clearly how to) assign any one of my devices its static IP from the block of 5 that is given to me via my gateway IP (not one of the 5 usable but one of the 8 total (the given gateway from the ISP as well as the 5508 gateway via PPPoE on Gigabit 0/0)) through any of the remaining Gigabit ports. 0/1 is currently by default set as "inside" and uses DHCP.
There has to be a way to assign a static to my devices.