New 5505: Need help getting inside network to the internet

Answered Question
Sep 13th, 2007

Hi,

I'm a proud owner of a new ASA 5505. I've gone through the getting started guide and some other documentation and can't seem to get the routes/rules right to get my inside interface (192.168.1.0/24) to my outside interface (my.public.i.p) to get to the internet. Although I didn't understand where to specifically define my.public.i.p gateway, is that something the ASA figures out on its own?

I've tried adding a static route for the inside like so: ip:192.168.1.0/24 gw:192.168.1.1 (inside interface IP) and it claims the route exists already.

So, I tried to create an access rule:

Outgoing rule allowing inside network to go to "any" and for some reason the wizard defines it, but then adds its own "deny" rule directly underneath. I trace the packets and they're getting dropped by some built-in implicit rules defined by the ASA.

What is this newbie overlooking?

I'm simply trying to set up my device and at least get the 1 PC that has access to the ASDM out to the internet and I can't even do that... This is one SERIOUS device coming from my limited networking background.

I thought walking through the wizards would at least get me on the internet, but it's not working...

TIA,

Kevin

UPDATE::

I was looking at some debug logging and when I try to go to google.com, for instance, I get a "No route to My.External.dns.ip from 192.168.1.2" (the internal IP of the PC I've connected directly to the ASA).

Recommended action is to add a route... Ok, I try to define a route, but ASA tells me the route already exists... Must be a rule thing I'm not understanding. Thanks again!

JORGE RODRIGUEZ Thu, 09/13/2007 - 07:04

Kevin, there are a few things we need to find out from you to help.

Is your ISP providing you with a static IP or a dynamic one for your ASA public interface? If dynamic, instruct the ASA through ASDM to obtain an IP by DHCP for the outside interface; once you do that, telnet to the ASA and issue

"show ip" to see if it did pick up an IP.

Also, can you provide the ASA configuration? Once you attach the config we can help get your inside host access to the outside.

kcaporaso Thu, 09/13/2007 - 07:17

Jorge - Thanks!

I have 5 static IPs and am trying to simply use 1 of them. So, I set the outside interface to that IP address.

ASA configuration... (slightly edited to hide real IPs)

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name domain.cc
enable password encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 61.22.223.11 255.255.255.248
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.cc
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns 192.168.1.20 61.22.223.65 interface inside
dhcpd wins 61.22.223.65 interface inside
dhcpd domain domain.cc interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end

And the "show ip" shows the correct static IP I chose. :)

kcaporaso Thu, 09/13/2007 - 08:05

That was exactly the problem. I had to define a route setup for the outside interface:

0.0.0.0 0.0.0.0 outside

That seems to get me connected now... Are there other things I should watch for now? I'm not wide open am I? Thanks!

Correct Answer
JORGE RODRIGUEZ Thu, 09/13/2007 - 08:22

Great. No, you are not wide open to any inside hosts until you create one-to-one NATs for inside hosts to be accessed from outside, of course creating an access-list to control the access from outside to inside for that.

rgds

Jorge
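The two checks in this exchange, the missing default route that produced Kevin's "No route to ..." message and Jorge's point that an inside host only becomes reachable once a static one-to-one NAT is paired with an inbound access-list, as an added Python example that is not part of the original thread and not a Cisco tool. It parses the pre-8.3 nat/global/static syntax shown in the posted configs (ASA 8.3 and later use object NAT and will not match), ignores the "!" separators and indentation so an unindented paste like the one above can be fed to it, and also recognises "ip address dhcp setroute" as a default route, which is what Anita's config relies on further down. The sample configs are constructed; the gateway 61.22.223.9, the mapped address 61.22.223.12 and the ACL name outside_in are invented for the example.

```python
"""Audit a pre-8.3 Cisco ASA running-config (the 7.2/8.0 nat/global/static syntax in this thread).
Added example for this page, not a Cisco tool; the sample configs at the bottom are constructed."""
import re

IFACE_RE = re.compile(r"^interface\s+\S+")
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\d+(?:\.\d+){3})")
GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+")
NAT_RE = re.compile(r"^nat\s+\(\S+\)\s+(\d+)\s+")
STATIC_RE = re.compile(r"^static\s+\(\S+,(\S+)\)\s+(\S+)\s+(\S+)")  # static (real,mapped) mapped_ip real_ip
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
AGROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")


def lines(cfg):
    """Stripped lines minus '!' and ':' markers; indentation is ignored because the posted configs lost it."""
    return [s for s in (raw.strip() for raw in cfg.splitlines())
            if s and not s.startswith(("!", ":"))]


def interfaces(cfg):
    """Map nameif -> {'security': int|None, 'setroute': bool}, tracking interface blocks by keyword."""
    ifaces, cur = {}, None
    for s in lines(cfg):
        if IFACE_RE.match(s):
            cur = {"security": None, "setroute": False}
        elif cur is None:
            continue
        elif s.startswith("nameif "):
            ifaces[s.split()[1]] = cur
        elif s.startswith("security-level "):
            cur["security"] = int(s.split()[1])
        elif s.startswith("ip address dhcp") and "setroute" in s:
            cur["setroute"] = True
    return ifaces


def outside_name(ifaces):
    named = [(v["security"], k) for k, v in ifaces.items() if v["security"] is not None]
    return min(named)[1] if named else None  # lowest security-level is the outside


def audit(cfg):
    """Findings in a fixed order: default route, outbound PAT, inbound exposure."""
    ifaces = interfaces(cfg)
    out = outside_name(ifaces)
    if out is None:
        return ["no interface with a security-level found"]
    ls, findings = lines(cfg), []
    # 1. Default route: explicit 'route <outside> 0.0.0.0 0.0.0.0 <gw>' or 'ip address dhcp setroute'.
    gws = [m.group(2) for m in map(ROUTE_RE.match, ls) if m and m.group(1) == out]
    if gws:
        findings.append(f"default route via {gws[0]} on {out}")
    elif ifaces[out]["setroute"]:
        findings.append(f"default route learned by DHCP on {out}")
    else:
        findings.append(f"MISSING default route on {out}: inside hosts will log 'No route to <dst>'")
    # 2. Outbound PAT: 'global (<outside>) <id> interface' paired with a 'nat (...) <id>'.
    gids = {m.group(2) for m in map(GLOBAL_RE.match, ls) if m and m.group(1) == out}
    nids = {m.group(1) for m in map(NAT_RE.match, ls) if m}
    findings.append(f"outbound PAT on {out} present" if gids & nids else f"MISSING nat/global pair for {out}")
    # 3. Inbound exposure: a static alone stays closed by the implicit deny on the low-security
    #    interface; it takes a static plus an access-group on outside whose ACL permits the mapped IP.
    statics = [(m.group(2), m.group(3)) for m in map(STATIC_RE.match, ls) if m and m.group(1) == out]
    bound = {m.group(1) for m in map(AGROUP_RE.match, ls) if m and m.group(2) == out}
    acl = [m for m in map(ACL_RE.match, ls) if m and m.group(1) in bound and m.group(2) == "permit"]
    if not statics:
        findings.append("no static NAT: nothing inside is reachable from outside")
    elif not bound:
        findings.append("static NAT present but no inbound access-group: still closed by implicit deny")
    else:
        for mapped, real in statics:
            for a in acl:
                if f"host {mapped}" in a.group(4) or a.group(4).startswith("any any"):
                    findings.append(f"EXPOSED {real} as {mapped}: {a.group(0)}")
        if any(a.group(3) == "ip" and a.group(4).startswith("any any") for a in acl):
            findings.append("WIDE OPEN: inbound ACL permits ip any any")
    return findings


# Constructed samples in the shape of Kevin's config; 61.22.223.9, 61.22.223.12 and outside_in are invented.
KEVIN_BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 61.22.223.11 255.255.255.248
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""
KEVIN_AFTER = KEVIN_BEFORE + "route outside 0.0.0.0 0.0.0.0 61.22.223.9 1\n"
STATIC_NO_ACL = KEVIN_AFTER + "static (inside,outside) 61.22.223.12 192.168.1.20 netmask 255.255.255.255\n"
PUBLISHED_HTTPS = STATIC_NO_ACL + ("access-list outside_in extended permit tcp any host 61.22.223.12 eq 443\n"
                                   "access-group outside_in in interface outside\n")
WIDE_OPEN = STATIC_NO_ACL + ("access-list outside_in extended permit ip any any\n"
                             "access-group outside_in in interface outside\n")
```

Running audit() over the five samples walks the thread in order: KEVIN_BEFORE reports the missing default route with PAT already in place, KEVIN_AFTER is what Kevin ended up with (routed, PAT, nothing reachable from outside), STATIC_NO_ACL shows that a static by itself is still closed, PUBLISHED_HTTPS lists exactly which inside host is exposed and by which ACL line, and WIDE_OPEN is the "permit ip any any" mistake Jorge's caveat is about. The ACL matching is deliberately narrow (a "host <mapped>" destination or "any any"); object-groups and network ranges would need a real address-match, so treat a clean result on such a config as inconclusive rather than safe.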

anitakuang Tue, 10/09/2007 - 15:09

Hi geeks,

Thanks for sharing your solution.

I've made some progress with DHCP on the outside interface: my ASA can obtain an external IP from the DSL router at least. However, still no luck in accessing the Internet.

My set up is:

Internet--> DSL router--> ASA 5505

Here is the result after issuing the "sh route" and "sh ip" commands:

C 127.1.0.0 255.0.0.0 directly connected
C 192.168.1.0 255.255.255.0 directly connected
C 125.xxx.xxx.xxx 255.255.255.255 directly connected
d* 0.0.0.0 0.0.0.0 [1/0] via 125.xxx.xxx.xxx

Vlan 1: 192.168.1.1 255.255.255.0
Vlan 2: 125.xxx.xxx.xxx 255.255.255.255

Could you please give a clue on Internet access?

Many thanks

Anita

kcaporaso Tue, 10/09/2007 - 18:28

Please post the results of the following command line sequence:

sh run |inc 0.0.0

anitakuang Wed, 10/10/2007 - 16:58

Hi,

The result is :

nat (inside) 1 0.0.0.0 0.0.0.0

my running configuration is :

c(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname c
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif o
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu o 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (o) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface o
dhcpd auto_config o
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a9ac68584da5832df69c4e44b59be5bb
: end

many thanks

Anita

kcaporaso Wed, 10/10/2007 - 17:48

OK, so it seems you need to add the outside route now. Try the command below:

route outside 0.0.0.0 0.0.0.0 1

HTH, Kevin

anitakuang Thu, 10/11/2007 - 02:38

Hi Kevin,

Thanks for your help, but I still have no luck accessing the Internet. Could you please give me one more clue?

Here is the result after issuing "sh route":

Gateway of last resort is 10.1.1.1 to network 0.0.0.0

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.1.1.1, o
                     [1/0] via 125.236.209.196, o

Cheers

Anita

kcaporaso Thu, 10/11/2007 - 05:07

I'm not an expert here, so I'm not familiar with the routing for your setup. I'm only familiar with the static route to the outside. To post a new topic you'll want to go to the top of the "Conversations" link and you'll see a "Start a New Conversation" link. Sorry I can't help further...
