Configure Cisco ASA 5506-X Firewall for M1 Leased Line
Subject: Configure Cisco ASA 5506-X Firewall for M1 Leased Line
Author: Mr. Turritopsis Dohrnii Teo En Ming
Country: Singapore
Date: 11 October 2020 Sunday Singapore Time
Type of Publication: Plain Text
Document Version: 20201011.01
Cisco ASA Firewall CLI Commands
===============================
enable
conf t
interface GigabitEthernet1/8 (M1 Leased Line connected to Port 8)
no shut
ip address aaa.bbb.108.212 255.255.255.248
nameif M1-Leased-Line
security-level 50
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.121 5 track 1
route M1-Leased-Line aaa.bbb.108.0 255.255.255.0 aaa.bbb.108.209 1
object network Quantum
subnet aaa.bbb.108.0 255.255.255.0
same-security-traffic permit intra-interface
access-list nat_inside_quantum extended permit ip aaa.bbb.23.0 255.255.255.0 aaa.bbb.108.0 255.255.255.0
access-list nat_inside_quantum extended permit ip aaa.bbb.108.0 255.255.255.0 aaa.bbb.23.0 255.255.255.0
Teo En Ming’s Original NAT rule (partially correct only):
nat (inside,M1-Leased-Line) source static NETWORK_OBJ_aaa.bbb.23.0_24 NETWORK_OBJ_aaa.bbb.23.0_24 destination static Quantum Quantum no-proxy-arp route-lookup
NAT rule corrected/fixed by boss (FINAL VERSION):
nat (inside,M1-Leased-Line) source static NETWORK_OBJ_aaa.bbb.23.0_24 interface destination static Quantum Quantum
Useful Troubleshooting Commands
===============================
show interface ip brief
show route | begin Gateway
show nat (Very Important Command to use)
packet-tracer input inside tcp aaa.bbb.23.10 12345 aaa.bbb.108.180 22
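The following is an added example, not part of the original post: a small Python model of the two twice-NAT rules above, applied to the same inside-to-Quantum packet that the packet-tracer command tests, so the difference between the identity-NAT version and the interface-mapped version can be seen side by side. It assumes constructed stand-ins for the masked aaa.bbb prefixes (10.23.0.0/24 for the inside network, 10.108.0.0/24 for Quantum, 10.108.0.212 for the M1-Leased-Line interface), models the `interface` keyword as mapping every inside host to the interface address, and assumes the Quantum side only has a route back to its own /24.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the masked aaa.bbb.x.y addresses in the post.
INSIDE_NET = ip_network("10.23.0.0/24")   # NETWORK_OBJ_aaa.bbb.23.0_24
QUANTUM = ip_network("10.108.0.0/24")     # object network Quantum
M1_IFACE = ip_address("10.108.0.212")     # M1-Leased-Line interface address
QUANTUM_KNOWN_ROUTES = [QUANTUM]          # assumption: Quantum side routes only its own /24

# Twice-NAT rules as (real_src, mapped_src, real_dst, mapped_dst).
# "interface" means: use the egress interface address as the mapped source (assumed many-to-one).
ORIGINAL_RULE = (INSIDE_NET, INSIDE_NET, QUANTUM, QUANTUM)   # identity NAT for source and destination
FIXED_RULE = (INSIDE_NET, "interface", QUANTUM, QUANTUM)    # source mapped to the M1 interface address


def translate(rule, src, dst):
    """Return (mapped_src, mapped_dst) as sent out of M1-Leased-Line, or None if the rule does not match."""
    real_src, mapped_src, real_dst, mapped_dst = rule
    if src not in real_src or dst not in real_dst:
        return None
    if mapped_src == "interface":
        new_src = M1_IFACE
    else:
        # static one-to-one: keep the host offset inside the mapped network
        new_src = mapped_src.network_address + (int(src) - int(real_src.network_address))
    new_dst = mapped_dst.network_address + (int(dst) - int(real_dst.network_address))
    return new_src, new_dst


def reply_routable(mapped_src):
    """Assumption: a Quantum server can only answer if the source it sees lies in a network it has a route for."""
    return any(mapped_src in net for net in QUANTUM_KNOWN_ROUTES)


def check_rule(rule, src="10.23.0.10", dst="10.108.0.180"):
    """Evaluate one rule for the packet-tracer flow (inside host -> primary Quantum server, TCP/22)."""
    result = translate(rule, ip_address(src), ip_address(dst))
    if result is None:
        return {"matched": False}
    mapped_src, mapped_dst = result
    return {
        "matched": True,
        "mapped_src": str(mapped_src),
        "mapped_dst": str(mapped_dst),
        "reply_routable": reply_routable(mapped_src),
    }


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        print(name, check_rule(rule))
```

Under these assumptions the original rule leaves the source at 10.23.0.10, which the Quantum side cannot route back to, while the fixed rule presents 10.108.0.212, an address on the Quantum subnet.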
Quantum Linux Servers
=====================
aaa.bbb.108.180 (Primary Linux Server)
aaa.bbb.108.181 (Backup Linux Server)
aaa.bbb.108.182 (UAT Linux Virtual Machine)
aaa.bbb.108.183 (IDRAC of Primary Linux Server)
aaa.bbb.108.184 (IDRAC of Backup Linux Server)
Useful Reading Resources
========================
[1] Cisco ASA 5506-X | Leased Line w/DSL Failover | Default Route Preference
https://www.reddit.com/r/networking/comments/fhff1m/cisco_asa_5506x_leased_line_wdsl_failover_default/
[2] ASA Dual ISP using IP SLA
https://integratingit.wordpress.com/2019/11/24/asa-dual-isp-using-ip-sla/
[3] Static route on inside interface of ASA does'nt work
https://community.cisco.com/t5/network-security/static-route-on-inside-interface-of-asa-does-nt-work/td-p/914826
[4] Cisco ASA 8.3 - No NAT / NAT Exemption
https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html
[5] NAT: Untranslate_hits
https://community.cisco.com/t5/switching/nat-untranslate-hits/td-p/1056571
[6] Cisco ASA Firewall Packet Tracer
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html
[7] Cisco ASA NAT – Configuration Guide
https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/
REFERENCES
==========
[1] https://lkml.org/lkml/2020/10/11/67
[2] http://lkml.iu.edu/hypermail/linux/kernel/2010.1/02693.html
[3] https://marc.info/?l=linux-kernel&m=160241756503067&w=2
[4] https://lwn.net/ml/linux-kernel/3878b845eb3792db19856be9a51d0711%40teo-en-ming.com/
[5] http://lists.linuxfromscratch.org/pipermail/lfs-chat/2020-October/029156.html