ASA 5505 not picking external IP from ISP

Unanswered Question
Oct 11th, 2007

Hi geeks,

I've got trouble with the DHCP running on the ASA 5505. It is not picking up any external IP from the ADSL router. After iterative modification and testing, still no luck in accessing the Internet.

My set up is:

Internet--> DSL router--> ASA 5505

Here is the result after issuing "sh route" and "sh ip" command.

C 127.1.0.0 255.0.0.0 directly connected

C 192.168.1.0 255.255.255.0 directly connected

C 125.xxx.xxx.xxx 255.255.255.255 directly connected

d* 0.0.0.0 0.0.0.0 [1/0] via 125.xxx.xxx.xxx

Vlan 1: 192.168.1.1 255.255.255.0

Vlan 2: 125.xxx.xxx.xxx 255.255.255.255

c(config)# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname c

domain-name default.domain.invalid

enable password xxx

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif o

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

pager lines 24

logging asdm informational

mtu inside 1500

mtu o 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (o) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface o

dhcpd auto_config o

!

dhcpd address 192.168.1.2-192.168.1.33 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

Could you please give a clue on Internet access?

Many thanks

Anita

anitakuang Thu, 10/11/2007 - 13:44

Hi,

I am giving additional info regarding my setup here.

As I attempt to configure VPN using the ASA 5505, the ADSL router needs to be "half bridge". Before I launched any change, I already checked that the ADSL router alone was working properly. I also confirmed that the ASA 5505 can surf the Internet when connected to the ADSL router without "half bridge".

I think I must be missing something, could you please give me a clue on it?

Any comments or advice would be highly appreciated.

Anita

anitakuang Thu, 10/11/2007 - 13:53

Sorry for the confusing stuff, I have posted the wrong result.

I used a Dlink 302g as "half bridge" previously. It just worked fine with the ASA 5505, but no Internet access. Then I tried a NOKIA M1122, and it can't pick up any external IP.

My question is whether the Dlink is incompatible with the ASA 5505. If not, how to get Internet access using the ASA 5505 and the Dlink.

Many thanks

Anita

anitakuang Sat, 10/27/2007 - 21:34

Hi Noran,

Thanks for your quick replies.

Yes, the link light from the dlink router to ASA was up. Duplex / speeds settings were auto.

Actually, the outside interface of ASA can pick IP address directly from the dlink router with NAT, for example, 10.1.1.4. It can also pick IP address 125.xxx.xxx.xxx from the dlink router with half bridge, but all other routers, like linksys, netgear, alcatel and nokia don't.

Therefore, I believe it comes to the half bridge problem.

Since I am attempting to configure remote access VPN, any advice on the dlink router settings would be highly appreciated.

Cheers

Anita

andywang1 Wed, 11/28/2007 - 17:15

Anita,

Sadly, I have no answers for you but I am in the same boat. Any luck for you yet?

I have tried a dlink router and a Westell 2000 modem (with DHCP server built in) to provide a DHCP address to an ASA 5505. No luck. Both will provide DHCP addresses to other routers or networks no problem, just the Cisco won't pick one up.

If I configure the Cisco with a static IP on the outside interface, I can access the dlink's Web interface no problem. If I switch to DHCP and try to renew, I always get a "DHCP lease has not been renewed" error.

I checked the config on the Cisco and it is correctly "ip address dhcp setroute". But the ip address always shows up as unassigned.

I am running 7.2(2) firmware.

Help! I am a moron!!

kumlait2004 Sat, 12/08/2007 - 07:38

Here is a solution:

If you are running 7.2.3 or later you have a checkbox in ASDM Configuration / Interfaces / Outside / Edit / General. Check the value in "For the client identifier in DHCP option 61" - "Use Mac address".

If you don't have 7.2.3 you can in 7.2.2 try this:

In ASDM open configuration / Interfaces. Click outside (in my case 0/0) and press Edit. Then open the tab Advanced and set the correct Active Mac address for outside. You will find the correct MAC address under the help menu / "About ASA".

I'm sure there is some other way to do this but this is a simple "how-to" that works with Sweden's biggest ISP and their standard DSL modem.

Hope this helps!
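
Added example, not part of any post in this thread: a small Python parser that reads the options of a DHCP request and reports whether option 61 (the client identifier discussed above) carries the interface MAC address or a text string, which is the difference the ASDM checkbox controls. The function names and all sample bytes are constructed for illustration, and the "cisco-..." string format is an assumption.

```python
# Added example: classify the DHCP client identifier (option 61) in a request.
# All byte strings below are constructed samples, not captures from the thread.

def parse_options(options: bytes) -> dict:
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    found, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        found[code] = value
        i += 2 + length
    return found

def classify_client_id(options: bytes, chaddr: bytes) -> str:
    """Report what kind of identifier the client put in option 61."""
    cid = parse_options(options).get(61)
    if not cid:
        return "absent"
    id_type, body = cid[0], cid[1:]
    if id_type == 1 and len(body) == 6:      # 1 = Ethernet hardware type
        return "mac" if body == chaddr else "mac-differs-from-chaddr"
    if id_type == 0:                         # 0 = not a hardware address
        return "string:" + body.decode("ascii", "replace")
    return f"other-type-{id_type}"

def option(code: int, value: bytes) -> bytes:
    """Encode one option as code, length, value."""
    return bytes([code, len(value)]) + value

MAC = bytes.fromhex("001122334455")          # constructed interface MAC
DISCOVER = option(53, b"\x01")               # message type 1 = DHCPDISCOVER
WITH_MAC = DISCOVER + option(61, b"\x01" + MAC) + b"\xff"
WITH_STRING = DISCOVER + option(61, b"\x00cisco-0011.2233.4455-o") + b"\xff"  # assumed format
NO_ID = DISCOVER + b"\xff"

if __name__ == "__main__":
    for name, opts in [("mac", WITH_MAC), ("string", WITH_STRING), ("none", NO_ID)]:
        print(name, "->", classify_client_id(opts, MAC))
```

Feeding it the options field from a packet capture taken between the firewall and the modem shows which form of identifier the DHCP server actually receives.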

andywang1 Mon, 12/10/2007 - 14:30

It didn't work on my ASA with 7.2.2, but it seems that you are definitely on the right track. Also I only tried it so far with a dlink router as DHCP server.

I switched to static DSL at the same bum rate of 384-768MBps down (bad wiring in our area). Now I get to pay twice as much, so I will keep trying based on your suggestion. The DSL modem is still serving up DHCP.

Thanks for your excellent idea!

Andrew
