Dual WAN link ER605v2 Cisco ASA 5520

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-07 16:09:51

  @Freddo 

You can find the latest firmware for the ER605v2 at this URL:

https://www.tp-link.com/en/support/download/er605/v2/#Firmware

Where do you use subnet mask 255.255.255.248? Is this between the ASA and the ER605?

If you still use 172.16.50.14-172.16.50.15, 172.16.50.15 is the broadcast address.

Try 172.16.50.13-172.16.50.14 with 255.255.255.248 or /29.

Remember to change the default route on the ASA :-)

The easiest is to use the /24 (255.255.255.0) subnet; then you can choose what you want from 172.16.50.1-254.

  0  
  0  
#12
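
The broadcast-address point in the reply above, checked with Python's ipaddress module. This is an added example, not part of the original post; the function names check_link and usable_hosts are made up for this illustration.

```python
import ipaddress


def check_link(addresses, netmask):
    """Classify each address of a link under one subnet mask.

    Returns (network, {address: role}); role is 'network', 'broadcast'
    or 'host'. Raises ValueError if the addresses are in different subnets.
    """
    ifaces = [ipaddress.ip_interface(f"{a}/{netmask}") for a in addresses]
    nets = {i.network for i in ifaces}
    if len(nets) != 1:
        raise ValueError(f"addresses span subnets: {sorted(map(str, nets))}")
    net = nets.pop()
    roles = {}
    for i in ifaces:
        if i.ip == net.network_address:
            roles[str(i.ip)] = "network"      # not assignable to an interface
        elif i.ip == net.broadcast_address:
            roles[str(i.ip)] = "broadcast"    # not assignable to an interface
        else:
            roles[str(i.ip)] = "host"
    return net, roles


def usable_hosts(address, netmask):
    """List every assignable host address in the subnet containing address."""
    net = ipaddress.ip_interface(f"{address}/{netmask}").network
    return [str(h) for h in net.hosts()]


if __name__ == "__main__":
    # The two address pairs discussed in the reply, both with the /29 mask.
    for pair in (["172.16.50.14", "172.16.50.15"],
                 ["172.16.50.13", "172.16.50.14"]):
        net, roles = check_link(pair, "255.255.255.248")
        print(net, roles)
    print(usable_hosts("172.16.50.13", "255.255.255.248"))
```
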
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-08 11:29:51

  @Freddo 

 

 

Some progress: I was watching a video on LAN connections and noticed that DNS is an option on the LAN. If you want to place DNS here, use the IP address of the interface.

ER605

LAN1
192.168.0.1   # default port, port 5 on ER 605; this will be admin
255.255.255.0
DNS 192.168.0.1 or leave blank

LAN2
172.50.25.1   > Port 4 on ER 605
255.255.255.248
DNS 172.50.25.1   # do not use 8.8.8.8, it will fail to clients
DHCP
172.50.25.3
172.50.25.6

ASA

Set DHCP client on Outside interface
DHCP 172.50.25.4  > LAN port 4 on ER 605 DHCP

The next test is to place our internal network on the Inside interface and see if DNS is resolved by the internal server. I will update on this progress.

 

 

 

  0  
  0  
#13
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-09 03:18:52

  @Freddo 

 

I did a test now with an ER8411 in front and an ASA5506x. I cleaned all config and set the ASA up from scratch, and everything worked right away.

I used these commands with only the basic settings; the outside interface gets its IP from DHCP on the ER8411.

conf t
conf factory-default

! remove the default bridge group and the interface names that belong to it
no interface BVI1
interface GigabitEthernet1/2
 no nameif
interface GigabitEthernet1/3
 no nameif
interface GigabitEthernet1/4
 no nameif
interface GigabitEthernet1/5
 no nameif
interface GigabitEthernet1/6
 no nameif
interface GigabitEthernet1/7
 no nameif
interface GigabitEthernet1/8
 no nameif
interface GigabitEthernet1/2
 no nameif
 no bridge-group 1
interface GigabitEthernet1/3
 no nameif
 no bridge-group 1

! routed inside interface
int gi1/2
 ip address 192.168.50.1 255.255.255.0
 nameif inside
 no shut

! ASDM/HTTPS management, reachable from any source address on inside
http server enable
http 0.0.0.0 0.0.0.0 inside

! DHCP server for inside clients
dhcpd address 192.168.50.50-192.168.50.100 inside
dhcpd dns 1.1.1.2 1.0.0.2 interface inside
dhcpd option 3 ip 192.168.50.1 interface inside
dhcpd enable inside

! PAT everything from inside to the outside interface address
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! inspect ICMP so that ping replies are allowed back in
policy-map global_policy
 class inspection_default
  inspect icmp

boot system disk0:asa9-16-4-lfbff-k8.SPA
asdm image disk0:asdm-openjre-7181-152.bin

 

 

 

 

  1  
  1  
#14
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-13 13:55:42

  @MR.S 

 

I can see that your default ASA is set up in NAT mode, where the existing network/Inside is translated to the Outside, where you are getting DHCP from the ER605 LAN. This works well.

However, in your original setup, it might be that your ASA is set up in route mode, where the ER605 needs to add a static route for your existing network pointing to the next hop (ASA outside IP).

  1  
  1  
#15
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-15 10:20:22

  @MR.S 

 

Can you explain something to me? When I remove the Inside interface and place this on my Test ASA, it drops or the Outside interface does not work; when I place the inside interface cable back on the production inside interface there is also no outside interface up.

I have been resolving this by unplugging the router for a restart (not recommended); not sure about reboot in ASDM.

But it also did the same on the Test ASA. For this I disabled the outside interface, then enabled it. I am not sure of the commands for this: is it no shutdown on the interface or shutdown on the interface?

conf t
interface g0/0
no shutdown    # bring online
shutdown       # close interface

But why does it not bring the interface back automatically as expected?

 

 

 

 

 

  0  
  0  
#16
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-15 11:11:00

  @Freddo 

 

This is probably the ARP table that has not been updated. Try clearing the ARP table with this command:

clear arp

  1  
  1  
#17
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-20 12:34:03

  @MR.S 

 

I think we have it working, or part of this, as I have done a test with an ASA 5515 and a spare switch configured in the same manner as the Core Switch attached to the inside interface on the ASA 5515, with the introduction of the big brother of the ER605, the ER8411, which has a combination of 11 ports, four 10GB GBIC ports set as WAN/LAN.

This is from a Windows 10 client on to the HP Switch that routes to the ASA 5515 inside interface.

As we have an internal web server, I am looking at the issues on that and other systems, but expect the ASA 5515 will deal with routing on this.

Thereafter I spent time trying this and that setting, but did apply the Route setting on the ER8411 from the Bridge interface to Inside as recommended. I do not like the IGMP on LAN ER8411 settings but configured this for my WAN port. I backed up both configurations and will test this evening on the production ASA 5515 & Core HP Switch to see what gives.

 

 

 

 

 

 

  0  
  0  
#18
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-20 13:05:52

  @Freddo 

 

OK, so you have an ER8411 now :-)

The configuration should be roughly the same as on the ER605, but the ER8411 is a better choice considering that it is much more powerful.

But do you use NAT or do you route on the ASA? When I tested I used NAT; I have not tested with routing.

Routing should work without major problems, but then you have to set some routes and IP addresses manually.
I'm on holiday now so maybe I'll test a bit tomorrow :-)

 

 

  0  
  0  
#19
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-21 05:32:06

  @Freddo 

 

I tested routing on the ASA against the ER8411 and it worked fine too, so now I can add NAT on the ER8411 directly to the ASA inside without double NAT.

I added this config on the ASA in addition to the config I posted earlier:

## Remove NAT, add fixed IP on Outside, change security level to 100, allow traffic between interfaces with the same security level and add default route to ER8411

object network obj_any
 no nat (inside,outside) dynamic interface
clear xlate interface inside

interface GigabitEthernet1/1
 no ip address
 ip address 192.168.30.45 255.255.255.0
 security-level 100

route outside 0.0.0.0 0.0.0.0 192.168.30.1 1

same-security-traffic permit inter-interface

http server enable 4443
http 0.0.0.0 0.0.0.0 outside

## Then I add a route to the inside network on the ER8411 via Outside on the ASA
 

 

  1  
  1  
#20
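
A small audit of the ASA statements posted in this thread, reporting which interfaces accept ASDM/HTTPS from any source address and which interfaces pass traffic to each other without ACLs because they share a security level. This is an added example, not part of the original posts; the function name audit, the check labels and the "nameif outside" line in the sample are assumptions.

```python
import ipaddress

# Constructed sample: statements from the two ASA configs posted in this thread.
# "nameif outside" is assumed (the posts rely on the factory default for it).
SAMPLE = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 100
 ip address 192.168.30.45 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 ip address 192.168.50.1 255.255.255.0
same-security-traffic permit inter-interface
http server enable 4443
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
"""


def audit(config):
    """Return (check, detail) findings for management scope and level pairing."""
    findings, levels, name, permit_same = [], {}, None, False
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():
            name = None  # any top-level line closes the interface block
        if words[0] == "nameif":
            name = words[1]
            # ASA default: an interface named "inside" gets level 100, others 0
            levels[name] = 100 if name == "inside" else 0
        elif words[0] == "security-level" and name:
            levels[name] = int(words[1])
        elif words[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            permit_same = True
        elif words[0] == "http" and len(words) == 4 and words[1] != "server":
            source = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            if source.prefixlen == 0:  # 0.0.0.0 0.0.0.0 matches every client
                findings.append(("http-any-source", words[3]))
    if permit_same:
        by_level = {}
        for ifname, level in levels.items():
            by_level.setdefault(level, []).append(ifname)
        for level, names in sorted(by_level.items()):
            if len(names) > 1:  # these interfaces exchange traffic without ACLs
                findings.append(("unfiltered-same-level",
                                 f"{','.join(sorted(names))} level {level}"))
    return findings
```

The audit expects indented interface sub-commands, as in `show running-config` output.
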
Re:Dual WAN link ER605v2 Cisco ASA 5520
2023-06-21 10:12:30

  @MR.S 

 

 

Well, I need to look over what you have set in this post as far as the ASA 5520, as I would not like to move too many commands on this. I cleaned out old references on the firewall, and this diagram shows the provisional layout; the wireless connection may go at some point. Load balancing was done for a quick test. If you view this and can say yes, that looks good, but you should do that or this. We have the route path via the ASA5515, as a load of Access Rules are there for the firewall, and NAT for the DMZ. On pretest the phone system worked as its existing external interface; just the route to the DMZ, I hope it still works from the ASA5515 when I make changes to NAT rules for IP Address > DMZ.

The DHCP for Outside (in red) on the ASA5515 may be reserved in the TP-Link ER8411 to keep the IP address static; I understand this address could well be just made static.

I do apologize for the number of posts on this thread. It's not fully my line of work as Network Manager, but I like to know how things bolt together, and there is no better way than to take it apart in stages and make it work.

 

 

  0  
  0  
#21