Saturday, January 18, 2014

My Complete Network Lab Setup

This is a continuation of my previous post: I have now fully integrated the Layer 2 switched network and added a couple of 1841 routers.

There were some minor modifications on the 871w router for NAT to function properly. I also opened ICMP, SSH and Telnet on the ASA5505 firewall for troubleshooting and testing purposes. The switches' management IPs were changed, since I now use the 172.16.0.0 /16 subnet solely for my lab, and the wifi users are isolated on the 192.168.1.0 /24 subnet.

871W#configure terminal
871W(config-if)#interface fastethernet0     // MOVE TRUNK FROM FE3 TO FE0 PORT
871W(config-if)#description TRUNK TO ASA5505
871W(config-if)#do show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.1.1     YES NVRAM  up                    up
Dot11Radio0                unassigned      YES NVRAM  up                    up
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  administratively down down
FastEthernet2              unassigned      YES unset  administratively down down
FastEthernet3              unassigned      YES unset  administratively down down
FastEthernet4              59.189.109.1    YES DHCP   up                    up
Group-Async4               unassigned      YES NVRAM  down                  down
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      unassigned      YES NVRAM  up                    up
871W(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2     // ROUTE TO LAB NETWORK
871W(config)#access-list 10 permit 172.16.0.0 0.0.255.255   
871W(config)#do show access-list 10
Standard IP access list 10
    10 permit 172.16.0.0, wildcard bits 0.0.255.255 (54 matches)      // NAT ACL FOR 172.16.0.0/16 (LAB)
    20 permit 192.168.1.0, wildcard bits 0.0.0.255 (862 matches)    // NAT ACL FOR 192.168.1.0 /24 (WIFI)

871W(config)#exit
871W#show ip nat translations | include 172.16.1.6
udp 59.189.105.139:49226  172.16.1.6:49226      8.8.8.8:33506         8.8.8.8:33506
udp 59.189.105.139:49227  172.16.1.6:49227      8.8.8.8:33507         8.8.8.8:33507
udp 59.189.105.139:49228  172.16.1.6:49228      8.8.8.8:33508         8.8.8.8:33508
udp 59.189.105.139:49229  172.16.1.6:49229      8.8.8.8:33509         8.8.8.8:33509
udp 59.189.105.139:49230  172.16.1.6:49230      8.8.8.8:33510         8.8.8.8:33510
udp 59.189.105.139:49231  172.16.1.6:49231      8.8.8.8:33511         8.8.8.8:33511
udp 59.189.105.139:49232  172.16.1.6:49232      8.8.8.8:33512         8.8.8.8:33512
udp 59.189.105.139:49233  172.16.1.6:49233      8.8.8.8:33513         8.8.8.8:33513
udp 59.189.105.139:49234  172.16.1.6:49234      8.8.8.8:33514         8.8.8.8:33514
udp 59.189.105.139:49235  172.16.1.6:49235      8.8.8.8:33515         8.8.8.8:33515
udp 59.189.105.139:49236  172.16.1.6:49236      8.8.8.8:33516         8.8.8.8:33516
udp 59.189.105.139:49237  172.16.1.6:49237      8.8.8.8:33517         8.8.8.8:33517
udp 59.189.105.139:49238  172.16.1.6:49238      8.8.8.8:33518         8.8.8.8:33518
udp 59.189.105.139:49239  172.16.1.6:49239      8.8.8.8:33519         8.8.8.8:33519
udp 59.189.105.139:49240  172.16.1.6:49240      8.8.8.8:33520         8.8.8.8:33520
udp 59.189.105.139:49241  172.16.1.6:49241      8.8.8.8:33521         8.8.8.8:33521
udp 59.189.105.139:49242  172.16.1.6:49242      8.8.8.8:33522         8.8.8.8:33522
udp 59.189.105.139:49243  172.16.1.6:49243      8.8.8.8:33523         8.8.8.8:33523
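To reconcile what the 871W is actually translating against NAT ACL 10 above, here is an added Python example (not code from the original post). It parses "show ip nat translations" rows, applies IOS wildcard-mask semantics to ACL 10, and reports any inside-local host the ACL does not cover; the sample rows are constructed (the first two copy the page's output, the third is a made-up host outside both permitted subnets).

```python
import ipaddress

# Standard ACL 10 from the 871W (values from the page) as (network, wildcard) pairs.
NAT_ACL_10 = [
    ("172.16.0.0", "0.0.255.255"),   # lab
    ("192.168.1.0", "0.0.0.255"),    # wifi
]

# Constructed sample of "show ip nat translations": two rows copied from the page
# plus one made-up row for a host that neither permit line covers.
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 59.189.105.139:49226  172.16.1.6:49226      8.8.8.8:33506         8.8.8.8:33506
udp 59.189.105.139:49227  172.16.1.6:49227      8.8.8.8:33507         8.8.8.8:33507
tcp 59.189.105.139:1025   10.99.0.7:1025        8.8.8.8:53            8.8.8.8:53
"""

def wildcard_match(ip, network, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    wc_i = int(ipaddress.IPv4Address(wildcard))
    return (ip_i | wc_i) == (net_i | wc_i)

def parse_translations(text):
    """Return one dict per dynamic translation row; header and static rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = parts
        rows.append({
            "proto": proto,
            "inside_global": ig.rsplit(":", 1)[0],   # strip the port
            "inside_local": il.rsplit(":", 1)[0],
            "outside_global": og.rsplit(":", 1)[0],
        })
    return rows

def unexpected_sources(rows, acl):
    """Inside-local hosts being translated that no permit line in the NAT ACL covers.
    A hit means another NAT rule is in play or the ACL is stale and needs review."""
    bad = set()
    for r in rows:
        if not any(wildcard_match(r["inside_local"], n, w) for n, w in acl):
            bad.add(r["inside_local"])
    return sorted(bad)
```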


871W#ping 172.16.1.6     // PING AND TELNET TO 1841-2 LAB ROUTER

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
871W#telnet 172.16.1.6
Trying 172.16.1.6 ... Open

+--------------------------------------------------------------+
| This equipment is privately owned and monitored.             |
| Disconnect immediately if you are not an authorized user.    |
+--------------------------------------------------------------+


User Access Verification

Username:


----


ASA5505# configure terminal
ASA5505(config)# interface ethernet0/0     // WAN PORT
ASA5505(config-if)# description LINK TO 871W
ASA5505(config-if)# interface ethernet0/1     // LAN PORT
ASA5505(config-if)# description TRUNK TO SW1
ASA5505(config-if)# exit
ASA5505(config)# banner motd +--------------------------------------------------------------+
ASA5505(config)# banner motd | This equipment is privately owned and monitored.             |
ASA5505(config)# banner motd | Disconnect immediately if you are not an authorized user.    |
ASA5505(config)# banner motd +--------------------------------------------------------------+
ASA5505(config)# policy-map global_policy
ASA5505(config-pmap)# class inspection_default
ASA5505(config-pmap-c)# inspect icmp error    // FOR TRACEROUTE FUNCTION
ASA5505(config-pmap-c)# exit
ASA5505(config-pmap)# exit
ASA5505(config)# access-list OUTSIDE-IN extended permit icmp any 172.16.0.0 255.255.0.0 echo   
ASA5505(config)# access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq telnet
ASA5505(config)# access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq ssh
ASA5505(config)# access-list OUTSIDE-IN extended permit icmp any any time-exceeded     // FOR TRACEROUTE FUNCTION
ASA5505(config)# access-list OUTSIDE-IN extended permit icmp any any unreachable     // FOR TRACEROUTE FUNCTION
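The OUTSIDE-IN entries above let any outside source reach Telnet and SSH on the whole lab range, which is fine for a test window but worth catching before it is forgotten. The following added Python example (not the post's own code) parses ASA extended ACL lines and flags permits that expose a management port to a source broader than a /24; the sample copies the page's five entries and adds one constructed hardened line limiting SSH to the 192.168.1.0/24 wifi subnet, to show what passes the check.

```python
import ipaddress
import re

# Constructed sample of "show running-config access-list": the first five lines copy
# the page; the last one is a made-up hardened variant with a restricted source.
SAMPLE_ACL = """\
access-list OUTSIDE-IN extended permit icmp any 172.16.0.0 255.255.0.0 echo
access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq telnet
access-list OUTSIDE-IN extended permit tcp any 172.16.0.0 255.255.0.0 eq ssh
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit tcp 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0 eq ssh
"""

# Management-plane ports and whether the protocol carries credentials in cleartext.
MGMT_PORTS = {"telnet": "cleartext", "23": "cleartext", "ssh": "encrypted", "22": "encrypted"}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host \S+|\S+ \S+)\s+(?P<dst>any|host \S+|\S+ \S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?(?P<rest>.*)$"
)

def to_network(token):
    """Translate an ASA address token (any / host X / NET MASK) into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    net, mask = token.split()
    return ipaddress.ip_network(f"{net}/{mask}", strict=False)

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["src_net"] = to_network(rule["src"])
            rule["dst_net"] = to_network(rule["dst"])
            rules.append(rule)
    return rules

def exposed_management(rules, min_prefix=24):
    """Permits letting a source wider than /min_prefix reach a management port.
    Returns (acl name, port, source network, cleartext|encrypted) tuples."""
    findings = []
    for r in rules:
        if r["action"] != "permit" or r["port"] not in MGMT_PORTS:
            continue
        if r["src_net"].prefixlen < min_prefix:
            findings.append((r["name"], r["port"], str(r["src_net"]), MGMT_PORTS[r["port"]]))
    return findings
```

Running it over the sample flags the Telnet and SSH lines with an "any" source and passes the restricted SSH line; the cleartext tag is the reason to close the Telnet entry first once testing is done.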


PING TO SWITCHES:

ASA5505# ping 172.16.1.2    // SW1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA5505# ping 172.16.1.3    // SW2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

ASA5505# ping 172.16.1.4    // SW3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


PING TO ROUTERS:

ASA5505# ping 172.16.1.6    // 1841-2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


PING TO OUTSIDE:


ASA5505# ping 8.8.8.8    // GOOGLE PUBLIC DNS
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/30 ms

ASA5505# ping www.cisco.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 60.254.168.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/50 ms


----


SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fastethernet0/8
SW1(config-if)#description TRUNK TO ASA5505
SW1(config-if)#switchport trunk encapsulation dot1q
SW1(config-if)#switchport mode trunk
SW1(config-if)#do show interface description
Interface                      Status         Protocol Description
Vl1                            up             up       L3 MANAGEMENT VLAN
Fa0/1                          up             up       L2 ETHERCHANNEL TO SW2 (LINK#1)
Fa0/2                          up             up       L2 ETHERCHANNEL TO SW2 (LINK#2)
Fa0/3                          up             up       L2 ETHECHANNEL TO SW3 (LINK#1)
Fa0/4                          up             up       L2 ETHECHANNEL TO SW3 (LINK#2)
Fa0/5                          down           down
Fa0/6                          down           down
Fa0/7                          down           down
Fa0/8                          up             up       TRUNK TO ASA5505
Gi0/1                          down           down
Po1                            up             up       L2 ETHERCHANNEL TO SW2
Po2                            up             up       L2 ETHECHANNEL TO SW3
SW1(config)#interface vlan1
SW1(config-if)#ip address 172.16.1.2 255.255.255.0   // CHANGED MANAGEMENT IP ADDRESS
SW1(config)#ip default-gateway 172.16.1.1     // ASA INSIDE IP ADDRESS
SW1(config)#exit
00:41:14: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1007 ms


SW2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#interface vlan1
SW2(config-if)#ip address 172.16.1.3 255.255.255.0
SW2(config)#interface fastethernet0/8
SW2(config-if)#description LINK TO 1841-1
SW2(config-if)#switchport mode trunk
SW2(config-if)#exit
SW2(config)#ip default-gateway 172.16.1.1
SW2(config)#exit
SW2#
01:00:29: %SYS-5-CONFIG_I: Configured from console by console
SW2#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/201/1000 ms


----


SW3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW3(config)#interface vlan1
SW3(config-if)#ip address 172.16.1.4 255.255.255.0
SW3(config-if)#exit
SW3(config)#ip default-gateway 172.16.1.1
SW3(config)#interface fastethernet0/8
SW3(config-if)#description LINK TO 1841-2
SW3(config-if)#switchport mode trunk
SW3(config-if)#do show interface description
Interface                      Status         Protocol Description
Vl1                            up             up       L3 MANAGEMENT VLAN
Fa0/1                          up             up       L2 ETHERCHANNEL TO SW1 (LINK#1)
Fa0/2                          up             up       L2 ETHERCHANNEL TO SW1 (LINK#2)
Fa0/3                          up             up       L2 ETHERCHANNEL TO SW2 (LINK#1)
Fa0/4                          up             up       L2 ETHERCHANNEL TO SW2 (LINK#2)
Fa0/5                          down           down
Fa0/6                          down           down
Fa0/7                          down           down
Fa0/8                          down           down     LINK TO 1841-2
Gi0/1                          down           down
Po1                            up             up       L2 ETHERCHANNEL TO SW1
Po2                            up             up       L2 ETHERCHANNEL TO SW2
SW3(config)#exit
*Mar  1 00:59:09.169: %SYS-5-CONFIG_I: Configured from console by console
SW3#ping 172.16.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1006 ms


----


Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  up                    up
FastEthernet0/1            unassigned      YES NVRAM  administratively down down
Router#configure terminal
Router(config)# hostname 1841-2
1841-2(config)#service timestamps debug datetime msec localtime show-timezone
1841-2(config)#service timestamps log datetime msec localtime show-timezone
1841-2(config)#service password-encryption
1841-2(config)#banner login #
Enter TEXT message.  End with the character '#'
+--------------------------------------------------------------+
| This equipment is privately owned and monitored.             |
| Disconnect immediately if you are not an authorized user.    |
+--------------------------------------------------------------+
#
1841-2(config)#logging buffered 4096
1841-2(config)#enable password cisco
1841-2(config)#ip domain name lagura.com
1841-2(config)#ip name-server 8.8.8.8
1841-2(config)#ip name-server 4.2.2.2
1841-2(config)#username cisco privilege 15 password cisco
1841-2(config)#interface fastethernet0/0
1841-2(config-if)#description CONNECTION TO WAN
1841-2(config-if)#ip address 172.16.1.6 255.255.255.0
1841-2(config-if)#interface fastethernet0/1
1841-2(config-if)#description CONNECTION TO LAN
1841-2(config-if)#ip address 172.16.20.254 255.255.255.0
1841-2(config-if)#no shutdown
1841-2(config-if)#exit
*Nov  6 09:24:53.155: %SYS-5-CONFIG_I: Configured from console by console
*Nov  6 09:24:54.235: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Nov  6 09:24:55.235: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
*Nov  6 09:25:00.671: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
1841-2(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1   // STATIC DEFAULT ROUTE TO ASA INSIDE IP ADDRESS
1841-2(config)#router eigrp 1
1841-2(config-router)#network 172.16.0.0 0.0.255.255
1841-2(config-router)#no auto-summary
1841-2(config-router)#exit
1841-2(config)#line vty 0 4
1841-2(config-line)#exec-timeout 0
1841-2(config-line)#logging synchronous
1841-2(config-line)#login local
1841-2(config-line)#line console 0
1841-2(config-line)#no exec-timeout
1841-2(config-line)#logging synchronous
1841-2(config-line)#end
1841-2#ping 172.16.1.1      // ASA INSIDE IP ADDRESS

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

1841-2#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/27/28 ms
1841-2#ping www.cisco.com

Translating "www.cisco.com"...domain server (8.8.8.8) [OK]

Translating "www.cisco.com"...domain server (8.8.8.8) [OK]

Translating "www.cisco.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 23.58.240.170, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms

1841-2#traceroute www.google.com

Type escape sequence to abort.
Tracing the route to www.google.com (74.125.200.105)

  1 192.168.1.1 0 msec 0 msec 4 msec
  2 cm1.delta104.maxonline.com.sg (59.189.104.1) 8 msec 12 msec 12 msec
  3 172.20.43.1 12 msec 12 msec 12 msec
  4 172.26.43.1 32 msec 12 msec 16 msec
  5 172.20.7.114 28 msec 12 msec 12 msec
  6 203.117.36.89 12 msec 16 msec 16 msec
  7 203.117.36.21 [MPLS: Label 16040 Exp 0] 28 msec 12 msec 12 msec
  8 203.117.35.206 12 msec 12 msec 12 msec
  9 72.14.196.189 12 msec 12 msec 12 msec
 10 66.249.95.124 12 msec
    66.249.95.122 16 msec 20 msec
 11 72.14.239.61 12 msec
    209.85.244.23 12 msec 16 msec
 12  *  *  *
 13 www.google.com (74.125.200.105) 20 msec 28 msec 16 msec


Below are the logical network diagram and the actual physical setup of my lab. I plan to add more stuff like DDNS, enable EIGRP, use PRTG monitoring and experiment with the different styles of VPN and MPLS. I'll also rack-mount my gear in a 12 RU rack to give it a more "professional" look.




5 comments:

  1. Great work John. I am currently attempting to insert an ASA5505 into my network. I currently have a 871W routing to a 3550. I am closely looking at your output to see how the ASA is configured. Do you plan on moving away from the default routes to EIGRP or OSPF?
    -Mike U

  2. Mike,

    Thanks for your kind words and I appreciate your time reading my blog. Yes, I do plan to use an IGP either EIGRP or OSPF. But my new job doesn't allow me to improve my lab (not that I'm complaining).

    I plan to take up ROUTE (for my CCDP) soon and perhaps I can implement it in my lab. Just try to check my blog from time to time.

  3. Nice lab John. I'm in the same boat as you are/were as I am trying to incorporate the 5505 into my home network.
    A couple questions...

    What purpose does your Linksys serve when you already have the 871W for wireless? I have the WRT160N, which quit forwarding ports, so I moved to the PIX 501 and will eventually start using the 5505.

    Was there a specific reason for placing the 871W in front of the ASA?

    It appears you are utilizing your lab as part of your home network. Is that the case, or have you separated it somehow, either with a DMZ, or some other kind of filtering?

  4. Hi Chris, thanks for your time reading my blog!

    I initially had a Linksys E1000 at home and I use it whenever I'm not doing any lab. This will keep my 871w lasting longer. As we all know, we keep the wifi on 24x7.

    Yes, I mentioned it on my blog post prior to this one that NAT is easier in a router. And a router is flexible when it comes to WAN modules. The ASA comes with Ethernet ports by default.

    My ASA has a Base license so I can only create inside and outside interfaces.

    You'll notice my 871w is my home wifi and behind the ASA is my lab network.

  5. I understand what you mean by NAT being easier on a router. Even using the latest ASDM and IOS for the 5505, it's still pretty confusing. My lab consists of an Access Server, (6) Routers, (1) Router acting as a Frame Relay Switch, (1) 3550 L3 Switch, and (2) 2950 L2 Switches. I was using one of the 2520 Routers, or maybe it was the 2514, as an Internet router before, and it would only go so long before it would stop translating the internal internet traffic. I would have to reboot the router, and it would work fine again. I may try and use one of the 1721 routers in its place. I was hoping to use the 5505 instead, mainly because I can have two FastEthernet ports, but it may not work for me.

    I did create the restricted DMZ on the 5505, just for the lab environment. My understanding is as long as the lab routers will not initiate traffic to the inside network, it should work just fine. I have yet to see how that works, so we will see!

    Anyway, great lab and blog, and I'll keep watching for further postings!

    Thanks,
    Chris
