For about the last six months I have had a Cisco ASA 5505 that I have meant to install into my home network. I bought it when I was studying for CCNA Security, and it proved very useful for testing configurations. The plan was to put it on my home network to provide an IPsec VPN for me whilst away from home. Having a proper firewall on my broadband connection also allows me to configure proper NAT for servers in my lab.
Today I got round to doing it. The topology looks like this:
Virgin Media Cable Modem
NetGear N300 WNR2000v2 AP (previously the router)
Cisco ASA 5505 Router/Firewall
The cable connection terminates in the Virgin Media box, and from there an Ethernet connection runs to the "outside" interface on the ASA. That physical interface is configured to receive all of its configuration from the ISP's DHCP server (including the default route). One of the ordinary Ethernet interfaces on the NetGear is then connected to the "inside" Layer 2 broadcast domain.
Dynamic Port Address Translation (PAT) is required to allow internal clients on the "inside" network to share the single public IP address on the "outside" interface of the ASA firewall. This effectively allows the internal clients to "hide" behind the public IP address when accessing resources on the internet.
Configure Dynamic PAT
Click Configuration, expand Objects and then Network Objects/Groups.
Click Add, and then New Network Object.
Change the type to Network so that an entire network range can be used in the PAT rule, and name it something descriptive. Click OK.
Click NAT Rules under the Firewall settings and select Add/Add NAT Rule After "Network Object" NAT Rules...
Source Interface/Address any/any, Destination Interface/Address any/any, Source NAT Type Dynamic PAT (Hide), translated Source Address outside. Please bear in mind that these values are relative to my interface names; if, for example, your external interface were named "internetinterface", you would use that instead of "outside".
Configure "outside" ASA interface DHCP from ISP
Configure the ASA's "outside" interface to use DHCP from the domestic broadband provider. If you have a static address from your provider, you would configure the static details here instead.
Configure "inside" ASA interface as DHCP server
Configure the ASA's "inside" interface to be a DHCP server, because the DHCP server on the NetGear box will be disabled in the next step.
Configure NetGear router to operate in only "access point" mode
This may vary slightly depending on your domestic router/AP. On mine it was only a case of clicking LAN Setup, disabling "Use Router as DHCP Server", and then setting the LAN TCP/IP Setup to an unused static address that lies outside the new DHCP scope configured on the "inside" interface of the ASA.
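The CLI equivalent of the ASDM steps above, added here as an example and not taken from the author's configuration: the interface names follow the post ("inside"/"outside"), but the 192.168.1.0/24 addressing, the DHCP pool range and the object name INSIDE-NET are assumed placeholders, and the PAT rule uses the inside network object as its source rather than any/any.

```cisco
! Cisco ASA 5505, 8.3+ NAT syntax. Addressing is an assumed example.
!
! Outside: VLAN 2 on Ethernet0/0, addressed by the ISP's DHCP server.
! "setroute" installs the default route handed out by the ISP.
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Inside: VLAN 1 (the default for the remaining switch ports).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Network object for the inside range (the "Network" type object
! created in ASDM), with object NAT performing dynamic PAT to the
! outside interface address. Change "outside" if your interface is
! named differently, e.g. "internetinterface".
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! DHCP server on the inside interface, replacing the one on the NetGear.
! The pool stops at .199 so the NetGear's static LAN address (e.g.
! 192.168.1.2) sits outside the scope. auto_config copies the DNS and
! domain settings the ISP gave the outside interface into this pool.
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd auto_config outside
dhcpd enable inside
```

After applying it, "show nat" should count translated hits against INSIDE-NET and "show dhcpd binding" should list the laptop's lease once the wireless test below succeeds.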
Test on wireless device
Now, if I connect my laptop to the old network SSID, it will get a DHCP address from the new pool created on the ASA firewall.