Comments on: Cisco Router with Cisco ASA for Internet Access http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/ Technology in the 21st Century Mon, 06 Feb 2012 17:21:56 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Fernando http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14350 Fernando Fri, 26 Aug 2011 05:20:19 +0000 http://www.tech21century.com/?p=240#comment-14350 @BlogAdmin, thanks. I did try that but still no luck. Any more ideas? I can authenticate from FTP client but I do not get the list of folders... @BlogAdmin,
thanks. I did try that but still no luck. Any more ideas? I can authenticate from FTP client but I do not get the list of folders…

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14302 BlogAdmin Tue, 23 Aug 2011 10:50:35 +0000 http://www.tech21century.com/?p=240#comment-14302 Hi Fernando, Have you enabled FTP inspection on the ASA. Do the following: <strong>ASA(config)#policy-map global_policy ASA(config-pmap)#class inspection_default ASA(config-pmap-c)#inspect FTP</strong> If the above does not work, then try the following command: <strong>ASA(config)#ftp mode passive</strong> Hi Fernando,

Have you enabled FTP inspection on the ASA.

Do the following:

ASA(config)#policy-map global_policy
ASA(config-pmap)#class inspection_default
ASA(config-pmap-c)#inspect FTP

If the above does not work, then try the following command:

ASA(config)#ftp mode passive

]]> By: Fernando http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14297 Fernando Tue, 23 Aug 2011 06:43:43 +0000 http://www.tech21century.com/?p=240#comment-14297 @BlogAdmin, Hi, i used this article as a guide and got my network up and running properly. I have now discoverd a problem with FTP. I have an FTP server in my inside network in passive mode. On the ASA i have static NAT translations- port 21 and 20 to my internal server- also have port 20 and 21 open on the outside interface. Problem is when I connect from a FTP client from outside I can connect to the server just fine- I get asked for authentication but then the connection breaks. For what I;ve been reading it's because the server in passive mode uses random ports to transmit the data, and those ports are obviously not allowed on my ASA. The asa should be able to inspect the data and let it through.. any ideas of how to do this? I've been looking everywhere and can't get it tow work. A bit of help would be greatly appreciated. Kind regards Fernando @BlogAdmin,

Hi, i used this article as a guide and got my network up and running properly. I have now discoverd a problem with FTP. I have an FTP server in my inside network in passive mode. On the ASA i have static NAT translations- port 21 and 20 to my internal server- also have port 20 and 21 open on the outside interface. Problem is when I connect from a FTP client from outside I can connect to the server just fine- I get asked for authentication but then the connection breaks. For what I;ve been reading it’s because the server in passive mode uses random ports to transmit the data, and those ports are obviously not allowed on my ASA. The asa should be able to inspect the data and let it through.. any ideas of how to do this? I’ve been looking everywhere and can’t get it tow work. A bit of help would be greatly appreciated.
Kind regards

Fernando

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14045 BlogAdmin Mon, 01 Aug 2011 06:46:07 +0000 http://www.tech21century.com/?p=240#comment-14045 Jack, As I have already said on my previous comment, it would be better and easier to disable NAT on the ASA. This will make the ASA work like a router but still inspecting traffic and applying firewall rules to traffic. Connect the outside interface of ASA to the inside of router, and the inside interface of ASA to vlan1 of the 4006 switch. You will need to introduce a new layer3 subnet to accommodate let say the subnet between outside ASA and inside of router. The inside of ASA and vlan1 can stay as 172.16.1.0/24. On the ASA, router and 4006 you will need to add the required static and default routes. Jack,

As I have already said on my previous comment, it would be better and easier to disable NAT on the ASA. This will make the ASA work like a router but still inspecting traffic and applying firewall rules to traffic. Connect the outside interface of ASA to the inside of router, and the inside interface of ASA to vlan1 of the 4006 switch. You will need to introduce a new layer3 subnet to accommodate let say the subnet between outside ASA and inside of router. The inside of ASA and vlan1 can stay as 172.16.1.0/24. On the ASA, router and 4006 you will need to add the required static and default routes.

]]> By: Jack http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14037 Jack Sat, 30 Jul 2011 14:16:28 +0000 http://www.tech21century.com/?p=240#comment-14037 I purchased the book and it is very informative. My understanding of the ASA is better but I still have a question for the particular setup I want to do. I have a 2651XM with ADSL wic and a /29 from my ISP. The router is configured for nat and the dialer is is configured for the public pool. The router inside interface is connected to a Catalyst 4006 with a supervisor 4 WS-X4515. I have numerous vlans configured on the 4006 in the range of 172.16.0.x - 172.16.31.x. The loaded the latest 8.4 software on the ASA. The router inside interface is 172.16.1.1 /24 and I have the following routes ip route 0.0.0.0 0.0.0.0 Dialer1 permanent and ip route 172.16.0.0 255.255.224.0 172.16.1.2 The 4006 vlan1 ip is 172.16.1.2 /24 and I have the following routes ip default-gateway 172.15.1.1 ip route 0.0.0.0 0.0.0.0 172.16.1.1. What would be the best way to insert the ASA between the router and the layer 3 switch? I purchased the book and it is very informative. My understanding of the ASA is better but I still have a question for the particular setup I want to do. I have a 2651XM with ADSL wic and a /29 from my ISP. The router is configured for nat and the dialer is is configured for the public pool. The router inside interface is connected to a Catalyst 4006 with a supervisor 4 WS-X4515. I have numerous vlans configured on the 4006 in the range of 172.16.0.x – 172.16.31.x. The loaded the latest 8.4 software on the ASA. The router inside interface is 172.16.1.1 /24 and I have the following routes ip route 0.0.0.0 0.0.0.0 Dialer1 permanent and ip route 172.16.0.0 255.255.224.0 172.16.1.2 The 4006 vlan1 ip is 172.16.1.2 /24 and I have the following routes ip default-gateway 172.15.1.1 ip route 0.0.0.0 0.0.0.0 172.16.1.1. What would be the best way to insert the ASA between the router and the layer 3 switch?

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14019 BlogAdmin Wed, 27 Jul 2011 05:20:13 +0000 http://www.tech21century.com/?p=240#comment-14019 Jack, You will disable NAT completely on the ASA (so there will not be any static NAT to itself like my example above). Think about it as if you are placing a normal router in front of the switch. Jack,

You will disable NAT completely on the ASA (so there will not be any static NAT to itself like my example above). Think about it as if you are placing a normal router in front of the switch.

]]> By: Jack http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-14016 Jack Tue, 26 Jul 2011 15:01:15 +0000 http://www.tech21century.com/?p=240#comment-14016 So I guess one of the places I am confused is with the static nat to itself. The inside interface of the ASA is pointing to the native vlan 1 of a 4006 with sup 4. There are several vlans on the 4006 all in the range of 172.16.0.x to 172.16.31.x so wouldn't I change this static nat to 172.16.0.0 172.16.0.0 netmask 255.255.224.0 or do I need to create a static nat for each of the class C vlans? So I guess one of the places I am confused is with the static nat to itself. The inside interface of the ASA is pointing to the native vlan 1 of a 4006 with sup 4. There are several vlans on the 4006 all in the range of 172.16.0.x to 172.16.31.x so wouldn’t I change this static nat to 172.16.0.0 172.16.0.0 netmask 255.255.224.0 or do I need to create a static nat for each of the class C vlans?

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-13998 BlogAdmin Mon, 25 Jul 2011 05:12:23 +0000 http://www.tech21century.com/?p=240#comment-13998 Crash5050, Didn't understand exactly what you want to achieve. Be more specific please Crash5050,

Didn’t understand exactly what you want to achieve. Be more specific please

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-13997 BlogAdmin Mon, 25 Jul 2011 05:10:43 +0000 http://www.tech21century.com/?p=240#comment-13997 Fernando, I suggest to disable NAT on the ASA ("no nat-control") and do all the NAT on the router. This will be the simplest scenario. You can have a static NAT on the router mapping one static public IP to the internal server 192.168.1.100. Then have the ASA control the traffic to the internal server with access list applied on its outside interface. You must put the proper static route also on the router for the internal servers which are behind the ASA. Fernando,

I suggest to disable NAT on the ASA (“no nat-control”) and do all the NAT on the router. This will be the simplest scenario. You can have a static NAT on the router mapping one static public IP to the internal server 192.168.1.100. Then have the ASA control the traffic to the internal server with access list applied on its outside interface. You must put the proper static route also on the router for the internal servers which are behind the ASA.

]]> By: BlogAdmin http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/comment-page-1/#comment-13996 BlogAdmin Mon, 25 Jul 2011 05:04:25 +0000 http://www.tech21century.com/?p=240#comment-13996 Jack, I think it would be easier for your scenario if you disable NAT completely on ASA (using "no nat-control") and you have the ASA working as a router. Ofcouerse it will continue inspecting traffic and doing its firewall job, but it will not do any NAT. Since all the nat is done on your border router, you don't need another NAT device. You will have to control traffic on the ASA just by using Access Lists. Jack,

I think it would be easier for your scenario if you disable NAT completely on ASA (using “no nat-control”) and you have the ASA working as a router. Ofcouerse it will continue inspecting traffic and doing its firewall job, but it will not do any NAT. Since all the nat is done on your border router, you don’t need another NAT device. You will have to control traffic on the ASA just by using Access Lists.

]]>