Configuring Cisco ASA 5505 as Internet Gateway


Configuring Cisco ASA 5505 as your home or small business internet gateway is not that hard. You only need to configure:

Inside and Outside VLAN

In this example, I configured VLAN 1 for my LAN and VLAN 100 for my internet connection. The name of VLAN 1 is inside and the name for VLAN 100 is outside.

sw1> enable

sw1# configure terminal

sw1# interface vlan 1

sw1# nameif inside

sw1# security-level 100

sw1# ip address 10.10.10.1 255.255.255.0

sw1# interface vlan 100

sw1# nameif outside

sw1# security-level 0

sw1# ip address dhcp setroute

Assigning VLAN to Interfaces

After creating VLANs, you can continue by assigning the created VLANs to desired interfaces. In this example, I configured my internet connection (VLAN 100) on port ethernet 0 and other ports are assigned for my LAN (VLAN 1).

sw1# interface ethernet 0/0

sw1# switchport access vlan 100

sw1# interface ethernet 0/1

sw1# switchport access vlan 1

You can repeat configuration on ethernet 0/1 to other interfaces to assign VLAN 1.

DHCP

After assigning ethernet 0/1 to ethernet 0/7 as your LAN ports, then you need to enable DHCP to assign IP for each port.

sw1# dhcpd address 10.10.10.100-10.10.10.130 inside
sw1# dhcpd enable inside

NAT

ASA 5505 on OS version 8.3 has different syntax in configuring NAT, if compared to OS version 8.2 and previous. I will show you how to configure NAT on version 8.2 and 8.3.

OS version 8.2

sw1# global (outside) 1 interface
sw1# nat (inside) 1 192.168.241.0 255.255.255.0
sw1# access-group acl_outside in interface outside

OS version 8.3

sw1# object network TEST
sw1# subnet 10.10.10.0 255.255.255.0
sw1# object network obj_any
sw1# subnet 10.10.10.0 255.255.255.0

sw1# object network TEST
sw1# nat (inside,outside) dynamic interface
sw1# object network obj_any
sw1# nat (inside,outside) dynamic interface
sw1# access-group acl_outside in interface outside

DNS Address

All devices which connected to ASA 5505 will need a DNS server to resolve the address. In this case you can assign Google DNS server or your internet provider’s DNS server.

sw1# dhcpd dns 8.8.8.8 206.248.154.22
sw1# dhcpd lease 691200
sw1# dhcpd ping_timeout 750
sw1# dhcpd auto_config outside

    Permit for ICMP
    Create a permit for ICMP to allow ICMP traffic.

    sw1# object-group icmp-type DefaultICMP
    sw1# description Default ICMP Types permitted
    sw1# icmp-object echo-reply
    sw1# icmp-object unreachable
    sw1# icmp-object time-exceeded

    Here is an example of complete configuration:

    voltron# sh run
    : Saved
    :
    ASA Version 8.3(1)
    !
    hostname voltron
    domain-name poltak.ca
    enable password DU.xxxxxxxxxxxxxxxxxxxxxxx encrypted
    passwd DU.xxxxxxxxxxxxxxxxxxxxxxxxx encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    !
    interface Vlan100
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/0
    switchport access vlan 100
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone CST -5
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name poltak.ca
    object network TEST
    subnet 10.10.10.0 255.255.255.0
    object network obj_any
    subnet 10.10.10.0 255.255.255.0
    object-group icmp-type DefaultICMP
    description Default ICMP Types permitted
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    access-list acl_outside extended permit icmp any any object-group DefaultICMP
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    !
    object network TEST
    nat (inside,outside) dynamic interface
    object network obj_any
    nat (inside,outside) dynamic interface
    access-group acl_outside in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8 206.248.154.22
    dhcpd lease 691200
    dhcpd ping_timeout 750
    dhcpd domain poltak.ca
    dhcpd auto_config outside
    !
    dhcpd address 10.10.10.100-10.10.10.130 inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username jeff password xxxxxxxxxxxxxxxxxxxxxxx encrypted
    !
    !
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email callhome@cisco.com
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:7efc798528df4c0c80048a7d8e968941
    : end

About these ads

About Poltak Jefferson
I'm just an ordinary person who wants to be an extraordinary.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: