Best practice wise - should I let the router or the ASA handle NAT (Overloading)?
In the most general of design best practices NAT is performed between an inside and outside network. NAT overloading is generally performed at the edge when there is limited public IP address space. You can learn more about NAT overloading, also known as Port Address Translation or PAT, in RFC 2663 (PAT is referred to as Network Address Port Translation (NAPT) in section 4.1.2).
In this particular scenario you can argue that you have two inside and outside networks and will need to perform some form of NAT on both the ASA (whether that is the NAT overloading you're using now, NAT exemption, static NAT, etc) and the Cisco Router.
I can ping the 172.16.2.2 interface but not 172.16.2.1 from a PC connected to one of the layer 2 switches (proves intervlan routing is working -- I have a 172.20.100.8 address on the PC). Why can't I ping 172.16.2.1 from a PC but I can from the Layer 3 Switch?
The ASA 172.16.2.2 is receiving the ICMP echo-request but does not have a route back to 172.20.100.0/27. The echo-reply is actually being forwarded to the Router 172.16.1.1 via the default route.
And most of all -- Why can't I get out to the Internet from the Layer 3 switch?
Currently your ASA and Cisco Router do not have routes to internal devices other than their connected routes.
Your ASA configuration:
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?
You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.
ASA static routing example:
route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2
Further reading: ASA static routing
Your Cisco Router's configuration:
ip route 0.0.0.0 0.0.0.0 200.200.200.200
Additionally, how will your border router know how to reach subnets other than its connected routes and the catch-all default route via the outside interface's next-hop address 200.200.200.200?
Router static routing example:
ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.20.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10
Further reading: ISR static routing
I cannot get an ip address right now from the DHCP server (Windows).
Any insight into why?
Ensure you have end-to-end IP reachability between the client(s) sending DHCP discover messages and the DHCP server.
From what I can gather from your topology and configuration, the subnets 172.19.3.0/24, 172.19.12.0/28 and 172.20.100.0/27 should have no issues connecting to each other (assuming they are configured to use their respective default gateways) from a networking perspective.
You can remove the ip helper-address syntax from the SVI 100 given that the DHCP server is on the same segment and that command is used for a DHCP server(s) that is on a different segment.
interface Vlan100
ip address 172.20.100.1 255.255.255.224
ip helper-address 172.20.100.27
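As an added illustration of the return-path problem described in this answer (not code from the answer or from Cisco): a longest-prefix-match lookup over the ASA and router static routes quoted above, run for the PC at 172.20.100.8. It assumes the connected prefixes 172.16.2.0/27 on the ASA inside and 172.16.1.0/24 between the ASA and the router, which the thread does not show, and uses 172.20.100.0/27 for the router's route toward the PC subnet.

```python
import ipaddress
from typing import List, Optional, Tuple

# (prefix, egress interface or "" when the line names none, next hop)
Route = Tuple[ipaddress.IPv4Network, str, str]

def parse_route(line: str) -> Route:
    """Parse ASA 'route <iface> <net> <mask> <nh> [metric]' or IOS 'ip route <net> <mask> <nh>'."""
    tok = line.split()
    if tok[0] == "route":                 # ASA syntax names the egress interface
        iface, net, mask, nh = tok[1:5]
    elif tok[:2] == ["ip", "route"]:      # IOS syntax: the interface is resolved from the next hop
        iface, (net, mask, nh) = "", tok[2:5]
    else:
        raise ValueError(f"not a static route: {line!r}")
    return ipaddress.IPv4Network(f"{net}/{mask}"), iface, nh

def connected(net: str, iface: str) -> Route:
    return ipaddress.IPv4Network(net), iface, "connected"

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific prefix containing dst wins, the /0 default last."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def next_hop(table: List[Route], dst: str) -> str:
    r = lookup(table, dst)
    return "no route" if r is None else f"{r[2]} {r[1]}".strip()

# ASA as posted: its connected networks (prefix lengths assumed) plus the default route only.
ASA_POSTED = [connected("172.16.2.0/27", "inside"), connected("172.16.1.0/24", "outside"),
              parse_route("route outside 0.0.0.0 0.0.0.0 172.16.1.1 1")]
# ASA after adding the three 'route inside' lines from the answer.
ASA_FIXED = ASA_POSTED + [parse_route(l) for l in (
    "route inside 172.19.12.0 255.255.255.240 172.16.2.2",
    "route inside 172.19.3.0 255.255.255.0 172.16.2.2",
    "route inside 172.20.100.0 255.255.255.224 172.16.2.2")]
# Border router as posted (its connected /24 toward the ASA assumed), then with the static routes.
RTR_POSTED = [connected("172.16.1.0/24", "LAN"),
              parse_route("ip route 0.0.0.0 0.0.0.0 200.200.200.200")]
RTR_FIXED = RTR_POSTED + [parse_route(l) for l in (
    "ip route 172.19.12.0 255.255.255.240 172.16.1.10",
    "ip route 172.19.3.0 255.255.255.0 172.16.1.10",
    "ip route 172.20.100.0 255.255.255.224 172.16.1.10",
    "ip route 172.16.2.0 255.255.255.224 172.16.1.10")]
if __name__ == "__main__":
    for name, table in [("ASA posted", ASA_POSTED), ("ASA fixed", ASA_FIXED),
                        ("router posted", RTR_POSTED), ("router fixed", RTR_FIXED)]:
        print(f"{name:14}: echo-reply to 172.20.100.8 goes via {next_hop(table, '172.20.100.8')}")
```

With the posted tables both boxes hand the reply to their default route (the ASA to the router, the router to 200.200.200.200); with the added routes it goes back toward the Layer 3 switch.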
The "outside" vlan seems to be misconfigured, and I've tried so many permeations, that I am sure I am overlooking something major, and obvious. When I am able to ping 8.8.8.8, from the ASA, I'll be happy!
Basic Config
As others have mentioned, your configuration is "suboptimal"... the biggest problems you have are that you're not using DHCP on the outside Vlan interface and that your default gw address is assigned to Vlan2... to recover, login to the console and...
copy runn flash:foobar.cfg
config t
configure factory-default 10.1.10.100 255.255.255.0
While you're in config mode, use this configuration...
hostname DTS-ASA
password ChangeMeNow
enable password ChangeMeNow
!
interface Ethernet0/0
switchport access vlan 2
!
interface Vlan2
! I don't think you need this, since it's an SMC MAC addr
! However, this illustrates how you can manually change the mac
! on your outside Vlan, if Comcast is restricting you
! to one mac (and now refuses to change it)
! mac-address 78cd.8ed9.fb37
nameif outside
security-level 0
ip address 74.xx.xx.225 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 74.xx.xx.230
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
end
wr mem
Please change the password :-)... now you need fw rules, but that's a different issue
WAN Validation
Make sure you really do have the Comcast modem attached to Eth0/0... After you're up and running, you should be able to check the address you got from Comcast like this...
DTS-ASA# sh int vlan2
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 0030.dead.beef, MTU 1500
IP address 74.xx.xx.225, subnet mask 255.255.255.248 <------------
Traffic Statistics for "outside":
108703406 packets input, 119199091796 bytes
69134254 packets output, 8083775282 bytes
1654709 packets dropped
1 minute input rate 2 pkts/sec, 280 bytes/sec
1 minute output rate 3 pkts/sec, 414 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 3 pkts/sec, 716 bytes/sec
5 minute output rate 4 pkts/sec, 520 bytes/sec
5 minute drop rate, 0 pkts/sec
DTS-ASA#
Then check your ping to google's DNS...
DTS-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms
DTS-ASA#
If not, be sure you can ping your default-gw...
DTS-ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 74.xx.xx.230 to network 0.0.0.0
C 74.xx.xx.230 255.255.255.248 is directly connected, outside
C 10.1.10.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 74.xx.xx.230, outside <------
DTS-ASA#
DTS-ASA# ping 74.xx.xx.230
Best Answer
All you should need is...
Since your inside interface is already a higher security level than the outside interface and you are NATing everything, you should not need an internal or external ACL.
Do a release / renew to pick up the dns setting, and then start surfing...