Cisco Router with Cisco ASA for Internet Access
A classic network scenario for many enterprises is to have a Cisco border router for Internet access and a Cisco ASA firewall behind this router to protect the internal LAN or to build a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned the public IP address range 50.50.50.0/27 (a 32-address subnet). The usable addresses in this subnet range from 50.50.50.1 to 50.50.50.30. In our example we assign 50.50.50.1 to the outside interface of the Cisco router, and 50.50.50.2 is the ISP gateway router. We also need address 50.50.50.3 for accessing a DMZ web server whose real private address is 10.10.10.1.
Between the Cisco Router and the outside interface of the Cisco ASA we have a private subnet 10.0.0.0/24. Also, the inside internal LAN subnet is 192.168.1.0/24. The inside IP address of the ASA is 192.168.1.1.
Traffic Flow:
We need to achieve the following traffic flow:
1) All Internal LAN hosts (192.168.1.0) should be able to access the Internet (outbound communication). No access initiated from the Internet should be allowed towards the Internal LAN network.
2) Also, we need to allow access from the Internet towards our DMZ Web Server (inbound communication).
Implementation:
There are a few ways to achieve the functionality above. In any case we need to perform NAT on the border Cisco router to translate our internal private addresses to the public addresses assigned by our ISP. We also have the option to perform additional NAT on the ASA firewall, which however I wouldn't recommend.
The way I would configure such a scenario is the following:
- 1) For outbound communication (internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Instead, create a static mapping of 192.168.1.0 to itself (a no-NAT statement; we will see this below) and configure NAT overload on the Cisco router for the network 192.168.1.0/24.
- 2) For inbound communication (Internet towards the web server), again create a static mapping on the ASA for address 10.10.10.1 to itself, and perform static NAT on the Cisco router to map 10.10.10.1 to 50.50.50.3.
Configuration:
Below I will show you snapshots of the configuration for both the Cisco Router and the Cisco ASA that will achieve the functionality above.
Cisco ASA:
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown
! Now create a static NAT mapping of 192.168.1.0 to itself
ciscoasa(config)# static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Create also a static NAT mapping of the 10.10.10.1 Web Server to itself
ciscoasa(config)# static (DMZ,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
! Create an access-list to allow Inbound traffic to Web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1
Cisco Router:
interface ethernet 0
ip address 50.50.50.1 255.255.255.224
ip nat outside
!
interface ethernet 1
ip address 10.0.0.1 255.255.255.0
ip nat inside
!Assume the router uses address 50.50.50.4 for all outbound communication
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255
!Configure Static NAT to map 10.10.10.1 to 50.50.50.3
ip nat inside source static 10.10.10.1 50.50.50.3
ip route 0.0.0.0 0.0.0.0 50.50.50.2
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2
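As an added example (not part of the original post), the following Python model reproduces the NAT and access-control decisions that the two configurations above make for a new connection, so you can check which flows the design admits: LAN traffic leaves the ASA untranslated and is overloaded onto 50.50.50.4 by the router, the web server's static entry works in both directions, and only TCP/80 towards 50.50.50.3 reaches the DMZ. The starting PAT port (1024) and the function names are assumptions; the 10.0.0.0/24 transit link is not modelled.

```python
import ipaddress

# Addressing from the scenario above
LAN = ipaddress.ip_network("192.168.1.0/24")      # ASA inside network
DMZ_WEB = ipaddress.ip_address("10.10.10.1")      # real address of the DMZ web server
WEB_PUBLIC = ipaddress.ip_address("50.50.50.3")   # its static NAT address on the router
PAT_PUBLIC = ipaddress.ip_address("50.50.50.4")   # ip nat pool IP-POOL ... overload

# Router: ip nat inside source static 10.10.10.1 50.50.50.3
ROUTER_STATIC = {WEB_PUBLIC: DMZ_WEB}
# Router: ip nat inside source list 1 pool IP-POOL overload (list 1 = 192.168.1.0/24)
ROUTER_PAT_SOURCES = [LAN]
# ASA: the two "static ... to itself" entries (no translation, but a translation exists)
ASA_IDENTITY = [LAN, ipaddress.ip_network("10.10.10.1/32")]
# ASA: access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ASA_OUTSIDE_IN = {("tcp", DMZ_WEB, 80)}

_next_pat_port = 1024  # assumed first PAT port; the router's allocator is not specified

def outbound(src, sport):
    """New connection from an inside or DMZ host towards the Internet.
    Returns the (address, port) the Internet sees, or None if the flow is blocked."""
    global _next_pat_port
    src = ipaddress.ip_address(src)
    # ASA: towards a lower security level no ACL is needed, but the source
    # must have a translation; the identity static passes it unchanged.
    if not any(src in net for net in ASA_IDENTITY):
        return None
    # Router: the static entry applies in both directions and keeps the port
    for public, real in ROUTER_STATIC.items():
        if src == real:
            return (str(public), sport)
    # Router: sources matching access-list 1 are overloaded onto 50.50.50.4
    if not any(src in net for net in ROUTER_PAT_SOURCES):
        return None
    port, _next_pat_port = _next_pat_port, _next_pat_port + 1
    return (str(PAT_PUBLIC), port)

def inbound(dst, dport, proto="tcp"):
    """New connection from the Internet to one of the enterprise's public addresses.
    Returns (real destination or None, reason)."""
    dst = ipaddress.ip_address(dst)
    # Router: a new inbound flow is only translated by the static entry;
    # 50.50.50.4 carries nothing but PAT state for flows that started inside.
    if dst not in ROUTER_STATIC:
        return (None, "router: no static NAT for destination, dropped")
    real = ROUTER_STATIC[dst]
    # ASA: outside (0) -> DMZ (50) needs both a translation and an ACL permit
    if not any(real in net for net in ASA_IDENTITY):
        return (None, "asa: no translation for destination")
    if (proto, real, dport) not in ASA_OUTSIDE_IN:
        return (None, "asa: denied by OUTSIDE-IN")
    return (str(real), "asa: permitted by OUTSIDE-IN")

if __name__ == "__main__":
    print(outbound("192.168.1.10", 51000))  # ('50.50.50.4', 1024)
    print(outbound("10.10.10.1", 44321))    # ('50.50.50.3', 44321)
    print(inbound("50.50.50.3", 80))        # ('10.10.10.1', 'asa: permitted by OUTSIDE-IN')
    print(inbound("50.50.50.3", 22))        # (None, 'asa: denied by OUTSIDE-IN')
```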

I see the configuration here, but wonder why you would not put the ASA between the border router and the ISP? The only scenario in which I can envision the router in front of the firewall is where you are running BGP because of multiple links to the Internet.
Can you elaborate on this?
Thanks!
Hello Chris, thanks for stopping by and for commenting.
Your point is valid as long as the physical connection to the ISP is Ethernet (the ASA supports ONLY Ethernet network interfaces). Having a router in front gives you the flexibility to have various types of WAN network interfaces such as T1/E1, Frame Relay, ATM etc. There are still several countries in the world that have not yet adopted Ethernet for WAN connectivity, so they still use the legacy WAN technologies. That is why I suggested having a border router in front of the ASA. Another advantage of having a front-end router is the flexibility you get in terms of link redundancy and routing protocols supported. You could have, for example, a T1 as the main line and a Frame Relay link as a backup line to the ISP.
Anyhow, it all depends on the specific network needs, budget etc. If the ISP provides full Ethernet connectivity you could go with just an ASA firewall without even using a router. There is nothing wrong with this approach either.
If I want to put video conferencing in the inside private network, is there any extra configuration other than static NAT from inside to outside?
Can you say something about bidirectional NAT?
By default, Cisco ASA inspects H323 H225 to allow multimedia traffic. You should configure an access-list which will allow all required ports to pass from outside to inside. Then, apply this ACL on the outside interface. Depending on the video conferencing brand and model, the ports that need to be opened are different.
Hi,
Nice work. Is there a possibility to ‘enhance’ the Cisco ASA with router functionality with an additional card? So that the ASA does both firewalling and routing?
Hello Peter,
The limitation of the ASA compared with a router is that the ASA ONLY supports Ethernet network interfaces (with either UTP cables or fiber optic cables), so if your WAN connection towards the ISP is a different Layer 2 technology (e.g. ATM, Frame Relay, T1, E1 etc.) then you cannot use a firewall in place of the router.
However, if the connection towards the ISP is Ethernet, then yes, you can go ahead and get rid of the border router and have only the ASA in place.
The border router also adds an extra layer of security. And with multiple WAN links, load balancing, and using BGP, I find a border router (or routers) works best.
I don't like having unauthorized users stress testing my ASA outside interface. They need to get through the edge router first.
What do you recommend as the best way to SSH into the router from inside the network? Currently, I have multiple public address subnets on one border router and I'm using subinterfaces on the "inside" interface of the border router.
Hello Chris,
I agree with you regarding the border router in front of the firewall. It is your first line of defense. For SSH into the router, just pick one inside subinterface and use that one for CLI management. Since your communication using SSH is encrypted, you won't have any problem SSH-ing to any inside IP address of the router. Just make sure to use an access-class on the vty lines of the router to allow only the internal management station.
I have a similar configuration at a client, everything works fine except SVC connections to the ASA. I’ve opened UDP ports 500 and 4500 as well as ESP to no avail. The ASA log shows the WebVPN connection happening and the authentication of the user, but the logon screen reports that the session failed – any ideas?
Hello there,
Try to configure a static NAT on the router for the outside IP address of the ASA (10.0.0.2) to be mapped to a public IP, and then configure an access list on the router to permit the required ports towards the mapped public IP. For WebVPN you just need port 443 to be opened and nothing else. WebVPN does not use ESP (it uses SSL).
Hello,
Thank you for this wonderful resource. I am building a SMB network using this as my guide. One question – I don’t quite understand the purpose of the following lines on the Cisco Router:
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
So far I see you have used up:
50.50.50.1 as Company Router’s IP Address
50.50.50.2 as ISP Router’s IP
50.50.50.3 as Web Server Public IP
50.50.50.4 ??
Hello there,
Regarding your question about 50.50.50.4, this is the NAT overload address for the internal network 192.168.1.0/24. According to my scenario (see the "Implementation" section in my post above), we want outbound communication for the internal network using NAT overload on the Cisco router. NAT overload is also called PAT (Port Address Translation). That is, a single IP address (50.50.50.4) is used to translate all internal addresses in network 192.168.1.0. Again, what I describe above is just a scenario. You can modify it according to your own needs. You can also use the outside IP address of the Cisco router (50.50.50.1) as the NAT overload address. Using NAT overload is a common practice if you just need outbound communication for your internal users (e.g. browsing the Internet, sending emails etc.).
Regards
Harris
Is it possible to configure this if I get only one static IP from my ISP, using PAT and redirection for a web server and an email server?
James,
Yes, sure. If you only have, let's say, IP 50.50.50.1 (on the outside of the router), you can configure port forwarding on the router using the IOS command: ip nat inside source static tcp [local ip] [port] [global ip] [port]
Example:
ip nat inside source static tcp 10.10.10.1 80 50.50.50.1 80
What does a static NAT to itself accomplish?
A static NAT to itself is actually a no-NAT statement (i.e. the address will not be translated), BUT by doing that you also enable bi-directional access for the hosts that you do static NAT for. That is, access from a lower security level to a higher security level is now allowed (if the proper access control list is in place).
Hi,
Thank you for helping us out. I wanted some help on my new ASA 5510. I'm very much familiar with routers, but this is the first time I've got myself an ASA to play with.
I need to set up a network where I have a Cisco 800 series DSL router on a static IP. That would be my border router and my ASA would sit in between the router and the clients.
I've set things up and I'm able to ping the local LAN IPs through the terminal, but as soon as I connect a network cable to my laptop, I'm no longer able to ping the local LAN even from the terminal. I can ping the IP of Google, so the Internet is up as well.
Would you be able to help out in a basic configuration ?
Thanks and waiting.
Aj.
I guess that the problem is that the IP address of your laptop conflicts with the IP address of the internal interface of the ASA. That's my assumption from the little information you are giving. Maybe a configuration snapshot of the ASA would make things more clear.
Hi and thank you for your reply. I'm new to this so don't go about the newbie thing. Here's the config, it's all cluttered but...
The router the ASA is connected to is a Cisco 800 series DSL router. And it's configured on one of the real static IPs assigned by the ISP. The VLAN IP on the router is 192.9.201.100.
Once I connect the network cable from eth0/1 on the ASA to my laptop, I'm no longer able to ping any LAN IPs from the terminal, but I'm able to ping any other IP of, say, Google or any other site.
On the laptop I'm able to ping 192.9.201.1 which is configured on the ASA, but no other IP on the LAN nor of Google or any other.
Sorry for the trouble, but I'm still very new to ASAs.
The scenario is exactly as it's shown in the image above, but instead of assigning a LAN IP to the ASA, I'm using a real static IP on the outside interface.
Thanks in advance for the help.
Aj.
DC-HQ-ASA(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname DC-HQ-ASA
enable password F.vbdOfAHUE/IXAw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.6 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.9.201.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server xxx.xxx.xxx.7
dns name-server xxx.xxx.xxx.8
access-list inside_lan extended permit ip 192.9.201.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 xxx.xxx.xxx.5 netmask 255.255.255.248
nat (inside) 1 access-list inside_lan outside
route outside 0.0.0.0 0.0.0.0 217.145.245.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.9.201.112 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:b9e730f98fdc9bbcd7c6eac33d5016ef
: end
Hello Aj,
One mistake that I found in your configuration is that you don't have an access-group applied on the inside interface. You must configure this as follows:
access-group inside_lan in interface inside
Also, you say that the Cisco 800 router VLAN IP is 192.9.201.100, and your internal network range (connected on the ASA inside interface) is also in the same subnet 192.9.201.0/24. If this is the case, then it is wrong. You cannot have the same network range on the inside of the ASA and on the router VLAN. You must change the network subnet between "ASA outside and Router inside" to be a different subnet than 192.9.201.x.
Hi and thanks again for the help.
Well, if I cannot have the same IP range on my router and the ASA then the best way to go would be the config that you have mentioned here above.
Your config above would be perfect for me, I'll give it a go and let you know how it goes.
One more thing, you mentioned that the IPs should be different. If I change the inside IP on the ASA to, say, 10.0.0.0/24 would that work? Leaving the outside interface connected on my real static IP subnet?
Thanks again.
Aj.
Aj,
Yes, you can change the inside IP on the ASA to be in the range 10.0.0.0/24 and leave the outside address in the real IP subnet. However, you must have the proper NAT translations on the outside router to translate the private addresses into public addresses.
Hi,
Can I just assign a real IP on the router and on the ASA outside interface and assign 192.9.201.0/24 on the ASA inside? That should work, right? Of course with the right NAT and ACL?
Aj.
Hi,
I'm going into loops over here, I really have no idea what's going on. I'm trying everything but nothing seems to be working, I'm looking into topics over at Cisco, here and other places and I find so many variations of the config.
Today I tried a different setup to no avail.
I've got a 3G connection, I tried configuring the ASA to it, but nothing. Here's what I did.
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.60.111 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.9.201.222 255.255.255.0
access-list inside_lan extended permit ip 192.9.201.0 255.255.255.0 any
access-group inside_lan in interface inside
icmp permit any outside
icmp permit any inside
global (outside) 1 192.168.60.1 netmask 255.255.255.0
nat (inside) 1 access-list inside_lan outside
route outside 0.0.0.0 0.0.0.0 192.168.60.1 1
The 3G modem has a dynamically assigned WAN IP. And the inside eth IP on the modem is 192.168.60.1.
Once configured, I'm able to ping the IP of the laptop (192.9.201.112) from the ASA and I'm able to ping the inside IP of the ASA from the laptop.
I'm able to ping IPs of Google or any other and I'm also able to ping IPs of any other devices connected to the 3G modem, via the ASA through the terminal, but from the laptop I'm unable to ping anything.
Any ideas ?
Aj.
Aj,
It depends on what you want to achieve. You have multiple options, but you did not explain what exactly you want to achieve here. Just outbound communication from inside to outside? Do you also need access from outside to inside?
Anyways, you can assign the public range 192.9.201.0/24 on the ASA inside and, since this is already a publicly routable address range, you can omit the NAT translation on both the ASA and the router. On the ASA you can have:
static (inside,outside) 192.9.201.0 192.9.201.0 netmask 255.255.255.0
Then on the outside router omit the "ip nat" commands because the public range will be routed as is without translation. You of course need to have the proper routing on the outside router for the inside public range:
ip route 192.9.201.0 255.255.255.0 10.0.0.2
Between the router and the outside ASA interface you can leave the private addresses (10.0.0.1, 10.0.0.2) as in the diagram above.
Thanks and sorry if I have not been clear.
What I really want to achieve is Internet access and being able to access any other PC on the network connected via the ASA. And later configure VPN for some of the sites.
I'll try what you've mentioned above and let you know. What is strange is that I can ping IPs via the terminal connected to the ASA, so why not via a PC connected via network cable?
Aj.
How do you implement "ip nat pool IP-POOL" when your outside address is DHCP? Normally I just do "ip nat inside source list 1 interface GigabitEthernet0/0 overload" and add an ACL for my inside networks. But now that I've added an ASA into the mix this doesn't seem to work?
Aaron,
If the router is getting its outside IP dynamically (via DHCP), then obviously you don't know the exact IP, so you must do the NAT overload on the interface (exactly as you describe above). This scenario will work fine with the ASA in the mix, I don't see any problems. Have you tried it and are you having issues?