Configure Cisco ASA 5506-X Firewall for M1 Leased Line

Subject: Configure Cisco ASA 5506-X Firewall for M1 Leased Line


Author: Mr. Turritopsis Dohrnii Teo En Ming

Country: Singapore

Date: 11 October 2020 Sunday Singapore Time


Type of Publication: Plain Text

Document Version: 20201011.01


Cisco ASA Firewall CLI Commands

===============================


enable

conf t

interface GigabitEthernet1/8

(The M1 Leased Line is connected to Port 8, i.e. GigabitEthernet1/8.)

no shut

ip address aaa.bbb.108.212 255.255.255.248

nameif M1-Leased-Line

security-level 50


route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.121 5 track 1

route M1-Leased-Line aaa.bbb.108.0 255.255.255.0 aaa.bbb.108.209 1


object network Quantum

subnet aaa.bbb.108.0 255.255.255.0


same-security-traffic permit intra-interface


access-list nat_inside_quantum extended permit ip aaa.bbb.23.0 255.255.255.0 aaa.bbb.108.0 255.255.255.0


access-list nat_inside_quantum extended permit ip aaa.bbb.108.0 255.255.255.0 aaa.bbb.23.0 255.255.255.0


Teo En Ming’s Original NAT rule (partially correct only):


nat (inside,M1-Leased-Line) source static NETWORK_OBJ_aaa.bbb.23.0_24 NETWORK_OBJ_aaa.bbb.23.0_24 destination static Quantum Quantum no-proxy-arp route-lookup


NAT rule corrected/fixed by boss (FINAL VERSION):


nat (inside,M1-Leased-Line) source static NETWORK_OBJ_aaa.bbb.23.0_24 interface destination static Quantum Quantum
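The following is an added example, not part of the original post and not Cisco code: it models the two twice-NAT rules above with Python's ipaddress module and shows what each one does to the flow the packet-tracer command below tests (inside host port 12345 to the primary Quantum server port 22). The masked aaa.bbb.* addresses are replaced with constructed RFC 5737 stand-ins, and the rule/object names are the ones from the post.

```python
"""Model the post's two twice-NAT rules and the addressing of the M1 leased line.

The addresses are constructed stand-ins for the post's masked aaa.bbb.* values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the masked addresses in the post
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")        # NETWORK_OBJ_aaa.bbb.23.0_24
QUANTUM_NET = ipaddress.ip_network("203.0.113.0/24")     # object network Quantum (aaa.bbb.108.0/24)
LEASED_IF = ipaddress.ip_interface("203.0.113.212/29")   # GigabitEthernet1/8, mask 255.255.255.248
LEASED_NEXT_HOP = ipaddress.ip_address("203.0.113.209")  # next hop of the M1-Leased-Line route
INSIDE_HOST = ipaddress.ip_address("192.0.2.10")         # packet-tracer source (aaa.bbb.23.10)
QUANTUM_HOST = ipaddress.ip_address("203.0.113.180")     # primary Linux server (aaa.bbb.108.180)


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (inside,M1-Leased-Line) source static A B destination static C D' rule."""
    real_src: ipaddress.IPv4Network
    mapped_src: object   # an IPv4Network (identity NAT when equal to real_src) or "interface"
    real_dst: ipaddress.IPv4Network
    mapped_dst: ipaddress.IPv4Network


# "source static X X": identity NAT, the source address is preserved
ORIGINAL = TwiceNat(INSIDE_NET, INSIDE_NET, QUANTUM_NET, QUANTUM_NET)
# "source static X interface": the source is rewritten to the egress interface address
CORRECTED = TwiceNat(INSIDE_NET, "interface", QUANTUM_NET, QUANTUM_NET)


def _map(addr, real_net, mapped_net):
    """Static one-to-one mapping: keep the host offset inside the mapped network."""
    if mapped_net == real_net:
        return addr
    return mapped_net.network_address + (int(addr) - int(real_net.network_address))


def apply_nat(rule, src, dst, egress_if=LEASED_IF):
    """Return (mapped_src, mapped_dst) for a packet leaving via egress_if,
    or None when the rule does not match the real source/destination."""
    if src not in rule.real_src or dst not in rule.real_dst:
        return None
    if rule.mapped_src == "interface":
        new_src = egress_if.ip
    else:
        new_src = _map(src, rule.real_src, rule.mapped_src)
    return new_src, _map(dst, rule.real_dst, rule.mapped_dst)


def reply_is_on_link(mapped_src, egress_if=LEASED_IF):
    """True when the reply's destination (our mapped source) lies on the leased-line /29,
    so the far-end router reaches it without needing a route to the inside network."""
    return mapped_src in egress_if.network


def topology_checks():
    """Addressing consistency checks a practitioner would run before trusting the config."""
    return {
        "next_hop_on_link": LEASED_NEXT_HOP in LEASED_IF.network,
        "server_covered_by_route": QUANTUM_HOST in QUANTUM_NET,
        "link_is_inside_quantum_net": LEASED_IF.network.subnet_of(QUANTUM_NET),
    }


if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("corrected", CORRECTED)):
        s, d = apply_nat(rule, INSIDE_HOST, QUANTUM_HOST)
        print(f"{name:9s} {INSIDE_HOST}->{QUANTUM_HOST} leaves as {s}->{d}; "
              f"reply reachable on the leased-line link: {reply_is_on_link(s)}")
    print(topology_checks())
```

Running it prints that the original identity rule sends the packet out unchanged, so the Quantum side would need a route back to the inside network, while the corrected rule sends it out from the interface address, which sits on the same /29 as the leased-line next hop.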


Useful Troubleshooting Commands

===============================


show interface ip brief

show route | begin Gateway

show nat (Very Important Command to use)

packet-tracer input inside tcp aaa.bbb.23.10 12345 aaa.bbb.108.180 22
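As an added example (not from the post or from Cisco), here is a small parser for the per-rule hit counters that show nat prints, which is what reading resource [5] below is about. The sample output is constructed for this example in the layout the ASA uses (a numbered rule line followed by an indented translate_hits/untranslate_hits line); the rule and object names come from the post, the counter values are made up.

```python
"""Parse 'show nat' hit counters and flag rules whose counters look wrong.

SAMPLE_SHOW_NAT is constructed for this example; counter values are made up.
"""
import re

SAMPLE_SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (M1-Leased-Line) source static NETWORK_OBJ_aaa.bbb.23.0_24 interface   destination static Quantum Quantum
    translate_hits = 12, untranslate_hits = 12
2 (inside) to (outside) source static NETWORK_OBJ_aaa.bbb.23.0_24 NETWORK_OBJ_aaa.bbb.23.0_24   destination static Quantum Quantum no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic NETWORK_OBJ_aaa.bbb.23.0_24 interface
    translate_hits = 4031, untranslate_hits = 0
"""

SECTION_RE = re.compile(r"^(?P<name>.+?) \(Section (?P<num>\d+)\)\s*$")
RULE_RE = re.compile(r"^(?P<idx>\d+) \((?P<from_if>[^)]+)\) to \((?P<to_if>[^)]+)\) (?P<body>.+?)\s*$")
HITS_RE = re.compile(r"translate_hits = (?P<t>\d+), untranslate_hits = (?P<u>\d+)")


def parse_show_nat(text):
    """Return one dict per NAT rule with its section, interfaces, rule text and counters."""
    rules, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group("num"))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "section": section,
                "index": int(m.group("idx")),
                "from_if": m.group("from_if"),
                "to_if": m.group("to_if"),
                "rule": m.group("body"),
                "translate_hits": None,
                "untranslate_hits": None,
            })
            continue
        m = HITS_RE.search(line)
        if m and rules:  # counters belong to the most recent rule line
            rules[-1]["translate_hits"] = int(m.group("t"))
            rules[-1]["untranslate_hits"] = int(m.group("u"))
    return rules


def find_suspicious(rules):
    """Heuristics (an assumption of this example, not ASA logic):
    - a rule with no hits at all has never matched, e.g. it is shadowed by an earlier
      rule or is bound to the wrong interface pair;
    - a static rule that translates forward packets but never untranslates replies
      suggests the far end is not routing the return traffic back."""
    findings = []
    for r in rules:
        tag = f"section {r['section']} rule {r['index']} ({r['from_if']}->{r['to_if']})"
        if r["translate_hits"] == 0 and r["untranslate_hits"] == 0:
            findings.append(f"{tag}: never matched")
        elif " static " in f" {r['rule']} " and r["translate_hits"] and r["untranslate_hits"] == 0:
            findings.append(f"{tag}: forward packets translated but no replies untranslated")
    return findings


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE_SHOW_NAT)
    for r in parsed:
        print(r["section"], r["index"], r["translate_hits"], r["untranslate_hits"], r["rule"])
    for finding in find_suspicious(parsed):
        print("CHECK:", finding)
```

Paste your own show nat output in place of SAMPLE_SHOW_NAT; the dynamic PAT rule in the sample is deliberately not flagged, because zero untranslate hits is normal for a dynamic rule.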


Quantum Linux Servers

=====================


aaa.bbb.108.180 (Primary Linux Server)

aaa.bbb.108.181 (Backup Linux Server)

aaa.bbb.108.182 (UAT Linux Virtual Machine)

aaa.bbb.108.183 (IDRAC of Primary Linux Server)

aaa.bbb.108.184 (IDRAC of Backup Linux Server)


Useful Reading Resources

========================


[1] Cisco ASA 5506-X | Leased Line w/DSL Failover | Default Route Preference


https://www.reddit.com/r/networking/comments/fhff1m/cisco_asa_5506x_leased_line_wdsl_failover_default/


[2] ASA Dual ISP using IP SLA


https://integratingit.wordpress.com/2019/11/24/asa-dual-isp-using-ip-sla/


[3] Static route on inside interface of ASA does'nt work


https://community.cisco.com/t5/network-security/static-route-on-inside-interface-of-asa-does-nt-work/td-p/914826


[4] Cisco ASA 8.3 - No NAT / NAT Exemption


https://www.fir3net.com/Firewalls/Cisco/cisco-asa-83-no-nat-nat-exemption.html


[5] NAT: Untranslate_hits


https://community.cisco.com/t5/switching/nat-untranslate-hits/td-p/1056571


[6] Cisco ASA Firewall Packet Tracer


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115904-asa-config-dmz-00.html


[7] Cisco ASA NAT – Configuration Guide


https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/






REFERENCES

==========


[1] https://lkml.org/lkml/2020/10/11/67


[2] http://lkml.iu.edu/hypermail/linux/kernel/2010.1/02693.html


[3] https://marc.info/?l=linux-kernel&m=160241756503067&w=2


[4] https://lwn.net/ml/linux-kernel/3878b845eb3792db19856be9a51d0711%40teo-en-ming.com/


[5] http://lists.linuxfromscratch.org/pipermail/lfs-chat/2020-October/029156.html
