Tuesday 11 August 2015

Config Cisco ASA as Domestic Broadband Router and NetGear Router as Access Point

For about the last 6 months I have had a Cisco ASA 5505 I have meant to install into my home network, I bought it when I was studying for CCNA Security and it proved to be very useful for testing configurations etc. The plan was to implement it on my home network to provide an IPsec VPN for me, whilst away from home. Having a proper firewall on my broadband connection also allows me to configure proper NAT for servers in my lab.

Today I got round to doing it, the topology looks like this;

Virgin Media Cable Modem
NetGear N300 WNR2000v2 (which was the router) AP
Cisco ASA 5505 Router/Firewall

The cable connection terminated into the Virgin Media box, there is then an Ethernet connection to the "outside" interface on the ASA. The physical interface is configured to receive all configuration from the ISP's DHCP (including the default route). One of the ordinary Ethernet interfaces from the NetGear is then connected to the "inside" Layer 2 broadcast domain.

Configure Dynamic PAT

Dynamic Port Address Translation (PAT) is required to allow internal clients on the "inside" network to share the single public IP address on the "outside" interface of the ASA firewall. This will effectively allow the internal clients to "hide" behind the public IP address when accessing resources on the internet.

Click Configuration and expand Objects and then Network Objects/Groups.

Click Add, and then New Network Object. Change the type to Network to allow an entire network range in the PAT rule, name it something descriptive. Click OK.

Click on NAT Rules from the Firewall settings and select Add/Add NAT Rule After "Network Object" NAT Rules...

Source Interface/Address any/any, Destination Interface/Address any/any. Source NAT Type Dynamic PAT (Hide) out of Source Address outside. Please bare in mind these values are relative to my interface names, if for example your external interface was named "internetinterface" that would be instead of "outside".

Configure "outside" ASA interface DHCP from ISP

Configure the ASA's "outside" interface to use DHCP from the domestic broadband provider. You may have a static in which case you would configure the static details here.

Configure "inside" ASA interface as DHCP server

Configure the ASA's "inside" interface to be a DHCP server, this is because the DHCP server on the NetGear box must be disabled.

Configure NetGear router to operate in only "access point" mode

This may vary slightly depending on your domestic router/AP, on mine it was only a case of clicking on LAN Setup disabling the Router as a DHCP Server and then configuring the LAN TCP/IP Setup to be an available static address which is outside of the new DHCP scope configured on the "inside" interface of the ASA.

Test on wireless device

Now if I connect my laptop to the old network SSID if will get a DHCP address from the new pool created on the ASA firewall.