03-23-2008 01:21 PM - edited 02-21-2020 01:56 AM
I'm new to this and was asked to install this new ASA 5505 at the main office and eventually install site-to-site VPN (did it easily with RV042 but this one is more complex...).
Using ASDM 6, configuring a static ISP IP, there is no place to enter the ISP gateway. Am I missing something? This seemed to be there for older versions but is not there anymore???
The monitoring (home) page shows my outside interface as 'down' and no data 'recorded', but I can surf the web. Am I missing something again?
I'm new to this so I need basic help and the documentation is not clear on those issues.
Thanks to all
03-24-2008 06:57 PM
Typical ASA5505 configuration :
This is your outside Virtual interface
interface Vlan2
nameif outside
security-level 0
ip address
This is your physical outside interface
Interface ethernet0/0
speed auto
duplex auto
switchport access vlan 2
no shutdown
Make sure speed/duplex match at both ends with the ISP router: if hard-coded 100 full at the ISP router, the ASA 5505 Ethernet0/0 needs to be configured the same, with speed 100 and duplex full hard-coded; the same principle applies if auto/auto.
Ethernet0/0 physical port on asa5505 connects to ISP router Fast-ethernet interface.
Define default gateway on asa5505
route outside 0.0.0.0 0.0.0.0
If you are surfing the web you are probably looking at the wrong physical interface on asa5505 firewall.
HTH
Rgds
Jorge
03-27-2008 05:54 PM
Thanks for your reply,
Here's the present config
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
It's reset to factory except for the inside IP.
1) I need to set a static IP on the outside with the ISP gateway
2) I also need a static inside, since it will be connected to an SBS 2003 server which acts as the DHCP server for the network
3) I will also need to create VPNs with 3 other remote offices, also with static IPs
4) Strange: the 'Home' page of the ASDM shows the outside interface down and, most of the time, the inside interface also. Could that be that 'missing' route?
5) I guess the only proper way to configure these babies is via CLI; the GUI is not too helpful
I've done this easily with Linksys RV042s at all places, but the main office will have the ASA 5505. Should I also use the quick VPN to set them up? Or the 'manual' mode?
Thanks for your help
03-28-2008 02:16 PM
Paul, if you reset to factory default a few things will happen: the inside interface IP address will be configured with the IP you defined, dhcpd is turned on for the inside interface, and the outside VLAN2 SVI interface will also be configured with the "ip address dhcp setroute" statement.
To change these things you need to remove these statements and replace them with statements of your choice.
You can start with the following:
Have handy the tools and the static IP addresses you will be working with: your outside VLAN1 interface IP and your default route IP address, which will be your ISP Ethernet IP address.
For the sake of example, let's assume 20.20.20.1/24 is the IP address for your VLAN 1 SVI interface and 20.20.20.254 is the ISP next-hop router.
Let's start with your number 1 question; do all this connected to the console port, no telnet.
1-
asa(config)#interface Vlan2
asa(config-if)#no ip address dhcp setroute
asa(config-if)#ip address 20.20.20.1 255.255.255.0
asa(config-if)#exit
asa(config)#
Ensure that if the ISP router interface is configured as auto/auto your ASA Ethernet0/0 is also auto, which it is by default; if the ISP router is hard-coded for speed 100 and duplex full, the ASA Ethernet needs to be hard-coded to 100 full as well, with the speed 100 and duplex full commands under the Eth0/0 interface.
asa(config)#interface Ethernet0/0
asa(config-if)#switchport access vlan 2
asa(config-if)#description Connection to ISP_ROUTER
asa(config-if)#exit
asa(config)#
Define your default route:
asa(config)#route outside 0.0.0.0 0.0.0.0 20.20.20.254 1
Once you have this all configured, from the ASA ping your default route (ping 20.20.20.254); if it replies you're good.
2-
To change your inside IP address you need to remove dhcpd from the inside interface; this will eliminate DHCP services from the inside interface.
asa(config)#no dhcpd address 192.168.2.2-192.168.2.254 inside
asa(config)#no dhcpd enable inside
Then configure your inside interface:
asa(config)#interface vlan 1
asa(config-if)#ip address 192.168.2.1 255.255.255.0
asa(config-if)#description Inside_Private_Net
asa(config-if)#exit
asa(config)#
Also, allow inside subnet telnet access to the ASA; you already have HTTP:
asa(config)#telnet 192.168.2.0 255.255.255.0
3- For L2L IPsec tunnel configuration follow this link
4- Dunno... we'll see the results once you've resolved your 1st and 2nd questions.
5- Yes, CLI is good. You can use the VPN wizard from ASDM; please follow the link above that I provided you. The other side of the VPN tunnel can be anything as long as it supports IPsec standards; just follow the example in the link and you should be ok creating the tunnel.
HTH
Rgds
Jorge
Rate any helpful post
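As an added illustration (not code from the thread or from Cisco), a small Python check that parses a pasted ASA running config and flags the three things Jorge's steps fix: no static outside address, no default route (or a gateway outside the outside subnet), and the ASA DHCP server left on while the SBS 2003 box is meant to serve DHCP. The sample config is constructed from the thread's example addresses.

```python
import ipaddress
import re

# Constructed sample, not the poster's real config: the lines that matter after the
# static-IP changes, using the thread's example values 20.20.20.1/24 and 20.20.20.254.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 20.20.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 20.20.20.254 1
dhcpd address 192.168.2.2-192.168.2.254 inside
dhcpd enable inside
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"  # dotted quad; 'dhcp setroute' deliberately won't match

def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface block with a static address."""
    ifaces, nameif, addr = {}, None, None
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes last block
        if line.startswith("interface "):
            if nameif and addr:
                ifaces[nameif] = addr
            nameif, addr = None, None
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        if m := re.match(rf"\s*ip address {IP} {IP}$", line):
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def check_config(config):
    """Return findings for the issues the thread walks through (empty list = clean)."""
    findings = []
    outside = parse_interfaces(config).get("outside")
    if outside is None:
        findings.append("outside interface has no static IP address")
    routes = re.findall(rf"^route outside 0\.0\.0\.0 0\.0\.0\.0 {IP}", config, re.M)
    if not routes:
        findings.append("no default route on outside (ISP gateway missing)")
    elif outside and ipaddress.IPv4Address(routes[0]) not in outside.network:
        findings.append(f"gateway {routes[0]} is not in outside subnet {outside.network}")
    if re.search(r"^dhcpd enable inside", config, re.M):
        findings.append("ASA DHCP server still enabled on inside; conflicts with the SBS 2003 DHCP server")
    return findings

if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Paste the output of "show running-config" into SAMPLE_CONFIG (or read it from a file) to run the same checks against the real box before bringing up the tunnels.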
03-29-2008 10:35 AM
Thanks for your help,
After playing around I finally got everything to work. Your help was excellent and really helped me understand the basics and also correlate the CLI with the ASDM.
Now I will be on with the tunnels and try my way (or Cisco's way) around this part.
Thanks again
Paul
03-29-2008 11:21 AM
Paul, glad you have it resolved; I'm also glad I could help.
I forgot to add another link because you said that you will configure three different VPNs, establishing L2L VPN tunnels with three different sites. When you configure your first L2L VPN you may want to reference the link below for adding a second L2L tunnel to an already existing L2L VPN; the same principle applies for a 3rd or 4th L2L VPN with different peers.
Don't forget to rate the post; this encourages everyone to help out and participate in the forum.
Add a new L2L VPN or RA VPN to an existing L2L Tunnel.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml
HTH
Rgds
Jorge
03-29-2008 12:29 PM
Thanks again. I'll let you know how it goes with the VPNs.
I have also rated the post
Paul