09-13-2007 05:19 AM - edited 03-05-2019 06:27 PM
Hi,
I'm a proud owner of a new ASA 5505. I've gone through the getting started guide and some other documentation and can't seem to get the routes/rules right to get my inside interface (192.168.1.0/24) to my outside interface (my.public.i.p) to get to the internet. Although I didn't understand where to specifically define my.public.i.p gateway, is that something the ASA figures out on its own?
I've tried adding a static route for the inside like so: ip:192.168.1.0/24 gw:192.168.1.1 (inside interface IP) and it claims the route exists already.
So, I tried to create an access rule:
Outgoing rule allowing inside network to go to "any" and for some reason the wizard defines it, but then adds its own "deny" rule directly underneath. I trace the packets and they're getting dropped by some built-in implicit rules defined by the ASA.
What is this newbie overlooking?
I'm simply trying to set up my device and at least get the 1 PC that has access to the ASDM out to the internet and I can't even do that... This is one SERIOUS device coming from my limited networking background.
I thought walking through the wizards would at least get me on the internet, but it's not working...
TIA,
Kevin
UPDATE::
I was looking at some debug logging and when I try to go to google.com, for instance, I get a "No route to My.External.dns.ip from 192.168.1.2" (192.168.1.2 is the internal IP of the PC connected directly to the ASA).
Recommended action is to add a route... Ok, I try to define a route, but ASA tells me the route already exists... Must be a rule thing I'm not understanding. Thanks again!
09-13-2007 07:04 AM
Kevin, there are a few things we need to find out from you to help.
Is your ISP providing you with a static IP or a dynamic one for your ASA public interface? If dynamic, instruct the ASA through ASDM to obtain an IP by DHCP for the outside interface; once you do that, telnet to the ASA and issue
"show ip" to see if it did pick up an IP.
Also, can you provide the ASA configuration? Once you attach the config we can help get your inside host access to the outside.
09-13-2007 07:17 AM
Jorge - Thanks!
I have 5 static IPs and am trying to simply use 1 of them. So, I set the outside interface to that IP address.
ASA configuration... (slightly edited to hide real IPs)
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name domain.cc
enable password encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 61.22.223.11 255.255.255.248
ospf cost 10
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 3
!
passwd
ftp mode passive
dns server-group DefaultDNS
domain-name domain.cc
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.150 inside
dhcpd dns 192.168.1.20 61.22.223.65 interface inside
dhcpd wins 61.22.223.65 interface inside
dhcpd domain domain.cc interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
And the "show ip" shows the correct static IP I chose. :)
09-13-2007 07:58 AM
Can you post "show route | inc 0.0.0.0"
to show whether you have a default route.
09-13-2007 08:05 AM
That was exactly the problem. I had to define a route setup for the outside interface:
0.0.0.0 0.0.0.0
That seems to get me connected now... Are there other things I should watch for now? I'm not wide open am I? Thanks!
09-13-2007 08:22 AM
Great, no, you are not wide open to any inside hosts until you create one-to-one NATs for inside hosts to be accessed from outside, and of course an access-list to control the access from outside to inside for that.
rgds
Jorge
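A small check script, added here as an example (it is not part of any post in this thread and not Cisco code), that looks at an ASA 7.x/8.x running-config for the three things the thread turns on: an outside interface, a default route (either a static "route outside 0.0.0.0 0.0.0.0 ..." or "ip address dhcp setroute" on the outside interface, as in the later post), and a matching global/nat pair for outbound PAT. It also reports anything that would let outside hosts initiate connections inward (static NAT or an inbound access-group on the outside interface) and any management access bound to the outside interface, which is the "am I wide open?" question above. The config excerpt is a constructed copy of Kevin's posted config; the gateway 61.22.223.9 is an assumed address inside the posted /29, since the thread never shows the real one.

```python
import re

# Constructed excerpt of the ASA 7.2(2) running-config posted above;
# only the lines the checks below look at are kept.
CONFIG_BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 61.22.223.11 255.255.255.248
!
http server enable
http 192.168.1.0 255.255.255.0 inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same excerpt plus the default route from the accepted answer.
# 61.22.223.9 is an ASSUMED gateway in the posted /29, not from the thread.
CONFIG_AFTER = CONFIG_BEFORE + "route outside 0.0.0.0 0.0.0.0 61.22.223.9 1\n"


def parse_interfaces(config):
    """Return {nameif: {phys, seclevel, ip, setroute}} from 'interface' blocks."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            cur = {"phys": m.group(1), "seclevel": None, "ip": None, "setroute": False}
            continue
        if cur is None:
            continue
        if line == "!":                          # end of the interface block
            cur = None
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif line.startswith("security-level "):
            cur["seclevel"] = int(line.split()[1])
        elif line.startswith("ip address dhcp"):
            cur["ip"] = "dhcp"
            cur["setroute"] = "setroute" in line  # default route learned via DHCP
        elif line.startswith("ip address "):
            cur["ip"] = line.split()[2]
    return ifaces


def audit(config):
    """Check what inside hosts need to reach the Internet, and what (if anything)
    lets the outside initiate traffic inward."""
    ifaces = parse_interfaces(config)
    outside = next((n for n, i in ifaces.items() if i["seclevel"] == 0), None)

    # default route: static 'route <if> 0.0.0.0 0.0.0.0 <gw>' or dhcp setroute on outside
    static_defaults = re.findall(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    dhcp_default = bool(outside and ifaces[outside]["ip"] == "dhcp"
                        and ifaces[outside]["setroute"])

    # outbound PAT: the nat id used on inside must match a global on the outside interface
    globals_ = dict(re.findall(r"^global \((\S+)\) (\d+) ", config, re.M))
    nat_ids = re.findall(r"^nat \(inside\) (\d+) ", config, re.M)
    pat_ok = outside in globals_ and globals_[outside] in nat_ids

    # inbound exposure: static NAT entries or an ACL applied inbound on outside
    inbound_acl = re.compile(r"^access-group \S+ in interface (\S+)")
    exposure = []
    for l in config.splitlines():
        m = inbound_acl.match(l)
        if l.startswith("static (") or (m and m.group(1) == outside):
            exposure.append(l)

    # management (http/ssh/telnet <net> <mask> <if>) permitted on the outside interface
    mgmt_outside = [l for l in config.splitlines()
                    if outside and re.match(r"^(http|ssh|telnet) \S+ \S+ \S+$", l)
                    and l.split()[-1] == outside]

    return {
        "outside_interface": outside,
        "default_route": bool(static_defaults) or dhcp_default,
        "default_via": static_defaults[0][1] if static_defaults else ("dhcp" if dhcp_default else None),
        "outbound_pat": pat_ok,
        "inbound_exposure": exposure,
        "mgmt_on_outside": mgmt_outside,
    }


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit(cfg))
```

On the "before" config it reports outbound PAT present but no default route, which is exactly the "No route to ..." drop in the first post; on the "after" config the default route is found, and both show an empty inbound-exposure list and no management access on outside, matching Jorge's answer.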
09-13-2007 08:26 AM
Thanks for your help!!
10-09-2007 03:09 PM
Hi geeks,
Thanks for sharing your solution.
I've made some progress with DHCP on the outside interface. My ASA can obtain an external IP from the DSL router at least. However, still no luck accessing the Internet.
My set up is:
Internet--> DSL router--> ASA 5505
Here is the result after issuing the "sh route" and "sh ip" commands.
C 127.1.0.0 255.0.0.0 directly connected
C 192.168.1.0 255.255.255.0 direcly connected
C 125.xxx.xxx.xxx 255.255.255.255 direcly connected
d* 0.0.0.0 0.0.0.0 [1/0] via 125.xxx.xxx.xxx
Vlan 1: 192.168.1.1 255.255.255.0
Vlan 2: 125.xxx.xxx.xxx 255.255.255.255
Could you please give me a clue on Internet access?
Many thanks
Anita
10-09-2007 06:28 PM
Please post the results of the following command line sequence:
sh run |inc 0.0.0
10-10-2007 04:58 PM
Hi,
The result is :
nat (inside) 1 0.0.0.0 0.0.0.0
My running configuration is:
c(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname c
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif o
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu o 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (o) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface o
dhcpd auto_config o
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a9ac68584da5832df69c4e44b59be5bb
: end
many thanks
Anita
10-10-2007 05:48 PM
OK, so it seems you need to add the outside route now:
try the command below:
route outside 0.0.0.0 0.0.0.0
HTH, Kevin
10-11-2007 02:38 AM
Hi Kevin,
Thanks for your help, but I still have no luck accessing the Internet. Could you please give me one more clue?
Here is the result after issuing "sh route":
Gateway of last resort is 10.1.1.1 to network 0.0.0.0
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 192.168.1.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 10.1.1.1, o
[1/0] via 125.236.209.196, o
Cheers
Anita
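A parser for the "sh route" output above, added here as an example (not from any post in this thread and not Cisco code). ASA prints a route with several next hops across continuation lines, so a naive line-by-line read misses the second "via"; this keeps them together and then summarises the default route: who the gateway of last resort is, whether the route was learned by DHCP (code "d*"), and how many next hops it has. The input is a constructed copy of Anita's posted output with whitespace normalised.

```python
import re

# Constructed copy of the "sh route" output posted above (whitespace normalised).
SHOW_ROUTE = """\
Gateway of last resort is 10.1.1.1 to network 0.0.0.0
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.1.1.1, o
                     [1/0] via 125.236.209.196, o
"""

IP = r"\d+\.\d+\.\d+\.\d+"
ROUTE_LINE = re.compile(r"^(\S+)\s+(%s) (%s)\s*(.*)$" % (IP, IP))   # code net mask rest
VIA = re.compile(r"\[(\d+)/(\d+)\] via (%s), (\S+)" % IP)           # [AD/metric] via gw, iface
CONNECTED = re.compile(r"directly connected, (\S+)")


def parse_show_route(text):
    """Return (gateway_of_last_resort, routes). Each route is a dict whose
    'next_hops' list also collects the indented continuation lines."""
    gateway, routes, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Gateway of last resort is (\S+) to network", line)
        if m:
            gateway = m.group(1)
            continue
        m = ROUTE_LINE.match(line)
        if m:
            code, net, mask, rest = m.groups()
            cur = {"code": code, "net": net, "mask": mask, "next_hops": []}
            routes.append(cur)
        else:
            rest = line                  # continuation line of the previous route
        if cur is None:
            continue
        v = VIA.search(rest)
        if v:
            cur["next_hops"].append({"via": v.group(3), "iface": v.group(4),
                                     "ad": int(v.group(1)), "metric": int(v.group(2))})
        c = CONNECTED.search(rest)
        if c:
            cur["next_hops"].append({"via": "connected", "iface": c.group(1)})
    return gateway, routes


def default_route_summary(text):
    """Summarise the 0.0.0.0/0 entry: origin, next hops, and whether the
    gateway of last resort is actually one of them."""
    gateway, routes = parse_show_route(text)
    defaults = [r for r in routes if r["net"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    hops = [h for r in defaults for h in r["next_hops"]]
    return {
        "gateway_of_last_resort": gateway,
        "default_learned_by_dhcp": any(r["code"].startswith("d") for r in defaults),
        "default_next_hops": [(h["via"], h["iface"]) for h in hops],
        "multiple_default_next_hops": len(hops) > 1,
        "gateway_is_a_default_next_hop": any(h["via"] == gateway for h in hops),
    }


if __name__ == "__main__":
    print(default_route_summary(SHOW_ROUTE))
```

On the posted table it reports a DHCP-learned default route with two next hops, 10.1.1.1 and 125.236.209.196, both on interface o. The parser only reports what the table says; the thread ends without finding the cause, and that pair of next hops is the fact to reconcile against what the DSL router actually hands out before changing the config.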
10-11-2007 05:07 AM
I'm no expert here, so I'm not familiar with the routing for your setup. I'm only familiar with the static route to the outside. To post a new topic you'll want to go to the top of the "Conversations" link, where you'll see a "Start a New Conversation" link. Sorry I can't help further...
10-11-2007 01:20 PM
Thanks, I will post a new topic.
Cheers
Anita