Dual WAN link ER605v2 Cisco ASA 5520
There is an old post on this but I am not able to find the answer to my question. I will have two ISP WAN connections; from this I am trying to link the ASA 5520, which has three interfaces: Outside (connection to a single ISP), Inside (connection to all VLANs on the HP switch), and a DMZ VLAN for hosted web servers (inside traffic).
I can configure the WANs with no issues but am trying to understand that one of the LAN ports (4) would need to direct back to the Outside interface of the ASA.
Here is what I am trying to cover, but when I make a link from LAN port 4 to the Outside interface on the ASA 5520 it pings, but when I cover a test route it does not complete in the desired number of hops. I have tried to Add Route but some options are not that clear.
The LAN port does require a VLAN tag and I used 2 for this as it does not exist on my existing network and I did not want conflicts; in itself it is not seen on the existing LAN.
Please, if anyone has covered this could you please provide details with a DIA or point to any YouTube video that has done a similar connection on a main core router.
Does TP-Link have any supporting documentation? I work within a school and hope to pass this information on further to other UK-based schools.
Thanks for your support.
You can find the latest firmware for the ER605v2 at this URL.
https://www.tp-link.com/en/support/download/er605/v2/#Firmware
Where do you use subnet mask 255.255.255.248, is this between the ASA and the ER605?
If you still use 172.16.50.14-172.16.50.15, 172.16.50.15 is the broadcast address.
Try 172.16.50.13-172.16.50.14 with 255.255.255.248 or /29.
Remember to change the default route on the ASA :-)
The easiest is to use the /24 (255.255.255.0) subnet, then you can choose what you want from 172.16.50.1-254.
Some progress, in that I was watching a video on LAN connections and noticed the DNS is an option on LAN; if you want to place DNS here, use the IP address of the interface.
ER605
LAN1
192.168.0.1 # default, port 5 on ER605, this will be admin
255.255.255.0
DNS 192.168.0.1 or leave blank
LAN2
172.50.25.1 > Port 4 on ER 605
255.255.255.248
DNS 172.50.25.1 # do not use 8.8.8.8, it will fail for clients
DHCP
172.50.25.3
172.50.25.6
ASA
Set DHCP client on Outside interface
DHCP 172.50.25.4 > LAN port 4 on ER 605 DHCP
Next test is to place our internal network on the Inside interface and see if DNS is resolved by the internal server; will update on this progress.
I did a test now with an ER8411 in front and an ASA5506x. I cleaned all config and set the ASA up from scratch, and everything worked right away.
I used these commands with only the basic settings; the outside interface gets its IP from DHCP on the ER8411.
conf t
conf factory-default
no interface BVI1
Interface GigabitEthernet1/2
no nameif
Interface GigabitEthernet1/3
no nameif
Interface GigabitEthernet1/4
no nameif
Interface GigabitEthernet1/5
no nameif
Interface GigabitEthernet1/6
no nameif
Interface GigabitEthernet1/7
no nameif
Interface GigabitEthernet1/8
no nameif
Interface GigabitEthernet1/2
no nameif
no bridge-group 1
Interface GigabitEthernet1/3
no nameif
no bridge-group 1
int gi1/2
ip address 192.168.50.1 255.255.255.0
nameif inside
no shut
http server enable
http 0.0.0.0 0.0.0.0 inside
dhcpd address 192.168.50.50-192.168.50.100 inside
dhcpd dns 1.1.1.2 1.0.0.2 interface inside
dhcpd option 3 ip 192.168.50.1 interface inside
dhcpd enable inside
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
policy-map global_policy
class inspection_default
inspect icmp
boot system disk0:asa9-16-4-lfbff-k8.SPA
asdm image disk0:asdm-openjre-7181-152.bin
I can see that in your default ASA setup it is in NAT mode, where the existing network/Inside is translated to the Outside, where you are getting DHCP coming from the ER605 LAN. This works well.
However, in your original setup it might be that your ASA is set up in routed mode, where the ER605 needs to add a static route for your existing network pointing to the next hop (ASA outside IP).
Can you explain something to me: when I remove the Inside interface and place this on my test ASA it drops, or the Outside interface does not work; when I place the inside interface cable back on the production Inside interface there is also no outside interface up.
I have been resolving this by unplugging the router for a restart (not recommended); not sure about reboot in ASDM.
But it also did the same on the test ASA; for this I disabled the outside interface, then enabled it. Not sure of the commands for this: is it no shutdown on the interface or shutdown to the interface?
conf t
interface g0/0
no shutdown # bring online
shutdown # close interface
But why does it not bring the interface back automatically as expected?
This is probably the ARP table that is not updated. Try and clear the ARP table with this command
clear arp
I think we have it working, or part of this, as I have done a test with an ASA 5515 and a spare switch that is configured in the same manner as the Core Switch attached to the inside interface on the ASA 5515, with the introduction of the big brother of the ER605, using an ER8411 that has a combination of 11 ports, four 10GB GBIC ports set as WAN/LAN.
This is from a Windows 10 client on to the HP switch that routes to the ASA 5515 inside interface.
As we have an internal web server, looking at the issues on that and other systems, but expect the ASA 5515 will deal with routing on this.
Thereafter, spent time trying this and that setting, but did apply the Route setting on the ER8411 from the Bridge interface to Inside as recommended. Do not like the IGMP on LAN ER8411 settings but configured this for my WAN port. Backed up both configurations; will test this evening on the production ASA 5515 & Core HP Switch and see what gives.
Ok, so you have an ER8411 now :-)
The configuration should be roughly the same as on the ER605, but the ER8411 is a better choice considering that it is much more powerful.
But do you use NAT or do you route on the ASA? When I tested I used NAT; I have not tested with routing.
Routing should work without major problems, but then you have to set some routes and IP addresses manually.
I'm on holiday now so maybe I'll test a bit tomorrow :-)
I tested routing on the ASA against the ER8411 and it worked fine too, so now I can add NAT on the ER8411 directly to the ASA inside without double NAT.
I added this config on the ASA in addition to the config I posted earlier
## Remove NAT, add fixed IP to Outside, change security level to 100, allow traffic between interfaces with the same security level and add default route to ER8411
object network obj_any
no nat (inside,outside) dynamic interface
clear xlate interface inside
Interface GigabitEthernet1/1
no ip address
ip address 192.168.30.45 255.255.255.0
security-level 100
route outside 0.0.0.0 0.0.0.0 192.168.30.1 1
same-security-traffic permit inter-interface
http server enable 4443
http 0.0.0.0 0.0.0.0 outside
## Then I added a route to the inside network on the ER8411 via Outside on the ASA
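An added worked example, not something posted in this thread, covering the two addressing points the replies above turn on: the /29 mistake raised earlier (172.16.50.15 being the broadcast address of that block) and the routed-mode return route the ER8411 needs for the ASA inside network. The function names are mine; the addresses in the main block are the ones used in the thread.

```python
import ipaddress


def check_transit_link(cidr, router_ip, asa_outside_ip, dhcp_pool=None):
    """Problems with the ER LAN-port <-> ASA outside subnet (empty list = OK)."""
    net = ipaddress.ip_network(cidr, strict=False)
    router = ipaddress.ip_address(router_ip)
    asa = ipaddress.ip_address(asa_outside_ip)
    problems = []
    for label, addr in (("router LAN port", router), ("ASA outside", asa)):
        if addr not in net:
            problems.append(f"{label} {addr} is not inside {net}")
        elif addr == net.network_address:
            problems.append(f"{label} {addr} is the network address of {net}")
        elif addr == net.broadcast_address:
            # the .14/.15 mistake from the thread: .15 is broadcast in a /29
            problems.append(f"{label} {addr} is the broadcast address of {net}")
    if dhcp_pool:
        lo, hi = (ipaddress.ip_address(a) for a in dhcp_pool)
        usable = set(net.hosts())
        if lo > hi or lo not in usable or hi not in usable:
            problems.append(f"DHCP pool {lo}-{hi} is outside the usable hosts of {net}")
        elif lo <= router <= hi:
            problems.append(f"DHCP pool {lo}-{hi} includes the router address {router}")
    if not net.is_private:
        # e.g. 172.50.x.x is not RFC 1918 (172.16.0.0/12 ends at 172.31.255.255)
        problems.append(f"{net} is public address space and will shadow Internet hosts")
    return problems


def check_return_route(inside_cidr, next_hop, transit_cidr):
    """Routed-mode ASA: the ER's static route for the inside network must point
    at the ASA outside IP on the shared transit subnet."""
    inside = ipaddress.ip_network(inside_cidr, strict=False)
    transit = ipaddress.ip_network(transit_cidr, strict=False)
    hop = ipaddress.ip_address(next_hop)
    problems = []
    if hop not in transit:
        problems.append(f"next hop {hop} is not on the transit subnet {transit}")
    if inside.overlaps(transit):
        problems.append(f"inside {inside} overlaps the transit subnet {transit}")
    return problems


if __name__ == "__main__":
    # Values taken from the thread above
    print(check_transit_link("172.16.50.8/29", "172.16.50.14", "172.16.50.15"))
    print(check_transit_link("172.16.50.8/29", "172.16.50.13", "172.16.50.14"))
    print(check_transit_link("172.50.25.0/29", "172.50.25.1", "172.50.25.4", ("172.50.25.3", "172.50.25.6")))
    print(check_return_route("192.168.50.0/24", "192.168.30.45", "192.168.30.0/24"))
```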
Well, I need to look over what you have set in this post as far as the ASA 5520, as I would not like to move too many commands on this. Cleaned out old references on the firewall, and this diagram shows the provisional layout; the wireless connection may go at some point. Load balancing was done for a quick test. If you view this and can say "yes that looks good but you should do that or this": we have a route path via the ASA5515 as there are loads of Access Rules on the firewall, NAT for the DMZ. On pretest the phone system worked as it is the existing external interface; just hope the route to the DMZ still works from the ASA5515 when I make changes to NAT rules for IP Address > DMZ.
The DHCP for Outside (in RED) ASA5515 may be reserved in the TP-Link ER8411 to keep the IP address static; I understand this address could well be just made static.
I do apologize for the number of posts on this thread; it's not fully my line of work as Network Manager, but I like to know how things bolt together and there is no better way than to take it apart in stages and make it work.