Re: Network setup with Cisco ASA 5510

kingnation · ‎09-14-2017

Hello guys,

i need your help and idea to setup a network for a small company. Right now the company having a internet connection from an ISP using the ISP's modem. They would like to place a Cisco ASA 5510 after the modem and would like to connect the Cisco ASA to a switch and from switch will go to LAN.Below is the idea to setup the network connection. Please let me know if it is possible to setup like this.

Seb Rupik · ‎09-14-2017

Hi there,

That would be a fairly standard setup, although ASA are typically deployed at 'large' branch sites (going by Cisco design docs). You state this is for a small company.

Unless you have have already purchased the 5510 perhaps look at using an ISR router and configuring Zone Based Firewalling on it.

cheers,

Seb.

kingnation · ‎09-14-2017

Hey thanks for the reply. Actually they already purchase a ASA 5510 and they ask me to setup connection based on the diagram. The ISP has given a /30 ip. Can u guide me on how to start? im not good in cisco commands.Is there any doc that i can refer?

Seb Rupik · ‎09-14-2017

You know the 5510 has been EOL'd:

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727283.html

For starters, take the time to upgrade its software:

https://software.cisco.com/download/release.html?mdfid=279916854&flowid=4373&softwareid=280775065&release=9.1.7%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

We can then use this for reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config.html

What are the IP address details of the internal network?

cheers,

Seb.

kingnation · ‎09-14-2017

Ok thank you sir. Im not sure about the public the ISP provide them. They didnt tell me about it. What they told me is that the ISP gives them a /30. While for internal network they plan to use private ip 192.168.10.0/24. The want all the lan connected pc has ip from this range.

So basically what they want is to have a outside public connection and inside private connection. Thank you

Seb Rupik · ‎09-14-2017

Connecting ASA Gi0/0 to the ISP router and Gi0/1 to the HP switch (to an access mode switchport), try this config:

!
interface GigabitEthernet0/0
  nameif OUTSIDE
  security-level 0
  ip address <ISP_SUBNET> 255.255.255.252
  no shutdown
!
interface GigabitEthernet0/1
  nameif INSIDE
  security-level 100
  ip address 192.168.10.254 255.255.255.0
  no shutdown 
!
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
!
dhcpd address 192.168.10.1-192.168.10.253 INSIDE
dhcpd dns 8.8.8.8
dhcpd option 3 ip 192.168.10.254
dhcpd enable INSIDE
!
aaa authentication ssh console LOCAL
!
ssh 192.168.10.0 255.255.255.0 INSIDE
!
route OUTSIDE 0.0.0.0 0.0.0.0 <ISP_ROUTER_IP>
!

You may want ot consider using ASDM if you've never configred an ASA before.

cheers,

Seb.

kingnation · ‎09-14-2017

ok thank you so much sir...i will try and will let you know if it works. Thank you for your time

kingnation · ‎09-14-2017

Between i dont understand this line

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

can you explain to me sir?

Seb Rupik · ‎09-14-2017

It will perform dynamic PAT for any device behind the INSIDE interface which is being routed via the OUTSIDE interface.

I have added the after-auto command to ensure that this NAT rule is one of the last to be hit, assuming you add object NAT rules at a later date.

You ISP router probably has NAT funationality, but you would need to add static routes to so that to it could route packets back to the ASA for the 192.168.10.0/24 subnet. By doing the NAT on the ASA we do not need to adjust the configuration the ISP router.

Please rate helpful posts :)

kingnation · ‎09-14-2017

Ok thank you sir.. I will try and let u know through this post. Thank you

kingnation · ‎09-15-2017

Hello Sir,

If im done with the config one ASA what should do on switch side. Is it i just need to create a vlan and connect it using switchport mode access? should i assign any ip on the switch side and on the interface from cisco asa that connects to switch? Thank you sir

Seb Rupik · ‎09-15-2017

Hi there,

Just conenct the switch to Gi0/1 on the ASA with switchport mode access. No need to configure an IP for the VLAN on the switch. The switch will just operate at Layer2 for the VLAN, the ASA will be the gateway.

cheers,

Seb.

kingnation · ‎11-13-2017

Hello Sir,

Sorry for my very late reply. I was out for a business trip. Im going to install the Cisco ASA this week and before that i tried the setup using cisco packet tracer. I use a easy setup and yet there is a log error message in cisco asa. Attached is the picture for the error and the network diagram. Please assist me on this. Thank you

kingnation · ‎11-13-2017

I able to ping ASA's local internal ip from PC, but i couldn't ping 192.168.200.21/30 ip which i assigned to Router and 192.168.200.22/30 which is the ASA. Is there anything i need to do? or should i do a routing from router to another router using ospf or rip to simulate the real time scenario? Please let me know sir. Thank you.

Seb Rupik · ‎11-14-2017

Hi there,

What is the configuration for Fa0/1 on Switch3 and Eth0/1 on the ASA?

Regarding the the issue of not being able to ping interfaces on the 192.168.200.20 /30 subnet, issue the following command on the ASA:

!
fixup protocol icmp
!

...to allow inspection of ICMP traffic and permit its flow through the ASA.

cheers,

Seb.