ASA5505: Incredible…I have finally made my inside hosts to surf the net!

by Cyrus Lok on Saturday, April 10, 2010 at 5:11am
I am going to record the things I have done so that I can remember them.

Thanks to Abel for letting me read the book by Richard Deal.

Get the IP address from the ISP:
interface vlan 2
ip address dhcp setroute <the setroute keyword is magic! It installs a default route via the gateway the ISP's DHCP server hands out, so no static default route is needed; check it with show route.>

Define DDNS, so the hostname follows whatever address the ISP assigns to vlan 2.

ciscoasa(config)# dhcp-client update dns server none
ciscoasa(config)# ddns update method myddns
ciscoasa(DDNS-update-method)# ddns both
ciscoasa(DDNS-update-method)# exit
ciscoasa(config)# int vlan 2
ciscoasa(config-if)# ddns update myddns
ciscoasa(config-if)# ddns update hostname ciscoasa.cyruslab.com

Inspect HTTP, based on the state table, to allow HTTP replies to come back. <I think this is not necessary; the funny thing is that I can log in to my MSN Messenger. Hmm, this is very different from the IOS firewall, where I need to match MSN Messenger and set it to inspect in order to log in to Messenger.> The ASA is stateful by default: replies to TCP and UDP sessions opened from the higher-security inside interface are let back in by the connection table whether or not inspect http is configured. inspect http adds application-layer checks on port 80 traffic; it is not what permits the return traffic, which is why Messenger works without a matching inspect.
ciscoasa(config-if)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect http

I do not like this NAT; it means every inside host can be translated (0.0.0.0 0.0.0.0 matches any source address). I will change it soon. The dns keyword turns on DNS rewrite: an address inside a DNS A-record reply that matches this translation is rewritten so the host sees the address reachable from its side of the firewall. It is not tied to the ISP issuing a dynamic address; that case is handled by dhcp setroute and the DDNS configuration above.
nat (inside) 1 0.0.0.0 0.0.0.0 dns

This is used together with the nat above: inside addresses are translated to the outside interface address, with each connection told apart by a different source port (PAT). Type the command show xlate to see the translation table; I will not show it here as it contains my public and private IP addresses and the ports they used.
global (outside) 1 interface
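For reference, here are the steps above put together into one configuration, with the NAT statement narrowed to a single inside subnet (the change the post says is coming) and an outbound access list so only the traffic actually wanted leaves. This is an added example, not configuration taken from the post or from Cisco; the inside addressing 192.168.1.0/24, the VLAN-to-port mapping, the DHCP pool and the access-list name inside_out are assumptions. The DDNS hostname and the pre-8.3 nat/global syntax are the post's own.

```cisco
! Assumed: inside hosts on VLAN 1 (192.168.1.0/24), ISP on VLAN 2 via Ethernet0/0.
hostname ciscoasa
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
 ddns update myddns
 ddns update hostname ciscoasa.cyruslab.com
!
interface Ethernet0/0
 switchport access vlan 2
!
! DDNS method referenced on Vlan2 above
dhcp-client update dns server none
ddns update method myddns
 ddns both
!
! Give inside hosts addresses and pass on the ISP's DNS servers (assumed pool)
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd auto_config outside
dhcpd enable inside
!
! The post's rule matched every source address:
!   nat (inside) 1 0.0.0.0 0.0.0.0 dns
! Narrowed so only the inside subnet is eligible for translation:
nat (inside) 1 192.168.1.0 255.255.255.0 dns
global (outside) 1 interface
!
! Outbound least privilege: web and DNS only, everything else denied and logged.
! Anything not listed (e.g. Messenger) will stop working until you add it.
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list inside_out extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list inside_out extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list inside_out extended deny ip any any log
access-group inside_out in interface inside
!
! Application inspection as in the post (return traffic is allowed by the
! connection table regardless of this)
policy-map global_policy
 class inspection_default
  inspect http
!
! Checks after applying:
!   show route          - default route learned via setroute
!   show xlate          - PAT entries, one per inside connection
!   show conn           - live connections tracked by the state table
!   show access-list    - hit counts on the inside_out lines
```

The deny line with log is deliberate: after a day of use, show access-list tells you exactly which protocols the inside hosts tried that the list does not cover, so you can add them one at a time rather than reopening everything.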
