Setup ASA 5505 Routed Subnet SDSL

Unanswered Question
Nov 15th, 2008
User Badges:

Hi All,


I'm fighting my ASA 5505 for a couple of days now, but I can't get it work for me the way it should....Situation:


SDSL Routed Subnet Internet Connection

IP: x.x.x.83/29


I setup my Outside port (port '0') with IP x.x.x.84/29


Cisco IP: 192.168.1.55 (connected ASDM GUI)


: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.55 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.84 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool x_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route inside 0.0.0.0 0.0.0.0 x.x.x.83 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.220-192.168.1.250 inside

dhcpd enable inside

!


group-policy Demiam_Tunnel internal

group-policy Demiam_Tunnel attributes

dns-server value 192.168.1.1

vpn-tunnel-protocol IPSec

username ralfmusterd password xxx encrypted privilege 0

username ralfmusterd attributes

vpn-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel type ipsec-ra

tunnel-group Demiam_Tunnel general-attributes

address-pool Demiam_Pool1

default-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

: end

asdm image disk0:/asdm-524.bin

no asdm history enable


I can't connect from the inside network to the internet...I guess I need to modify/add any rules. but don'no what en where...Please help, thanks!

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Mohamed Sobair Sat, 11/15/2008 - 04:01
User Badges:
  • Gold, 750 points or more

Hi,


I think you are missing the following:


Global (Outside) 1 intterface , as long as (Nat) inside 1 , Global (Outside)1 configured , then there is no additional rules to permit the traffic from higher Security Level to a lower Security level.


also you need to correct the following:


from


route inside 0.0.0.0 0.0.0.0 x.x.x.83


to


route outside 0.0.0.0 0.0.0.0 x.x.x.83


HTH

Mohamed

Tim Roelands Sat, 11/15/2008 - 05:04
User Badges:

Mohamed,


Thanks for your reply!


I have changed route 'inside' to 'outside' without any problems...but...can you be more explicite about the next one;


'Global (Outside) 1 intterface , as long as (Nat) inside 1 , Global (Outside)1 configured , then there is no additional rules to permit the traffic from higher Security Level to a lower Security level.'


I do not understand...thanks again!



Jon Marshall Sat, 11/15/2008 - 05:55
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

What Mohamed means is that you have


nat (inside) 1 0.0.0.0 0.0.0.0


but you have no global (outside) 1 interface statement to match.


Your inside addresses are 192.168.1.x, these addresses will not route on the Internet so you need to NAT/PAT them to the public IP on your outside interface. You do this by matching


nat (inside) 1 0.0.0.0 0.0.0.0


with


global (outside) 1 interface


So apart from your nat (inside) 0 exemption all traffic destined for the Internet from inside will be natted to the public IP on the outside interface of your ASA.


Traffic by default is allowed from a higher security (your inside interface) to a lower security (your outside interface) so you do not need to update any access-lists. Remember with a stateful firewall once you allow traffic one way the return traffic is allowed without an acl.


So if you just add "global (inside) 1 interface" you should be able to get connectivity to the Internet.


Jon

Tim Roelands Sat, 11/15/2008 - 11:08
User Badges:

I starting to feel a bit stupid to be honest.. :(


I set up what I think is correct, here the changes....damn this is harder then I thought...


: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.55 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 87.x.x.84 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240

access-list outside_nat_outbound extended permit ip 87.x.x.80 255.255.255.248 192.168.1.240 255.255.255.240

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool Demiam_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 87.x.x.83 netmask 255.255.255.248

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 access-list outside_nat_outbound

route outside 0.0.0.0 0.0.0.0 87.x.x.83 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.220-192.168.1.250 inside

dhcpd enable inside

!


group-policy Demiam_Tunnel internal

group-policy Demiam_Tunnel attributes

dns-server value 192.168.1.1

vpn-tunnel-protocol IPSec

username ralfmusterd password xxx encrypted privilege 0

username ralfmusterd attributes

vpn-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel type ipsec-ra

tunnel-group Demiam_Tunnel general-attributes

address-pool Demiam_Pool1

default-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

asdm image disk0:/asdm-524.bin

no asdm history enable



Jon Marshall Sat, 11/15/2008 - 12:10
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

I starting to feel a bit stupid to be honest.. :(


:-), you should have seen my recent performance in LAN Routing & Switching after i had had a few too many !!.


Don't worry everythings easy but only once you know how to do it.


You have set the following in your config


global (outside) 1 87.x.x.83 netmask 255.255.255.248


but 87.x.x.83 is the default-gateway of the ISP router or at least that is what you have in your router statement.


87.x.x.80 255.255.255.248 is your network which gives you


87.x.x.81 -> 87.x.x.86 as useable addresses with .87 as the broadcast address.


So you can use any of the above except .83 and the broadcast. Is there some reason you do not want to use the outside interface address on your ASA ie. 87.x.x.84 ?


If you don't mind using it replace


global (outside) 1 87.x.x.83 netmask 255.255.255.248


with


global (outside) 1 interface


If you want to use one of the other addresses


global (outside) 1 87.x.x.85 netmask 255.255.255.255


Jon

Tim Roelands Sun, 11/16/2008 - 04:02
User Badges:

Hi Jon,


Set it up like this now;


: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.55 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 87.x.x.84 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.240

access-list outside_nat_outbound extended permit ip 87.x.x.80 255.255.255.248 192.168.1.240 255.255.255.240

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool Demiam_Pool1 192.168.1.240-192.168.1.250 mask 255.255.255.240

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 87.x.x.85 netmask 255.255.255.248

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 1 access-list outside_nat_outbound

route outside 0.0.0.0 0.0.0.0 87.x.x.83 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs group1

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.220-192.168.1.250 inside

dhcpd enable inside

!


group-policy Demiam_Tunnel internal

group-policy Demiam_Tunnel attributes

dns-server value 192.168.1.1

vpn-tunnel-protocol IPSec

username ralfmusterd password xxx encrypted privilege 0

username ralfmusterd attributes

vpn-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel type ipsec-ra

tunnel-group Demiam_Tunnel general-attributes

address-pool Demiam_Pool1

default-group-policy Demiam_Tunnel

tunnel-group Demiam_Tunnel ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

asdm image disk0:/asdm-524.bin

no asdm history enable


But no go yet... I can't see this case in a helicoper view...damn. Thanks for your help Jon!

Jon Marshall Mon, 11/17/2008 - 14:17
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Things to check


1) From the firewall can you ping the default-gateway 87.x.x.83


2) What is the source IP address you are trying to access the internet from ?


3) If do you do a "sh xlate" or "sh running-config xlate" do you see a translation for the IP address in 2)


Jon

John Blakley Mon, 11/17/2008 - 14:18
User Badges:
  • Purple, 4500 points or more

Can you ping anything outside from a host on the 192.168.1.x subnet? I noticed in your dhcp settings, you aren't setting a dns server. If you can ping an address (4.2.2.1), I would add the dns settings to your scope (unless you're manually setting them, and then I'm way off).


dhcpd dns


--John

Actions

This Discussion