Add User Subnet to ASA

General config for adding a DHCP-enabled subnet to a Cisco ASA as a sub-interface. Note: the default firewall rule in this config blocks all traffic from the new subnet to RFC-1918 addresses. The object-group RFC_1918 that the deny rule references must already exist on the ASA, since this config does not create it, and dhcprelay enable likewise assumes a dhcprelay server has already been configured. Warning: My regexes suck so make sure you type in correct values for subnets, etc.

February 14, 2014
Template inputs (each maps to a placeholder in the config below):

%{PHYSINT}% - physical interface
%{VLAN}% - vlan number
%{DESC}% - interface description
%{NAMEIF}% - name of the interface
%{SECLVL}% - security level
%{SUBNET}% - subnet
%{MASK}% - subnet mask
%{NAT}% - NAT (the script defaults to the outside interface, so this value only appears in the object description)

conf t
interface Ethernet%{PHYSINT}%.%{VLAN}%
 description %{DESC}%
 vlan %{VLAN}%
 nameif %{NAMEIF}%
 security-level %{SECLVL}%
 ip address %{SUBNET}% %{MASK}%
 no shut
object network %{NAMEIF}%_net
 subnet %{SUBNET}% %{MASK}%
 description %{DESC}% / %{NAT}%
dhcprelay enable %{NAMEIF}%
nat (%{NAMEIF}%,outside) after-auto 2 source dynamic %{NAMEIF}%_net interface
access-list %{NAMEIF}%_in extended deny ip object %{NAMEIF}%_net object-group RFC_1918
access-list %{NAMEIF}%_in extended permit ip object %{NAMEIF}%_net any
access-group %{NAMEIF}%_in in interface %{NAMEIF}%
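The page warns that its own input regexes are weak, so the following is an added example (not the page's or the original script's code) of rendering the template above only after each input has been checked: the VLAN and security-level ranges, the nameif character set, the subnet/mask pair (rejecting a network address with host bits set), and description text that could break out of a single CLI line. It assumes one extra field, GATEWAY, because the page's template uses %{SUBNET}% both for the interface ip address and for the object network subnet, and an ASA interface needs a host address inside the subnet while the object needs the network address; the 48-character nameif limit and the sample values are likewise assumptions, not from the page.

```python
import ipaddress
import re

# Added example, not the page's own generator. Renders the page's ASA template
# after validating each input. Field names mirror the page's placeholders, plus
# a separate GATEWAY field (assumption: the interface needs a host address inside
# the subnet, while 'object network ... subnet' needs the network address).
TEMPLATE = """conf t
interface Ethernet{PHYSINT}.{VLAN}
 description {DESC}
 vlan {VLAN}
 nameif {NAMEIF}
 security-level {SECLVL}
 ip address {GATEWAY} {MASK}
 no shut
object network {NAMEIF}_net
 subnet {SUBNET} {MASK}
 description {DESC} / {NAT}
dhcprelay enable {NAMEIF}
nat ({NAMEIF},outside) after-auto 2 source dynamic {NAMEIF}_net interface
access-list {NAMEIF}_in extended deny ip object {NAMEIF}_net object-group RFC_1918
access-list {NAMEIF}_in extended permit ip object {NAMEIF}_net any
access-group {NAMEIF}_in in interface {NAMEIF}"""

PHYSINT_RE = re.compile(r"^\d+/\d+$")             # e.g. 0/1 -> Ethernet0/1
NAMEIF_RE = re.compile(r"^[A-Za-z0-9_-]{1,48}$")  # no spaces; 48 chars assumed as the nameif limit


def validate(p):
    """Return a normalised copy of the inputs, or raise ValueError on the first bad field."""
    out = {}
    if not PHYSINT_RE.match(p["PHYSINT"]):
        raise ValueError("PHYSINT must look like 0/1")
    out["PHYSINT"] = p["PHYSINT"]

    vlan = int(p["VLAN"])
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be in the 802.1Q range 1-4094")
    out["VLAN"] = vlan

    seclvl = int(p["SECLVL"])
    if not 0 <= seclvl <= 100:
        raise ValueError("security-level must be 0-100")
    out["SECLVL"] = seclvl

    if not NAMEIF_RE.match(p["NAMEIF"]):
        raise ValueError("nameif may only contain letters, digits, '_' and '-'")
    out["NAMEIF"] = p["NAMEIF"]

    for key in ("DESC", "NAT"):
        # '?' invokes CLI help and a newline would inject a second command line
        if "\n" in p[key] or "?" in p[key] or len(p[key]) > 200:
            raise ValueError(f"{key} contains characters that are unsafe in an ASA CLI line")
        out[key] = p[key]

    # strict=True rejects a network address with host bits set (e.g. 10.3.0.5/24),
    # which is exactly the kind of typo the page warns about.
    net = ipaddress.IPv4Network(f"{p['SUBNET']}/{p['MASK']}", strict=True)
    if net.prefixlen == 32 or net.prefixlen < 8:
        raise ValueError("unexpected subnet size")
    gw = ipaddress.IPv4Address(p["GATEWAY"])
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError("GATEWAY must be a host address inside SUBNET")
    out["SUBNET"] = str(net.network_address)
    out["MASK"] = str(net.netmask)
    out["GATEWAY"] = str(gw)
    return out


def render(p):
    """Validate the inputs, then fill the template; returns the ASA CLI text."""
    return TEMPLATE.format(**validate(p))


# Constructed sample input (not from the page).
SAMPLE = {
    "PHYSINT": "0/1", "VLAN": "120", "DESC": "Users floor 3", "NAMEIF": "users_f3",
    "SECLVL": "50", "SUBNET": "10.3.0.0", "MASK": "255.255.255.0",
    "GATEWAY": "10.3.0.1", "NAT": "outside",
}

if __name__ == "__main__":
    print(render(SAMPLE))
```

Running the script prints the filled-in config for the constructed sample; a mistyped subnet such as 10.3.0.5 with a /24 mask, a VLAN outside 1-4094, or a description containing a newline is rejected before any CLI text is produced, which is the check the page's author asks the reader to do by hand.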