Cisco Router with Cisco ASA for Internet Access
A classic network scenario for many enterprises is to have a Cisco border router for internet access and a Cisco ASA firewall behind this router for protection of the internal LAN or for building a DMZ network. This scenario is shown in the figure below:

Assume that our enterprise is assigned a public IP address range of 50.50.50.0/27 (that is, a 32-address subnet). The usable addresses in this subnet range from 50.50.50.1 to 50.50.50.30. In our example we assign 50.50.50.1 to the outside interface of the Cisco router, and 50.50.50.2 is the ISP gateway router. We also need to use address 50.50.50.3 for accessing a DMZ web server which has a real private address of 10.10.10.1.
Between the Cisco Router and the outside interface of the Cisco ASA we have a private subnet 10.0.0.0/24. Also, the inside internal LAN subnet is 192.168.1.0/24. The inside IP address of the ASA is 192.168.1.1.
Traffic Flow:
We need to achieve the following traffic flow:
1) All Internal LAN hosts (192.168.1.0) should be able to access the Internet (outbound communication). No access initiated from the Internet should be allowed towards the Internal LAN network.
2) Also, we need to allow access from the Internet towards our DMZ Web Server (inbound communication).
Implementation:
There are a few ways to achieve the functionality above. In any case we need to perform NAT on the border Cisco router to translate our internal private addresses to the public addresses assigned by our ISP. We also have the option of performing additional NAT on the ASA firewall, which however I wouldn’t recommend.
The way I would configure such a scenario is the following:
- 1) For outbound communication (Internal LAN towards the Internet), do not translate the network 192.168.1.0/24 on the Cisco ASA. Instead, create a static mapping of 192.168.1.0 to itself (we will see this below) and configure NAT overload on the Cisco router for the network 192.168.1.0/24.
- 2) For inbound communication (Internet towards the Web Server), again create a static mapping on the ASA for address 10.10.10.1 to itself, and perform static NAT on the Cisco router to map 10.10.10.1 to 50.50.50.3.
Configuration:
Below I will show you snapshots of the configuration for both the Cisco Router and the Cisco ASA that will achieve the functionality above.
Cisco ASA:
ciscoasa(config)# interface GigabitEthernet0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 10.0.0.2 255.255.255.0
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# ip address 10.10.10.2 255.255.255.0
ciscoasa(config-if)# security-level 50
ciscoasa(config-if)# no shutdown
! Now create a static NAT mapping of 192.168.1.0 to itself
ciscoasa(config)# static (inside,outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
! Create also a static NAT mapping of 10.10.10.1 Web Server to itself
ciscoasa(config)# static (DMZ,outside) 10.10.10.1 10.10.10.1 netmask 255.255.255.255
! Create an access-list to allow Inbound traffic to Web server only
ciscoasa(config)# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80
ciscoasa(config)# access-group OUTSIDE-IN in interface outside
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 10.0.0.1
Cisco Router:
interface ethernet 0
ip address 50.50.50.1 255.255.255.224
ip nat outside
!
interface ethernet 1
ip address 10.0.0.1 255.255.255.0
ip nat inside
!Assume the router uses address 50.50.50.4 for all outbound communication
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255
!Configure Static NAT to map 10.10.10.1 to 50.50.50.3
ip nat inside source static 10.10.10.1 50.50.50.3
ip route 0.0.0.0 0.0.0.0 50.50.50.2
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 10.10.10.0 255.255.255.0 10.0.0.2
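To make the two traffic flows concrete, here is an added Python model of the NAT and filtering decisions taken by the router and the ASA in the configuration above. It is not vendor code and not part of the original post: the addresses and rules are the ones from the article, while the evaluation logic is a simplified, stateless model (no xlate table, no PAT port selection, no TCP state tracking). It shows which packets reach the Internet with a usable public source, which inbound packets reach the DMZ web server, and which are dropped by the implicit deny at the end of OUTSIDE-IN.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Addresses and rules below are the article's; the evaluation logic is a constructed model.
ROUTER_PAT_ADDR = IPv4Address("50.50.50.4")          # ip nat pool IP-POOL ... overload
ROUTER_NAT_ACL = [IPv4Network("192.168.1.0/24")]     # access-list 1 permit 192.168.1.0 0.0.0.255
ROUTER_STATIC_NAT = {                                # ip nat inside source static 10.10.10.1 50.50.50.3
    IPv4Address("10.10.10.1"): IPv4Address("50.50.50.3"),
}
# access-list OUTSIDE-IN extended permit tcp any host 10.10.10.1 eq 80  (implicit deny follows)
ASA_OUTSIDE_IN = [("permit", "tcp", IPv4Network("0.0.0.0/0"), IPv4Network("10.10.10.1/32"), 80)]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: int


def packet(proto, src, dst, dport):
    """Build a Packet from plain strings (convenience for callers and tests)."""
    return Packet(proto, IPv4Address(src), IPv4Address(dst), dport)


def asa_acl_permits(pkt, acl=ASA_OUTSIDE_IN):
    """First-match evaluation of an ASA extended ACL; no match means the implicit deny."""
    for action, proto, src_net, dst_net, port in acl:
        if (proto == pkt.proto and pkt.src in src_net and pkt.dst in dst_net
                and (port is None or port == pkt.dport)):
            return action == "permit"
    return False


def outbound(pkt):
    """Inside LAN or DMZ -> Internet. Returns the packet as it leaves the router, or None
    when no translation applies (the private source would never be routable on the Internet)."""
    # ASA: 'static (inside,outside) 192.168.1.0 192.168.1.0' is a no-NAT, source unchanged.
    # Router: a static NAT entry is bidirectional, so it is consulted before the overload rule.
    if pkt.src in ROUTER_STATIC_NAT:
        return Packet(pkt.proto, ROUTER_STATIC_NAT[pkt.src], pkt.dst, pkt.dport)
    # Router: 'ip nat inside source list 1 pool IP-POOL overload' PATs sources matched by list 1.
    if any(pkt.src in net for net in ROUTER_NAT_ACL):
        return Packet(pkt.proto, ROUTER_PAT_ADDR, pkt.dst, pkt.dport)
    return None


def inbound(pkt):
    """Internet -> public address. The router reverses the static NAT, then the ASA applies
    OUTSIDE-IN. Returns the packet as delivered to the DMZ, or None if it is dropped."""
    public_to_real = {pub: real for real, pub in ROUTER_STATIC_NAT.items()}
    real = public_to_real.get(pkt.dst)
    if real is None:
        return None   # no static mapping (e.g. the PAT address 50.50.50.4): nowhere to deliver
    translated = Packet(pkt.proto, pkt.src, real, pkt.dport)
    # ASA: 'static (DMZ,outside) 10.10.10.1 10.10.10.1' keeps the address; OUTSIDE-IN filters.
    return translated if asa_acl_permits(translated) else None


if __name__ == "__main__":
    # 203.0.113.10 is a constructed (documentation range) Internet host.
    print(outbound(packet("tcp", "192.168.1.50", "203.0.113.10", 443)))
    print(inbound(packet("tcp", "203.0.113.10", "50.50.50.3", 80)))
    print(inbound(packet("tcp", "203.0.113.10", "50.50.50.3", 22)))
```

The model makes the design point of the article visible: only TCP/80 to the web server is ever handed past the ASA, and nothing addressed to the PAT address 50.50.50.4 has a static mapping to land on, so the internal LAN is unreachable from the Internet even though it is not translated on the ASA.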
I see the configuration here, but wonder why you would not put the ASA between the border router and the ISP? The only scenario I can envision the router in front of the firewall is where you are running BGP because of multiple links to the Internet.
Can you elaborate on this?
Thanks!
Hello Chris, thanks for stopping by and for commenting.
Your point is valid as long as the physical connection to the ISP is Ethernet (the ASA supports ONLY Ethernet network interfaces). Having a router in front gives you the flexibility to have various types of WAN network interfaces such as T1/E1, Frame Relay, ATM etc. There are still several countries in the world that have not yet adopted Ethernet for WAN connectivity, so they still use the legacy WAN technologies. That is why I suggested having a border router in front of the ASA. Another advantage of having a front-end router is the flexibility you get in terms of link redundancy and routing protocols supported. You could have, for example, a T1 as a main line and a Frame Relay as a backup line to the ISP.
Anyhow, it all depends on the specific network needs, budget etc. If the ISP provides full Ethernet connectivity you could go with just an ASA firewall without even using a router. There is nothing wrong with this approach either.
If I want to put a video conference system in the inside private network, is there any extra configuration needed other than static NAT from inside to outside?
Can you say something about bidirectional NAT?
By default, Cisco ASA inspects H323 H225 to allow multimedia traffic. You should configure an access-list which will allow all required ports to pass from outside to inside. Then, apply this ACL on the outside interface. Depending on the video conferencing brand and model, the ports that need to be opened are different.
Hi,
Nice work. Is there a possibility to ‘enhance’ the Cisco ASA with router functionality with an additional card? So that the ASA does both firewalling and routing?
Hello Peter,
The limitation of the ASA compared with a router is that the ASA ONLY supports Ethernet network interfaces (with either UTP cables or fiber optic cables), so if your WAN connection towards the ISP is a different Layer 2 technology (e.g. ATM, Frame Relay, T1, E1 etc.) then you can not use a firewall in place of the router.
However if the connection towards the ISP is Ethernet, then yes you can go ahead and get rid of the border router and have only the ASA in place.
The border router also adds an extra layer of security. And with multiple WAN links, load balancing, and using BGP, I find a border router/s work best.
I don’t like having unauthorized users stress testing my ASA outside interface. They need to get through the edge router first.
What do you recommend the best way to ssh into the router from inside the of the network? Currently, I have multiple public address subnets on one border router and I’m using subinterfaces on the “inside” interface of the border router.
Hello Chris,
I agree with you regarding the border router in front of the firewall. It is your first line of defense. For SSH into the router, just pick one inside subinterface and use that one for CLI management. Since your communication using SSH is encrypted you don’t have any problems SSHing to any inside IP address of the router. Just make sure to use an access-class on the vty lines of the router to allow only the internal management station.
I have a similar configuration at a client, everything works fine except SVC connections to the ASA. I’ve opened UDP ports 500 and 4500 as well as ESP to no avail. The ASA log shows the WebVPN connection happening and the authentication of the user, but the logon screen reports that the session failed – any ideas?
Hello there,
Try to configure a static NAT on the router for the outside IP address of the ASA (10.0.0.2) to be mapped to a public IP and then configure an access list on the router to permit the required ports towards the mapped public IP. For WebVPN you just need port 443 to be opened and nothing else. WebVPN does not use ESP (it uses SSL).
Hello,
Thank you for this wonderful resource. I am building a SMB network using this as my guide. One question – I don’t quite understand the purpose of the following lines on the Cisco Router:
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
So far I see you have used up:
50.50.50.1 as Company Router’s IP Address
50.50.50.2 as ISP Router’s IP
50.50.50.3 as Web Server Public IP
50.50.50.4 ??
Hello there,
Regarding your question about 50.50.50.4, this is the NAT overload address for the internal network 192.168.1.0/24. According to my scenario (see the “Implementation” section in my post above), we want outbound communication for the internal network using NAT overload on the Cisco router. NAT overload is also called PAT (Port Address Translation). That is, a single IP address (50.50.50.4) is used to translate all internal addresses in network 192.168.1.0. Again, what I describe above is just a scenario. You can modify it according to your own needs. You can also use the outside IP address of the Cisco router (50.50.50.1) as the NAT overload address. Using NAT overload is a common practice if you just need outbound communication for your internal users (e.g. browsing the Internet, sending emails etc.).
Regards
Harris
Is it possible to configure if I get only one Static IP from my isp using pat and redirection for Webserver and email server.
James,
Yes, sure. If you only have, let's say, IP 50.50.50.1 (on the outside of the router), you can configure port forwarding on the router using the IOS command: ip nat inside source static tcp [local ip] [port] [global ip] [port]
Example:
ip nat inside source static tcp 10.10.10.1 80 50.50.50.1 80
What does a static NAT to itself accomplish?
A static NAT to itself is actually a no-NAT statement (i.e. the address will not be translated), BUT by doing that you also enable bi-directional access for the hosts that you do static NAT for. That is, access from a lower security level to a higher security level is now allowed (if the proper access control list is in place).
Hi,
Thank you for helping us out. I wanted some help on my new ASA 5510. I’m very much familiar with routers, but this is the first time I’ve got myself an ASA to play with.
I need to setup a network where I have a Cisco 800 series DSL router on a static IP. That would be my border router and my ASA would sit in between the router and the clients.
I’ve set things up and I’m able to ping the local LAN IPs through the terminal, but as soon as I connect a network cable to my laptop, I’m no longer able to ping the local LAN even from the terminal. I can ping the IP of Google, so the Internet is up as well.
Would you be able to help out with a basic configuration?
Thanks and waiting.
Aj.
I guess that the problem is that the IP address of your laptop conflicts with the IP address of the internal interface of the ASA. That's my assumption from the little information you are giving. Maybe a configuration snapshot of the ASA would make things clearer.
Hi and thank you for your reply. I’m new to this so don’t go about the newbie thing. Here's the config, it’s all cluttered but….
The router the ASA is connected to is a Cisco 800 series DSL router. And it’s configured on one of the real static IPs assigned by the ISP. The VLAN IP on the router is 192.9.201.100.
Once I connect the network cable from eth0/1 on the ASA to my laptop, I’m no longer able to ping any LAN IPs from the terminal, but I’m able to ping any other IP of, say, Google or any other site.
On the laptop I’m able to ping 192.9.201.1 which is configured on the ASA, but no other IP on the LAN nor of Google or any other.
Sorry for the trouble, but I’m still very new to ASAs.
Scenario is exactly as it’s shown in the image above, but instead of assigning a LAN IP to the ASA, I’m using a real static IP on the outside interface.
Thanks in advance for the help.
Aj.
DC-HQ-ASA(config)# sh run
: Saved
:
ASA Version 7.0(8)
!
hostname DC-HQ-ASA
enable password F.vbdOfAHUE/IXAw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.6 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.9.201.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns name-server xxx.xxx.xxx.7
dns name-server xxx.xxx.xxx.8
access-list inside_lan extended permit ip 192.9.201.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 xxx.xxx.xxx.5 netmask 255.255.255.248
nat (inside) 1 access-list inside_lan outside
route outside 0.0.0.0 0.0.0.0 217.145.245.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.9.201.112 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:b9e730f98fdc9bbcd7c6eac33d5016ef
: end
Hello Aj,
One mistake that I found in your configuration is that you don’t have an access-group applied on the inside interface. You must configure this as follows:
access-group inside_lan in interface inside
Also, you say that the Cisco 800 router VLAN IP is 192.9.201.100, and your internal network range (connected on the ASA inside interface) is also in the same subnet 192.9.201.0/24. If this is the case, then it is wrong. You can not have the same network range on the inside of the ASA and on the router VLAN. You must change the network subnet between “ASA outside and Router inside” to be a different subnet than 192.9.201.x.
Hi and thanks again for the help.
Well, if I cannot have the same IP range on my router and the ASA, then the best way to go would be the config that you have mentioned above.
Your config above would be perfect for me, I’ll give it a go and let you know how it goes.
One more thing, you mentioned that the IPs should be different. If I change the inside IP on the ASA to, say, 10.0.0.0/24, would that work? Leaving the outside interface connected to my real static IP subnet?
Thanks again.
Aj.
Aj,
Yes, you can change the inside IP on the ASA to be in the range 10.0.0.0/24 and leave the outside address in the real IP subnet. However, you must have the proper NAT translations on the outside router to translate the private addresses into public addresses.
Hi,
Can I just assign a real IP on the router and on the ASA outside interface and assign 192.9.201.0/24 on the ASA inside? That should work, right? Of course with the right NAT and ACL?
Aj.
Hi,
I’m going around in loops over here, I really have no idea what’s going on. I’m trying everything but nothing seems to be working. I’m looking into topics over at Cisco, here and other places and I find so many variations of the config.
Today I tried a different setup, to no avail.
I’ve got a 3G connection, I tried configuring the ASA to it, but nothing. Here’s what I did.
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.60.111 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.9.201.222 255.255.255.0
access-list inside_lan extended permit ip 192.9.201.0 255.255.255.0 any
access-group inside_lan in interface inside
icmp permit any outside
icmp permit any inside
global (outside) 1 192.168.60.1 netmask 255.255.255.0
nat (inside) 1 access-list inside_lan outside
route outside 0.0.0.0 0.0.0.0 192.168.60.1 1
The 3G modem has a dynamically assigned WAN IP, and the inside Ethernet IP on the modem is 192.168.60.1.
Once configured, I’m able to ping the IP of the laptop which is configured (192.9.201.112) from the ASA and I’m able to ping the inside IP of the ASA from the laptop.
I’m able to ping IPs of Google or any other and I’m also able to ping IPs of any other devices connected to the 3G modem, via the ASA through the terminal, but from the laptop I’m unable to ping anything.
Any ideas?
Aj.
Aj,
It depends on what you want to achieve. You have multiple options, but you did not explain what exactly you want to achieve here. Just outbound communication from inside to outside? Do you also need access from outside to inside?
Anyway, you can assign the public range 192.9.201.0/24 on the ASA inside and, since this is already a publicly routable address range, you can omit the NAT translation on both the ASA and the router. On the ASA you can have:
static (inside,outside) 192.9.201.0 192.9.201.0 netmask 255.255.255.0
Then on the outside router omit the “ip nat” commands because the public range will be routed as is without translation. You of course need to have the proper routing on the outside router for the inside public range:
ip route 192.9.201.0 255.255.255.0 10.0.0.2
Between the router and the outside ASA interface you can leave the private addresses (10.0.0.1, 10.0.0.2) as in the diagram above.
Thanks and sorry if I have not been clear.
What I really want to achieve is Internet access and to be able to access any other PC on the network connected via the ASA. And later configure VPN for some of the sites.
I’ll try what you’ve mentioned above and let you know. What is strange is that when I can ping IPs via the terminal connected to the ASA, why not via a PC connected via network cable?
Aj.
How do you implement “ip nat pool IP-POOL” when your outside address is DHCP? Normally I just do “ip nat inside source list 1 interface GigabitEthernet0/0 overload” and add an ACL for my inside networks. But now that I’ve added an ASA into the mix this doesn’t seem to work?
Aaron,
If the router is getting its outside IP dynamically (via DHCP), then obviously you don’t know the exact IP so you must do the NAT overload on the interface (exactly as you describe above). This scenario will work fine with the ASA in the mix, I don’t see any problems. Have you tried it and are you having issues?
No, it's fine now. The problem wasn’t actually that statement, it was me cloning the ASA MAC address to the g0/0 on the router. But now that I’m up and running I’m trying to tweak and get the most out of this hardware.
Hi there,
I am a bit confused. Well, you explained why you are using a router at your edge instead of a firewall, which I totally agree with. But in our company the situation is like this: Computers/servers/etc. -> Switch -> Router -> (our internal/edge) Firewall 1 -> (ISP/Customer/etc.) Firewall 2. And for about 1 month I have been struggling to be able to ping and NAT in this situation, but I cannot. To be more specific:
I must be able to ping the second firewall via one of my computers with the IP address 192.168.3.4, which I cannot!!!
How does it affect the security if I want to put the router at the edge point? Our routers are 6509s!!
Give me some suggestions please. This ASA is skinning me alive!
Thank you
Look, there is never a totally right and totally wrong scenario. It all depends on what you want to achieve and what the business needs are. Usually the 6509 switch/router is suited for internal data center applications and not for edge router. What I suggest is to configure “no nat-control” on the internal Firewall1 so that you do not have to perform any NAT on this firewall. It will essentially work like a routing device. Then you need to configure “nat-control” on the external Firewall2 which will be translating the internal private addresses to public addresses.
Hi,
Very good tutorial. I was looking for a similar configuration, but I want to do the opposite. I mean, I want the router to forward all incoming traffic to 50.50.50.0/27 to the ASA firewall and to do the access-list and NAT on the firewall, having the router in “transparent mode” just forwarding traffic without NAT.
Is this possible?
Which configuration must be done on the router? Just routing?
Thanks.
Hi Oscar,
If, let's say, you are assigned a whole public IP range 50.50.50.0/27, then you can assign this subnet to the network which is between the router and the ASA firewall. Let's say you assign address 50.50.50.1 to the inside interface of the router and 50.50.50.2 to the outside interface of the ASA. Also, the outside interface of the router (between router and ISP) must be a different public IP address. Then the router DOES NOT need to do any translation, ONLY routing.
Hello
I have the same architecture as yours.
But my head-end router has the private IP 10.101.101.5
and the ISP's head-end router has the IP address 10.101.101.254.
After doing exactly the configuration as presented,
I can't get communications out of the LAN.
Is the ISP's private address the cause?
Thanks already for this wonderful document.
If the subnet of your router’s outside address is class C (255.255.255.0), then you should not have any problem.
Hi,
Overall the setup is good, but I think this much complication (a router in front of the Internet) is not required to achieve the goal as expected.
Nowadays media converters are available in the market to convert any kind of interface to Ethernet (like E1 to Ethernet, T1 to Ethernet, Serial to Ethernet, etc.).
You can reduce one hop by using these kinds of media converters and it’s much easier in terms of troubleshooting the accessibility.
Static one-to-one NAT is enough on the ASA side to achieve the requirement. Please explore some other options and comment if I am wrong.
Some types of converters:
http://www.oriontelecom.com/converters/ethernet-e1.html
http://www.rad.com/10/T1-Serial-and-Ethernet-Interface-Converter/3214/#
Hello,
This is a great comment. I agree with you if you only need to have single Internet access connectivity. However, if you start thinking about load balancing between ISPs and some other fancy stuff, then a router is more flexible than the ASA.
I like this design and have gotten it to work with this example. I have one question though that I’m having trouble with. I want to set up remote access VPN on the border router. I would like to do the NATing and VPN termination on the router and just use the ASA for firewall. How do I get that IPsec traffic to go through the ASA to the internal subnets?
Mike,
What you describe is doable with no problems. You will need to assign a specific IP address range to the remote VPN clients (you configure an IP pool on the terminating VPN router which will be used for assigning addresses to the remote clients). Then you will need to allow this address range via the ASA (the outside access list on the ASA must allow this address range to access internal resources). Note that the encrypted IPsec traffic will terminate on the outside interface of the router. This means that the traffic reaching the ASA will be unencrypted.
I have added the VPN subnet access into the ASA from the outside interface coming in. In fact I opened it wide open for testing. I have a permit ip any any statement at the end of the ACL, but it is not working. The VPN connects, but it is not encrypting the traffic or allowing the encrypted traffic through to the local subnets.
Sorry, it is encrypting the traffic it just is not decrypting it.
The problem is probably on the access list you have on the router which is responsible for selecting the “vpn interesting traffic”. In this access list you should include all the internal subnets which are behind the ASA. The problem is on the router vpn configuration, not on the ASA.
So, I think I got it to work. At least for the first connection. I can see the packets encrypt and decrypt, I can access other machines on other internal subnets, but after I disconnect from the VPN and re-establish a new VPN on the same machine, I get a new conn-id with a new IP address (172.25.1.2 instead of 172.25.1.1), but I am not able to ping any machines on the internal subnets anymore. From the client it shows the packets being encrypted, but not decrypted. It only happens after I disconnect from that very first connection after I rebuild the VPN server. To make it work again I have to completely remove the VPN server and rebuild it.
Any insight? It’s gotta be something simple.
Hi Aaron,
I have exactly the same issue. Recently we switched from g0/0 (serial) to a Fast Ethernet ISP connection. Exactly after that I got the same issue you had. Please help me with the solution regarding your comment below:
cloning the ASA mac address to the g0/0 on the router
Mike,
Very strange problem. Can you post a part of your configuration so I can take a look? I really can not help you without seeing a configuration.
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 16000 informational
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2663147481
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2663147481
revocation-check none
rsakeypair TP-self-signed-2663147481
!
!
crypto pki certificate chain TP-self-signed-2663147481
certificate self-signed 01
voice-card 0
!
!
!
!
!
!
license udi pid CISCO2921/K9 sn FTX1437AHJL
hw-module pvdm 0/0
!
!
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh source-interface Loopback0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group TEST
key testtest
dns 4.2.2.2
pool SDM_POOL_1
acl 102
crypto isakmp profile ciscocp-ike-profile-1
match identity group TEST
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 300
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
description \\ Main Loopback Address //
ip address 10.1.1.254 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ntp disable
!
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description \\ Ext Interface //$ETH-WAN$$FW_OUTSIDE$
ip address 66..xxx.xxx.xxx 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
no ip route-cache cef
duplex auto
speed auto
no cdp enable
no mop enabled
!
!
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1.100
description $FW_INSIDE$
encapsulation dot1Q 100 native
ip address 192.168.100.1 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache
!
interface GigabitEthernet0/2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_1 172.25.1.1 172.25.1.254
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 66.xxx.xxx.1
ip route 10.4.4.0 255.255.255.0 192.168.100.2
ip route 10.255.0.0 255.255.255.252 192.168.100.2
ip route 172.20.0.0 255.255.0.0 192.168.100.2
ip route 192.168.10.0 255.255.255.0 192.168.100.2
!
access-list 1 remark *** Permit only Inside Subnets ***
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 1 permit 10.4.4.0 0.0.0.255
access-list 99 remark *** Remote Network Access ***
access-list 100 remark *** Control inbound traffic from Internet ***
access-list 100 remark CCP_ACL Category=17
access-list 100 permit udp any host 66.xxx.xxx.xxx eq non500-isakmp
access-list 100 permit udp any host 66.xxx.xxx.xxx eq isakmp
access-list 100 permit esp any host 66.xxx.xxx.xxx
access-list 100 permit ahp any host 66.xxx.xxx.xxx
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 172.16.0.0 0.15.255.255 any
access-list 100 deny ip 169.254.0.0 0.0.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip host 0.0.0.0 any
access-list 100 deny icmp any any redirect
access-list 100 deny icmp any any echo
access-list 100 deny icmp any any mask-request
access-list 100 permit ip any any
access-list 101 remark *** Controls outbound traffic to Internet ***
access-list 101 remark CCP_ACL Category=17
access-list 101 permit udp any host 192.168.100.1 eq non500-isakmp
access-list 101 permit udp any host 192.168.100.1 eq isakmp
access-list 101 permit esp any host 192.168.100.1
access-list 101 permit ahp any host 192.168.100.1
access-list 101 permit ip 192.168.100.0 0.0.0.3 any
access-list 101 permit ip 172.20.0.0 0.0.255.255 any
access-list 101 permit ip 10.4.4.0 0.0.0.255 any
access-list 101 permit ip 10.255.0.0 0.0.0.3 any
access-list 101 permit ip 172.25.1.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 172.20.0.0 0.0.255.255 any
!
no cdp run
!
!
!
!
!
control-plane
!
Hi BlogAdmin,
Can you help me?
Mike,
I identified a couple of issues. On the router you must exclude from NAT the traffic going between the internal subnets and the VPN client pool.
ip nat inside source list 111 interface GigabitEthernet0/0 overload
access-list 111 remark *** NAT Traffic ***
access-list 111 deny ip 172.20.0.0 0.0.255.255 172.25.1.0 0.0.0.255
access-list 111 deny ip 10.4.4.0 0.0.0.255 172.25.1.0 0.0.0.255
access-list 111 permit ip 172.20.0.0 0.0.255.255 any
access-list 111 permit ip 10.4.4.0 0.0.0.255 any
Also, you might need to put “ip nat inside” in the loopback interface as well (not sure about that though).
Another thing: put a “permit ip any any” on ACL 100 while doing testing, because that ACL might be blocking some of your traffic (remove that permit statement after you finish troubleshooting, of course).
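To show why the NAT access-list change above matters, here is an added Python example (not code from the blog post or from the commenters' routers) that models IOS first-match, wildcard-mask evaluation of the list named in `ip nat inside source list`, and compares the original ACL 1 with ACL 111 on constructed flows; the hosts 172.20.5.10, 172.25.1.7, 10.4.4.20 and the Internet address 198.51.100.20 are made up for the example.

```python
"""Added example: models how IOS evaluates the access-list referenced by
'ip nat inside source list <n> interface ... overload'.  First matching
entry wins; 'permit' means the router translates (PATs) the flow, 'deny'
or no match (implicit deny) means the flow leaves untranslated.  The ACL
text is the two lists discussed in the thread; the flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

AddrSpec = Tuple[str, str]                      # (network-or-host, wildcard)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")  # every bit is don't-care


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str
    src_wild: str    # IOS wildcard: bits set to 1 are ignored in the compare
    dst: str
    dst_wild: str


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def _take_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one address spec at tokens[i]: 'any', 'host X' or 'NET WILD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acl(config: str, number: str) -> List[AclEntry]:
    """Collect the entries of numbered access-list <number>, skipping remarks.
    Handles standard lists (source only) and extended 'ip' lists (src + dst)."""
    entries: List[AclEntry] = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", number]:
            continue
        if t[2] not in ("permit", "deny"):
            continue                       # 'remark' lines and anything else
        if t[3] == "ip":                   # extended: protocol, src, dst
            src, i = _take_addr(t, 4)
            dst, _ = _take_addr(t, i)
        else:                              # standard: source only
            src, _ = _take_addr(t, 3)
            dst = ANY
        entries.append(AclEntry(t[2], src[0], src[1], dst[0], dst[1]))
    return entries


def nat_decision(acl: List[AclEntry], src: str, dst: str) -> str:
    """Return 'translate' or 'no-nat' for one src->dst flow (first match wins)."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and \
           wildcard_match(dst, e.dst, e.dst_wild):
            return "translate" if e.action == "permit" else "no-nat"
    return "no-nat"                        # implicit deny at the end


# The original NAT list (ACL 1) and the corrected one (ACL 111) from the thread.
ROUTER_CONFIG = """
access-list 1 remark *** Permit only Inside Subnets ***
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 1 permit 10.4.4.0 0.0.0.255
access-list 111 remark *** NAT Traffic ***
access-list 111 deny ip 172.20.0.0 0.0.255.255 172.25.1.0 0.0.0.255
access-list 111 deny ip 10.4.4.0 0.0.0.255 172.25.1.0 0.0.0.255
access-list 111 permit ip 172.20.0.0 0.0.255.255 any
access-list 111 permit ip 10.4.4.0 0.0.0.255 any
"""
ACL_1 = parse_acl(ROUTER_CONFIG, "1")
ACL_111 = parse_acl(ROUTER_CONFIG, "111")

# Constructed flows (hosts are made up; 198.51.100.20 is a documentation address).
FLOWS: Dict[str, Tuple[str, str]] = {
    "lan->vpn-client": ("172.20.5.10", "172.25.1.7"),         # reply to a VPN client
    "lan->internet": ("172.20.5.10", "198.51.100.20"),
    "transit->internet": ("192.168.100.2", "198.51.100.20"),  # not an inside subnet
}


def compare() -> Dict[str, Tuple[str, str]]:
    """For each flow, the decision under ACL 1 and under ACL 111."""
    return {name: (nat_decision(ACL_1, s, d), nat_decision(ACL_111, s, d))
            for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    # With ACL 1 the LAN's replies to VPN clients are PATed to the outside
    # interface and never reach the tunnel; ACL 111 leaves them untranslated.
    for name, (old, new) in compare().items():
        print(f"{name:>18}: acl 1 -> {old:<9} acl 111 -> {new}")
```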
Abhi,
Help you with what?
Hi Admin,
I am facing an issue with ASA.
Our network infrastructure is as follows:
1. Cisco 2800 router -> FastEthernet0/1 (213.42.224.178/30) -> connected to ISP
FastEthernet0/0 (213.42.235.33/28) -> connected to ASA
2. ASA Version 8.0 -> interface Ethernet0/0 (213.42.235.34/28) -> connected to Router
-> interface Ethernet0/1 (192.168.1.18 255.255.255.0) -> connected to Local LAN
We recently changed from serial to Fast Ethernet for a leased line upgrade on the router. Before this change was done on the router, everything was working perfectly. After the migration we are unable to browse the internet from the LAN. We are able to ping google.com from the ASA terminal. I connected one laptop directly to router port FastEthernet0/0 and I am able to browse the internet, which confirmed it’s not a problem with the router.
From ASDM I am able to ping any public domains. We have not changed any settings in the ASA after the migration was done on the router side.
Please help me to get this issue resolved.
Blogadmin,
Thanks, I’ve done that and still no joy. Like I said, it works for the very first user who establishes a vpn, but any subsequent connection fails to communicate with the internal subnets.
The “ip nat inside” on the loopback did not work either.
Abhi,
It seems to me that the problem is related to ASA NAT. Since you can browse Internet from the subnet between ASA and Router, it means that routing towards internet is working fine. If the ASA was doing proper NAT translation of the private subnet (192.168.1.0/24) to the outside public IP then it should work.
Please send me config of ASA to take a look.
Mike,
What I would do is to isolate the problem. Try to do a VPN for accessing only the subnet between ASA and router.
No joy Blogadmin, I can’t get to the subnet between the router and ASA (192.168.100.0/30). Like I said, it works only for the very first client who connects after the VPN server is built. After that first client disconnects, no other clients who connect can access anything.
Hi Admin,
Below is my ASA configuration
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
enable password SZl.qUrMhOHKx encrypted
passwd SZl.qUrMhOHKx encrypted
names
name 213.xx.xxx.36 citrix1 description citrix server 1
name 213.xx.xxx.37 citrix2 description citrix 2nd
name 192.168.1.12 citrix2_lanip description lanip2
name 192.168.1.11 citrix_lan_ip description citrix lan ip
name 213.xx.xxx.38 ssdserver description SSD Ulysses Server
name 192.168.1.14 ssdserver_lanip description SSD Qms Server
name 213.xx.xxx.39 xenapp1_wanip description XenApp Server-1 WAN
name 192.168.1.32 xenapp1_lanip description XenApp Server-1 LAN
name 192.168.1.33 xenapp2_lanip description XenApp Server LAN
name 213.xx.xxx.40 xenapp2_wanip description XenApp Server WAN
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 213.xx.xxx.34 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.18 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 99
no ip address
management-only
!
ftp mode passive
clock timezone GST 4
access-list outside_access_in remark web access
access-list outside_access_in extended permit tcp any host citrix1 eq www
access-list outside_access_in remark citrix ica
access-list outside_access_in extended permit tcp any host citrix1 eq citrix-ica
access-list outside_access_in remark we access
access-list outside_access_in extended permit tcp any host citrix2 eq www
access-list outside_access_in remark citrix access
access-list outside_access_in extended permit tcp any host citrix2 eq citrix-ica
access-list outside_access_in remark ping
access-list outside_access_in extended permit icmp any 192.168.1.0 255.255.255.0
access-list outside_access_in remark PDA Gateway
access-list outside_access_in extended permit tcp any host ssdserver eq www
access-list outside_access_in remark Web access
access-list outside_access_in extended permit tcp any host xenapp1_wanip eq www
access-list outside_access_in remark web access
access-list outside_access_in extended permit tcp any host xenapp2_wanip eq www
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.224
access-list success_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list sales_manager_splitTunnelAcl standard permit any
access-list sales_manager2_splitTunnelAcl standard permit any
access-list xyz_ajman_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ippoolipsec 192.168.1.236-192.168.1.246 mask 255.255.255.0
ip local pool ipool2 192.168.1.247-192.168.1.249 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xenapp1_wanip-213.xx.xxx.46 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) citrix1 citrix_lan_ip netmask 255.255.255.255
static (inside,outside) citrix2 citrix2_lanip netmask 255.255.255.255
static (inside,outside) ssdserver ssdserver_lanip netmask 255.255.255.255
static (inside,outside) xenapp1_wanip xenapp1_lanip netmask 255.255.255.255
static (inside,outside) xenapp2_wanip xenapp2_lanip netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.xx.xxx.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 213.xx.xxx.34 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet 213.xx.xxx.34 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy xyz_ajman internal
group-policy xyz_ajman attributes
dns-server value 213.xx.xx.20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value xyz_ajman_splitTunnelAcl
group-policy xyzgrouppolicy internal
group-policy xyzgrouppolicy attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
username test password 274Y4GRAbNElaCoV encrypted privilege 0
username test attributes
vpn-group-policy xyzgrouppolicy
username deir password OR8GoXReK1v12Mv2 encrypted privilege 0
username deir attributes
vpn-group-policy xyz_ajman
service-type remote-access
username gup password UrGmZJT9TvPa2v2T encrypted privilege 0
username gup attributes
vpn-group-policy xyz_ajman
service-type remote-access
username khal password QoizGV6JcKfiL9Z8 encrypted privilege 0
username khal attributes
vpn-group-policy xyz_ajman
username abd password ZC7GwYYKFFkTwS1R encrypted privilege 0
username abd attributes
vpn-group-policy xyz_ajman
service-type remote-access
username rav password tehyrO8jnVlyN3kT encrypted privilege 0
username rav attributes
vpn-group-policy xyz_ajman
username abr password AMDqAIVHRN3qFa5j encrypted privilege 0
username abr attributes
vpn-group-policy xyz_ajman
username xyzssl password 8mNRV0/YzVBVmSVn encrypted
username xyzssl attributes
vpn-group-policy xyzgrouppolicy
service-type remote-access
username user1 password TTNKHqfM6YyTcEzA encrypted privilege 15
username user1 attributes
vpn-group-policy xyz_ajman
username reham password KFEdDYpxHdKFGcV/ encrypted privilege 0
username reham attributes
vpn-group-policy xyz_ajman
service-type remote-access
username elissa password b3O8bZLlxdzn3/X6 encrypted privilege 0
username elissa attributes
vpn-group-policy xyz_ajman
service-type remote-access
username ahmed password 8kVoQ/7XzoNywxkI encrypted privilege 0
username ahmed attributes
vpn-group-policy xyz_ajman
service-type remote-access
username hadi password wP90.CKYALtEA5Yb encrypted privilege 0
username hadi attributes
vpn-group-policy xyz_ajman
service-type remote-access
username neev password aZkvwbNl1/v1Ny7F encrypted privilege 0
username neev attributes
vpn-group-policy xyz_ajman
service-type remote-access
username zahir password gvT50mVpA4ZB/g3d encrypted privilege 0
username zahir attributes
vpn-group-policy xyz_ajman
service-type remote-access
username rysil password d8SLIW06yG6IqZNP encrypted privilege 0
username rysil attributes
vpn-group-policy xyz_ajman
service-type remote-access
username roy3i password sqftrCgAkwmit7mx encrypted privilege 0
username roy3i attributes
vpn-group-policy xyz_ajman
service-type remote-access
username anoop password FjjbALxryh0I1h/H encrypted privilege 0
username anoop attributes
vpn-group-policy xyz_ajman
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool ippoolipsec
address-pool ipool2
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group xyz_ajman type remote-access
tunnel-group xyz_ajman general-attributes
address-pool ippoolipsec
default-group-policy xyz_ajman
tunnel-group xyz_ajman ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:38764d9d1a56d83f2aa3581198d2157f
: end
Abhi,
You don’t have a dynamic NAT rule for the internal network. You need to configure it as below:
nat (inside) 1 192.168.1.0 255.255.255.0
Mike,
Obviously the problem is in the VPN configuration on the router. Unfortunately I have not configured IPsec remote access VPN on IOS version 15.0. If I were you I would remove ALL VPN configuration on the router and redo it from scratch.
Thanks Blogadmin,
I opened up a TAC case and Cisco said there was a workaround in 15.0 for the VPN. I had to use the crypto map and apply it to the outside interface of the router to get it to work.
Now I’m having problems with the ASA side. I know the VPN works because I configured an inside port on the router and it works perfectly. Can you help me out with the ASA side now? Is there anything different on the ASA that you have to do now that I’m using a crypto map?
Mike,
I assume that the Internal LAN network (behind the ASA) is passing untranslated to the outside of the ASA using the command below:
ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
If that is the case, then on your router VPN configuration you need to include this internal network in the VPN interesting traffic access-list. Then, on the outside access list of the ASA firewall you need to allow the network pool range which is assigned for the vpn clients.
Hi Admin,
Please advise regarding the ASA & Internet Router configuration if
my LAN has multiple VLANs, and Interface VLAN 1 is SHUT DOWN for security reasons.
What should I configure in my ASA as well as the Router and Layer 3 Core Switch which is connected to my ASA Inside Interface?
Sujit,
I assume that you have multiple internal subnets (let’s say 192.168.1.0/24, 192.168.2.0/24 etc.) which are routed by the Layer 3 core switch to the ASA internal interface. Then you will have to do multiple static NAT entries on the ASA:
ciscoasa(config)# static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
ciscoasa(config)# static (inside , outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
Also, the router must allow all internal subnets in the NAT rule:
ip nat pool IP-POOL 50.50.50.4 50.50.50.4 netmask 255.255.255.255
ip nat inside source list 1 pool IP-POOL overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
And also put the correct routing on the outside router:
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 192.168.2.0 255.255.255.0 10.0.0.2
Dear Admin,
Thanks for your reply. Yes, you are right, I have different VLANs routed in the L3 switch. The brief details about the scenario and requirements are as follows.
I’m new to ASA configuration; please help me out with my requirement for Campus LAN internet access from different VLANs (the default VLAN 1 is down in all Cisco switches for security reasons; the VLANs start from VLAN 2 and so on, and there are about 40 VLANs).
The brief scenario is as follows:
1. In Core Switch 1 (VTP Server) all 40 VLANs are created; Core Switch 2 is in standby (VTP mode Client).
2. The ASA outside interface is connected to the Internet Router’s Fa0/1. I don’t know what IP I should give to the Router and ASA interfaces.
3. Internet Router Fa0/0 (111.93.160.38/30) is connected to the ISP’s 3 MB Internet link; the gateway next hop is 111.93.160.37/30.
4. The ISP has given me 6 more public IPs for my web servers in the DMZ LAN. Out of the 6 I need at least 4 IPs for those servers; a maximum of 2 I can use for any other purpose, like the ASA and Router interfaces or a NAT pool if required. The segment is 111.93.161.16/29.
5. The ISP provided me the public DNS as 121.242.190.210 & 181.
6. Core1 is connected to the firewall with a /30; the core switch side is 20.20.20.2/30 and the ASA inside interface is 20.20.20.1/30.
7. The DMZ switch is an L2 Cisco 2960 switch with no IP address; the ASA outside interface is 192.20.20.1/24.
8. All the DMZ server IPs are in the 192.20.20.0/24 segment.
9. All VLANs are routed through inter-VLAN routing in the L3 switch (IP routing); no dynamic routing is used.
10. The inside (172.16.34.0, 172.16.100.0, 172.20.40.0) LAN and DMZ (192.20.20.0) are configured and working fine with the required NAT, access rules, routing etc.
11. The current ASA configuration is also attached for your ready reference.
12. The core switch VLAN segments are as below:
Interface VLAN 1 is DOWN
172.18.18.0/24, 172.16.10.0/24 – 45.0/24, 172.20.20.0/24, 176.20.30.0/24, 176.20.20.0/24, 176.20.40.0/24, 172.16.100.0/24
My requirements: please help me with your kind expert advice to configure the following scenario.
1st, which is required immediately:
# I need to configure my ASA, Router and L3 switch in such a way that the Internet can be accessed from end user PCs, meaning that from an end user PC only the public DNS can be resolved, without any proxy.
2nd, which is required later:
# I will install a proxy server and a local DNS within the next 30 days, so that users have to use the internet through the proxy and URL filtering will be activated; at the same time DNS requests will come to the local DNS and then get resolved by the public DNS.
3rd, which is also required ASAP:
# The DMZ servers should also be able to reach the Internet, and Internet users should be able to get into the DMZ servers.
The ASA config
: Saved
:
ASA Version 8.0(4)
!
hostname TMCASA
domain-name tmckolkata.com
enable password 1ArkT8tWWgbN73yv encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
description Interface Connecting Core_1_Inside LAN
nameif inside
security-level 100
ip address 20.20.20.1 255.255.255.252
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Interface Connecting DMZ Segment Server
nameif dmz
security-level 80
ip address 192.20.20.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name tmckolkata.com
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp eq domain
service-object tcp eq 50636
service-object tcp eq imap4
service-object tcp eq ldap
service-object tcp eq pop3
service-object tcp eq smtp
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3268
port-object eq ldap
port-object eq 88
access-list dmz-acl extended permit ip 192.20.20.0 255.255.255.0 172.16.34.0 255.255.255.0
access-list dmz-acl extended permit icmp any any
access-list dmz-acl extended permit object-group DM_INLINE_SERVICE_1 192.20.20.0 255.255.255.0 176.20.40.0 255.255.255.0
access-list dmz-acl extended permit tcp 192.20.20.0 255.255.255.0 172.16.100.0 255.255.255.0 object-group DM_INLINE_TCP_1
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
static (inside,dmz) 176.20.40.0 176.20.40.0 netmask 255.255.255.0
static (inside,dmz) 172.16.34.0 172.16.34.0 netmask 255.255.255.0
static (inside,dmz) 172.16.100.0 172.16.100.0 netmask 255.255.255.0
access-group dmz-acl in interface dmz
route inside 172.16.34.0 255.255.255.0 20.20.20.2 1
route inside 172.16.100.0 255.255.255.0 20.20.20.2 1
route inside 176.20.40.0 255.255.255.0 20.20.20.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.30.28.10 source inside prefer
username ASAadmin password WxD.X5KCKtDOvv1s encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2f9c89a686b8f059d25320cde06d3aa
: end
I have followed the setup above, but I cannot seem to ping the private IP of the ASA from the router. Can anyone please help?
Many Thanks
You cannot ping the inside IP of the ASA from the outside.
Can you advise how I would go about updating the IOS on the router in this type of setup?
Thanks
Hello Mr. BlogAdmin! I have a question regarding the border router and ASA. Right now I am using the ASA outside interface connected directly to a DSL modem with a static IP. I only have VPNs terminating on this ASA outside interface; internet is not needed for the inside of the ASA, so no split tunnel is necessary. I see your border router and like this idea. I would like to have the DSL connect to an 831 router and make its inside interface connect to the ASA outside. Can I have the 831 NAT or PAT the VPN traffic to the ASA outside, maybe like port forwarding? I have never tried this yet, but I like your border idea. Also, if I add another DSL and 831 router, can I do the same port forwarding of VPN traffic from 831 #2 to the same ASA outside? The reason for these thoughts is that I like your idea of a border router for less abuse of the ASA, and I would like load balancing and redundancy for the VPN. Sorry for my poor English. Thank you.
Hello Mr. BlogAdmin! Maybe I was not clear. I will make text diagrams.
What I have now: DSL -> ASA Outside ASA Inside
What I want to make: DSL -> 831 Outside 831 Inside -> ASA Outside ASA Inside
For redundancy I would like to do:
DSL #1 -> 831 #1 Outside 831 #1 Inside -> Switch -> ASA Outside ASA Inside
DSL #2 -> 831 #2 Outside 831 #2 Inside -> Switch -> ASA Outside ASA Inside
I would like to use the switch to connect the ASA outside interface to the 831 #1 and 831 #2 inside interfaces. Does this logic make sense? Thank you.
Hello Mr. BlogAdmin! The text diagrams did not come out properly. They should be like this:
DSL -> 831 Outside (NAT or PAT) 831 Inside -> ASA Outside (VPN) ASA Inside
The same for the redundancy idea. Thank you.
Henrico,
You can do the above scenario with no problem. You will have to do a full static NAT on the 831 router so that all traffic coming to the outside interface of the 831 is forwarded to the outside interface of the ASA. If the outside interface of the 831 has IP address 50.50.50.1 and the outside interface of the ASA has IP 10.0.0.2, then you can do the following (on the router):
ip nat inside source static 10.0.0.2 50.50.50.1
With the above you can terminate the VPN on the ASA.
For the redundancy, it is better if you configure HSRP on the inside interfaces of the 831 routers. The ASA will have as default gateway the HSRP virtual address.
Phillip,
I do not understand your question. What does the router IOS update have to do with the network scenario above?
If I have configured the router the same way as in the above scenario, I would like to know how to perform the router upgrade, because as I said earlier I cannot reach the inside network (TFTP server) from the router.
Hello Sir,
Can I configure all incoming traffic to our 7204 router instead of the ASA firewall? This is the sample config that I am going to configure in the router.
#static (DMZ, outside) 102.1.1.1 10.0.0.1 netmask 255.255.255.255
#static (DMZ, outside) 102.1.1.2 10.0.0.2 netmask 255.255.255.255
#access-list OUTSIDE-IN extended permit tcp any host 102.1.1.1 eq 80
#access-list OUTSIDE-IN extended permit tcp any host 102.1.1.2 eq 25
#access-group OUTSIDE-IN in interface outside
#access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ
I want to know if the configuration above can be applied in the router. The DMZ of course is connected to the ASA firewall.
Or should I configure the said configuration on the ASA firewall and apply static or dynamic routing on the router for all the private IP addresses to access the internet?
And I got confused with the static mapping to itself, the same as in your configurations. The inside and the outside interface have the same network range. I just want to know how it works. In your diagram you have a different network on the inside and the outside. Please clear this matter up.
Thank you.
Phillip,
Since the internal network 192.168.1.0 has a static NAT translation as identity NAT (i.e. the network appears on the outside of the ASA without change), you can install a TFTP server on this network and access it from the router. Assume the TFTP server is 192.168.1.10. You will just have to allow this on the OUTSIDE-IN access list of the ASA:
ciscoasa(config)# access-list OUTSIDE-IN extended permit udp host 10.0.0.1 host 192.168.1.10 eq 69
Simon,
It’s not very clear what you want to achieve.
Regarding the static mapping to itself, this is also called “identity static nat”. Basically you do not translate the inside network, but you create static nat mapping to the outside of the ASA so that you can access this internal network (192.168.1.0) from the outside of the ASA. You protect this network by the proper access list entries that you configure on the OUTSIDE-IN acl.
Hello Sir,
I have a router between the ISP and the ASA. I was asking if the configuration below is configurable in the router, because this configuration is for the ASA. I want to know if this is applicable to the router also.
#static (DMZ, outside) 102.1.1.1 10.0.0.1 netmask 255.255.255.255
#static (DMZ, outside) 102.1.1.2 10.0.0.2 netmask 255.255.255.255
#access-list OUTSIDE-IN extended permit tcp any host 102.1.1.1 eq 80
#access-list OUTSIDE-IN extended permit tcp any host 102.1.1.2 eq 25
#access-group OUTSIDE-IN in interface outside
#access-list DMZ-IN extended deny ip any any log
access-group DMZ-IN in interface DMZ
Thanks for clarifying the static NAT to itself for me.
Simon,
The exact commands as you have put them above are NOT applicable to routers. Cisco router IOS configuration is different from ASA configuration. However, you can configure similar functionality on an IOS router, just like the static NAT of the ASA.
Hello Mr. BlogAdmin! Maybe I did not explain it right. After reading the HSRP information from Cisco I see I asked you the wrong thing. I am not looking for redundancy; I need load balancing. If I have the FTP server inside the VPN and the clients outside uploading to the FTP, I need the bandwidth for the downloading at the ASA. I want to make 2 DSLs with 2 831s like a funnel to 1 ASA for VPN. I can assign VPN addresses: DSL1 to client1, DSL2 to client2, DSL1 to client3, DSL2 to client4, and so on. I just need the VPN traffic from the 2 831 routers going to 1 ASA for the VPNs. But if I also need an HTTP server (10.10.10.3) outside of the VPN but inside 831#1 and 831#2, can I do it with some modification of the instructions you gave me?
831#1
ip nat inside source static 10.0.0.2 50.50.50.1
ip nat inside source static tcp 10.0.0.3 80 50.50.50.1 80
831#2
ip nat inside source static 10.0.0.2 60.60.60.1
ip nat inside source static tcp 10.0.0.3 80 60.60.60.1 80
Maybe I made it more confusing! Thank you.
Henrico,
Yes, you confused me even more!!! Anyhow, load balancing on the Cisco ASA does not work, especially when you have a VPN. You will need to install a dedicated load balancer (like the F5 load balancer or the Cisco ACE) in order to load balance traffic.
Blog Admin,
We are going to use BGP in our routing; that is, we are going to use dynamic routing. Should I configure NAT or PAT on the router? If I am going to configure both BGP and PAT on the router, will there be no conflict in the configurations?
GBU
For what reason are you going to use BGP on the router? For ISP load balancing or for advertising internal subnets? If it’s for advertising internal networks, then there is no point in using NAT/PAT, because with network translation you are basically hiding the internal networks and you don’t want to advertise them to the outside world.
I have an ASA 5505 that connects directly to my ISP. My links look like they are up, but when I connect my Cisco switch to the ASA and plug my PC in to connect, it doesn’t seem to like the IP. I assigned a static IP to the ASA and the switch. Ran ASDM successfully and it looks good.
I will be installing a brand new SBS 2008 server (which wants to be the DHCP server) and a LAN. My config is below and any information is appreciated, since this must be done ASAP.
Thanks
Jim
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasaZON
domain-name ZONWIB
enable password 8C9myjbXYNhN4I0J encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.242.53.121 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name ZONWIB
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 72.242.53.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e6cc35fbd6054b86c04b31af1827886b
: end
Jim,
You will need to disable the DHCP server on the ASA:
“no dhcpd address 192.168.1.5-192.168.1.254 inside”
Also, another issue I see in your config is the default route:
route outside 0.0.0.0 0.0.0.0 72.242.53.121 1
You should change the default route gateway address to point to your ISP and not to your ASA interface.
The correct command is:
route outside 0.0.0.0 0.0.0.0 [ISP gateway IP]
Dear BlogAdmin,
Thank you for your technical insights.
I am trying to configure an ASA 5505 behind Cisco 1700 and/or 800 Series router(s) for simple internet browsing and email.
I have two questions on the sample config you gave above in your scenario example (with diagram):
1) static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 – what does it achieve? Can't this be achieved by “same-security-traffic permit intra-interface”?
2)route outside 0.0.0.0 0.0.0.0 10.0.0.1 – My reading is that 10.0.0.1 is the inside interface of your gateway router; but in your most recent reply to Jim, you are proposing “route outside 0.0.0.0 0.0.0.0 [ISP gateway IP]“; please, clarify.
Rgds
Izoj
1) The command static (inside , outside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 basically disables NAT for the inside network, so that traffic from 192.168.1.0 going to the outside of the ASA will not be translated. The NAT translation is offered by the router. The command “same-security-traffic permit intra-interface” basically allows traffic to enter and exit the same interface (something which is not normally allowed).
2) Jim stated that his ASA connects directly to the ISP (without an extra router as in my scenario), so that's why I'm saying [ISP gateway IP].
Dear BlogAdmin,
Thank you for the clarification.
I have managed to get my internal users to browse the internet through:
CLOUD -> Cisco 800 RTR -> ASA 5505 -> LAN.
key lines in my configs:
ASA 5505:
access-list outside_access_in extended permit tcp host ISP_GW host 192.168.1.2 eq pop3
access-list outside_access_in extended permit tcp host ISP_GW 192.168.1.0 255.255.255.0 eq www
access-list outside_access_in extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply
———————————————————————–
static (inside,outside) tcp ISP_GW smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.0 domain 192.168.1.0 www netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
=======================================================================
Cisco RTR:
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.2 25 interface FastEthernet0 25
ip nat inside source static tcp 192.168.1.2 110 interface FastEthernet0 110
=====================================================================
Internal users can browse and send emails (through the local SMTP server), but cannot receive any reply. It's like the POP3 server is not getting incoming messages through the ASA 5505. What am I missing?
Regds
Izoj
Dear BlogAdmin,
Currently I have a PIX connected to the ISP without a router and this works perfectly. For load balancing/PBR I want to put a border router in between, like your scenario. I have multiple VPN tunnels configured to the PIX. Is it correct that they have to be terminated on the border router, as the endpoint of the VPN tunnel has to be a public IP address and the PIX will have a private IP address, or is there a way around this?
Regards,
Perry
Perry,
It depends on whether you only have one public IP address from the ISP. If this is the case, then it's better to terminate all VPN tunnels on the router. If you can get more public IP addresses, you can assign one to the outside ASA interface and terminate everything on the ASA.
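For the first case in the reply above (a single public IP, so the tunnels terminate on the border router in front of the firewall), the following is an added example of the router side; it is not Perry's configuration or the blog's own. Assumptions: the router's public address is 50.50.50.1/29 on Serial0 with the ISP at 50.50.50.2, the firewall's outside interface is 10.0.0.2 behind FastEthernet0, the local LAN 192.168.1.0/24 is passed through the firewall untranslated, the remote site is 192.168.20.0/24 behind peer 203.0.113.10, and the pre-shared key is a placeholder.

```cisco
! Border router terminating the site-to-site tunnel (added example, addresses assumed)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <shared-secret> address 203.0.113.10
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Traffic that must be encrypted: local LAN <-> remote LAN
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES256-SHA
 match address VPN_TRAFFIC
!
interface Serial0
 description Internet link, single public IP
 ip address 50.50.50.1 255.255.255.248
 ip nat outside
 crypto map VPN_MAP
!
interface FastEthernet0
 description private link to the firewall outside interface (10.0.0.2)
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
! IOS translates inside-to-outside traffic BEFORE the crypto map is evaluated.
! The VPN traffic therefore has to be excluded from PAT, otherwise it leaves as
! 50.50.50.1, never matches VPN_TRAFFIC and is sent to the Internet in clear text.
ip access-list extended NAT_TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT_TRAFFIC interface Serial0 overload
!
ip route 0.0.0.0 0.0.0.0 50.50.50.2
! The LAN sits behind the firewall, so decrypted traffic for it is routed via the
! firewall's outside address
ip route 192.168.1.0 255.255.255.0 10.0.0.2
```

Two checks worth running after applying it: `show crypto ipsec sa` on the router should count encrypted packets for the 192.168.1.0/24 to 192.168.20.0/24 flow, and `show ip nat translations` should show no entries for that destination. The firewall in between still needs an inbound rule on its outside interface permitting 192.168.20.0/24 to the LAN (and an identity static for the LAN) for connections that the remote site initiates.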
Dear BlogAdmin,
I have a CISCO ASA5505 behind a Netgear MBR1210 Modem/Router. Since I couldn't put the Netgear in bridge mode, I am trying to set up VPN by enabling port forwarding on the Netgear. I forwarded UDP port 500 on the Netgear to the ASA's outside interface.
The issue I have here is that I was able to VPN in to the ASA from a remote client but couldn't access the inside network of the ASA (LAN). But when I VPN from the ASA's outside network (between the Netgear and the ASA), it works fine. Could you please help me with this.
Following is my setup.
Internet———Netgear Modem/Router ————CISCOASA——-LAN
IP:
Netgear WAN —-Public Static from ISP
Netgear LAN —-192.168.0.1
ASA Outside—-192.168.0.2
ASA Inside —-192.168.3.1
LAN network: 192.168.3.0/24
Below is config:
: Saved
:
ASA Version 8.0(2)
!
hostname CISCOASA
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
access-list split_Tunn extended permit ip 192.168.3.0 255.255.255.0 any
access-list ping extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnremotepool 10.10.10.50-10.10.10.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
access-group ping in interface outside
access-group ping out interface outside
access-group ping in interface inside
access-group ping out interface inside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map dynomap 10 set transform-set myset
crypto map IPSec_map 65535 ipsec-isakmp dynamic dynomap
crypto map IPSec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy RecoKen internal
group-policy RecoKen attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_Tunn
username tester password 4wnTeFxxdAfxRa94 encrypted
username tester attributes
vpn-group-policy RecoKen
tunnel-group remKenn type remote-access
tunnel-group remKenn general-attributes
address-pool vpnremotepool
default-group-policy RecoKen
tunnel-group remKenn ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:4cf427e6faa9c3e6163afebb00019a9e
: end
UDP port 500 is NOT enough for establishing a VPN tunnel. You also need the IP protocols AH and ESP. Forwarding only UDP 500 from the Netgear will not work. You must have a way to do a FULL IP NAT (one-to-one static NAT) from the Netgear towards the outside interface of the ASA, otherwise it will not work.
@BlogAdmin
I want to set up a network for a small hotel and I have made some recommendations as to the equipment needed to ensure maximum security. The network is somewhat similar to what you have up there. My problem is now the security aspect of the implementation. I had no knowledge of PIX/ASA configuration until 3 days ago, by playing around with GNS3 ASA. Although I have been reading a book on firewalls, I understand some parts but not all. My question is this: in securing this network from the outside, what are the specific things I need to target? What essential configuration is necessary on the firewall, and where do I need to place the firewall to ensure maximum security? I know I can use the urlfilter command to restrict websites, but what about Yahoo IM and MSN IM?
Does this configuration allow for VPN connectivity for Remote Access VPN, since the outside address is private? Does this not matter, since all outbound traffic is being NATed to the public address on the router?
NM, I didn’t read the full blog.
Charles,
The configuration above, as it is shown now, does not allow for VPN termination on the ASA outside interface. If you want to do this you must create a static one-to-one NAT from an outside public IP towards the outside private IP of the ASA.
Dear Cisco Lord,
I have read through all of these posts, and let me just thank you so much!! You are a saint, not only helping people on your own time, but doing so in an actually HELPFUL manner unlike some of those who get paid to do so!
I am in a situation where I have to temporarily get off of an MPLS ISP so we can drop them (terrible company). I have an Internet DS1 here, connected to a serial interface (CSU/DSU) on a 1700. The 1700 then connects to the outside interface on an ASA. What I really need to do is establish a site-to-site IPSEC VPN between the ASA here and the ASA at the home office. I tried to modify some of the above examples to fit the scenario, but it is not working. I have a /29 subnet to work with, and right now only 2 of the IPs are in use (the ISP router to us, and then our serial interface). I then have the router's ethernet interface connected to the ASA on a private network (Router: 10.204.0.254 – ASA: 10.204.0.253). I am running into double NATing issues, and I am just not entirely sure what to do. I tried static NAT and that did work, but then the NAT on the ASA and the NAT on the router were conflicting. The simplest solution would be to bridge or otherwise have the router simply send everything it receives to the ASA… we don't have any special needs other than Internet access and the VPN tunnel. I can also use one of the free IP addresses to static NAT that traffic to the ASA, but I am not sure how the rest of the translation needs to be performed on either end. Would forwarding just the ports required for IPSEC/IKE/etc. to the ASA and handling internet routing via the router be easiest? My other option is to set up an IOS to ASA VPN between here and the home office (which has two ASA 5510s) but I have never done that before… I have configuration examples, but I was worried that other issues might arise… probably just paranoid, but again I just don't have the experience to make that call in confidence.
I guess given the choice, I would like to have the router basically just act as a media converter for the serial interface to the ethernet interface and do everything I need to do on the ASA itself and just take the router out of the mix as it is over complicating things (at least for my sleep deprived brain haha).
Thank you so much, I owe you a beer just for the reading material already on this page.
Rich,
Thanks for your nice words.
My suggestion is the following:
Use one of the free public IP addresses that you have (under the /29 subnet) and do a static NAT on the router, thus mapping this public IP to the ASA's private outside IP address. (Assume the public IP is 50.50.50.3.)
e.g. (Router Config) ip nat inside source static 10.204.0.253 50.50.50.3
The outbound communication from the internal hosts (for accessing the Internet) will be carried out by doing NAT overload (i.e. Port Address Translation) on the ASA's outside address. This traffic will then go out via the static NAT that you have on the router.
The remote IP Sec peer will use the public IP that you have mapped before in order to terminate the vpn tunnel.
Is the above clear?
Let me know for more info.
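The reply above to Rich, and the earlier one to Charles (a one-to-one NAT from a public IP to the ASA's private outside IP so that VPNs can terminate on the ASA), describe the same design; the following is an added example of both sides of it, written here and not taken from Rich's or the blog's configuration. Assumptions: the router's serial interface is 50.50.50.1/29 with the ISP at 50.50.50.2 and 50.50.50.3 is the spare public IP, the ASA runs 8.2-style NAT syntax, its inside LAN is 192.168.10.0/24, the home office LAN is 192.168.20.0/24 behind peer 203.0.113.10, and the pre-shared key is a placeholder.

```cisco
! ===== Cisco 1700 border router (added example, addresses assumed) =====
interface Serial0
 description Internet DS1, public /29
 ip address 50.50.50.1 255.255.255.248
 ip nat outside
!
interface FastEthernet0
 description private link to the ASA outside interface
 ip address 10.204.0.254 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 50.50.50.2
!
! One-to-one static NAT, all IP protocols: ESP (IP proto 50), UDP/500 and UDP/4500
! arriving for 50.50.50.3 reach the ASA, and everything the ASA or the hosts behind
! it send leaves as 50.50.50.3. No "overload" rule is needed on the router for this LAN.
ip nat inside source static 10.204.0.253 50.50.50.3

! ===== ASA behind the router (8.2 syntax, added example) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.204.0.253 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.204.0.254 1
!
! Internet access: PAT to the ASA's own outside address; the router then rewrites
! 10.204.0.253 to 50.50.50.3, so the double NAT is deterministic rather than conflicting.
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
!
! Site-to-site traffic must bypass PAT, otherwise the home office sees 10.204.0.253
! instead of 192.168.10.0/24 and the crypto ACL never matches.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
access-list L2L_ACL extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! The ASA's IKE peer sees it behind NAT; keep NAT-T on so ESP can move to UDP/4500 if needed
crypto isakmp nat-traversal 20
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <shared-secret>
```

The home-office ASA is configured the mirror way, with its `tunnel-group` and `set peer` pointing at 50.50.50.3 (the translated address), not at 10.204.0.253. If the tunnel does not come up, `debug crypto isakmp` on the home-office side will show which address the proposal arrived from; seeing 50.50.50.1 there means a PAT rule on the router is matching the ASA's traffic ahead of the static entry.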
You, my good man, are a gentleman and a scholar.
I was on the right track with my original configuration, but there was an earlier static entry that I removed last night… along with some fairly important settings (ip nat inside on the FA interface, etc) which I forgot to replace.
The kicker was the PAT on the ASA and translating to that external port… that did the trick, tunnel is up, Internet is accessible, you are the man.
I really want to repay you somehow, your response time is amazing and your skill set is excellent, not to mention your ability to communicate the material.
Thank you so very much.
Mr. Blogadmin, I have no hair left, and I am bleeding from my ears, from the beating of my head against the wall. I will have nightmares about wr er reload!!! Anyway, to the problem at hand, I want to do a setup just like your picture, but I have 4 VLANs being routed by a 2600 router, going into a stack of 2950s, connected to two virtual stacks with 3500 series L3 switches. I would be happy to post configs if you would be willing to look at them.