ASA5505: Incredible…I have finally got my inside hosts surfing the net!
Thanks to Abel for letting me read the book by Richard Deal.
Get the IP address from the ISP:
interface vlan 2
ip address dhcp setroute <the setroute keyword is magic!>
Define DDNS.
ciscoasa(config)# dhcp-client update dns server none
ciscoasa(config)# ddns update method myddns
ciscoasa(DDNS-update-method)# ddns both
ciscoasa(DDNS-update-method)# exit
ciscoasa(config)# int vlan 2
ciscoasa(config-if)# ddns update myddns
ciscoasa(config-if)# ddns update hostname ciscoasa.cyruslab.com
Inspect http, based on the state table, to allow http replies to come back. <I think this is not necessary; the funny thing is I can log in to my MSN Messenger…hmm…this is very different from the IOS firewall, where I needed to match MSN Messenger and set it to inspect in order to log in to Messenger>
ciscoasa(config-if)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect http
I do not like this NAT; it means every inside host can be translated, so I will change it soon. The dns keyword enables DNS rewrite, which is used when the ISP issues a dynamic IP address.
nat (inside) 1 0.0.0.0 0.0.0.0 dns
This is used together with the nat above: basically my inside addresses will be translated to the outside interface address with different port numbers. Type the command show xlate to see the translation table; I will not show it here as it contains my public and private IP addresses with the ports that they use.
global (outside) 1 interface
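As an added example (not from the original post), here is the catch-all NAT statement above next to a narrowed version that only translates the inside LAN, plus the show commands to confirm the default route from setroute and the resulting PAT entries. The inside subnet 192.168.1.0/24 is an assumption; substitute your own.

```cisco
! Pre-8.3 ASA syntax, matching the post.
!
! Weak (as configured above): any source address arriving on inside is
! eligible for PAT, including addresses that should never exist there.
nat (inside) 1 0.0.0.0 0.0.0.0 dns
global (outside) 1 interface
!
! Narrowed: remove the catch-all and translate only the inside LAN.
! 192.168.1.0/24 is an assumed subnet for this example.
no nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (inside) 1 192.168.1.0 255.255.255.0 dns
global (outside) 1 interface
!
! Existing translations are not rebuilt until they age out, so clear them
! after changing the NAT policy.
clear xlate
!
! Verification:
! show route  - confirms the default route installed by "ip address dhcp setroute"
! show nat    - lists the NAT policy and how many translations it has produced
! show xlate  - shows live PAT entries (contains your public and private addresses)
show route
show nat
show xlate
```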