
Suggested prerequisite reading:
Things to expect when setup network for home or small business

For some broadband Internet connections such as cable and DSL, and for business-grade connections using T1/E1 or faster, the ISP instructs its customers (subscribers) to configure a specific IP address on their firewall. In other words, the subscriber's firewall uses a static IP address to connect to the Internet.

When this is your case, the following sample configuration is a good starting point for configuring the firewall. A typical network environment that would use the following sample PIX/ASA configuration looks like this:

* There is a modem in front of the PIX/ASA, and the modem connects to the ISP
* The ISP provides a Public IP address to the PIX/ASA statically
* NAT/PAT is in place on the PIX/ASA to translate internal IP addresses to the ISP-provided Public IP address
* The PIX/ASA also acts as the DHCP server for the local LAN, providing dynamic IP information to hosts behind the PIX/ASA within the LAN

This sample PIX/ASA configuration assumes the following:

* Internal private IP subnet (for hosts behind the PIX/ASA): 10.0.0.0/24
* All hosts use the PIX/ASA inside interface IP address as their gateway: 10.0.0.1
* The IP address range 10.0.0.30-10.0.0.254 is available to the DHCP client pool
* Consequently, the IP address range 10.0.0.2-10.0.0.29 is reserved for statically-assigned hosts
* DHCP clients also receive the DNS IP addresses 68.87.64.196 and 68.87.66.196 automatically as part of the dynamic IP address assignment
* When hosts behind the PIX/ASA go out to the Internet, they use the PIX/ASA outside interface IP address (which is the ISP-assigned Public IP address)
* Necessary ICMP packets coming from the Internet are permitted to enter your LAN

Sample Configuration

Scenario 1: ISP Assigns One IP Subnet

In this case the ISP assigns the 1.1.1.2/30 IP address with 1.1.1.1 as the default gateway. This means the ISP hands you a single IP subnet, a /30, where 1.1.1.2 is both the ASA/PIX firewall outside interface IP address and the NAT-ed IP address for all hosts.

1. PIX

OS Version 6.3(3)



2. PIX/ASA

OS Version 7.x to 8.2



OS Version 8.3 or later



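The following is an added example written for this FAQ page, not the FAQ's original listing: an ASA configuration for OS version 8.3 or later that meets the Scenario 1 assumptions above (inside 10.0.0.0/24 with gateway 10.0.0.1, DHCP pool 10.0.0.30-254 with the two DNS servers, outside 1.1.1.2/30 with gateway 1.1.1.1, PAT to the outside interface address, and return ICMP permitted). The interface names Ethernet0/0 and Ethernet0/1 and the hostname are assumptions; substitute the ones your model uses.

```cisco
hostname asa-static-ip
!
! Outside interface: the ISP-assigned static address 1.1.1.2/30
! (interface name Ethernet0/0 is an assumption for this example)
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
!
! Inside interface: gateway address 10.0.0.1 for the 10.0.0.0/24 LAN
! (interface name Ethernet0/1 is an assumption for this example)
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route toward the ISP gateway
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! 8.3+ object NAT: every inside host is PAT-ed to the outside interface
! address (1.1.1.2) when going out to the Internet
object network INSIDE-LAN
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! DHCP server on the inside interface: pool 10.0.0.30-254 hands out
! the two DNS servers; 10.0.0.2-29 stay free for statically-assigned hosts
dhcpd address 10.0.0.30-10.0.0.254 inside
dhcpd dns 68.87.64.196 68.87.66.196
dhcpd lease 3600
dhcpd enable inside
!
! Stateful ICMP inspection: echo replies and ICMP error messages for
! connections started from the LAN are allowed back in, without an ACL
! that opens ICMP from the Internet to the LAN
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
service-policy global_policy global
```

With no access-group applied to the outside interface, nothing from the Internet can initiate a connection inward; only replies to traffic started behind the firewall are let through, which is what the ICMP assumption above calls for. Since 8.3 the `nat` statement lives inside the network object and refers to real (untranslated) addresses; the older `nat (inside) 1 0.0.0.0 0.0.0.0` / `global (outside) 1 interface` pair is not accepted on these releases.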
Note:
Should you decide to run Internet-accessible servers behind the PIX/ASA, see the following FAQ for sample configurations:
PIX Firewall/ASA configuration to run server (with and without port forwarding)

Scenario 2: ISP Assigns Two IP Subnets

In this scenario, there are servers behind the firewall connected to the Private LAN of 10.0.0.0/24. There are also vendor-managed machines sitting in a DMZ on the 192.168.1.0/24 network, and users sitting on the 192.168.2.0/24 network. The firewall inside (Vlan1) interface is within the Private LAN and also serves as the default gateway for all hosts within the Private LAN.

The requirement is to have the servers go out to the Internet using one Public IP address, the vendor-managed machines using another Public IP address, and the users using yet another Public IP address. The ISP therefore assigns two IP subnets: one is 1.1.1.0/30, where 1.1.1.1 is the default gateway, and the other is 2.2.2.0/24.

Note that there are three NAT/PAT translations implemented on the firewall. One is the PAT for the 192.168.0.x hosts using the Vlan2 (outside) interface IP address, which is the WAN IP address. One NAT is for the 192.168.1.254 host using 2.2.2.254 as the NAT-ed IP address. One PAT is for the 192.168.2.x hosts using 2.2.2.1 as the NAT-ed IP address.

OS Version 8.3 or later


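The following is an added example for Scenario 2, again written for this page rather than taken from the FAQ's original listing: the three translations described above expressed in 8.3+ object NAT on an ASA 5505-style VLAN layout. The FAQ refers to the server LAN both as 10.0.0.0/24 and as 192.168.0.x; this example assumes 192.168.0.0/24, the value its NAT description uses. The interface names Vlan3 (dmz) and Vlan4 (users), their gateway addresses, the security levels and the switchport assignments are assumptions.

```cisco
! Vlan2 = outside, 1.1.1.2 on the ISP's 1.1.1.0/30 with gateway 1.1.1.1
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
!
! Vlan1 = inside, the server LAN (assumed 192.168.0.0/24, see lead-in)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
! Vlan3 = dmz for the vendor-managed machines, 192.168.1.0/24
! (interface name and gateway address are assumptions)
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
! Vlan4 = users, 192.168.2.0/24 (interface name and gateway are assumptions)
interface Vlan4
 nameif users
 security-level 80
 ip address 192.168.2.1 255.255.255.0
!
! Switchports carrying the dmz and users VLANs (assumed port assignments)
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 4
!
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!
! Translation 1: servers PAT to the Vlan2 (outside) interface address 1.1.1.2
object network SERVER-LAN
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Translation 2: the single vendor host 192.168.1.254 maps one-to-one to
! 2.2.2.254 out of the second subnet. Without an access-group on outside
! this only lets the host out; inbound connections to 2.2.2.254 stay denied
object network VENDOR-HOST
 host 192.168.1.254
 nat (dmz,outside) static 2.2.2.254
!
! Translation 3: all users PAT to the single address 2.2.2.1 from the second
! subnet, so their traffic never shares the WAN address with the servers
object network USERS-PAT-ADDR
 host 2.2.2.1
object network USERS-LAN
 subnet 192.168.2.0 255.255.255.0
 nat (users,outside) dynamic USERS-PAT-ADDR
```

No interface carries an address from 2.2.2.0/24; those addresses appear only as mapped addresses, so the ISP must route the whole 2.2.2.0/24 block toward 1.1.1.2 for the returning packets to reach the firewall. If the vendor-managed host must also accept connections from the Internet, add an access-list on the outside interface that permits only the required ports to the real address 192.168.1.254 (8.3+ ACLs match real, not mapped, addresses), as described in the port-forwarding FAQ linked under Scenario 1.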
Cisco documentation:
ASA 8.3(x) Dynamic PAT with Two Internal Networks and Internet Configuration Example

Discussions

[HELP] NAT + ASA = I'm insane....
[Config] Clients can't get out on Cisco ASA 5505



by aryoba See Profile
last modified: 2017-02-17 15:03:57