cancel
Showing results for 
Search instead for 
Did you mean: 

Cisco asa5515x

jjamknight
On our wavelength

Hi all, looking for advice on my planned network changes... I’m hoping people have had the same ideas or challenges.

so I have setup a lab, L3 switch, intervlans and have opted to use a Cisco firewall as my router (I have a cisco3925 which I was going to use as my gateway to the virgin hub, but opted for one less hop) and the 5515x seems capable. In the lab I have 4g ethernet hub, and I’ve duplicated what I think the virgin hub will dooo when switched into modem mode... I.e it retains 192.168.100.1 IP address and enables dhcp for one additional IP address on that subnet. It all’s works ok.... my firewall picks up the dhcp address I.e...192.168.100.2 and I can ping 8.8.8.8 ... 

However my understanding of the virgin hub modem mode is limited. In modem mode can I bridge my connection to my external IP address.. and should I even try? I understand the external ip can change and I don’t need any more admin on my setup 🙂 and I’m not clear what ddns would do if enabled on my side on the network. 

please help as this seems to be the last step in the dance... and I want to make sure I have explored all my options. 

and if anyone has a similar setup any tips.. please share. I learnt the hardway Cisco asa don’t allow ping traffic without a enabling that protocol through the firewall Doh! 

 

 

 

22 REPLIES 22

sophist
Trouble shooter

@jjamknight wrote:

Hi all, looking for advice on my planned network changes... I’m hoping people have had the same ideas or challenges.

so I have setup a lab, L3 switch, intervlans and have opted to use a Cisco firewall as my router (I have a cisco3925 which I was going to use as my gateway to the virgin hub, but opted for one less hop) and the 5515x seems capable. In the lab I have 4g ethernet hub, and I’ve duplicated what I think the virgin hub will dooo when switched into modem mode... I.e it retains 192.168.100.1 IP address and enables dhcp for one additional IP address on that subnet. It all’s works ok.... my firewall picks up the dhcp address I.e...192.168.100.2 and I can ping 8.8.8.8 ... 

However my understanding of the virgin hub modem mode is limited. In modem mode can I bridge my connection to my external IP address.. and should I even try? I understand the external ip can change and I don’t need any more admin on my setup 🙂 and I’m not clear what ddns would do if enabled on my side on the network. 

please help as this seems to be the last step in the dance... and I want to make sure I have explored all my options. 

and if anyone has a similar setup any tips.. please share. I learnt the hardway Cisco asa don’t allow ping traffic without a enabling that protocol through the firewall Doh! 

 


Not entirely sure what the question is here... but if you configure your ASA to obtain it's WAN address using DHCP, the hub (when in modem mode) will allocate it a public IP address.. 

it's slightly more nuanced than that (there's some sort of handshake on the 192.168.100.0/24 network - my pfsense box gets a lease of 192.168.100.10 but it only has a lease time of 60seconds.. so guessing it's just there as some sort of helper when the device first comes up) but you can mostly ignore all of this - just configure the WAN on the ASA to get it's address through DHCP and it'll work. 

Hi tehwolf. 

thank you for the input.  I guess I’m trying to get my head around the WAN IP address. In my current setup I expect the virgin modem to provide an IP address on the 192.168.100.0 subnet. Let’s say 192.168.100.2. This means the modem has an address of 192.168.100.1 making this my gateway. I’m ok with that understanding and it works in my lab. 

my question is about my public IP address and the concept of a bridge from my LAN to the WAN, let’s say my public IP address is 72.99.99.1. As a domestic user I don’t technically have a static public IP address that I can add to my LAN router. So my assumption is I cannot bridge my LAN with my public IP address and remove a hop in the process. Hence looking for a better understanding of the term bridge in the context of using a virgin hub on a domestic non business account. I’m ok if this is my limited knowledge of what the virgin modem is actually doing with my traffic... I guess the modem is bridging the networks in my case, not my router?!?

What do all think? 

For all intents and purposes, the hub bridges a public ip address directly to whatever device you have at the other end of the ethernet port. you will not retain the 192.168.100.x address - your firewall will be issued, via dhcp, a publicly routable address.


@jjamknight wrote:


my question is about my public IP address and the concept of a bridge from my LAN to the WAN, let’s say my public IP address is 72.99.99.1. As a domestic user I don’t technically have a static public IP address that I can add to my LAN router.  


sorry, maybe i'm misunderstanding how it is you're trying to configure things.. are you expecting your ASA to perform the NAT on your network, or do you have another device sat *behind* the ASA that you want to do the NAT for your network?

Hi
yes, nating inside outside on the firewall and static routing for the VLAN subnet on the inside. It works on the 4g setup in the lab. Looking to cut over the firewall and switch to modem mode over the coming weeks... 


@jjamknight wrote:

Hi
yes, nating inside outside on the firewall and static routing for the VLAN subnet on the inside. It works on the 4g setup in the lab. Looking to cut over the firewall and switch to modem mode over the coming weeks... 


so i'm not understanding what the "bridge to LAN router" is all about.. there is no bridge.. your ASA is a NAT device.. so...?

Hi... it may be my limited knowledge of bridging.. I was checking is  there a better way to setup my network so that it uses the external IP address in the nat’ing as it currently ref to 192.168.100.1 as the gateway. I guess some routers display the WAN IP address but still route to the traffic via the modem gateway on the LAN side ie 192.168.100.1.  When setting up my network I made a call to remove reduce the number of hops and hence I’m hoping the asa will perform both roles ok. I removed the Cisco router from my design and my level 3 switch is managing my intervlan routing. 

I appreciate the input buddy....


@jjamknight wrote:

Hi... it may be my limited knowledge of bridging.. I was checking is  there a better way to setup my network so that it uses the external IP address in the nat’ing as it currently ref to 192.168.100.1 as the gateway. I guess some routers display the WAN IP address but still route to the traffic via the modem gateway on the LAN side ie 192.168.100.1.  When setting up my network I made a call to remove reduce the number of hops and hence I’m hoping the asa will perform both roles ok. I removed the Cisco router from my design and my level 3 switch is managing my intervlan routing. 

I appreciate the input buddy....


Once you have the ASA behind the hub in modem mode it will look something like this:

Hub----->ASA_PUB_IP[[[ASA]]ASA_RFC1918--->L3 switch

You won't see any 192.168.100.x addresses, there will be no additional hop.. 

Oh... ok that’s interesting in my lab the my asa interface gateway is set manually to 192.168.100.1 and the asa requests an IP address  via dhcp on that subnet.  So my asa gets 192.168.100.2. So have I missed something in my interface setup as I never see the external IP address. How do I pull that external address into the asa? From you earlier comments you have seen the handshake between the hub and your router and you end up with the external IP address on the edge of your LAN? Hmmmm I may be missing something...

 

hub 4g at the mo..with ip of .192.168.100.1 -  asa outside interface ip 192.168.100.2 gateway 192.168.100.1 asa inside interface 192.168.70.1 - switch  192.168.70.2  - vlans and devices