[SOLVED] HELP Firewall Expert, Setting up a Cisco ASA 5505 at home I can reach internet from ASA but not from computer inside LAN

sniper7777777

Sep 22, 2014

Could someone help me?
I have set the outside interface for DHCP and I can acquire my public IP address. I can ping outside, but inside devices can't ping anything or reach outside. Also, I'm a bit confused because originally I set one interface as outside and one as inside, but if I connect multiple devices to the ASA and you can only have one interface as inside, how do you connect multiple devices inside the LAN on multiple ports? Also, I would be fine if I could get this working, but to further complicate things I also have an ASUS router that I would like to hook up after the ASA, and it just starts getting complicated at this point. If someone could shed light on how I can do this, that would be great.
I plan on working on this all weekend if necessary, so if someone could get this thread active I would appreciate it.
I am following this guide below:

Create 2 SVIs, one for inside and one for outside

GFirewall(config)# int vlan 77
GFirewall(config-if)# ip address 192.168.1.254 255.255.255.0
GFirewall(config-if)# nameif inside
GFirewall(config-if)# no shut

GFirewall(config-if)# interface ethernet 0/7
GFirewall(config-if)# switchport access vlan 77
GFirewall(config-if)# no shut

^ repeat this step for outside interface with new VLAN

Pick an interface (should be higher numbered interface for inside connection)
Ethernet 0/7

Set the route as the peered IP address (not usable)
GFirewall(config)# route outside 0.0.0.0 0.0.0.0 24.15.12.6

ACL ACEs
access-list P2PACL line 60 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list P2PACL line (ACE) 60 extended permit ip (Source) 192.168.1.0 255.255.255.0 (destination) 10.0.0.0 255.0.0.0

add additional ACEs for the public IP addresses
access-list P2PACL line 70 extended permit ip 25.25.25.25 255.255.255.252 64.64.64.64 255.255.255.252

Set IKE V1 phase 1

Create a policy
GFirewall(config)# crypto ikev1 policy 1
GFirewall(config-ikev1-policy)# authentication pre-share
GFirewall(config-ikev1-policy)# encryption aes-256
GFirewall(config-ikev1-policy)# group 2
GFirewall(config-ikev1-policy)# hash sha
GFirewall(config-ikev1-policy)# lifetime 86400 (*set lower to be more secure however uses more resources)

Enable IKE V1 on outside interface
GFirewall(config)# crypto ikev1 enable outside

Set IKE V1 Phase 2
GFirewall(config)# tunnel-group 1.1.1.1 type ipsec-l2l (* Use peer IP address (other ASA outside interface IP address) as tunnel group ID)
GFirewall(config)# tunnel-group 1.1.1.1 ipsec-attributes
GFirewall(config-tunnel-ipsec)# ikev1 pre-shared-key MGTech$upport (make sure there is no space at the end of the pre shared key)

Set the transform set
GFirewall(config)# crypto ipsec ikev1 transform-set GFIREWALLT1 esp-aes-256 esp-sha-hmac

GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set peer 1.1.1.1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set ikev1 transform-set GFIREWALLT1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 match address P2PACL (* Create ACL with multiple ACEs of subnets to Allow *Make sure you include nonat in front of extended ACL)
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set security-association lifetime seconds 86400
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP interface outside
 
Been a very long time since I played with ASA stuff. Not sure what you are doing; that config is some kind of sample for a point-to-point VPN, but it is not really complete.

It depends on why you are using this device. If you are chasing Cisco certs then maybe it has a use, but that is a very old device and only has 100 Mbps ports. Many consumer routers can outperform that device. I guess it depends on what it is being used for. It also depends on which software license you have, since they make you purchase many features extra.
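An added example, not part of the thread or of the guide it quotes: a Python check over the VPN lines of the pasted config. It confirms that every ACL, peer tunnel-group and transform set named by the crypto map is defined and that the map is applied to an interface, and it flags the legacy IKEv1 parameters the guide selects (DH group 2, SHA-1). The function name `lint` and the finding strings are made up for this example.

```python
import re

# Lines taken from the guide in the first post (CLI prompts kept, notes shortened).
SAMPLE = """\
access-list P2PACL line 60 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
GFirewall(config)# crypto ikev1 policy 1
GFirewall(config-ikev1-policy)# group 2
GFirewall(config-ikev1-policy)# hash sha
GFirewall(config)# tunnel-group 1.1.1.1 type ipsec-l2l (* Use peer IP address as tunnel group ID)
GFirewall(config)# crypto ipsec ikev1 transform-set GFIREWALLT1 esp-aes-256 esp-sha-hmac
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set peer 1.1.1.1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set ikev1 transform-set GFIREWALLT1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 match address P2PACL
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP interface outside
"""
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "GFirewall(config-if)# "
DEFS = [("acl", r"access-list (\S+) "),           # objects a crypto map can name
        ("peer", r"tunnel-group (\S+) type ipsec-l2l"),
        ("tset", r"crypto ipsec ikev1 transform-set (\S+) ")]
REFS = [("acl", r"crypto map (\S+) (\d+) match address (\S+)"),
        ("peer", r"crypto map (\S+) (\d+) set peer (\S+)"),
        ("tset", r"crypto map (\S+) (\d+) set ikev1 transform-set (\S+)")]

def lint(text):
    """Return findings: dangling crypto-map references, unapplied maps, legacy IKEv1."""
    defined = {kind: set() for kind, _ in DEFS}
    refs, maps, applied, findings = [], set(), set(), []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())  # trailing "(* ...)" notes are simply not matched
        for kind, rx in DEFS:
            if m := re.match(rx, line):
                defined[kind].add(m.group(1))
        for kind, rx in REFS:
            if m := re.match(rx, line):
                maps.add(m.group(1))
                refs.append((kind, *m.groups()))
        if m := re.match(r"crypto map (\S+) interface \S+", line):
            applied.add(m.group(1))
        if re.match(r"group 2\b", line):  # assumed to occur only under "crypto ikev1 policy"
            findings.append("legacy: IKEv1 DH group 2 (1024-bit MODP)")
        if re.match(r"hash sha\b", line):
            findings.append("legacy: IKEv1 hash sha (SHA-1)")
    for kind, cmap, seq, name in refs:  # checked last so definition order does not matter
        if name not in defined[kind]:
            findings.append(f"dangling: crypto map {cmap} {seq} -> undefined {kind} {name}")
    return findings + [f"unapplied: crypto map {m} has no interface" for m in sorted(maps - applied)]

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The peer check relies on the guide's own convention of naming the tunnel-group after the peer IP address.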
 
