ASA5508-X Using Block Of Static IP’s

fbeye (Level 4)

So I have my configuration able to ping from the router itself (GBit 1/1, using a static IP set for PPPoE) and I see GBit 1/2 is the LAN 192.168.1.1, but I am having a heck of a time removing the DHCP/NAT and being able to use, at random (to be specified on the device), my block of static IPs. I currently have no running-config that differs from default aside from the WAN, but I am going in circles. I am using my Cisco 891F (which is set the way I liked it) as a reference, with an open mind to the fact that this is far more technical, but I am just lost.

 

2 Accepted Solutions

Hello

 

Well, I got everything set up and verified receiving and sending email. Had to create a new rule with specified port 993, as the default rule sets only have IMAP4 (143), but that is fine. All of my devices are up and running and I see no issues.

I will look into that link you sent me about pinging.

Trying to look back... When I manually set the route and PPPoE was enabled, it would not let me use .182 as the gateway. Only when I had 1/1 disabled and manually created the set route and then enabled it would it stick.

 

The link you initially gave me utilized NAT to open which port for email and so on, but I chose to have NAT simply be "this outside IP goes to this inside IP" and did not specify any ports, simply translate. I am using the ACLs to control all and any ports. Hope this is also another way of doing the same thing (by not utilizing the ports in NAT).

Are there any recommended next steps once it is all configured, for that extra protection?

 

I can not thank you enough for your support and encouragement as well as guidance. You made someone who was more or less defeated into someone who achieved the goal he set out to do.

Really, there are not enough thank-yous.

 

I am sure I will be back soon as to how to implement my Internet-connecting-to-home VPN to access my videos on my NAS from anywhere... But that's another time.
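A worked ASA configuration of the design this post describes (one-to-one static NAT with no ports in the NAT statement, ports controlled only by the outside interface ACL, plus the management hardening the "next steps" question asks about). It is an added example, not configuration from the thread or from the Cisco document that was linked. It assumes the ISP block is 203.0.113.176/29 (RFC 5737 documentation space standing in for the thread's x.x.x.176/29), that the mail server sits on the existing inside LAN as 192.168.1.10, and that the PPPoE vpdn group keeps the name from the posted running-config. The one ASA-specific caveat it encodes: on ASA 8.3 and later, interface ACLs are evaluated against the real (untranslated) address, so the inbound rule must name the inside host, not the public address, or nothing will match.

```text
! --- Added example, not from the thread. Addresses and object names are placeholders. ---
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group pppoeauthentication
 ip address pppoe setroute
!
! "setroute" installs the default route learned from the PPP session;
! do not add a competing static 0.0.0.0/0 route on top of it.
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! One-to-one static NAT with no port restriction: 203.0.113.180 on the
! outside is translated to the inside mail server for every protocol and port.
object network MAIL_SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.180
!
! Hosts without a static mapping share the PPPoE-assigned interface address.
! Scoped to the inside subnet instead of the default obj_any 0.0.0.0/0 with
! source interface "any".
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Ports are opened here, not in the NAT statement. The ACL is evaluated on
! the untranslated address, so the destination is the object that holds
! 192.168.1.10, not the public 203.0.113.180.
object-group service MAIL_PORTS tcp
 port-object eq smtp
 port-object eq 993
access-list OUTSIDE_IN extended permit tcp any object MAIL_SERVER object-group MAIL_PORTS
access-list OUTSIDE_IN extended permit icmp any object MAIL_SERVER echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Management hardening: local accounts instead of the shared enable password,
! SSHv2 only, a stronger key-exchange group than the posted dh-group1-sha1,
! and management sources limited to the inside subnet.
username asaadmin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssh version 2
ssh key-exchange group dh-group14-sha1
ssh 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
logging enable
logging timestamp
logging buffered informational
```

Pasted into configuration mode, the block is order-independent except that the `access-group` line must follow the ACL entries. To confirm the ACL really matches the translated flow, run `packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.180 993` and check that the NAT phase shows the untranslate to 192.168.1.10 before the ACCESS-LIST phase reports ALLOW.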


Matt

 

If both interfaces are at level 100, have you used the command to permit same-security-level inter-interface traffic? By default the ASA will not send traffic from one interface to another interface at the same security level, so you need to specifically allow this.

 

HTH

 

Rick

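The setting Rick refers to, shown on two LAN-side interfaces, as an added example that is not part of the thread. The second interface name (lan2) and its subnet are assumptions; the thread does not say which two interfaces were at level 100.

```text
! --- Added example, not from the thread. Interface names and subnets are placeholders. ---
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 no shutdown
 nameif lan2
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Without the next line the ASA drops inside<->lan2 traffic even though no
! ACL denies it and the route is present. It is a single global setting,
! not something configured per interface or per ACL.
same-security-traffic permit inter-interface
!
! Check what the ASA actually decides for one flow rather than inferring it:
!   packet-tracer input inside tcp 192.168.1.10 40000 192.168.2.10 22
! Before the setting, the trace ends in a DROP phase; after it, in ALLOW.
!   show running-config same-security-traffic
! prints the line only when it is configured.
```

Note that the setting only removes the security-level block. Any inbound access-group applied on inside or lan2 still filters the traffic, and NAT rules between those two interfaces (none in this example) would still apply.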


64 Replies

Deepak Kumar (VIP Alumni)

Hi, 

I didn't get your question. 

If I am not wrong, you are trying to set a fixed IP on the PPPoE connection, and after that there is no internet.

Can you perform some tests:

1. Is there any default route configured on the router? If yes, then check the next-hop reachability; if not, then add a default route:

As you are using PPPoE you have a dialer interface; if so, then point this default route at the dialer interface as:

"route 0.0.0.0 0.0.0.0 dialer 1" 

 

2. Is NAT configured properly?

Check with the below command:

"sho nat statistics"

 

3. If this does not work, then share the running configuration with the below command output:

"Sho route"

"sho nat statistics"

"Sho inter brief"

 

 

Regards,

Deepak Kumar

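ASA equivalents of the three checks above, added here as an example and not taken from the thread. The ASA 5500-X has no dialer interface: with `ip address pppoe setroute` the default route arrives from the PPP session itself, and the show commands differ from IOS. Addresses are placeholders (203.0.113.180 stands in for the thread's x.x.x.180, 198.51.100.25 is an arbitrary Internet host).

```text
! --- Added example, not from the thread. Addresses are placeholders. ---
!
! 1. Default route and PPPoE state. With "ip address pppoe setroute" the
!    0.0.0.0/0 route is learned via PPP; its next hop is the ISP's PPP peer.
show route
show ip address outside pppoe
show vpdn session pppoe
!
! 2. Which NAT rule, if any, the flow hits, and the translations in use.
show nat detail
show xlate
!
! 3. Interface status in one screen (the ASA form of IOS "show ip interface brief").
show interface ip brief
!
! 4. Simulate one packet and watch every decision (route lookup, NAT, ACL,
!    inspection) in order. Outbound from a LAN host:
packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.25 443 detailed
!    Inbound to a statically mapped public address (use the on-the-wire
!    destination; the trace shows the untranslate to the inside host):
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.180 993 detailed
!
! 5. If a connection is built but then dies, look at the connection table
!    and the log for that host.
show conn address 192.168.1.10
show logging | include 192.168.1.10
```

Run packet-tracer first: a failing phase names the feature that dropped the packet, which is usually faster than reading the whole running-config.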

Hello

 

I will try to be more specific, I apologize.

 

What I am trying to do is this: I have a block of 8 static IPs, 5 usable.

My 5508-X is configured for PPPoE on Gigabit 1/1 and is indeed grabbing the static IP from my ISP, which is also the gateway IP for the block, as well as the gateway on the router.

The 5508 is set to have Gigabit 1/3-1/8 disabled, but 1/2 is set for LAN, serving a DHCP IP which is also used to manage the router via ASDM.

 

On my current 891F, I have DHCP off and NAT off because I have 5 static IPs I am assigning to my devices, which use the gateway (the 5508) as the route to the Internet. I was assuming (if I were to leave Gigabit 1/2 as is, for DHCP to the router for ASDM) that 1/3-1/8 would all be active and whatever was plugged into them (set statically on the device) would route through the 5508 gateway to the Internet.

 

On this 5508, I used https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110322-asa-pppoe-00.html but this does not have any mention of Dialer 1. Also,

"sho nat statistics" and "Sho inter brief" are invalid, but here is what my "show running-config" says:

 

show running-config
: Saved

:
: Serial Number: JAD192402FY
: Hardware:   ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.6(2)2
!
hostname ciscoasa
enable password $sha512$5000$VxGVpbbYO1zrechJNeV1wg==$GTQ23G8/TbyeZGPCsWdOjA== pbkdf2
names

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 pppoe client vpdn group pppoeauthentication
 ip address pppoe setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoeauthentication request dialout pppoe
vpdn group pppoeauthentication localname <username>
vpdn group pppoeauthentication ppp authentication chap
vpdn username <username> password *****

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
Cryptochecksum:f1034ad7d227e8d3665fe330e64a0d0e
: end

If it helps, here is my Cisco 891F configuration, which is set up the way I was mentioning and is working. I am basically just trying to recreate my 891F configuration on my 5508, as best I am able.

 

version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoHOM
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.153-3.M10.bin
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network EzVPN local
!
aaa session-id common
!
ip domain name hom.org
ip name-server 209.244.0.3
ip name-server 205.171.3.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
!
username sshuser privilege 15 secret 5 $1$n/X1$fAlQj2XWR1Vha5hIgPAC3.
username CiscoAdmin privilege 15 secret 5 $1$kzwV$LjaRJE9oEKkVzbPrx1kUm.
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
class-map type inspect match-all OUT-TO-SELF
match access-group name outsideacl
class-map type inspect match-any SELF-TO-OUT
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any All_Protocols
match protocol tcp
match protocol udp
match protocol icmp
!
policy-map type inspect VPN
class type inspect All_Protocols
inspect
class class-default
drop
policy-map type inspect OUT-TO-SELF
class type inspect OUT-TO-SELF
inspect
class class-default
drop
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect SELF-TO-OUT
class type inspect SELF-TO-OUT
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security Ezvpn
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
zone-pair security Self->Internet source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT
zone-pair security Internet->Self source OUTSIDE destination self
service-policy type inspect OUT-TO-SELF
zone-pair security Ezvpn->INSIDE source Ezvpn destination INSIDE
description LAN to INSIDE traffic
service-policy type inspect VPN
zone-pair security Ezvpn->Self source Ezvpn destination self
service-policy type inspect VPN
zone-pair security Self->Ezvpn source self destination Ezvpn
service-policy type inspect VPN
zone-pair security INSIDE->Ezvpn source INSIDE destination Ezvpn
description LAN to Ezvpn traffic
service-policy type inspect VPN
!
crypto isakmp policy 1
!
crypto isakmp policy 2
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp client configuration address-pool local POOLVPN
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group EzVPN
key C1sc0123#
dns 8.8.8.8
domain hom.org
pool POOLVPN
acl 150
netmask 255.255.255.0
crypto isakmp profile EzVPN-PROFILE
match identity group EzVPN
client authentication list VPN
isakmp authorization list EzVPN
client configuration address respond
client configuration group EzVPN
virtual-template 99
!
crypto ipsec transform-set IPTRANSFORM esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE-IPSEC-EZVPN
set transform-set IPTRANSFORM
set isakmp-profile EzVPN-PROFILE
!
interface Loopback99
ip address 10.252.0.254 255.255.255.0
zone-member security Ezvpn
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description TPLink Wireless
no ip address
zone-member security INSIDE
!
interface GigabitEthernet1
description Email Server
no ip address
zone-member security INSIDE
!
interface GigabitEthernet2
description Web Site
no ip address
zone-member security INSIDE
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PPPoE xDSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Virtual-Template99 type tunnel
ip unnumbered Loopback99
zone-member security Ezvpn
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE-IPSEC-EZVPN
!
interface Vlan1
ip address x.x.x.182 255.255.255.248
ip virtual-reassembly in
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username password 0
ppp ipcp route default
no cdp enable
!
ip local pool POOLVPN 10.252.0.1 10.252.0.200 recycle delay 30
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.255.0 x.x.x.177
ip ssh version 2
!
ip access-list extended INSIDE-TO-OUTSIDE
permit ip host x.x.x.176 any
permit ip host x.x.x.177 any
permit ip host x.x.x.178 any
permit ip host x.x.x.179 any
permit ip host x.x.x.180 any
permit ip host x.x.x.181 any
permit ip host x.x.x.182 any
permit tcp host x.x.x.180 any eq smtp
permit tcp host x.x.x.180 any eq 993
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any host x.x.x.176
permit icmp any host x.x.x.177
permit icmp any host x.x.x.178
permit icmp any host x.x.x.179
permit icmp any host x.x.x.180
permit icmp any host x.x.x.181
permit icmp any host x.x.x.182
permit tcp any host x.x.x.180 eq 993
permit tcp any host x.x.x.180 eq smtp
permit tcp any host x.x.x.180 eq 66
ip access-list extended outsideacl
permit icmp any host x.x.x.182 echo-reply
permit icmp any host x.x.x.182 echo
permit icmp any host x.x.x.182 traceroute
permit icmp any host x.x.x.182 time-exceeded
permit icmp any host x.x.x.182 unreachable
permit tcp any host x.x.x.182 eq 22
permit udp any host x.x.x.182 eq isakmp
permit udp any host x.x.x.182 eq non500-isakmp
permit esp any host x.x.x.182
deny ip any host x.x.x.182
!
dialer-list 1 protocol ip permit
no cdp run
!
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip 10.252.0.0 0.0.0.255 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!

I just seem to have a hard time getting this to click with me. I know what I want (and have on my 891F), but I am getting lost on this device.

 

What I want is my WAN (Gigabit 1/1) as a PPPoE client which automatically grabs the gateway static IP of my subnet from my ISP. I want my LAN to be able to hand out (by setting each device up manually) the 5 usable static IPs, which use the Cisco Gigabit 1/1 PPPoE as the gateway. I assume there would be an overall general 0.0.0.0 0.0.0.0 route directed towards GBit 1/1 for that?

I do not use DHCP or any 192.168.x.x scenario in my setup, nor do I use NAT. As I said, each device manually gets its IP configured via the Cisco gateway.

But with this 5508-X I see that Gigabit 1/2 is the only LAN interface enabled, and it has DHCP 192.168.x.x for access to configure via ASDM.

That sort of confuses me. Can I leave 1/2 as is, DHCP for ASDM management, but enable Gigabit 1/3-1/7 and connect each port to its associated device for the statics, or enable 1/3 and connect to an unmanaged switch and have each device plug into that?

My 891, as mentioned earlier, has a dialer set up for PPPoE but the 5508 does not, yet it does connect (WAN) and I can ping the outside Internet. I also have on the 891 a vlan2 which is also set as the router gateway address (I assume in this case the VLAN of the gateway would then allow me to use the IP block under it).

 

Really, I know what I want for the WAN and LAN; I am just having absolutely no success in configuring them to talk to each other.

fbeye (Level 4)

Any suggestions on the error of my ways? As I said, I feel it's something somewhat simple to do; it's just that I am having a hard time with it "clicking" and connecting the dots.

Hi,

That sort of confuses me. Can I leave 1/2 as is, DHCP for ASDM management, but enable Gigabit 1/3-1/7 and connect each port to its associated device for the statics, or enable 1/3 and connect to an unmanaged switch and have each device plug into that?

The issue is that you have one public segment, and the problem is that you can only assign that segment to one interface and not multiple. If I remember correctly, you could do this with the old firewall because you could create a VLAN and just add 1/3-1/7 and also 1/2, but the new X series uses only routed ports, and so you can't assign the same subnet to 2 different interfaces.

Is that what you are asking?

HTH

Good morning!

 

As you say, the X series is different, and for the novice in me it is really different.

 

I am seeing what you are saying in regards to 1 segment (subnet, as in my IP block?) to one interface. That makes sense.

 

Being that Gigabit 1/1 is my WAN port configured as PPPoE and is indeed grabbing the gateway IP for my block (as it should), would I then create a, let's say, VLAN 1/1.1 and assign it to physical port 1/3, plug in an unmanaged switch and then connect whatever devices I want to have static IPs (from the block via Gigabit 1/1), and do it that way? Or am I still not getting it?

 

I am not good at explaining what I want, but based on your response I feel that you are understanding my intentions, and I am hoping my 891F 'show running-config' shows my intentions.

 

As far as leaving 1/2 as DHCP for ASDM, I only mention that because that is its default configuration and I'd hate to mess around with configurations and lose the ability to use 1/2 to connect via HTTPS.

On the 891 I simply used my gateway IP (router IP) to configure via HTTPS, but this is definitely a different approach in this model.

"... then create a, let's say, VLAN 1/1.1 and assign it to physical port 1/3, plug in an unmanaged switch and then connect whatever devices I want to have static IPs (from the block via Gigabit 1/1), and do it that way? Or am I still not getting it?"

I think here is what you can do.

Change the gateway IP to be in a completely different segment. For this to work, you have to talk to your provider to give you a /30 for connectivity between you and them. This will free up your public segment. After that, you can assign a public IP to one of the interfaces on the firewall, connect an unmanaged switch/hub to it and connect all your end devices to that.

ISP--------FW-------hub-------laptop/desktop

The /30 would be applied to ISP and the FW.

HTH

 

Unless I am wrong, I thought that was what I have.

 

It is a block of 8 static IPs, 5 usable:

 

1  x.x.x.176  Reserved
2  x.x.x.177  (Used for my TPLink WiFi)
3  x.x.x.178  (Unused)
4  x.x.x.179  (Unused)
5  x.x.x.180  (Email Server)
6  x.x.x.181  (Web Server)
7  x.x.x.182  (Gateway from ISP for IPs)
8  x.x.x.183  (Broadcast)

 

I think that this is how it's set: .182 is my IP given by my ISP for "the device" (my router), and then .177-.181 are usable when using .182 as the gateway.

 

My ISP only sells 1, 8, 16 and so on IP Blocks. 

 

So, the mask is /29 right?

The usable IPs are 177-182 (6 IPs), and 182 is assigned to the gateway from the ISP, which is your interface facing the ISP. If this is the case, then all of your IPs are in the same segment. If the ISP can give you a /30 for the gateway, one IP on your side and one on their side, then you can use the /29 for the LAN side and do what I noted in the previous post.

Does this make sense?

HTH

 

I completely get what you are saying, but I know for a fact my ISP will not do this, as I work for the ISP (though I am a field technician).

 

This 5508-X is clearly different from the 891F, and that is OK, but the 891F is indeed working as I need it to, and I was hoping the 5508 could as well, but clearly not.

On the 891F I am using a VLAN for .177-.182, but the VLAN IP itself is also the WAN (ISP-facing) IP, so I was just assuming that I could make a 1/1.2 VLAN with a 0.0.0.0 route pointing towards the Gigabit 1/1 interface, then assign the devices manually and connect them to a switch which then connects to Gigabit 1/3 (which is assigned to VLAN 1/1.2, which routes to 1/1).

 

It seems that this cannot be the case.

 

I might just as well return the 5508, because my current scenario does not work with it.

 

I do thank you for your assistance.

Maybe you can use a bridge group to do this. Have a look at this sample config.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-transparent.html#24208

HTH

That is definitely worth a try.. I will give it a go and let you know. Thank you

Well, neither my method (unless I compiled it wrong) nor the link worked. I am of the belief that what I want is either ridiculous (though it works on my current Cisco) or it simply cannot be done on this particular model.

 

I tried and I thank you for your assistance.

fbeye (Level 4)

I just can not seem to let this go.

 

I am baffled as to why I cannot (or clearly how to) assign any one of my devices its static IP from the block of 5 that is given to me via my gateway IP (not one of the 5 usable but one of the 8 total (the given gateway from the ISP, as well as the 5508 gateway via PPPoE on Gigabit 0/0)) through any of the remaining Gigabit ports. 0/1 is currently by default set as "inside" and uses DHCP.

There has to be a way to assign a static to my devices. 

 
