Document ID: 112996
Updated: May 12, 2011
Contents
Introduction
This sample configuration demonstrates how to set up the Cisco Adaptive Security Appliance (ASA) with version 8.3(1) for use with two internal networks.
Refer to PIX/ASA: Connecting Two Internal Networks with Internet Configuration Example for the same configuration on Cisco Adaptive Security Appliance (ASA) with versions 8.2 and earlier.
Prerequisites
Requirements
When you add a second internal network behind an ASA firewall, keep these point in mind:
-
The ASA cannot route any packets.
-
The ASA does not support secondary addressing.
-
A router must be used behind the ASA to achieve routing between the existing network and the newly added network.
-
The default gateway of all the hosts must point to the inside router.
-
Add a default route on the inside router that points to the ASA.
-
Remember to clear the Address Resolution Protocol (ARP) cache on the inside router.
Components Used
The information in this document is based on these software and hardware versions:
-
Cisco Adaptive Security Appliance (ASA) with version 8.3(1)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Network Diagram
This document uses the network setup shown in this diagram.
Note: The IP addressing schemes used in this configuration are not legally
routable on the Internet. They are
RFC
1918 addresses
, which have been used in a lab environment.
ASA 8.3 Configuration
This document uses the configurations shown here.
If you have the output of a write terminal command from your Cisco device, you can use Output Interpreter (registered customers only) to display potential issues and fixes.
| ASA 8.3(1) Running Config |
|---|
ASA#show run : Saved : ASA Version 8.3(1) ! hostname ASA enable password 8Ry2YjIyt7RRXU24 encrypted passwd 2KFQnbNIdI.2KYOU encrypted names ! !--- Configure the outside interface. ! interface GigabitEthernet0/0 nameif outside security-level 0 ip address 10.1.5.1 255.255.255.0 !--- Configure the inside interface. ! interface GigabitEthernet0/1 nameif inside security-level 100 ip address 192.168.0.1 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address management-only ! boot system disk0:/asa831-k8.bin ftp mode passive !--- Creates an object called OBJ_GENERIC_ALL. !--- Any host IP not already matching another configured !--- object will get PAT to the outside interface IP !--- on the ASA (or 10.1.5.1), for internet bound traffic. object network OBJ_GENERIC_ALL subnet 0.0.0.0 0.0.0.0 nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface route inside 192.168.1.0 255.255.255.0 192.168.0.254 1 route outside 0.0.0.0 0.0.0.0 10.1.5.2 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy http server enable http 192.168.0.0 255.255.254.0 inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 telnet timeout 5 ssh timeout 5 console timeout 0 threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context Cryptochecksum:6fffbd3dc9cb863fd71c71244a0ecc5f : end |
| Router B Configuration |
|---|
Building configuration... Current configuration: ! version 12.4 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname Router B ! ! username cisco password 0 cisco ! ! ! ! ip subnet-zero ip domain-name cisco.com ! isdn voice-call-failure 0 ! ! ! ! ! ! ! ! ! interface Ethernet0/0 ip address 192.168.1.1 255.255.255.0 no ip directed-broadcast ! interface Ethernet0/1 !--- Assigns an IP address to the ASA-facing Ethernet interface. ip address 192.168.0.254 255.255.255.0 no ip directed-broadcast ip classless !--- This route instructs the inside router to forward all !--- non-local packets to the ASA. ip route 0.0.0.0 0.0.0.0 192.168.0.1 no ip http server ! ! line con 0 exec-timeout 0 0 length 0 transport input none line aux 0 line vty 0 4 password ww login ! end |
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
Open a Support Case 
(Requires a Cisco Service Contract.)
Related Cisco Support Community Discussions
The Cisco Support Community is a forum for you to ask and answer questions, share suggestions, and collaborate with your peers.
Refer to Cisco Technical Tips Conventions for information on conventions used in this document.