Cisco Router with Cisco ASA for Internet Access


A classic network scenario for many enterprises is to have a Cisco border router for internet access and a Cisco ASA firewall behind this router for protection of the internal LAN or for building a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned the public IP address range 50.50.50.0/27 (that is, a 32-address subnet with 30 usable hosts). The usable addresses in this subnet are 50.50.50.1 through 50.50.50.30. In our example we assign 50.50.50.1 to the outside interface of the Cisco router, and 50.50.50.2 is the ISP gateway router. We also need address 50.50.50.3 for reaching a DMZ web server whose real (private) address is 10.10.10.1.

Between the Cisco Router and the outside interface of the Cisco ASA we have a private subnet 10.0.0.0/24. Also, the inside internal LAN subnet is 192.168.1.0/24. The inside IP address of the ASA is 192.168.1.1.

Traffic Flow:

We need to achieve the following traffic flow:

1) All Internal LAN hosts (192.168.1.0) should be able to access the Internet (outbound communication). No access initiated from the Internet should be allowed towards the Internal LAN network.

2) Also, we need to allow access from the Internet towards our DMZ Web Server (inbound communication).

Implementation:

There are a few ways to achieve the functionality above. We certainly need to perform NAT on the border Cisco router to translate our internal private addresses to the public addresses assigned by our ISP. We also have the option of performing additional NAT on the ASA firewall, which I wouldn't recommend: translating twice (double NAT) makes the address plan, the access-lists and troubleshooting harder to reason about for no security gain.

The way I would configure such a scenario is the following:

  • 1) For outbound communication (Internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Rather, create a static mapping of 192.168.1.0 to itself (shown below) and configure NAT overload on the Cisco router for the network 192.168.1.0/24.
  • 2) For inbound communication (Internet towards the web server), again create a static mapping on the ASA for address 10.10.10.1 to itself, and perform static NAT on the Cisco router to map 10.10.10.1 to 50.50.50.3.

Configuration:

Below I will show you snapshots of the configuration for both the Cisco Router and the Cisco ASA that will achieve the functionality above.

Cisco ASA:

ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown

ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown

! Now create a static NAT mapping of 192.168.1.0 to itself (identity NAT: the ASA leaves the addresses untouched)
ciscoasa(config)# static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

! Create also a static NAT mapping of the 10.10.10.1 web server to itself
ciscoasa(config)# static (DMZ,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255

EDIT: NAT commands for Cisco ASA version 8.3 and later (the object NAT configuration below replaces the two static commands above; from 8.3 on, access-lists reference the real, untranslated addresses, which here are identical to the mapped ones because the ASA translates nothing):

object network web_server_static
 host 10.10.10.1
 nat (DMZ,outside) static 10.10.10.1

object network inside_mapped
 subnet 192.168.1.0 255.255.255.0

object network internal-lan
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) static inside_mapped

 

! Create an access-list to allow Inbound traffic to Web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1
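As an added example (mine, not part of the original post and not a Cisco tool), the following Python script mechanically rewrites pre-8.3 `static` commands such as the two above into the 8.3+ object NAT form shown in the EDIT: a host static becomes one object with the mapped address inline, a subnet static becomes a real object pointing at a second, mapped object. The object names it emits (`obj-<address>`, `obj-<network>-<prefix>` and the `-mapped` suffix) are my own convention, not the post's, and it also strips the `ciscoasa(config)#` prompts so a pasted snippet can be fed in directly.

```python
import ipaddress
import re

# Pre-8.3 syntax:  static (real_if,mapped_if) MAPPED REAL [netmask MASK]
# The pattern tolerates the stray spaces around the comma seen in the post's snippets.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_STATIC = re.compile(
    rf"^static\s*\(\s*(?P<real_if>[\w-]+)\s*,\s*(?P<mapped_if>[\w-]+)\s*\)\s+"
    rf"(?P<mapped>{_IPV4})\s+(?P<real>{_IPV4})(?:\s+netmask\s+(?P<mask>{_IPV4}))?$"
)
_PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips e.g. "ciscoasa(config)# "


def convert_static(line):
    """Rewrite one pre-8.3 'static' command into 8.3+ object NAT lines."""
    m = _STATIC.match(line.strip())
    if not m:
        raise ValueError(f"not a pre-8.3 static command: {line!r}")
    mask = m.group("mask") or "255.255.255.255"  # ASA default for a host static
    # strict=True refuses host bits set under the mask, as the ASA itself would
    real = ipaddress.ip_network(f"{m.group('real')}/{mask}", strict=True)
    mapped = ipaddress.ip_network(f"{m.group('mapped')}/{mask}", strict=True)
    nat_ifs = f"({m.group('real_if')},{m.group('mapped_if')})"  # (real,mapped) order is unchanged in 8.3+
    if real.prefixlen == 32:
        # Host: the mapped address goes inline, like the post's web_server_static object.
        return "\n".join([
            f"object network obj-{real.network_address}",
            f" host {real.network_address}",
            f" nat {nat_ifs} static {mapped.network_address}",
        ])
    # Subnet: 8.3+ needs the mapped side as its own object, like the post's inside_mapped.
    real_name = f"obj-{real.network_address}-{real.prefixlen}"
    mapped_name = f"{real_name}-mapped"
    return "\n".join([
        f"object network {mapped_name}",
        f" subnet {mapped.network_address} {mapped.netmask}",
        f"object network {real_name}",
        f" subnet {real.network_address} {real.netmask}",
        f" nat {nat_ifs} static {mapped_name}",
    ])


def convert_config(text):
    """Convert every pre-8.3 static in a pasted snippet; comments are dropped, other lines kept."""
    out = []
    for raw in text.splitlines():
        line = _PROMPT.sub("", raw.strip())
        if not line or line.startswith("!"):
            continue
        out.append(convert_static(line) if _STATIC.match(line) else line)
    return "\n".join(out)


if __name__ == "__main__":
    # The post's own two statics plus its access-list, exactly as pasted from the page.
    print(convert_config("""
! Now create a static NAT mapping of 192.168.1.0 to itself
ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Create also a static NAT mapping of 10.10.10.1 Web Server to itself
ciscoasa(config)# static (DMZ , outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
"""))
```

The access-list line passes through unchanged on purpose: in 8.3+ an ACL must name the real address, and for these identity statics the real and mapped addresses are the same, so OUTSIDE-IN needs no edit. For a non-identity static the converter still emits the right object NAT, but the ACL would then have to be rewritten to the real address by hand.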

Cisco Router:

interface ethernet 0
ip address 50.50.50.1 255.255.255.224
ip nat outside

!
interface ethernet 1
ip address 10.0.0.1 255.255.255.0
ip nat inside

!Assume the router uses address 50.50.50.4 for all outbound communication (PAT).
!The pool netmask is the mask of the public /27 the address belongs to, not a /32.
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.224
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255

!Configure Static NAT to map 10.10.10.1 to 50.50.50.3
ip nat inside source static 10.10.10.1 50.50.50.3

ip route 0.0.0.0 0.0.0.0 50.50.50.2
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2
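To check that the router and ASA configuration above really yields the two traffic flows required (and nothing else), here is an added Python model of the two devices; it is my own example, not code from the original post or from Cisco. It reproduces the router's static NAT and PAT overload, and the ASA's security levels, the two identity statics, the OUTSIDE-IN access-list and connection state, using the post's addresses. The Internet hosts 203.0.113.x are constructed test addresses, PAT source ports are handed out from 1024 upward purely for readability, and the model assumes the ASA default of `no nat-control`.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network as IPNet, ip_address as IPAddr

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

# Addressing from the post; 203.0.113.0/24 (TEST-NET-3) stands in for "the Internet".
INSIDE_LAN = IPNet("192.168.1.0/24")
DMZ_NET = IPNet("10.10.10.0/24")
ROUTER_PAT_IP = "50.50.50.4"                  # ip nat pool IP-POOL 50.50.50.4 ... overload
ROUTER_STATIC = {"10.10.10.1": "50.50.50.3"}  # ip nat inside source static 10.10.10.1 50.50.50.3

def interface_for(ip):
    ip = IPAddr(ip)
    return "inside" if ip in INSIDE_LAN else "DMZ" if ip in DMZ_NET else "outside"

class BorderRouter:
    """IOS NAT: static entries take precedence, then PAT for sources matched by access-list 1."""
    def __init__(self):
        self.xlate = {}  # (real src, real sport, proto) -> PAT source port, handed out from 1024

    def inside_to_outside(self, pkt):
        if pkt.src in ROUTER_STATIC:
            return replace(pkt, src=ROUTER_STATIC[pkt.src])
        if IPAddr(pkt.src) in INSIDE_LAN:  # access-list 1 permit 192.168.1.0 0.0.0.255
            port = self.xlate.setdefault((pkt.src, pkt.sport, pkt.proto), 1024 + len(self.xlate))
            return replace(pkt, src=ROUTER_PAT_IP, sport=port)
        return pkt  # no NAT rule matches: IOS forwards it with the private source intact

    def outside_to_inside(self, pkt):
        for real, public in ROUTER_STATIC.items():
            if pkt.dst == public:
                return replace(pkt, dst=real)
        if pkt.dst == ROUTER_PAT_IP:
            for (real_src, real_sport, proto), port in self.xlate.items():
                if proto == pkt.proto and port == pkt.dport:
                    return replace(pkt, dst=real_src, dport=real_sport)
        return None  # no static and no live PAT entry: nowhere to deliver

class ASA:
    """Stateful ASA: higher security-level to lower passes by default; lower to higher needs a
    translation (the identity statics) plus an access-group permit on the ingress interface."""
    LEVELS = {"outside": 0, "DMZ": 50, "inside": 100}
    STATICS_TO_OUTSIDE = [IPNet("10.10.10.1/32"), INSIDE_LAN]  # the two identity statics
    OUTSIDE_IN = [("tcp", IPNet("10.10.10.1/32"), 80)]         # access-list OUTSIDE-IN

    def __init__(self):
        self.conns = set()  # permitted 5-tuples; replies match here instead of the ACL

    def check(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.conns:
            return True, "reply to an existing connection"
        src_if, dst_if = interface_for(pkt.src), interface_for(pkt.dst)
        if self.LEVELS[src_if] > self.LEVELS[dst_if]:
            ok, why = True, f"{src_if} -> {dst_if}: higher to lower, permitted by default"
        elif src_if != "outside":
            ok, why = False, f"{src_if} -> {dst_if}: lower to higher, no static and no ACL"
        elif not any(IPAddr(pkt.dst) in net for net in self.STATICS_TO_OUTSIDE):
            ok, why = False, f"outside -> {pkt.dst}: no translation exists"
        elif any(pkt.proto == p and IPAddr(pkt.dst) in n and pkt.dport == d for p, n, d in self.OUTSIDE_IN):
            ok, why = True, f"outside -> {dst_if}: permitted by OUTSIDE-IN"
        else:
            ok, why = False, f"outside -> {dst_if}: implicit deny at the end of OUTSIDE-IN"
        if ok:
            self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return ok, why

def outbound(router, asa, pkt):
    """Connection initiated behind the ASA (inside or DMZ): ASA policy first, then router NAT."""
    ok, why = asa.check(pkt)
    if not ok:
        return "dropped at ASA", why, pkt
    if interface_for(pkt.dst) != "outside":
        return "delivered", why, pkt  # inside <-> DMZ never touches the router
    return "forwarded", why, router.inside_to_outside(pkt)

def inbound(router, asa, pkt):
    """Packet from the Internet: router un-NATs the public destination, then the ASA decides."""
    translated = router.outside_to_inside(pkt)
    if translated is None:
        return "dropped at router", "no NAT entry for destination", pkt
    ok, why = asa.check(translated)
    return ("delivered" if ok else "dropped at ASA"), why, translated

if __name__ == "__main__":
    r, a = BorderRouter(), ASA()
    for label, fn, pkt in [
        ("LAN host browsing", outbound, Packet("192.168.1.50", 40000, "203.0.113.9", 443)),
        ("reply to that browsing", inbound, Packet("203.0.113.9", 443, "50.50.50.4", 1024)),
        ("Internet -> web server :80", inbound, Packet("203.0.113.77", 51000, "50.50.50.3", 80)),
        ("unsolicited -> PAT address", inbound, Packet("203.0.113.77", 51002, "50.50.50.4", 3389)),
    ]:
        status, why, _ = fn(r, a, pkt)
        print(f"{label:27} {status:17} {why}")
```

Running it shows the LAN host leaving as 50.50.50.4, its reply matched by the ASA's connection state rather than by OUTSIDE-IN, port 80 to 50.50.50.3 reaching 10.10.10.1 while any other port dies at the ASA's implicit deny, unsolicited traffic to the PAT address dying at the router for lack of an xlate, and the DMZ host unable to open anything towards the LAN. The model also shows why the two layers are worth having: a stray `ip nat inside source static` for a LAN host on the router alone still ends with the traffic dropped at the ASA, because OUTSIDE-IN carries no permit for it.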


Comments

  1. says

    I see the configuration here, but wonder why you would not put the ASA between the border router and the ISP? The only scenario in which I can envision the router in front of the firewall is where you are running BGP because of multiple links to the Internet.

    Can you elaborate on this?

    Thanks!

  2. BlogAdmin says

    Hello Chris, thanks for stopping by and for commenting.
    Your point is valid as long as the physical connection to the ISP is Ethernet (the ASA supports ONLY Ethernet network interfaces). Having a router in front gives you the flexibility to have various types of WAN network interfaces, such as T1/E1, Frame Relay, ATM etc. There are still several countries in the world that have not yet adopted Ethernet for WAN connectivity, so they still use the legacy WAN technologies. That is why I suggested having a border router in front of the ASA. Another advantage of having a front-end router is the flexibility you get in terms of link redundancy and routing protocols supported. You could have, for example, a T1 as the main line and a Frame Relay as a backup line to the ISP.

    Anyhow, it all depends on the specific network needs, budget etc. If the ISP provides full Ethernet connectivity you could go with just an ASA firewall, without even using a router. There is nothing wrong with this approach either.

  3. harindra says

    If I want to put video conferencing in the inside private network, is there any extra configuration needed other than static NAT from inside to outside?

  4. BlogAdmin says

    By default, Cisco ASA inspects H323 H225 to allow multimedia traffic. You should configure an access-list which will allow all required ports to pass from outside to inside. Then, apply this ACL on the outside interface. Depending on the video conferencing brand and model, the ports needed to open are different.

  5. Peter says

    Hi,

    Nice work. Is there a possibility to ‘enhance’ the Cisco ASA with router functionality with an additional card? So that the ASA does both firewalling and routing?

  6. BlogAdmin says

    Hello Peter,

    The limitation of the ASA compared with a router is that the ASA ONLY supports Ethernet network interfaces (with either UTP cables or fiber optic cables), so if your WAN connection towards the ISP is a different Layer 2 technology (e.g. ATM, Frame Relay, T1/E1 etc.) then you cannot use a firewall in place of the router.

    However if the connection towards the ISP is Ethernet, then yes you can go ahead and get rid of the border router and have only the ASA in place.

  7. Chris says

    The border router also adds an extra layer of security. And with multiple WAN links, load balancing, and using BGP, I find a border router/s work best.

    I don’t like having unauthorized users stress testing my ASA outside interface. They need to get through the edge router first.

    What do you recommend as the best way to SSH into the router from inside the network? Currently, I have multiple public address subnets on one border router and I’m using subinterfaces on the “inside” interface of the border router.

  8. BlogAdmin says

    Hello Chris,

    I agree with you regarding the border router in front of the firewall. It is your first line of defense. For SSH into the router, just pick one inside subinterface and use that one for CLI management. Since your communication using SSH is encrypted, you don’t have any problems SSHing to any inside IP address of the router. Just make sure to use an access-class on the vty lines of the router to allow only the internal management station.

  9. Huge Mutha says

    I have a similar configuration at a client, everything works fine except SVC connections to the ASA. I’ve opened UDP ports 500 and 4500 as well as ESP to no avail. The ASA log shows the WebVPN connection happening and the authentication of the user, but the logon screen reports that the session failed – any ideas?

  10. BlogAdmin says

    Hello there,

    Try to configure a static NAT on the router for the outside IP address of the ASA (10.0.0.2) to be mapped to a public IP, and then configure an access list on the router to permit the required ports towards the mapped public IP. For WebVPN you just need port 443 to be opened and nothing else. WebVPN does not use ESP (it uses SSL).

  11. RSXAdmin says

    Hello,
    Thank you for this wonderful resource. I am building an SMB network using this as my guide. One question: I don’t quite understand the purpose of the following lines on the Cisco router:

    ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
    ip nat inside source list 1 pool IP-POOL overload

    So far I see you have used up:
    50.50.50.1 as Company Router’s IP Address
    50.50.50.2 as ISP Router’s IP
    50.50.50.3 as Web Server Public IP
    50.50.50.4 ??

  12. BlogAdmin says

    Hello there,

    Regarding your question about 50.50.50.4, this is the NAT overload address for the internal network 192.168.1.0/24. According to my scenario (see the “Implementation” section in my post above), we want outbound communication for the internal network using NAT overload on the Cisco router. NAT overload is also called PAT (Port Address Translation). That is, a single IP address (50.50.50.4) is used to translate all internal addresses in network 192.168.1.0. Again, what I describe above is just a scenario. You can modify it according to your own needs. You can also use the outside IP address of the Cisco router (50.50.50.1) as the NAT overload address. Using NAT overload is a common practice if you just need outbound communication for your internal users (e.g. browsing the internet, sending emails etc).

    Regards

    Harris

  13. James says

    Is it possible to configure this if I get only one static IP from my ISP, using PAT and redirection for a web server and an email server?

  14. BlogAdmin says

    James,

    Yes, sure. If you only have, let’s say, IP 50.50.50.1 (on the outside of the router), you can configure port forwarding on the router using the IOS command: ip nat inside source static tcp [local ip] [port] [global ip] [port]

    Example:
    ip nat inside source static tcp 10.10.10.1 80 50.50.50.1 80

  15. BlogAdmin says

    A static NAT to itself is actually a no-NAT statement (i.e. the address will not be translated), BUT by doing that you also enable bi-directional access for the hosts that you do static NAT for. That is, access from a lower security level to a higher security level is now allowed (if the proper access control list is in place).

  16. Aj Qureshi says

    Hi,

    Thank you for helping us out. I wanted some help on my new ASA5510. I’m very much familiar with routers, but this is the first time I’ve got myself an ASA to play with.

    I need to setup a network where I have a Cisco 800 series DSL router on a static IP. That would be my border router and my ASA would sit in between the router and the clients.

    I’ve set things up and I’m able to ping the local LAN IPs through the terminal, but as soon as I connect a network cable to my laptop, I’m no longer able to ping the local LAN even from the terminal. I can ping the IP of Google, so the internet is up as well.

    Would you be able to help out in a basic configuration ?

    Thanks and waiting.
    Aj.

  17. BlogAdmin says

    I guess that the problem is that the IP address of your laptop conflicts with the IP address of the internal interface of the ASA. That’s my assumption from the little information you are giving. Maybe a configuration snapshot of the ASA would make things clearer.

  18. Aj Qureshi says

    Hi and thank you for your reply. I’m new to this so don’t go about the newbie thing. Here’s the config, it’s all cluttered but….

    The router the ASA is connected to is a Cisco 800 series DSL router, and it’s configured on one of the real static IPs assigned by the ISP. The VLAN IP on the router is 192.9.201.100.

    Once I connect the network cable from eth0/1 on the ASA to my laptop, I’m no longer able to ping any LAN IPs from the terminal, but I’m able to ping any other IP, say Google or any other site.

    On the laptop I’m able to ping 192.9.201.1, which is configured on the ASA, but no other IP on the LAN, nor Google or any other.

    Sorry for the trouble, but I’m still very new to ASAs.

    The scenario is exactly as shown in the image above, but instead of assigning a LAN IP to the ASA, I’m using a real static IP on the outside interface.

    Thanks in advance for the help.
    Aj.

    DC-HQ-ASA(config)# sh run
    : Saved
    :
    ASA Version 7.0(8)
    !
    hostname DC-HQ-ASA
    enable password F.vbdOfAHUE/IXAw encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address xxx.xxx.xxx.6 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.9.201.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns name-server xxx.xxx.xxx.7
    dns name-server xxx.xxx.xxx.8
    access-list inside_lan extended permit ip 192.9.201.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    icmp permit any outside
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 xxx.xxx.xxx.5 netmask 255.255.255.248
    nat (inside) 1 access-list inside_lan outside
    route outside 0.0.0.0 0.0.0.0 217.145.245.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
    timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet 192.9.201.112 255.255.255.255 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd lease 3600
    dhcpd ping_timeout 50
    dhcpd enable management
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map global_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    Cryptochecksum:b9e730f98fdc9bbcd7c6eac33d5016ef
    : end

  19. BlogAdmin says

    Hello Aj,

    One mistake that I found on your configuration is that you don’t have an access-group applied on the inside interface. You must configure this as following:

    access-group inside_lan in interface inside

    Also, you say that the Cisco 800 router VLAN IP is 192.9.201.100, and your internal network range (connected on the ASA inside interface) is also in the same network subnet 192.9.201.0/24. If this is the case, then it is wrong. You cannot have the same network range on the inside of the ASA and on the router VLAN. You must change the network subnet between “ASA outside and Router inside” to be a different subnet than 192.9.201.x.

  20. Aj Qureshi says

    Hi and thanks again for the help.

    Well, if I cannot have the same IP range on my router and the ASA, then the best way to go would be the config that you have mentioned here above.

    Your config above would be perfect for me, i’ll give it a go and let you know how it goes.

    One more thing, you mentioned that the IPs should be different. If I change the inside IP on the ASA to say 10.0.0.0/24, would that work, leaving the outside interface connected on my real static IP subnet?

    Thanks again.
    Aj.

  21. BlogAdmin says

    Aj,

    Yes, you can change the inside IP on the ASA to be in the range 10.0.0.0/24 and leave the outside address in the real IP subnet. However, you must have the proper NAT translations on the outside router to translate the private addresses into public addresses.

  22. Aj Qureshi says

    Hi,
    Can I just assign a real IP on the router and on the ASA outside interface and assign 192.9.201.0/24 on the ASA inside? That should work, right? Of course with the right NAT and ACL?

    Aj.

  23. Aj Qureshi says

    Hi,
    I’m going into loops over here, I really have no idea what’s going on. I’m trying everything but nothing seems to be working, I’m looking into topics over at Cisco, here and other places and I find so many variations of the config.

    Today I tried a different setup with no avail.
    I’ve got a 3G connection, I tried configuring the ASA to it, but nothing. Here’s what I did.

    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 192.168.60.111 255.255.255.0

    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.9.201.222 255.255.255.0

    access-list inside_lan extended permit ip 192.9.201.0 255.255.255.0 any
    access-group inside_lan in interface inside

    icmp permit any outside
    icmp permit any inside

    global (outside) 1 192.168.60.1 netmask 255.255.255.0

    nat (inside) 1 access-list inside_lan outside

    route outside 0.0.0.0 0.0.0.0 192.168.60.1 1

    The 3G modem has a dynamically assigned WAN IP. And the inside eth ip on the modem is 192.168.60.1.

    Once configured, I’m able to ping the IP of the laptop which is configured (192.9.201.112) from the ASA and I’m able to ping the inside IP of the ASA from the laptop.

    I’m able to ping IPs of Google or any other and I’m also able to ping IPs of any other devices connected to the 3G modem, via the ASA through the terminal, but from the laptop I’m unable to ping anything.

    Any ideas ?
    Aj.

  24. BlogAdmin says

    Aj,

    It depends on what you want to achieve. You have multiple options, but you did not explain what exactly you want to achieve here? Just outbound communication from inside to outside? You need also access from outside to inside?

    Anyways, you can assign the public range 192.9.201.0/24 on the ASA inside and, since this is already a publicly routable address range, you can omit the NAT translation on both the ASA and the router. On the ASA you can have:

    static (inside,outside) 192.9.201.0 192.9.201.0 netmask 255.255.255.0

    Then on the outside router omit the “ip nat” commands because the public range will be routed as is without translation. You need of course to have the proper routing on the outside router for the inside public range:

    ip route 192.9.201.0 255.255.255.0 10.0.0.2
    Between Router and outside ASA interface you can leave the private addresses (10.0.0.1, 10.0.0.2) as the diagram above.

  25. Aj Qureshi says

    Thanks and sorry if I have not been clear.

    What I really want to achieve is internet access and able to access any other PC on the network connected via the ASA. And later configure VPN for some of the sites.

    I’ll try what you’ve mentioned above and let you know. What is strange is when I can ping IPs via the terminal connected to ASA, why not via PC connected via network cable ?

    Aj.

  26. Aaron says

    How do you implement “ip nat pool IP-POOL” when your outside address is DHCP? Normally I just do “ip nat inside source list 1 interface GigabitEthernet0/0 overload” and add an ACL for my inside networks. But now that I’ve added an ASA into the mix this doesn’t seem to work?

  27. BlogAdmin says

    Aaron,

    If the router is getting its outside IP dynamically (via DHCP), then obviously you don’t know the exact IP so you must do the NAT overload on the interface (exactly as you describe above). This scenario will work fine with the ASA into the mix, I don’t see any problems. Have you tried it and having issues?

  28. Aaron says

    No, it’s fine now. The problem wasn’t actually that statement, it was me cloning the ASA MAC address to the g0/0 on the router. But now that I’m up and running I’m trying to tweak and get the most out of this hardware.

  29. Shahriyar says

    Hi there,
    I am a bit confused. Well, you explained why you are using a router at your edge instead of a firewall, which I totally agree with. But in our company the situation is like this: computers/servers/etc. -> switch -> router -> (our internal/edge) Firewall 1 -> (ISP/customer/etc.) Firewall 2. And for like 1 month I have been struggling to be able to ping and NAT in this situation, but I cannot. To be more specific:
    I must be able to ping the second firewall from one of my computers with the IP address 192.168.3.4, which I cannot!!!
    How does it affect the security if I want to put the router at the edge point? Our routers are 6509s!!

    Give me some suggestions please. This ASA is skinning me alive! 😀 thank you 😀

  30. BlogAdmin says

    Look, there is never a totally right and totally wrong scenario. It all depends on what you want to achieve and what the business needs are. Usually the 6509 switch/router is suited for internal data center applications and not for edge router. What I suggest is to configure “no nat-control” on the internal Firewall1 so that you do not have to perform any NAT on this firewall. It will essentially work like a routing device. Then you need to configure “nat-control” on the external Firewall2 which will be translating the internal private addresses to public addresses.

  31. Oscar Nogales says

    Hi,

    very good tutorial. I was looking for a similar configuration, but I want to do the opposite. I mean, I want that the router forwards all incoming traffic to 50.50.50.0/27 to the firewall ASA and I do the access-list and nat on the firewall, having the router in “transparent mode” just forwarding traffic without NAT.

    Is this possible?
    What configuration must I do on the router? Just routing?

    Thanks.

  32. BlogAdmin says

    Hi Oscar,

    If, let’s say, you are assigned a whole public IP range 50.50.50.0/27, then you can assign this subnet to the network which is between the router and the ASA firewall. Let’s say you assign address 50.50.50.1 to the inside interface of the router and 50.50.50.2 to the outside interface of the ASA. Also, the outside interface of the router (between router and ISP) must be a different public IP address. Then the router DOES NOT need to do any translation, ONLY routing.

  33. raïsi says

    Hello

    I have the same architecture as yours.
    But my head-end router has the private IP 10.101.101.5
    and the ISP’s head-end router has the IP address 10.101.101.254.
    After doing exactly the configuration as presented,
    I cannot get communication out of the LAN.

    Is the ISP’s private address the cause?

    Thank you already for this wonderful document.

  34. raïsi says

    Hello

    I have the same architecture as yours.
    But my head-end router has the private IP 10.101.101.5
    and the ISP’s head-end router has the IP address 10.101.101.254.
    After doing the exact configuration as presented,
    I cannot get communication out of the LAN.

    Is the private address of the ISP the cause?

    Thank you already for this wonderful document.

  35. BlogAdmin says

    If the subnet of your router’s outside address is class C (255.255.255.0), then you should not have any problem

  36. Thiyagarajan.N says

    Hi,

    Overall the setup is good, but I think this much complication (a router in front of the Internet) is not required to achieve the expected goal.
    Nowadays media converters are available in the market to convert any kind of interface to Ethernet (like E1 to Ethernet, T1 to Ethernet, serial to Ethernet, etc.).
    You can reduce one hop by using these kinds of media converters, and it’s much easier in terms of troubleshooting accessibility.
    Static one-to-one NAT is enough on the ASA side to achieve the requirement. Please explore some other options and comment if I am wrong.

    Some types of converters:

    http://www.oriontelecom.com/converters/ethernet-e1.html

    http://www.rad.com/10/T1-Serial-and-Ethernet-Interface-Converter/3214/#

  37. BlogAdmin says

    Hello,

    This is a great comment. I agree with you if you only need to have single internet access connectivity. However, if you start thinking about load balancing between ISPs and some other fancy stuff, then a router is more flexible than the ASA.

  38. Mike says

    I like this design and have gotten it to work with this example. I have one question though that I’m having trouble with. I want to set up remote access VPN on the border router. I would like to do the NATing and VPN termination on the router and just use the ASA for firewalling. How do I get that IPSEC traffic to go through the ASA to the internal subnets?

  39. BlogAdmin says

    Mike,

    What you describe is doable with no problems. You will need to assign a specific IP address range to the remote VPN clients (you configure an IP pool on the terminating vpn router which will be used for assigning addresses to the remote clients). Then you will need to allow this address range via the ASA (the outside access list on ASA must allow this address range to access internal resources). Note that the encrypted IPSEC traffic will terminate on the outside interface of router. This means that the traffic reaching the ASA will be unencrypted.

  40. Mike says

    I have added the VPN subnet access into the ASA from the outside interface coming in. In fact I opened it wide open for testing. I have a permit ip any any statement at the end of the ACL, but it is not working. The VPN connects, but it is not encrypting the traffic or allowing the encrypted traffic through to the local subnets.

  41. BlogAdmin says

    The problem is probably on the access list you have on the router which is responsible for selecting the “vpn interesting traffic”. In this access list you should include all the internal subnets which are behind the ASA. The problem is on the router vpn configuration, not on the ASA.

  42. Mike says

    So, I think I got it to work, at least for the first connection. I can see the packets encrypt and decrypt, and I can access other machines on other internal subnets, but after I disconnect from the VPN and reestablish a new VPN on the same machine, I get a new conn-id with a new IP address (172.25.1.2 instead of 172.25.1.1) and I am not able to ping any machines on the internal subnets anymore. From the client it shows the packets being encrypted, but not decrypted. It only happens after I disconnect from that very first connection after I rebuild the VPN server. To make it work again I have to completely remove the VPN server and rebuild it.

    any insight? It’s gotta be something simple.

  43. Abhi says

    Hi Aaron,

    I have exactly the same issue. Recently we switched from g0/0 (serial) to a Fast Ethernet ISP connection. Exactly after that I got the same issue you had; please help me with the solution regarding your comment below:

    cloning the ASA mac address to the g0/0 on the router

  44. BlogAdmin says

    Mike,

    Very strange problem. Can you post a part of your configuration to take a look. I really can not help you without seeing a configuration.

  45. Mike says

    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 16000 informational
    !
    aaa new-model
    !
    !
    aaa authentication login local_authen local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec local_author local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    !
    !
    clock timezone NewYork -5
    clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
    !
    no ipv6 cef
    no ip source-route
    ip cef
    !
    !
    !
    !
    no ip bootp server
    no ip domain lookup
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-2663147481
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2663147481
    revocation-check none
    rsakeypair TP-self-signed-2663147481
    !
    !
    crypto pki certificate chain TP-self-signed-2663147481
    certificate self-signed 01
    voice-card 0
    !
    !
    !
    !
    !
    !
    license udi pid CISCO2921/K9 sn FTX1437AHJL
    hw-module pvdm 0/0
    !
    !
    !
    redundancy
    !
    !
    ip tcp synwait-time 10
    ip ssh source-interface Loopback0
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group TEST
    key testtest
    dns 4.2.2.2
    pool SDM_POOL_1
    acl 102
    crypto isakmp profile ciscocp-ike-profile-1
    match identity group TEST
    client authentication list ciscocp_vpn_xauth_ml_1
    isakmp authorization list ciscocp_vpn_group_ml_1
    client configuration address respond
    virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile CiscoCP_Profile1
    set security-association idle-time 300
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    !
    !
    !
    !
    !
    !
    interface Loopback0
    description \\ Main Loopback Address //
    ip address 10.1.1.254 255.255.255.255
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ntp disable
    !
    !
    interface Null0
    no ip unreachables
    !
    interface GigabitEthernet0/0
    description \\ Ext Interface //$ETH-WAN$$FW_OUTSIDE$
    ip address 66..xxx.xxx.xxx 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip verify unicast reverse-path
    ip nat outside
    ip virtual-reassembly
    no ip route-cache cef
    duplex auto
    speed auto
    no cdp enable
    no mop enabled
    !
    !
    interface GigabitEthernet0/1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    no ip route-cache cef
    no ip route-cache
    duplex auto
    speed auto
    no mop enabled
    !
    !
    interface GigabitEthernet0/1.100
    description $FW_INSIDE$
    encapsulation dot1Q 100 native
    ip address 192.168.100.1 255.255.255.252
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    !
    interface GigabitEthernet0/2
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    duplex auto
    speed auto
    no mop enabled
    !
    !
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    !
    !
    ip local pool SDM_POOL_1 172.25.1.1 172.25.1.254
    ip forward-protocol nd
    !
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 66.xxx.xxx.1
    ip route 10.4.4.0 255.255.255.0 192.168.100.2
    ip route 10.255.0.0 255.255.255.252 192.168.100.2
    ip route 172.20.0.0 255.255.0.0 192.168.100.2
    ip route 192.168.10.0 255.255.255.0 192.168.100.2
    !
    access-list 1 remark *** Permit only Inside Subnets ***
    access-list 1 permit 172.20.0.0 0.0.255.255
    access-list 1 permit 10.4.4.0 0.0.0.255
    access-list 99 remark *** Remote Network Access ***
    access-list 100 remark *** Control inbound traffic from Internet ***
    access-list 100 remark CCP_ACL Category=17
    access-list 100 permit udp any host 66.xxx.xxx.xxx eq non500-isakmp
    access-list 100 permit udp any host 66.xxx.xxx.xxx eq isakmp
    access-list 100 permit esp any host 66.xxx.xxx.xxx
    access-list 100 permit ahp any host 66.xxx.xxx.xxx
    access-list 100 deny ip 192.168.0.0 0.0.0.255 any
    access-list 100 deny ip 172.16.0.0 0.15.255.255 any
    access-list 100 deny ip 169.254.0.0 0.0.255.255 any
    access-list 100 deny ip 10.0.0.0 0.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip host 0.0.0.0 any
    access-list 100 deny icmp any any redirect
    access-list 100 deny icmp any any echo
    access-list 100 deny icmp any any mask-request
    access-list 100 permit ip any any
    access-list 101 remark *** Controls outbound traffic to Internet ***
    access-list 101 remark CCP_ACL Category=17
    access-list 101 permit udp any host 192.168.100.1 eq non500-isakmp
    access-list 101 permit udp any host 192.168.100.1 eq isakmp
    access-list 101 permit esp any host 192.168.100.1
    access-list 101 permit ahp any host 192.168.100.1
    access-list 101 permit ip 192.168.100.0 0.0.0.3 any
    access-list 101 permit ip 172.20.0.0 0.0.255.255 any
    access-list 101 permit ip 10.4.4.0 0.0.0.255 any
    access-list 101 permit ip 10.255.0.0 0.0.0.3 any
    access-list 101 permit ip 172.25.1.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 permit ip 172.20.0.0 0.0.255.255 any
    !
    no cdp run

    !
    !
    !
    !
    !
    control-plane
    !

  46. BlogAdmin says

    Mike,

    I identified a couple of issues. On the router you must exclude from NAT the traffic going between the internal subnets and the VPN clients pool.

    ip nat inside source list 111 interface GigabitEthernet0/0 overload

    access-list 111 remark *** NAT Traffic ***
    access-list 111 deny ip 172.20.0.0 0.0.255.255 172.25.1.0 0.0.0.255
    access-list 111 deny ip 10.4.4.0 0.0.0.255 172.25.1.0 0.0.0.255
    access-list 111 permit ip 172.20.0.0 0.0.255.255 any
    access-list 111 permit ip 10.4.4.0 0.0.0.255 any

    Also, you might need to put “ip nat inside” in the loopback interface as well (not sure about that though).

    Another thing: put a “permit ip any any” on ACL 100 while doing testing, because that ACL might be blocking some of your traffic (remove that permit statement after you finish troubleshooting, of course).

  47. Abhi says

    Hi Admin,

    I am facing an issue with ASA.
    Our network infrastructure is as follows:
    1. Cisco 2800 router -> FastEthernet0/1 (213.42.224.178/30) -> connected to ISP
    FastEthernet0/0 (213.42.235.33/28) -> connected to ASA
    2. ASA Version 8.0 -> interface Ethernet0/0 (213.42.235.34/28) -> connected to Router
    -> interface Ethernet0/1 (192.168.1.18 255.255.255.0) -> connected to Local LAN
    We recently changed from serial to Fast Ethernet for a leased line upgrade on the router. Before this change was done on the router everything was working perfectly. After the migration we are unable to browse the internet from the LAN. We are able to ping google.com from the ASA terminal. I connected one laptop directly to router port FastEthernet0/0 and I am able to browse the internet, which confirmed it’s not a problem with the router.
    From ASDM I am able to ping any public domains. We have not changed any settings in the ASA after the migration was done on the router side.

    Please help me to get this issue resolved.

  48. Mike says

    Blogadmin,

    Thanks, I’ve done that and still no joy. Like I said, it works for the very first user who establishes a vpn, but any subsequent connection fails to communicate with the internal subnets.

    The “ip nat inside” on the loopback did not work either.

  49. BlogAdmin says

    Abhi,

    It seems to me that the problem is related to ASA NAT. Since you can browse the Internet from the subnet between the ASA and the router, it means that routing towards the Internet is working fine. If the ASA was doing proper NAT translation of the private subnet (192.168.1.0/24) to the outside public IP then it should work.

    Please send me config of ASA to take a look.

  50. BlogAdmin says

    Mike,

    What I would do is to isolate the problem. Try to do a VPN for accessing only the subnet between ASA and router.

  51. Mike says

    No joy, Blogadmin, I can’t get to the subnet between the router and ASA (192.168.100.0/30). Like I said, it works only for the very first client who connects after the VPN server is built. After that first client disconnects, no other client who connects can access anything.

  52. Abhi says

    Hi Admin,

    Below is my ASA configuration

    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname ciscoasa
    enable password SZl.qUrMhOHKx encrypted
    passwd SZl.qUrMhOHKx encrypted
    names
    name 213.xx.xxx.36 citrix1 description citrix server 1
    name 213.xx.xxx.37 citrix2 description citrix 2nd
    name 192.168.1.12 citrix2_lanip description lanip2
    name 192.168.1.11 citrix_lan_ip description citrix lan ip
    name 213.xx.xxx.38 ssdserver description SSD Ulysses Server
    name 192.168.1.14 ssdserver_lanip description SSD Qms Server
    name 213.xx.xxx.39 xenapp1_wanip description XenApp Server-1 WAN
    name 192.168.1.32 xenapp1_lanip description XenApp Server-1 LAN
    name 192.168.1.33 xenapp2_lanip description XenApp Server LAN
    name 213.xx.xxx.40 xenapp2_wanip description XenApp Server WAN
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 213.xx.xxx.34 255.255.255.240
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.1.18 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    nameif management
    security-level 99
    no ip address
    management-only
    !
    ftp mode passive
    clock timezone GST 4
    access-list outside_access_in remark web access
    access-list outside_access_in extended permit tcp any host citrix1 eq www
    access-list outside_access_in remark citrix ica
    access-list outside_access_in extended permit tcp any host citrix1 eq citrix-ica
    access-list outside_access_in remark we access
    access-list outside_access_in extended permit tcp any host citrix2 eq www
    access-list outside_access_in remark citrix access
    access-list outside_access_in extended permit tcp any host citrix2 eq citrix-ica
    access-list outside_access_in remark ping
    access-list outside_access_in extended permit icmp any 192.168.1.0 255.255.255.0
    access-list outside_access_in remark PDA Gateway
    access-list outside_access_in extended permit tcp any host ssdserver eq www
    access-list outside_access_in remark Web access
    access-list outside_access_in extended permit tcp any host xenapp1_wanip eq www
    access-list outside_access_in remark web access
    access-list outside_access_in extended permit tcp any host xenapp2_wanip eq www
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.224 255.255.255.224
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.240 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.224
    access-list success_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list sales_manager_splitTunnelAcl standard permit any
    access-list sales_manager2_splitTunnelAcl standard permit any
    access-list xyz_ajman_splitTunnelAcl standard permit any
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool ippoolipsec 192.168.1.236-192.168.1.246 mask 255.255.255.0
    ip local pool ipool2 192.168.1.247-192.168.1.249 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 xenapp1_wanip-213.xx.xxx.46 netmask 255.255.255.240
    nat (inside) 0 access-list inside_nat0_outbound
    static (inside,outside) citrix1 citrix_lan_ip netmask 255.255.255.255
    static (inside,outside) citrix2 citrix2_lanip netmask 255.255.255.255
    static (inside,outside) ssdserver ssdserver_lanip netmask 255.255.255.255
    static (inside,outside) xenapp1_wanip xenapp1_lanip netmask 255.255.255.255
    static (inside,outside) xenapp2_wanip xenapp2_lanip netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 213.xx.xxx.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 213.xx.xxx.34 255.255.255.255 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    telnet 213.xx.xxx.34 255.255.255.255 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    svc enable
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-tunnel-protocol l2tp-ipsec
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol l2tp-ipsec webvpn
    group-policy xyz_ajman internal
    group-policy xyz_ajman attributes
    dns-server value 213.xx.xx.20
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value xyz_ajman_splitTunnelAcl
    group-policy xyzgrouppolicy internal
    group-policy xyzgrouppolicy attributes
    vpn-tunnel-protocol webvpn
    webvpn
    url-list none
    username test password 274Y4GRAbNElaCoV encrypted privilege 0
    username test attributes
    vpn-group-policy xyzgrouppolicy
    username deir password OR8GoXReK1v12Mv2 encrypted privilege 0
    username deir attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username gup password UrGmZJT9TvPa2v2T encrypted privilege 0
    username gup attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username khal password QoizGV6JcKfiL9Z8 encrypted privilege 0
    username khal attributes
    vpn-group-policy xyz_ajman
    username abd password ZC7GwYYKFFkTwS1R encrypted privilege 0
    username abd attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username rav password tehyrO8jnVlyN3kT encrypted privilege 0
    username rav attributes
    vpn-group-policy xyz_ajman
    username abr password AMDqAIVHRN3qFa5j encrypted privilege 0
    username abr attributes
    vpn-group-policy xyz_ajman
    username xyzssl password 8mNRV0/YzVBVmSVn encrypted
    username xyzssl attributes
    vpn-group-policy xyzgrouppolicy
    service-type remote-access
    username user1 password TTNKHqfM6YyTcEzA encrypted privilege 15
    username user1 attributes
    vpn-group-policy xyz_ajman
    username reham password KFEdDYpxHdKFGcV/ encrypted privilege 0
    username reham attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username elissa password b3O8bZLlxdzn3/X6 encrypted privilege 0
    username elissa attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username ahmed password 8kVoQ/7XzoNywxkI encrypted privilege 0
    username ahmed attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username hadi password wP90.CKYALtEA5Yb encrypted privilege 0
    username hadi attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username neev password aZkvwbNl1/v1Ny7F encrypted privilege 0
    username neev attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username zahir password gvT50mVpA4ZB/g3d encrypted privilege 0
    username zahir attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username rysil password d8SLIW06yG6IqZNP encrypted privilege 0
    username rysil attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username roy3i password sqftrCgAkwmit7mx encrypted privilege 0
    username roy3i attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    username anoop password FjjbALxryh0I1h/H encrypted privilege 0
    username anoop attributes
    vpn-group-policy xyz_ajman
    service-type remote-access
    tunnel-group DefaultRAGroup general-attributes
    address-pool ippoolipsec
    address-pool ipool2
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    no authentication chap
    no authentication ms-chap-v1
    tunnel-group xyz_ajman type remote-access
    tunnel-group xyz_ajman general-attributes
    address-pool ippoolipsec
    default-group-policy xyz_ajman
    tunnel-group xyz_ajman ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:38764d9d1a56d83f2aa3581198d2157f
    : end

  53. BlogAdmin says

    Abhi,

    You don’t have a dynamic NAT rule for the internal network. You need to configure it as below:

    nat (inside) 1 192.168.1.0 255.255.255.0

  54. BlogAdmin says

    Mike,

    Obviously the problem is in the VPN configuration on the router. Unfortunately I have not configured IPsec remote access VPN on IOS version 15.0. If I were you I would remove ALL VPN configuration on the router and redo it from scratch.

  55. Mike says

    thanks Blogadmin,

    I opened up a TAC case and Cisco said there was a workaround in 15.0 for the VPN. I had to use a crypto map and apply it to the outside interface of the router to get it to work.

    Now I’m having problems with the ASA side. I know the VPN works because I configured an inside port on the router and it works perfectly. Can you help me out with the ASA side now? Is there anything different on the ASA that you have to do now that I’m using a crypto map?

  56. BlogAdmin says

    Mike,

    I assume that the Internal LAN network (behind the ASA) is passing untranslated to the outside of the ASA using the command below:
    ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0

    If that is the case, then on your router VPN configuration you need to include this internal network in the VPN interesting traffic access-list. Then, on the outside access list of the ASA firewall you need to allow the network pool range which is assigned for the vpn clients.

  57. Sujit says

    Hi Admin,

    Please advise regarding the ASA & Internet Router configuration, if

    my LAN has multiple VLANs, and Interface VLAN 1 is SHUT DOWN for security reasons.

    What should I configure in my ASA as well as the Router and the Layer 3 Core Switch which is connected to my ASA Inside Interface?

  58. BlogAdmin says

    Sujit,

    I assume that you have multiple internal subnets (let’s say 192.168.1.0/24, 192.168.2.0/24 etc.) which are routed by the Layer 3 core switch to the ASA internal interface. Then you will have to do multiple static NATs on the ASA:

    ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
    ciscoasa(config)# static (inside , outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

    Also, the router must allow all internal subnets in the NAT rule:

    ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
    ip nat inside source list 1 pool IP-POOL overload
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 1 permit 192.168.2.0 0.0.0.255

    and also put the correct routing on the outside router:

    ip route 192.168.1.0 255.255.255.0 10.0.0.2
    ip route 192.168.2.0 255.255.255.0 10.0.0.2
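
The two router-side NAT points raised in this thread, excluding the VPN client pool from translation (the reply to Mike, comment 46) and listing every inside subnet in the NAT access-list (the reply to Sujit, just above), both come down to how IOS evaluates the access-list named in `ip nat inside source list ...`. The following is an added example, not code from the page or from Cisco IOS: a small first-match model of standard and extended ACL semantics with IOS wildcard masks. The ACL lines are copied from Mike's posted config (ACL 1), from the reply to Mike (ACL 111) and from the reply to Sujit (ACL 1); the flow addresses fed to it (a LAN host, a VPN client at 172.25.1.5, the router/ASA link address 10.0.0.2, a public resolver) are constructed.

```python
"""Which flows an IOS NAT access-list will translate.

Added example, not from the page or Cisco IOS itself: a first-match model of the
standard/extended ACL used by 'ip nat inside source list N interface ... overload'.
The ACL lines are copied from the replies to Mike (ACL 111) and Sujit (ACL 1) and
from Mike's posted config; the flow addresses fed to it are constructed.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class AclEntry:
    action: str                   # "permit" (translate) or "deny" (leave alone)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network    # ANY for a standard ACL, which matches source only


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks: 0.0.255.255 -> /16, 0.0.0.0 -> /32."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)


def parse_target(tokens):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; returns (network, tokens consumed)."""
    if tokens[0] == "any":
        return ANY, 1
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), 2
    return wildcard_to_network(tokens[0], tokens[1]), 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines; remarks and unrelated lines are skipped."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        if t[3] == "ip":                      # extended: permit|deny ip SRC DST
            src, n = parse_target(t[4:])
            dst, _ = parse_target(t[4 + n:])
        else:                                 # standard: permit|deny SRC
            src, _ = parse_target(t[3:])
            dst = ANY
        entries.append(AclEntry(t[2], src, dst))
    return entries


def nat_applies(entries, src_ip, dst_ip):
    """True when the NAT ACL permits the flow, i.e. the router will translate it.
    First match wins; the implicit deny at the end leaves unlisted traffic untranslated."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action == "permit"
    return False


# ACL 1 from Mike's router: source-only, so LAN -> VPN-client traffic is translated too.
ACL_1_ORIGINAL = """
access-list 1 remark *** Permit only Inside Subnets ***
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 1 permit 10.4.4.0 0.0.0.255
""".strip().splitlines()

# ACL 111 from the reply to Mike: deny LAN <-> VPN pool before the permits.
ACL_111 = """
access-list 111 remark *** NAT Traffic ***
access-list 111 deny ip 172.20.0.0 0.0.255.255 172.25.1.0 0.0.0.255
access-list 111 deny ip 10.4.4.0 0.0.0.255 172.25.1.0 0.0.0.255
access-list 111 permit ip 172.20.0.0 0.0.255.255 any
access-list 111 permit ip 10.4.4.0 0.0.0.255 any
""".strip().splitlines()

# ACL 1 from the multi-subnet reply to Sujit: every inside subnet needs its own permit.
ACL_1_MULTI = """
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
""".strip().splitlines()


if __name__ == "__main__":
    # Constructed flows: LAN host -> VPN client, LAN host -> Internet, router/ASA link -> Internet.
    cases = (("ACL 1 (original)", ACL_1_ORIGINAL, ("172.20.1.10", "172.25.1.5")),
             ("ACL 111", ACL_111, ("172.20.1.10", "172.25.1.5")),
             ("ACL 111", ACL_111, ("172.20.1.10", "8.8.8.8")),
             ("ACL 1 (multi)", ACL_1_MULTI, ("10.0.0.2", "8.8.8.8")))
    for label, acl, (src, dst) in cases:
        verdict = "translated" if nat_applies(parse_acl(acl), src, dst) else "not translated"
        print(f"{label}: {src} -> {dst}: {verdict}")
```

Running it shows the failure mode behind Mike's symptom: under his original source-only ACL 1 a LAN host talking to a VPN client (172.25.1.5) is translated to the WAN address, so the reply never reaches the client, while ACL 111 denies that pair before the permits and only Internet-bound traffic is translated. It also shows why a transit address such as 10.0.0.2 stays untranslated under the implicit deny: only subnets explicitly permitted in the NAT ACL are rewritten, which is why each inside subnet needs its own permit line.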

  59. Sujit says

    Dear Admin,

    thanks for your reply… yes, you are right, I have different VLANs routed in the L3 switch. The brief details about the scenario and requirements are as follows:

    I’m new to ASA configuration, please help me out with my requirement for Campus LAN internet access from different VLANs (the default VLAN 1 is down in all Cisco switches for security reasons; starting from VLAN 2 and so on there are about 40 VLANs).

    The brief scenario is as follows:

    1. In Core Switch 1 (VTP Server) all 40 VLANs are created; Core Switch 2 is in standby (VTP Mode Client)
    2. ASA Outside interface connected to the Internet Router’s Fa0/1; I don’t know what IP I should give to both the Router & ASA interfaces.
    3. Internet Router Fa0/0 (111.93.160.38/30) connected to the ISP 3 MB Internet link, Gateway Next Hop 111.93.160.37/30
    4. ISP has given me 6 more Public IPs for my Web Servers in the DMZ LAN; out of 6 I need at least 4 IPs for those servers, and a maximum of 2 I can use for any other purpose, e.g. if required for the ASA & Router interfaces or NAT pooling. The segment is 111.93.161.16/29
    5. ISP provided me the Public DNS as 121.242.190.210 & 181
    6. Core1 connected to the Firewall with a /30 IP, Core switch side 20.20.20.2/30 and ASA inside interface 20.20.20.1/30
    7. The DMZ switch is an L2 Cisco 2960 switch with no IP address, ASA Outside interface 192.20.20.1/24
    8. All the DMZ server IPs are in the 192.20.20.0/24 segment
    9. All VLANs are routed through inter-VLAN routing in the L3 switch (IP Routing); no dynamic routing used.
    10. The Inside (172.16.34.0, 172.16.100.0, 172.20.40.0) LAN and DMZ (192.20.20.0) are configured and working fine with the required NAT, Access Rules, Routing etc.
    11. The current ASA configuration is also attached for your ready reference.
    12. The Core switch VLAN segments are as below:

    Interface VLAN 1 is DOWN
    172.18.18.0/24, 172.16.10.0/24 – 45.0/24, 172.20.20.0/24, 176.20.30.0/24, 176.20.20.0/24, 176.20.40.0/24, 172.16.100.0/24

    My Requirements: Please help me with your kind expert advice to configure the following scenario.

    1st, which is required immediately:

    # I need to configure my ASA, Router & L3 in such a way that the Internet can be accessed from end user PCs, that means from an end user PC only the public DNS can be resolved, without any Proxy.

    2nd, which is required later:

    # I will install a Proxy server and also a Local DNS within the next 30 days, so that users have to use the internet through the Proxy & URL filtering will be activated; at the same time DNS requests will come to the Local DNS and then get resolved by the Public DNS.

    3rd, which is also required ASAP:

    # The DMZ servers can also reach the Internet, and Internet users can get into the DMZ servers.

    The ASA config

    : Saved
    :
    ASA Version 8.0(4)
    !
    hostname TMCASA
    domain-name tmckolkata.com
    enable password 1ArkT8tWWgbN73yv encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
    description Interface Connecting Core_1_Inside LAN
    nameif inside
    security-level 100
    ip address 20.20.20.1 255.255.255.252
    !
    interface GigabitEthernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface GigabitEthernet0/3
    description Interface Connecting DMZ Segment Server
    nameif dmz
    security-level 80
    ip address 192.20.20.1 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ftp mode passive
    clock timezone IST 5 30
    dns server-group DefaultDNS
    domain-name tmckolkata.com
    object-group service DM_INLINE_SERVICE_1
    service-object tcp-udp eq domain
    service-object tcp eq 50636
    service-object tcp eq imap4
    service-object tcp eq ldap
    service-object tcp eq pop3
    service-object tcp eq smtp
    object-group service DM_INLINE_TCP_1 tcp
    port-object eq 3268
    port-object eq ldap
    port-object eq 88
    access-list dmz-acl extended permit ip 192.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0
    access-list dmz-acl extended permit icmp any any
    access-list dmz-acl extended permit object-group DM_INLINE_SERVICE_1 192.20.20.0 255.255.255.0 176.20.40.0 255.255.255.0
    access-list dmz-acl extended permit tcp 192.20.20.0 255.255.255.0 172.16.100.0 255.255.255.0 object-group DM_INLINE_TCP_1
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu dmz 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    static (inside,dmz) 176.20.40.0 176.20.40.0 netmask 255.255.255.0
    static (inside,dmz) 172.16.34.0 172.16.34.0 netmask 255.255.255.0
    static (inside,dmz) 172.16.100.0 172.16.100.0 netmask 255.255.255.0
    access-group dmz-acl in interface dmz
    route inside 172.16.34.0 255.255.255.0 20.20.20.2 1
    route inside 172.16.100.0 255.255.255.0 20.20.20.2 1
    route inside 176.20.40.0 255.255.255.0 20.20.20.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 172.30.28.10 source inside prefer
    username ASAadmin password WxD.X5KCKtDOvv1s encrypted privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:d2f9c89a686b8f059d25320cde06d3aa
    : end
    asdm image disk0:/asdm-613.bin
    no asdm history enable

  60. Phillip John Henry Long says

    I have followed the setup above, but I cannot seem to ping the private IP of the ASA from the router. Can anyone please help?
    Many Thanks

  61. Phillip John Henry Long says

    Can you advise how I would go about updating the IOS on the router in this type of setup?
    Thanks

  62. Henrico says

    Hello Mr. BlogAdmin! I have a question regarding the border router and ASA. Right now I am using the ASA outside interface directly connected to a DSL modem with a static IP. I only have VPNs terminating on this ASA outside interface; the internet is not needed for the inside of the ASA, so no split tunnel is necessary. I saw your border router and like this idea. I would like to have the DSL connected to an 831 router and make its inside interface connect to the ASA outside. Can I make the 831 NAT or PAT the VPN traffic to the ASA outside, maybe like port forwarding? I have never tried this yet, but I like your border idea. Also, if I add another DSL and 831 router, can I do the same port forwarding of VPN traffic from 831 #2 to the same ASA outside? The reason for these thoughts is that I like your idea of a border router for less abuse of the ASA, and I would like load balancing and redundancy for VPN. Sorry for my poor English. Thank you.

  63. Henrico says

    Hello Mr. BlogAdmin! Maybe I was not clear to you. I made text diagrams.

    Now I have: DSL -> ASA Outside ASA Inside

    I want to make: DSL -> 831 Outside 831 Inside -> ASA Outside ASA Inside

    For redundancy I would like to do:
    DSL #1 -> 831 #1 Outside 831 #1 Inside -> Switch -> ASA Outside ASA Inside
    DSL #2 -> 831 #2 Outside 831 #2 Inside -> Switch -> ASA Outside ASA Inside

    I would like to use the switch to connect the ASA outside interface to the 831 #1 and 831 #2 inside interfaces. Does this logic make sense? Thank you.

  64. Henrico says

    Hello Mr. BlogAdmin! The text diagrams are not working properly. It should be like this:
    DSL -> 831 Outside (NAT or PAT) 831 Inside -> ASA Outside (VPN) ASA Inside

    The same goes for the redundancy idea. Thank you.

  65. BlogAdmin says

    Henrico,

    You can do the above scenario with no problem. You will have to do a full static NAT on the 831 router so that all traffic coming to the outside interface of the 831 is forwarded to the outside interface of the ASA. If the outside interface of the 831 has IP address 50.50.50.1 and the outside interface of the ASA has IP 10.0.0.2, then you can do the following (on the router):

    ip nat inside source static 10.0.0.2 50.50.50.1

    With the above you can terminate the VPN on the ASA.

  66. BlogAdmin says

    For the redundancy, it is better if you configure HSRP on the inside interfaces of the 831 routers. The ASA will have as default gateway the HSRP virtual address.

  67. BlogAdmin says

    Phillip,

    I do not understand your question. What does the router IOS update have to do with the network scenario above?

  68. Phillip John Henry Long says

    If I have configured the router the same way as in the above scenario,
    I would like to know how to perform the router upgrade, because as I said earlier I cannot reach the inside network (TFTP server) from the router.

  69. simon says

    Hello Sir,

    Can I configure all incoming traffic on our 7204 router instead of on the ASA firewall? This is the sample config that I am going to configure on the router.

    #static (DMZ, outside) 102.1.1.1 10.0.0.1 netmask 255.255.255.255
    #static (DMZ, outside) 102.1.1.2 10.0.0.2 netmask 255.255.255.255
    #access-list OUTSIDE-IN extended permit tcp any host 102.1.1.1 eq 80
    #access-list OUTSIDE-IN extended permit tcp any host 102.1.1.2 eq 25
    #access-group OUTSIDE-IN in interface outside
    #access-list DMZ-IN extended deny ip any any log
    access-group DMZ-IN in interface DMZ

    I want to know if the configuration above can be applied on the router. The DMZ of course is connected to the ASA firewall.

    Or I will configure the said configuration on the ASA firewall and apply static or dynamic routing on the router for all the private IP addresses to access the internet.

    And I got confused with the static mapping to itself, the same as in your configuration. The inside and the outside interface have the same network range. I just want to know how it works. In your diagram you have a different network on the inside and the outside. Please clarify this matter.

    Thank you.

  70. BlogAdmin says

    Phillip,

    Since the internal network 192.168.1.0 has a static NAT translation as identity NAT (i.e. the network appears on the outside of the ASA without change), you can install a TFTP server on this network and access it from the router. Assume the TFTP server is 192.168.1.10. You will just have to allow this on the OUTSIDE-IN access list of the ASA:

    ciscoasa(config)# access-list OUTSIDE-IN extended permit udp host 10.0.0.1 host 192.168.1.10 eq 69

  71. BlogAdmin says

    Simon,

    It’s not very clear what you want to achieve.

    Regarding the static mapping to itself, this is also called “identity static nat”. Basically you do not translate the inside network, but you create static nat mapping to the outside of the ASA so that you can access this internal network (192.168.1.0) from the outside of the ASA. You protect this network by the proper access list entries that you configure on the OUTSIDE-IN acl.

  72. simon says

    Hello Sir,

    I have a router between the ISP and the ASA. I was asking whether the configuration below is configurable on the router, because this configuration is for the ASA. I want to know if this is applicable on the router also.

    static (DMZ,outside) 102.1.1.1 10.0.0.1 netmask 255.255.255.255
    static (DMZ,outside) 102.1.1.2 10.0.0.2 netmask 255.255.255.255
    access-list OUTSIDE-IN extended permit tcp any host 102.1.1.1 eq 80
    access-list OUTSIDE-IN extended permit tcp any host 102.1.1.2 eq 25
    access-group OUTSIDE-IN in interface outside
    access-list DMZ-IN extended deny ip any any log
    access-group DMZ-IN in interface DMZ

    Thanks for clearing me about the Static Nat to itself.

  73. BlogAdmin says

    Simon,

    The exact commands as you have put them above are NOT applicable for routers. Cisco router IOS configuration is different than ASA configuration. However you can configure similar functionality on IOS router just like the static NAT of the ASA.

  74. Henrico says

    Hello Mr. BlogAdmin! Maybe I did not explain it right. After reading the HSRP info from Cisco I see my mistake. I am not looking for redundancy, I need load balancing. If I have the FTP server inside the VPN and the clients outside uploading to the FTP, I need the bandwidth for downloading at the ASA. I want to use 2 DSL lines with 2 831s as a funnel to 1 ASA for VPN. I can assign the VPN address for DSL1 to client1, DSL2 to client2, DSL1 to client3, DSL2 to client4, and so on. I just need the VPN traffic from the 2 831 routers going to 1 ASA for the VPNs. But if I also need an HTTP server (10.10.10.3) outside of the VPN but inside the 831#1 and 831#2, can I do it with some modification of the instructions you gave me?

    831#1
    ip nat inside source static 10.0.0.2 50.50.50.1
    ip nat inside source static tcp 10.0.0.3 80 50.50.50.1 80

    831#2
    ip nat inside source static 10.0.0.2 60.60.60.1
    ip nat inside source static tcp 10.0.0.3 80 60.60.60.1 80

    Maybe I make it more confuse! Thanks you.

  75. BlogAdmin says

    Henrico,

    Yes, you confused me even more!!! Anyhow, load balancing on the Cisco ASA does not work, especially when you have a VPN. You will need to install a dedicated load balancer (like the F5 load balancer or the Cisco ACE) in order to load balance traffic.

  76. king says

    Blog Admin,

    We are going to use BGP in our routing, we are going to use dynamic routing. Should I configure NAT or PAT on the router? If I am going to configure both BGP and PAT on the router. Will there be no conflict on the configurations?

    GBU

  77. BlogAdmin says

    For what reason are you going to use BGP on the router? For ISP load balancing or for advertising internal subnets? If it's for advertising internal networks, then there is no point in using NAT/PAT, because with network translation you are basically hiding the internal networks and you don't want to advertise them to the outside world.

  78. Jim says

    I have an ASA 5505 that connects directly to my ISP. My links look like they are up, but when I connect my Cisco switch to the ASA and plug my PC in to connect it doesn't seem to like the IP. I assign a static to the ASA and the switch. Ran ASDM successfully and it looks good.

    I will be installing a brand new SBS 2008 (wants to be DHCP) server and a LAN. My config is below and any information is appreciated since this must be done ASAP.

    Thanks

    Jim

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasaZON
    domain-name ZONWIB
    enable password 8C9myjbXYNhN4I0J encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 72.242.53.121 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name ZONWIB
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 72.242.53.121 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 192.168.1.5-192.168.1.254 inside
    !

    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e6cc35fbd6054b86c04b31af1827886b
    : end

  79. BlogAdmin says

    Jim,

    You will need to disable DHCP server on the ASA:
    no dhcpd address 192.168.1.5-192.168.1.254 inside

    Also, another issue I see in your config is the default route:

    route outside 0.0.0.0 0.0.0.0 72.242.53.121 1

    You should change the default route gateway address to point to your ISP and not to your ASA interface.

    The correct form is:
    route outside 0.0.0.0 0.0.0.0 [ISP gateway IP]

  80. Izoj says

    Dear BlogAdmin,

    Thank you for your technical insights.

    I am trying to configure an ASA 5505 behind Cisco 1700 and/or 800 Series router(s) for simple internet browsing and email.

    I have two questions on the sample config you gave above in your scenario example (with diagram):
    1) static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 – what does it achieve? Can't this be achieved by "same-security-traffic permit intra-interface"?
    2) route outside 0.0.0.0 0.0.0.0 10.0.0.1 – My reading is that 10.0.0.1 is the inside interface of your gateway router; but in your most recent reply to Jim, you are proposing "route outside 0.0.0.0 0.0.0.0 [ISP gateway IP]"; please clarify.

    Rgds

  81. BlogAdmin says

    Izoj

    1) the command static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 basically disables NAT for the inside network, so that traffic from 192.168.1.0 going to the outside of the ASA will not be translated. The NAT translation is offered by the router. The command “same-security-traffic permit intra-interface” basically allows traffic to enter and exit the same interface (something which is not normally allowed).

    2) Jim stated that his ASA connects directly to the ISP (without an extra router as in my scenario), so that's why I'm saying [ISP gateway IP].

  82. Izoj says

    Dear BlogAdmin,

    Thank you for the clarification.

    I have managed to get my internal users browsing the internet through:
    CLOUD -> Cisco 800 RTR -> ASA 5505 -> LAN.

    key lines in my configs:

    ASA 5505:

    access-list outside_access_in extended permit tcp host ISP_GW host 192.168.1.2 eq pop3
    access-list outside_access_in extended permit tcp host ISP_GW 192.168.1.0 255.255.255.0 eq www
    access-list outside_access_in extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply

    ———————————————————————–
    static (inside,outside) tcp ISP_GW smtp 192.168.1.2 smtp netmask 255.255.255.255
    static (inside,outside) tcp 192.168.1.0 domain 192.168.1.0 www netmask 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 172.16.0.1 1

    =======================================================================
    Cisco RTR:

    ip nat inside source list 101 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.1.2 25 interface FastEthernet0 25
    ip nat inside source static tcp 192.168.1.2 110 interface FastEthernet0 110

    =====================================================================
    Internal users can browse and send emails (through the local SMTP server), but cannot receive any reply. It's like the POP3 server is not getting incoming messages through the ASA 5505. What am I missing?

    Regds
    Izoj

  83. Perry says

    Dear BlogAdmin,

    Currently I have a PIX connected to the ISP without a router and this works perfectly. For load balancing/PBR I want to put a border router in between, like your scenario. I have multiple VPN tunnels configured to the PIX. Is it correct that they have to be terminated on the border router, as the endpoint of the VPN tunnel has to be a public IP address and the PIX will have a private IP address, or is there a way around this?

    Regards,
    Perry

  84. BlogAdmin says

    Perry,

    It depends on whether you only have one public IP address from the ISP. If this is the case, then it's better to terminate all VPN tunnels on the router. If you can get more public IP addresses, you can assign one to the outside ASA interface and terminate everything on the ASA.

  85. Ram says

    Dear BlogAdmin,

    I have a Cisco ASA 5505 behind a Netgear MBR1210 modem/router. Since I couldn't put the Netgear in bridge mode, I am trying to set up VPN by enabling port forwarding on the Netgear. I forwarded UDP port 500 on the Netgear to the ASA's outside interface.

    The issue I have here is, I was able to VPN in to ASA from remote client but couldn’t access inside network of ASA (LAN). But when I VPN from ASA’s outside network (between Netgear and ASA), it works fine. Could you please help me on this.

    Following is my setup.
    Internet———Netgear Modem/Router ————CISCOASA——-LAN
    IP:
    Netgear WAN —-Public Static from ISP
    Netgear LAN —-192.168.0.1
    ASA Outside—-192.168.0.2
    ASA Inside —-192.168.3.1
    LAN network: 192.168.3.0/24
    Below is config:
    : Saved
    :
    ASA Version 8.0(2)
    !
    hostname CISCOASA
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 192.168.0.2 255.255.255.0
    !
    interface Ethernet0/1
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/5
    nameif inside
    security-level 100
    ip address 192.168.3.1 255.255.255.0
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot config disk0:/.private/startup-config
    ftp mode passive
    access-list split_Tunn extended permit ip 192.168.3.0 255.255.255.0 any
    access-list ping extended permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip local pool vpnremotepool 10.10.10.50-10.10.10.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
    access-group ping in interface outside
    access-group ping out interface outside
    access-group ping in interface inside
    access-group ping out interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
    crypto dynamic-map dynomap 10 set transform-set myset
    crypto map IPSec_map 65535 ipsec-isakmp dynamic dynomap
    crypto map IPSec_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    group-policy RecoKen internal
    group-policy RecoKen attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_Tunn
    username tester password 4wnTeFxxdAfxRa94 encrypted
    username tester attributes
    vpn-group-policy RecoKen
    tunnel-group remKenn type remote-access
    tunnel-group remKenn general-attributes
    address-pool vpnremotepool
    default-group-policy RecoKen
    tunnel-group remKenn ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:4cf427e6faa9c3e6163afebb00019a9e
    : end
    CISCOASA#

  86. BlogAdmin says

    UDP port 500 is NOT enough for establishing a VPN tunnel. You need also the IP protocols AH and ESP. Forwarding only UDP 500 from Netgear will not work. You must have a way to do a FULL IP NAT (one to one static NAT) from netgear towards the outside interface of ASA, otherwise it will not work.

  87. Leke says

    @BlogAdmin
    I want to set up a network for a small hotel and I have made some recommendations as to the equipment needed to ensure maximum security. The network is somewhat similar to what you have up there. My problem is now the security aspect of the implementation. I had no knowledge of PIX/ASA configuration until 3 days ago, playing around with ASA in GNS3. Although I have been reading a book on firewalls, I understand some parts but not all. My question is this: in securing this network from the outside, what are the specific things I need to target? What essential configuration is necessary on the firewall, and where do I need to place the firewall to ensure maximum security? I know I can use the url-filter command to restrict websites, but what about Yahoo IM and MSN IM?

  88. CharlesG says

    Does this configuration allow for Remote Access VPN connectivity, since the outside address is private? Or does this not matter, since all outbound traffic is being NATed to the public address on the router?

  89. BlogAdmin says

    Charles,

    The configuration above, as it is shown now, does not allow for VPN termination on the ASA outside interface. If you want to do this you must create a static one-to-one NAT from an outside public IP towards the outside private IP of the ASA.

  90. Rich says

    Dear Cisco Lord,

    I have read through all of these posts, and let me just thank you so much!! You are a saint, not only helping people on your own time, but doing so in an actually HELPFUL manner unlike some of those who get paid to do so!

    I am in a situation where I have to temporarily get off of an MPLS ISP so we can drop them (terrible company). I have an Internet DS1 here, connected to a serial interface (CSU/DSU) on a 1700. The 1700 then connects to the outside interface on an ASA. What I really need to do is establish a site-to-site IPsec VPN between the ASA here and the ASA at the home office. I tried to modify some of the above examples to fit the scenario, but it is not working. I have a /29 subnet to work with, and right now only 2 of the IPs are in use (the ISP router to us, and then our serial interface). I then have the router's ethernet interface connected to the ASA on a private network (Router: 10.204.0.254 – ASA: 10.204.0.253). I am running into double NATing issues, and I am just not entirely sure what to do. I tried static NAT and that did work, but then the NAT on the ASA and the NAT on the router were conflicting. The simplest solution would be to bridge or otherwise have the router simply send everything it receives to the ASA… we don't have any special needs other than Internet access and the VPN tunnel. I can also use one of the free IP addresses to static NAT that traffic to the ASA, but I am not sure how the rest of the translation needs to be performed on either end. Would forwarding just the ports required for IPsec/IKE/etc. to the ASA and handling internet routing via the router be easiest? My other option is to set up an IOS-to-ASA VPN between here and the home office (which has two ASA 5510s) but I have never done that before… I have configuration examples, but I was worried that other issues might arise… probably just paranoid, but again I just don't have the experience to make that call in confidence.

    I guess given the choice, I would like to have the router basically just act as a media converter for the serial interface to the ethernet interface and do everything I need to do on the ASA itself and just take the router out of the mix as it is over complicating things (at least for my sleep deprived brain haha).

    Thank you so much, I owe you a beer just for the reading material already on this page.

  91. BlogAdmin says

    Rich,

    Thanks for your nice words.

    My suggestion is the following:

    Use one of the free public IP addresses that you have (under the /29 subnet) and do a static NAT on the router, thus mapping this public IP to the ASA private outside IP address. ( Assume the public IP is 50.50.50.3).

    e.g (Router Config) ip nat inside source static 10.204.0.253 50.50.50.3

    The outbound communication from the internal hosts (for accessing the Internet) will be carried out by doing NAT overload (i.e Port Address Translation) on the ASA’s outside address. This traffic will then go out via the static NAT that you have on the router.

    The remote IP Sec peer will use the public IP that you have mapped before in order to terminate the vpn tunnel.

    Is the above clear?

    Let me know for more info.
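    The design in this answer written out end to end, as an added example (it is not Rich's configuration nor the original author's). The addresses 10.204.0.253/.254 come from Rich's post and 50.50.50.3 from the answer; the serial interface name, the local LAN 192.168.1.0/24, the remote LAN 192.168.2.0/24, the remote peer 198.51.100.1 and the pre-shared key are assumptions. The ASA part uses the 8.2-style NAT syntax used elsewhere on this page.

```cisco
! ---- Border router (IOS) ----
interface Serial0/0
 description Internet DS1
 ip nat outside
!
interface FastEthernet0/0
 description to ASA outside
 ip address 10.204.0.254 255.255.255.0
 ip nat inside
!
! One-to-one static NAT of the spare public address to the ASA outside address.
! Unlike a port forward this carries every protocol (UDP/500, UDP/4500, raw ESP),
! which is what an IPsec peer needs. No other NAT is configured here: the ASA
! below already PATs the LAN to 10.204.0.253, so it leaves the router as 50.50.50.3.
ip nat inside source static 10.204.0.253 50.50.50.3

! ---- ASA (8.2-style syntax) ----
! Traffic for the remote site must keep its real addresses: NAT exemption
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Everything else from the LAN is PATed to the ASA outside address
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
!
! The ASA sits behind the router's NAT. Leave NAT traversal on (it is the default;
! compare "no crypto isakmp nat-traversal" in Ram's config above): the peers detect
! the NAT during IKE and carry ESP in UDP/4500.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set TS
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret>
```

    On the home-office ASA the peer and tunnel-group are 50.50.50.3; the private outside address of this ASA never appears there. Verify with "show crypto isakmp sa" and "show crypto ipsec sa" on the ASA and "show ip nat translations" on the router, where the static entry for 10.204.0.253 should be listed.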

  92. Rich says

    You, my good man, are a gentleman and a scholar.

    I was on the right track with my original configuration, but there was an earlier static entry that I removed last night… along with some fairly important settings (ip nat inside on the FA interface, etc) which I forgot to replace.

    The kicker was the PAT on the ASA and translating to that external port… that did the trick, tunnel is up, Internet is accessible, you are the man.

    I really want to repay you somehow, your response time is amazing and your skill set is excellent, not to mention your ability to communicate the material.

    Thank you so very much.

  93. Crash5050 says

    Mr. BlogAdmin, I have no hair left, and I am bleeding from my ears from beating my head against the wall. I will have nightmares about wr er reload!!! Anyway, to the problem at hand: I want to do a setup just like your picture, but I have 4 VLANs being routed by a 2600 router, going into a stack of 2950s, connected to two virtual stacks with 3500 series L3 switches. I would be happy to post configs if you would be willing to look at them.

  94. Jack says

    This is an awesome post. I am still trying to absorb what I have to change. I have a 2651 with adsl wic and /29 (all PPPOE authentication is being done on the 2651) currently feeding a 4006 with supervisor 4. I recently acquired a 5510 that I want to place between the 2651 and the 4006. I have made a couple attempts but have not yet been successful, not sure where the problem is

  95. Jack says

    So here is my router config


    C2651#sh run
    Building configuration…

    Current configuration : 2737 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname C2651
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    enable secret 5 $1$frux$hI7F0TDJLVfgdNBlFqexk1
    enable password xxxxxxxxxxx
    !
    no aaa new-model
    clock timezone mst -5
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    ip domain name xxxxxxxxxxx
    ip name-server 205.171.3.65
    ip name-server 205.171.2.65
    vpdn enable
    !
    !
    interface ATM0/0
    no ip address
    no ip mroute-cache
    atm restart timer 300
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/32
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0/0
    ip address 172.16.1.1 255.255.255.0
    ip nat inside
    ip tcp adjust-mss 1452
    duplex auto
    speed 100
    !
    interface FastEthernet0/1
    shutdown
    speed 100
    full-duplex
    !
    interface Dialer1
    mtu 1492
    ip address 6x.xxx.xxx.118 255.255.255.248
    no ip redirects
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxxxxxxxxxxxxx
    ppp chap password 0 xxxxxxxxx
    ppp pap sent-username xxxxxxxxx password 0 xxxxxxxxx
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    ip route 172.16.0.0 255.255.224.0 172.16.1.2
    !
    ip http server
    no ip http secure-server
    ip nat pool mpool 6x.xxx.xxx.113 6x.xxx.xxx.118 netmask 255.255.255.248
    ip nat source static tcp 172.16.26.11 21 6x.xxx.xxx.113 21 extendable
    ip nat inside source list 1 pool mpool overload
    ip nat inside source static tcp 172.16.26.11 21 6x.xxx.xxx.113 21 extendable
    ip nat inside source static tcp 172.16.26.23 25 6x.xxx.xxx.113 25 extendable
    ip nat inside source static tcp 172.16.26.23 443 6x.xxx.xxx.113 443 extendable
    ip nat inside source static tcp 172.16.26.11 3389 6x.xxx.xxx.113 3389 extendable
    ip nat inside source static tcp 172.16.26.42 443 6x.xxx.xxx.115 443 extendable
    ip nat inside source static tcp 172.16.26.17 5090 6x.xxx.xxx.115 5090 extendable
    ip nat inside source static tcp 172.16.26.42 8742 6x.xxx.xxx.115 8742 extendable
    ip nat inside source static tcp 172.16.26.6 443 6x.xxx.xxx.116 443 extendable
    ip nat inside source static tcp 172.16.26.7 25 6x.xxx.xxx.117 25 extendable
    ip nat inside source static tcp 172.16.26.8 80 6x.xxx.xxx.117 80 extendable
    ip nat inside source static tcp 172.16.26.7 443 6x.xxx.xxx.117 443 extendable
    !
    access-list 1 permit 172.16.0.0 0.224.255.255
    snmp-server community public RO
    snmp-server community xxxx RW
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    password xxxxxxxxxx
    login
    !
    !
    end

    C2651#

    So If I follow the above example and change the IP of fa0/0 to 10.0.0.1 and change the route statement to ip route 172.16.0.0 255.255.224.0 10.0.0.2, what else would I need to change. The ASA has been configured per the example with ip changes where applicable

    Thanks

  96. Fernando says

    @BlogAdmin,

    Awesome document. I have a similar scenario. I'll be upgrading my company from one Linksys dual-WAN router (2 DSL connections) to a Cisco 891 with an ASA 5505 behind it.
    One question: we won't have a DMZ, just a LAN with a few servers in it. Some incoming connections from the internet will need to be forwarded to these internal servers (SMTP, RDP, …). I would like to manage all of these port translations on the ASA. How would I need to configure NAT on the edge router? Say my internal server is 192.168.1.100. Would I need to do a static NAT statement on the router and then be more granular with an access list on the ASA?
    I do not have a pool of WAN IP addresses; I have static IPs from my ISP.
    If you could provide sample statements to accomplish this scenario it would be much appreciated. Thanks very much in advance and again, awesome job with this tutorial. Regards

  97. BlogAdmin says

    Jack,

    I think it would be easier for your scenario if you disable NAT completely on the ASA (using "no nat-control") and have the ASA working as a router. Of course it will continue inspecting traffic and doing its firewall job, but it will not do any NAT. Since all the NAT is done on your border router, you don't need another NAT device. You will have to control traffic on the ASA just by using access lists.

  98. BlogAdmin says

    Fernando,

    I suggest to disable NAT on the ASA (“no nat-control”) and do all the NAT on the router. This will be the simplest scenario. You can have a static NAT on the router mapping one static public IP to the internal server 192.168.1.100. Then have the ASA control the traffic to the internal server with access list applied on its outside interface. You must put the proper static route also on the router for the internal servers which are behind the ASA.
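    The design suggested in the two answers above, together with the IOS equivalents Simon asked about in comment 72, as one added example (not the original author's configuration). Addresses follow the article: router public 50.50.50.1/27, router inside 10.0.0.1, ASA outside 10.0.0.2, LAN 192.168.1.0/24, and Fernando's server 192.168.1.100. The spare public address 50.50.50.3, the interface names and the admin network 203.0.113.0/24 used for RDP are assumptions.

```cisco
! ---- Border router (IOS): all NAT lives here ----
interface FastEthernet0/0
 description to ISP
 ip address 50.50.50.1 255.255.255.224
 ip nat outside
!
interface FastEthernet0/1
 description to ASA outside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! The ASA no longer hides the LAN behind 10.0.0.2, so the router must route to it
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
! Outbound: PAT the LAN to the public interface address
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface FastEthernet0/0 overload
!
! Inbound: IOS equivalents of the ASA "static (inside,outside) tcp ..." port
! forwards. IOS wants the protocol and both port numbers spelled out.
ip nat inside source static tcp 192.168.1.100 25 50.50.50.3 25
ip nat inside source static tcp 192.168.1.100 3389 50.50.50.3 3389

! ---- ASA (8.2-style syntax): routes and filters, but does not translate ----
! nat-control is already off by default on 8.2; stating it documents the intent.
! The command no longer exists in 8.3+, where having no NAT rule has the same effect.
no nat-control
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
!
! The router has already reversed the translation, so the ASA filters on the real
! server address and still sees the real Internet source. Keep RDP to an admin range.
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.100 eq smtp
access-list OUTSIDE-IN extended permit tcp 203.0.113.0 255.255.255.0 host 192.168.1.100 eq 3389
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

    Two points for Simon's question: IOS has no direct equivalent of the ASA lines as written, and if you do put an inbound ACL on the router's outside interface it is evaluated before inbound NAT, so it must match the public address (50.50.50.3), not the private one. A plain ACL there would also block the return traffic of the outbound PAT unless you add stateful inspection on the router, which is why the filtering is left to the ASA here.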

  99. BlogAdmin says

    Crash5050,

    Didn’t understand exactly what you want to achieve. Be more specific please

  100. Jack says

    So I guess one of the places I am confused is with the static nat to itself. The inside interface of the ASA is pointing to the native vlan 1 of a 4006 with sup 4. There are several vlans on the 4006 all in the range of 172.16.0.x to 172.16.31.x so wouldn’t I change this static nat to 172.16.0.0 172.16.0.0 netmask 255.255.224.0 or do I need to create a static nat for each of the class C vlans?

  101. BlogAdmin says

    Jack,

    You will disable NAT completely on the ASA (so there will not be any static NAT to itself like my example above). Think about it as if you are placing a normal router in front of the switch.

  102. Jack says

    I purchased the book and it is very informative. My understanding of the ASA is better, but I still have a question for the particular setup I want to do. I have a 2651XM with an ADSL WIC and a /29 from my ISP. The router is configured for NAT and the dialer is configured for the public pool. The router inside interface is connected to a Catalyst 4006 with a Supervisor 4 WS-X4515. I have numerous VLANs configured on the 4006 in the range of 172.16.0.x – 172.16.31.x. I loaded the latest 8.4 software on the ASA. The router inside interface is 172.16.1.1 /24 and I have the following routes: ip route 0.0.0.0 0.0.0.0 Dialer1 permanent and ip route 172.16.0.0 255.255.224.0 172.16.1.2. The 4006 VLAN 1 IP is 172.16.1.2 /24 and I have the following routes: ip default-gateway 172.15.1.1 and ip route 0.0.0.0 0.0.0.0 172.16.1.1. What would be the best way to insert the ASA between the router and the layer 3 switch?

  103. BlogAdmin says

    Jack,

    As I have already said in my previous comment, it would be better and easier to disable NAT on the ASA. This will make the ASA work like a router while still inspecting traffic and applying firewall rules. Connect the outside interface of the ASA to the inside of the router, and the inside interface of the ASA to VLAN 1 of the 4006 switch. You will need to introduce a new layer 3 subnet, let's say for the link between the outside of the ASA and the inside of the router. The inside of the ASA and VLAN 1 can stay as 172.16.1.0/24. On the ASA, router and 4006 you will need to add the required static and default routes.

  104. Fernando says

    @BlogAdmin,

    Hi, I used this article as a guide and got my network up and running properly. I have now discovered a problem with FTP. I have an FTP server in my inside network in passive mode. On the ASA I have static NAT translations for ports 21 and 20 to my internal server, and also have ports 20 and 21 open on the outside interface. The problem is that when I connect from an FTP client from outside I can connect to the server just fine, I get asked for authentication, but then the connection breaks. From what I've been reading it's because the server in passive mode uses random ports to transmit the data, and those ports are obviously not allowed on my ASA. The ASA should be able to inspect the data and let it through… any ideas of how to do this? I've been looking everywhere and can't get it to work. A bit of help would be greatly appreciated.
    Kind regards

    Fernando

  105. BlogAdmin says

    Hi Fernando,

    Have you enabled FTP inspection on the ASA?

    Do the following:

    ASA(config)#policy-map global_policy
    ASA(config-pmap)#class inspection_default
    ASA(config-pmap-c)#inspect ftp

    If the above does not work, then try the following command:

    ASA(config)#ftp mode passive

  106. Fernando says

    @BlogAdmin,
    thanks. I did try that but still no luck. Any more ideas? I can authenticate from FTP client but I do not get the list of folders…

  107. SF says

    Hi All
    Just wondering whether some one could shed light on this.
    I am currently doing a network upgrade where an ASA is being installed. Everything is OK apart from the proxy configuration.

    What I would like to do is to have an internal proxy server so that all clients go through it, but I don't know what config needs to be done on the ASA.

    Secondly, for another project I want to use an external proxy, and I am still stuck with the configuration.

    Appreciate if some one could help me.

  108. BlogAdmin says

    SF,

    What you want to achieve can be done easily with access control lists (ACL). Basically you will need to apply an ACL (inbound direction) on the inside interface of ASA which will allow access to only the IP address of proxy and then deny everything else.

  109. SF says

    Thanks for the prompt reply.

    But still trying to get my head around how to setup the firewall when an internal proxy is being used.

    .The proxy server resides in inside network.
    .All the clients go through it, when accessing web.

    If I only allowed web traffic source from proxy server, would it be the correct way of setting up?

  110. BlogAdmin says

    SF,

    My last comment was about allowing the internal proxy. Basically on the ACL you permit only source IP of proxy to any destination and then deny everything else.
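    The two answers above written as a complete inbound ACL on the ASA inside interface, as an added example (not the original author's configuration). It covers SF's internal proxy and, separately, the external proxy from the second project. The proxy 192.168.1.20, the mail server 192.168.1.2 and the external proxy 203.0.113.20 on port 8080 are assumptions; the LAN 192.168.1.0/24 follows the article.

```cisco
! ---- Internal proxy: only it may open web sessions ----
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
!
access-list INSIDE-IN extended permit tcp host 192.168.1.20 any object-group WEB-PORTS
! The proxy must also be able to resolve names
access-list INSIDE-IN extended permit udp host 192.168.1.20 any eq domain
! Applying an ACL here removes the implicit "inside may go anywhere" behaviour,
! so every other legitimate outbound flow must be listed explicitly
access-list INSIDE-IN extended permit tcp host 192.168.1.2 any eq smtp
access-list INSIDE-IN extended permit udp 192.168.1.0 255.255.255.0 any eq ntp
! Everything else, including browsers configured to bypass the proxy, is dropped and logged
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! ---- External proxy (second project): clients may reach only the proxy ----
! Use this list INSTEAD of INSIDE-IN on the inside interface; the last
! access-group applied wins, so do not apply both.
access-list INSIDE-IN-EXT extended permit tcp 192.168.1.0 255.255.255.0 host 203.0.113.20 eq 8080
access-list INSIDE-IN-EXT extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE-IN-EXT extended deny ip any any log
access-group INSIDE-IN-EXT in interface inside
```

    Check it with "show access-list INSIDE-IN" (hit counts on the deny line show who is bypassing the proxy) and with "packet-tracer input inside tcp 192.168.1.50 40000 198.51.100.5 80", which should end in a drop for a client that is not the proxy.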

  111. BlogAdmin says

    Max,

    The static NAT mapping of 192.168.1.0 to itself is basically used to avoid doing dynamic NAT on the ASA, since the dynamic NAT (for outbound communication) is done on the border router. Basically the internal LAN network passes untranslated from the inside of the ASA to its outside and then the border router does NAT to translate this private network into a public IP in order to get routed on the Internet.
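    The mapping-to-itself explained in comments 81 and 111, as an added example in both NAT syntaxes (it is not code from the original article): the 8.2-style line used on this page and the 8.3+ form a box like Jack's 8.4 ASA needs. The object name INSIDE-LAN is an assumption; 192.168.1.0/24 and 10.0.0.1 follow the article.

```cisco
! ---- ASA 8.2 and earlier ----
! Static identity NAT: 192.168.1.0/24 is presented on the outside unchanged and in
! both directions, so the border router can NAT it outbound and the outside can
! reach it inbound. The OUTSIDE-IN interface ACL is then the only protection.
static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
!
! Not the same thing: "nat 0" identity NAT also leaves addresses untouched, but it
! only builds translations for connections started from the inside, so inbound
! access (the TFTP server, a DMZ host) would fail with it.
! nat (inside) 0 192.168.1.0 255.255.255.0

! ---- ASA 8.3 and later ("static (inside,outside)" no longer exists) ----
! Twice (manual) NAT with the same object on both sides is bidirectional identity NAT
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN

! ---- Check (either version) ----
! The NAT phase should show the address unchanged; with a permitting OUTSIDE-IN
! entry the result for an inbound flow to a LAN host is "allow".
! packet-tracer input outside tcp 10.0.0.1 40000 192.168.1.10 22
```

    Note that interface ACLs on 8.3+ always reference real (untranslated) addresses, which for identity NAT makes no difference, but matters if you later replace this with a real translation.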

  112. Francis Teo says

    Hi, I came across your post and found it very relevant to what I am doing. Except I am no expert here.
    I am not sure if you are still doing this; I do not mind paying for your service to modify my existing Site-To-Site VPN.
    If you are keen we can explore working on it remotely.
    Here are my settings:
    NOW:
    ISP -> Cisco811 (VPN peer running, no problem)

    New:
    ISP -> Cisco811 -> CiscoASA5100 (to use VPN here)
    VPN peer to move to the Cisco ASA

    Please let me know if you are keen.
    Thanks
    Francis

  113. BlogAdmin says

    Hi,

    Do you have a static public IP on the outside interface of the Cisco 811? Do you have more public IP addresses to assign to the ASA outside interface?
    Also, what other kind of access do you have? i.e. internet users from inside browsing the internet, and also what kind of VPN is this?
    Let me know the above and I will tell you how to proceed. I offer a paid service if you want me to connect remotely and fix it for you.

    Harris

  114. Chris Kofon says

    Hi

    This scenario and configuration guide was exactly what I implemented for a client. It was just what I needed. Thanks.

    I would like to know what I would need to do if I wanted to access the ASA via the router using SSH.

    Thank you again

  115. BlogAdmin says

    Hi Chris,

    You can configure port forwarding on the router to forward SSH traffic hitting its public IP address towards the outside address of the ASA.

    Example config on the router:

    ip nat inside source static tcp 10.0.0.2 22 50.50.50.1 22

    Hitting the router's outside address 50.50.50.1 on port 22 (SSH) from outside will redirect the traffic to the ASA address 10.0.0.2, port 22.

    Harris
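
As an added example (not the blog author's configuration), the port forward from the reply above, together with the two pieces a practitioner would want alongside it: an inbound ACL on the router so that the forwarded SSH port is not open to the whole Internet, and the SSH settings the ASA itself needs before it will accept the forwarded connection. Addresses 50.50.50.1 (router outside) and 10.0.0.2 (ASA outside) are from the article; the admin workstation 203.0.113.5, the interface name and the account name are assumptions.

```cisco
! Added example, not from the original page. Assumed: admin workstation
! 203.0.113.5 and router ISP interface FastEthernet0/0.
!
! --- Border router (IOS) ---
! The forward itself, exactly as in the comment above:
ip nat inside source static tcp 10.0.0.2 22 50.50.50.1 22
!
! Inbound ACL on the ISP-facing interface. For outside->inside traffic IOS
! evaluates the inbound ACL before NAT, so the match is on the public address.
! The final "permit ip any any" stands in for whatever inbound policy the
! router already has; keep the existing lines and add only the two SSH entries.
ip access-list extended OUTSIDE_IN
 permit tcp host 203.0.113.5 host 50.50.50.1 eq 22
 deny   tcp any host 50.50.50.1 eq 22 log
 permit ip any any
interface FastEthernet0/0
 description Link to ISP
 ip access-group OUTSIDE_IN in
!
! --- ASA ---
! The router rewrites only the destination address, so the ASA sees the real
! source (203.0.113.5). The ASA must explicitly allow SSH from that source on
! "outside"; without the "ssh" line the connection is refused even though the
! forward on the router is working.
domain-name example.com
crypto key generate rsa modulus 2048
username admin password <strong-password> privilege 15
aaa authentication ssh console LOCAL
ssh 203.0.113.5 255.255.255.255 outside
ssh version 2
ssh timeout 10
!
! Checks
! router: show ip nat translations | include :22
! router: show ip access-lists OUTSIDE_IN
! ASA:    show ssh sessions
```

The `deny ... log` line gives a hit counter and a syslog entry for every SSH attempt that does not come from the admin address, which is a cheap way to see how quickly an exposed port 22 gets probed. If the admin address is not static, the alternative is to reach the ASA over the VPN or from a jump host inside the network rather than widening the permit.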

