This sample configuration demonstrates how to set up the Cisco Adaptive Security Appliance (ASA) with version 8.3(1) for use with two internal networks.
Refer to PIX/ASA: Connecting Two Internal Networks with Internet Configuration Example for the same configuration on Cisco Adaptive Security Appliance (ASA) with versions 8.2 and earlier.
When you add a second internal network behind an ASA firewall, keep these point in mind:
The ASA cannot route any packets.
The ASA does not support secondary addressing.
A router must be used behind the ASA to achieve routing between the existing network and the newly added network.
The default gateway of all the hosts must point to the inside router.
Add a default route on the inside router that points to the ASA.
Remember to clear the Address Resolution Protocol (ARP) cache on the inside router.
The information in this document is based on these software and hardware versions:
Cisco Adaptive Security Appliance (ASA) with version 8.3(1)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses the network setup shown in this diagram.
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses , which have been used in a lab environment.
This document uses the configurations shown here.
|ASA 8.3(1) Running Config|
ASA#show run : Saved : ASA Version 8.3(1) ! hostname ASA enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! !--- Configure the outside interface. ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.1.5.1 255.255.255.0 !--- Configure the inside interface. ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address management-only ! boot system disk0:/asa831-k8.bin ftp mode passive !--- Creates an object called OBJ_GENERIC_ALL. !--- Any host IP not already matching another configured !--- object will get PAT to the outside interface IP !--- on the ASA (or 10.1.5.1), for internet bound traffic. object network OBJ_GENERIC_ALL subnet 0.0.0.0 0.0.0.0 nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface route inside 192.168.1.0 255.255.255.0 192.168.0.254 1 route outside 0.0.0.0 0.0.0.0 10.1.5.2 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.0.0 255.255.254.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context Cryptochecksum:6fffbd3dc9cb863fd71c71244a0ecc5f : end
|Router B Configuration|
Building configuration... Current configuration: ! version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router B ! ! username cisco password 0 cisco ! ! ! ! ip subnet-zero ip domain-name cisco.com ! isdn voice-call-failure 0 ! ! ! ! ! ! ! ! ! interface Ethernet0/0 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast ! interface Ethernet0/1 !--- Assigns an IP address to the ASA-facing Ethernet interface. ip address 192.168.0.254 255.255.255.0 no ip directed-broadcast ip classless !--- This route instructs the inside router to forward all !--- non-local packets to the ASA. ip route 0.0.0.0 0.0.0.0 192.168.0.1 no ip http server ! ! line con 0 exec-timeout 0 0 length 0 transport input none line aux 0 line vty 0 4 password ww login ! end
There is currently no verification procedure available for this configuration.
There is currently no specific troubleshooting information available for this configuration.
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.