ASA 5510 no Internet - what am I doing wrong

Dec 9th, 2009

Hi, Thanks all in advance

I have an ASA 5510 configured with three ports: external, production, library.

Library and Production will get DNS and DHCP via a Windows server (just for diagnosing, I have set up the ISP's DNS on library for now).

Again, for diagnostics I have set all ports' security to 100.

What I would like to achieve is for internal PCs to access the Internet (one of many things).

I have a Linksys AM300 DSL modem in half bridge (if I connect this to a PC I get a public IP address and public default gateway and I can browse the Internet).

When I disconnect the PC and connect the same Ethernet cable from the DSL modem to the External interface of the ASA 5510, I do not see any IP address.

Please help - this will be the first of a series of questions - I am new to Cisco and this is my second experience with one.

IP addresses are marked as xxx for protection

Many Thanks

Result of the command: "show dhcpd state"

Context  Configured as DHCP Server
Interface External, Configured for DHCP CLIENT
Interface Production, Not Configured for DHCP
Interface library, Configured for DHCP SERVER
Interface management, Configured for DHCP SERVER


Result of the command: "sh interface e0/0"

Interface Ethernet0/0 "External", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Description: NZTC External Port
    MAC address 0024.c4cc.dd6a, MTU 1500


    IP address unassigned (why??????????????????????????)

    20 packets input, 6920 bytes, 0 no buffer
    Received 20 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    35 packets output, 12840 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/254)
    output queue (blocks free curr/low): hardware (255/254)
  Traffic Statistics for "External":
    20 packets input, 6560 bytes
    35 packets output, 11940 bytes
    0 packets dropped
      1 minute input rate 0 pkts/sec,  49 bytes/sec
      1 minute output rate 0 pkts/sec,  86 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  21 bytes/sec
      5 minute output rate 0 pkts/sec,  39 bytes/sec
      5 minute drop rate, 0 pkts/sec

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname NZTC
domain-name xxxxxcollege.local
enable password xqVcRhG. encrypted
passwd 2xdI.2KYOU encrypted
names
name 192.168.8.xx server1 description Domain Controller
name 192.168.8.xx server2 description Mail Server
name 192.168.8.x server5 description ISA Server
name 203.xx.134.xx mailfilter1 description mail filter server 1
name 203.xx.197.xx mailfilter2 description mail filter server 2
name 210.xx.118.xx datacentervpn description datacentervpn
name 202.27.158.40 ispDns1 description ispDNS1
name 192.168.8.xx server4 description Terminal Server
!
interface Ethernet0/0
description External Port
nameif External
security-level 100
ip address dhcp setroute
!
interface Ethernet0/1
description Production Network
nameif Production
security-level 100
ip address 192.168.8.252 255.255.255.0
!
interface Ethernet0/2
description Library Network
nameif library
security-level 100
ip address 192.168.9.252 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 2:00
dns server-group DefaultDNS
domain-name college.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service MSRDP tcp
description MS Remote Desktop Connection
port-object eq 3389
object-group service HTTPAlternate tcp
description Alternate HTTP port created to server ISA proxy
port-object eq 8080
object-group network DM_INLINE_NETWORK_1
network-object host 202.27.156.72
network-object host ispDns1
access-list External_access_in remark Inbound mail from mailfiltering primary server
access-list External_access_in extended permit tcp mailfiltering MailServer1 255.255.254.0 host server2 eq smtp inactive
access-list External_access_in remark Inbound mail from mailfiltering secondary server
access-list External_access_in extended permit tcp mailfiltering2 255.255.255.224 host server2 eq smtp inactive
access-list External_access_in remark Inbound web traffic to ISA for URL forwarding
access-list External_access_in extended permit tcp any host server5 eq www inactive
access-list External_access_in remark Inbound Secure web traffic (for Webmail)
access-list External_access_in extended permit tcp any host server2 eq https inactive
access-list External_access_in remark Inbound VPN traffic for server1
access-list External_access_in extended permit tcp any host server1 eq pptp inactive
access-list External_access_in remark Inbound VPN traffic for server1
access-list External_access_in extended permit gre any host server1 inactive
access-list library_access_in remark Enable\disable to grant Library PCs to access Production network
access-list library_access_in extended permit tcp 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0 object-group MSRDP inactive
access-list library_access_in remark Web proxy for library
access-list library_access_in extended permit tcp 192.168.9.0 255.255.255.0 host server5 eq 8080 inactive
access-list library_access_in remark temp
access-list library_access_in extended permit ip any any
access-list library_access_in extended permit tcp any any eq www
access-list Home_access_in extended permit ip any any
access-list Home_access_in remark temp dns
access-list Home_access_in extended permit udp 192.168.9.0 255.255.255.0 eq domain object-group DM_INLINE_NETWORK_1 eq domain
access-list Home_access_out extended permit ip any any
access-list library_access_out remark temp
access-list library_access_out extended permit tcp any eq www any eq www
pager lines 24
logging enable
logging timestamp
logging asdm debugging
mtu External 1500
mtu Production 1500
mtu library 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit any Production
icmp permit any library
icmp permit any management
asdm history enable
arp timeout 14400
nat-control
global (External) 1 interface
global (Production) 101 interface
nat (External) 1 0.0.0.0 255.255.255.255
access-group External_access_in in interface External
access-group library_access_in in interface library
access-group library_access_out out interface library
!
router rip
passive-interface default
!
route External 0.0.0.0 0.0.0.0 222.155.128.254 1 ( ************* have set ISP default gateway as a test - didn't work ***************)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca server
shutdown
cdp-url http://NZTC/+CSCOCA+/asa_ca.crl
issuer-name CN=NZTC
smtp from-address [email protected]
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcp-client broadcast-flag
dhcp-client client-id interface External
dhcpd dns XtraDns 202.27.156.72 interface External
dhcpd update dns both interface External
!
dhcpd address 192.168.9.50-192.168.9.100 library
dhcpd dns XtraDns 202.27.156.72 interface library
dhcpd enable library
!
dhcpd address 192.168.1.2-192.168.1.15 management
dhcpd domain nztertiarycollege.local interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ae8d5
: end

healthprime Wed, 12/09/2009 - 01:55

hi,

According to your configuration

1. As you have kept your external interface on DHCP, i.e. the IP will be assigned from the ISP side, which you won't be able to see in the ASA. Secondly, you have kept the security level at 100, which is the highest of all, but it won't work as you have not enabled the option that lets the traffic pass with the same security level.

2. First try to ping 4.2.2.2 (public DNS) from the ASA; this will show whether the Internet is working or not. If you are able to ping, then try to ping from a local machine. If you are able to ping from the local machine, then try to ping yahoo.com or google.com; if you are not, then DNS is not getting resolved, so in that case you need to contact your ISP for the same.

emil.roshan Wed, 12/09/2009 - 17:10

thanks healthprime

1) I am curious to find out why I cannot see the DHCP-assigned IP on the external interface. The DSL modem is a very simple one-Ethernet-port unit that is used domestically rather than in a corporate environment. If I connect my PC I can see the public IP and public gateway (since it is half bridge). The reason for half bridge is a) to avoid the DSL modem doing the NAT and PAT and for the ASA to have the public IP instead of a private IP, b) we have just one static IP and the ISP changes the gateway as they wish – every time I had to restart the DSL modem I have seen a different gateway IP address – with DHCP mode I can select “Obtain Default route from DHCP” on ASDM.

I must have missed the option to enable traffic between same levels – I had the security level of External set to 0 but changed it to 100 for diagnostics.

Going back to the point about not being able to see the DHCP-assigned IP address – what do I do when I need to troubleshoot later on?

2) Great, I will ping and let you know.

Thanks again for your suggestions, appreciate your time and efforts

busterswt Wed, 12/09/2009 - 16:14

I have a few recommendations for your config that you may or may not want to implement.

1) Set the security-level of your outside interface to 0. This is the lowest level, and will ensure that without ACLs in place the outside segment cannot access the inside segments.

2) If both your Library and Production segments need outbound Internet access without the use of static NAT, you might want to change your NAT statements to something similar to this:

global (External) 1 interface
nat (Production) 1 0.0.0.0 0.0.0.0
nat (Library) 1 0.0.0.0 0.0.0.0

3) You've got an ACL configured for traffic coming in and leaving the Library interface. While the inbound ACL permits IP-based traffic *from* your clients, it is being blocked by the outbound ACL on the same interface:

access-list library_access_out remark temp
access-list library_access_out extended permit tcp any eq www any eq www

(Implied deny all)

Your clients will not likely send traffic to port 80 from their own port 80, so you may want to modify that as well.

4) You do not have any kind of ACL configured for the production interface, so you will not be able to pass traffic to/from that interface.

5) You do not have an ACL permitting inbound ICMP requests, nor do you have the inside segments allowing ICMP replies or outbound ICMP requests, so you likely will not be able to ping anything.

6) Even though you are using DHCP on the outside interface, I'm pretty sure you should be able to do a 'sh ip' and see what you have been assigned. Whatever it is, it needs to be in the same network as 222.155.128.254 (the default gateway).

I'm sure there's plenty more that can be done, and the above are just suggestions that could very well be knocked down by someone more experienced.

Good luck!

James
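
Added example (not part of the reply above or of the original thread): a small Python audit of the interface and NAT lines from the posted running-config against recommendations 1 and 2. It assumes the pre-8.3 `nat`/`global` syntax shown on the page, takes the ISP-facing interface name as a parameter, and the function names `parse` and `audit` are hypothetical.

```python
import re

# Constructed excerpt: interface and NAT lines copied from the running-config posted above.
RUNNING_CONFIG = """\
interface Ethernet0/0
nameif External
security-level 100
ip address dhcp setroute
!
interface Ethernet0/1
nameif Production
security-level 100
ip address 192.168.8.252 255.255.255.0
!
interface Ethernet0/2
nameif library
security-level 100
ip address 192.168.9.252 255.255.255.0
!
nat-control
global (External) 1 interface
global (Production) 101 interface
nat (External) 1 0.0.0.0 255.255.255.255
"""

def parse(config):
    """Return ({nameif: security-level}, [(nat ifc, id)], [(global ifc, id)])."""
    levels, nats, globals_, name = {}, [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new interface block, nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
            levels[name] = None
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
        elif m := re.match(r"(nat|global) \((\S+)\) (\d+)", line):
            target = nats if m.group(1) == "nat" else globals_
            target.append((m.group(2), int(m.group(3))))
    return levels, nats, globals_

def audit(config, outside):
    """List findings to review, treating `outside` as the ISP-facing interface."""
    levels, nats, globals_ = parse(config)
    inside = [n for n in levels if n != outside]
    findings = []
    # Recommendation 1: the outside interface should sit below every inside one.
    for n in inside:
        if levels[outside] >= levels[n]:
            findings.append(f"security-level: {outside} ({levels[outside]}) "
                            f"is not below {n} ({levels[n]})")
    # Recommendation 2: each inside interface needs a nat whose id pairs with
    # a global on the outside interface.
    pat_ids = {i for ifc, i in globals_ if ifc == outside}
    for ifc, i in nats:
        if ifc == outside and i in pat_ids:
            findings.append(f"nat: 'nat ({outside}) {i}' is applied to the same "
                            f"interface as 'global ({outside}) {i}'")
    for n in inside:
        if not any(ifc == n and i in pat_ids for ifc, i in nats):
            findings.append(f"nat: no 'nat ({n})' paired with a 'global ({outside})'")
    return findings

if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, "External"):
        print(finding)
```
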

emil.roshan Wed, 12/09/2009 - 17:36

Thanks James Denton

1) Yes, it was set to 0 by default and I intend to change back to 0 - thanks for pointing out.

2) Yes, I need both subnets to have outbound Internet access – I will configure the unit and post back or ask more questions on this. I have a feeling it is more likely to be NAT or Firewall that is stopping it.

global (External) 1 interface

nat (Production) 1 0.0.0.0 0.0.0.0

nat (Library) 1 0.0.0.0 0.0.0.0

3) I will check this (I am at work but the ASA is at home now – lol), so are these the rules I need to set up on library port library out? I will check the rules and answer myself :)

access-list library_access_out remark temp

access-list library_access_out extended permit tcp any eq www any eq www

(Implied deny all)

Your clients will not likely send traffic to port 80 from their own port 80, so you may want to modify that as well.

Is there a built-in object that I can specify for web traffic, or are you suggesting to open all ports\high ports for web traffic on library_access_in and have port 80 open for library_access_out? Apologies for the newbie questions.

4) Yes, I wanted to get the Library network working (since production network DHCP and DNS are handled in a different way, and for testing I have the ASA at home now).

5) I thought I did this – I might have disabled ICMP at one stage.

6) That is exactly what I thought. I used the command show interface e0/0 and this is what I get every time. And why does the MAC address look funny? Or is it my limited knowledge?

Result of the command: "sh interface e0/0"

Interface Ethernet0/0 "External", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
    Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
    Description: NZTC External Port
    MAC address 0024.c4cc.dd6a, MTU 1500

    IP address unassigned (why??????????????????????????)

     20 packets input, 6920 bytes, 0 no buffer
    Received 20 broadcasts, 0 runts, 0 giants
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
    0 L2 decode drops
    35 packets output, 12840 bytes, 0 underruns
    0 output errors, 0 collisions, 1 interface resets
    0 late collisions, 0 deferred
    0 input reset drops, 0 output reset drops, 0 tx hangs
    input queue (blocks free curr/low): hardware (255/254)
    output queue (blocks free curr/low): hardware (255/254)
  Traffic Statistics for "External":
    20 packets input, 6560 bytes
    35 packets output, 11940 bytes
    0 packets dropped
      1 minute input rate 0 pkts/sec,  49 bytes/sec
      1 minute output rate 0 pkts/sec,  86 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  21 bytes/sec
      5 minute output rate 0 pkts/sec,  39 bytes/sec
      5 minute drop rate, 0 pkts/sec

Many thanks James, appreciate your comments. Still at work, can’t wait to go home and try both of your suggestions. Yeah... it is funny, I have to set it up using my own internet connection to avoid downtime to the college network – that’s the thing with little places :)

busterswt Wed, 12/09/2009 - 19:22

Hi Emil,

Couple of things here. If you set the security level on the outside interface to 0, both of the inside interfaces will inherently be able to send traffic to that interface. You do not need either of the 'same-security-traffic' commands to make this happen. *Only* if you set both of the inside interfaces to the same security level AND intend to send traffic between them will you need the 'same-security-traffic permit inter-interface' command PLUS ACLs to define what traffic is allowed.

You'll definitely need some kind of NAT (NAT Overload in the example I provided) to get both inside interfaces to be able to access the Internet. On the Library interface you have an inbound ACL that permits the following:

access-group library_access_in in interface library

1. access-list library_access_in remark Enable\disable to grant Library PCs to access Production network
2. access-list library_access_in extended permit tcp 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0 object-group MSRDP inactive
3. access-list library_access_in remark Web proxy for library
4. access-list library_access_in extended permit tcp 192.168.9.0 255.255.255.0 host server5 eq 8080 inactive
5. access-list library_access_in remark temp
6. access-list library_access_in extended permit ip any any
7. access-list library_access_in extended permit tcp any any eq www

Rule #6 really permits traffic to all networks (so #2 and #4 may be unnecessary), and #7 isn't ever hit. Rule #6 is allowing Library PCs to hit Production PCs on all ports. You would want to add some sort of deny under #2 like this:

2.   - access-list library_access_in extended permit tcp 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0 object-group MSRDP inactive

2.5 - access-list library_access_in extended deny tcp 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0

You could remove #6 and really tighten outbound traffic, but even if you left it, #2.5 would ensure proper intra-segment communication.

You also have an *outbound* ACL on the Library interface that is completely stopping traffic permitted in the inbound ACL:

access-group library_access_out out interface library

1. access-list library_access_out remark temp
2. access-list library_access_out extended permit tcp any eq www any eq www

Rule #2 is permitting outbound access from a client PC to a webserver *as long as* the source port and dest port are 80. Very unlikely this will happen, so either remove the source port or remove the rule altogether, as well as the access-group line.

You do not have any sort of ACLs in place for the Production network. You would probably want a similar access-list to that of the library interface, but swap the source and destination IPs when going from production to library. As it stands right now you don't have an access-group or an ACL to assign to it, so traffic is getting denied when leaving the production network.

Your 'sh int e0/0' output looks pretty normal, and you even have hit counts on the input and output counters. The MAC address looks normal. I don't know for sure, as I don't have much experience with DHCP on an outside interface, but it *may* say 'IP Address Unassigned' because you didn't specify a static within the interface config. You might try running 'sh ip' at the command prompt to see if you can see the DHCP-assigned address there. I won't be able to look at an ASA using DHCP until tomorrow to see how it works.

Good luck with the config. I hope at least *some* of my advice works out for you.

- James
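
Added example (not part of the reply above or of the original thread): a first-match evaluator in Python for the two library ACLs as posted, using the same rule numbering as the reply (remarks and inactive lines count). It handles only the ACE forms that appear on this page (`any`, `host`, network/mask, `eq`), the function names are hypothetical, and the client and web-server addresses are constructed.

```python
import ipaddress

# The two library ACLs as posted in the running-config above.
CONFIG = """\
access-list library_access_in remark Enable\\disable to grant Library PCs to access Production network
access-list library_access_in extended permit tcp 192.168.9.0 255.255.255.0 192.168.8.0 255.255.255.0 object-group MSRDP inactive
access-list library_access_in remark Web proxy for library
access-list library_access_in extended permit tcp 192.168.9.0 255.255.255.0 host server5 eq 8080 inactive
access-list library_access_in remark temp
access-list library_access_in extended permit ip any any
access-list library_access_in extended permit tcp any any eq www
access-list library_access_out remark temp
access-list library_access_out extended permit tcp any eq www any eq www
"""
PORTS = {"www": 80, "https": 443, "smtp": 25}  # port keywords used on this page

def _addr(tok):
    """Consume 'any', 'host A' or 'NET MASK'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT'; None means the ACE matches any port."""
    if tok[:1] == ["eq"]:
        return PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_acl(config, name):
    """Return the active ACEs of one ACL in order; 'n' is the thread's rule number."""
    rules, n = [], 0
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name]:
            continue
        n += 1
        if tok[2] != "extended" or tok[-1] == "inactive":
            continue  # remarks and inactive ACEs never match traffic
        rule = {"n": n, "action": tok[3], "proto": tok[4]}
        rule["src"], rest = _addr(tok[5:])
        rule["sport"], rest = _port(rest)
        rule["dst"], rest = _addr(rest)
        rule["dport"], rest = _port(rest)
        rules.append(rule)
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching ACE decides; falling off the end is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["sport"] not in (None, sport) or r["dport"] not in (None, dport):
            continue
        return r["action"], r["n"]
    return "deny", None

def covers(a, b):
    """True if ACE a matches every packet that ACE b matches."""
    return (a["proto"] in ("ip", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and a["sport"] in (None, b["sport"])
            and a["dport"] in (None, b["dport"]))

def shadowed(rules):
    """Rule numbers of ACEs made unreachable by an earlier ACE."""
    return [b["n"] for j, b in enumerate(rules)
            if any(covers(a, b) for a in rules[:j])]

if __name__ == "__main__":
    inbound = parse_acl(CONFIG, "library_access_in")
    outbound = parse_acl(CONFIG, "library_access_out")
    client, web = "192.168.9.60", "203.0.113.10"  # constructed addresses
    print("shadowed inbound rules:", shadowed(inbound))
    print("in,  client->web :", evaluate(inbound, "tcp", client, 49152, web, 80))
    print("out, client->web :", evaluate(outbound, "tcp", client, 49152, web, 80))
    print("out, web->client :", evaluate(outbound, "tcp", web, 80, client, 49152))
```
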

emil.roshan Wed, 12/09/2009 - 23:10

Many thanks James

I have done all of the stuff pointed out but still no go.. I am starting to pull my hair now...

After a few reboots and swapping the cable back and forth between the PC, DSL modem and ASA, I still can't get the public IP to show up on the interface. I have used the command to show IP as you pointed out... result:

Result of the command: "sh ip"

System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              External               unassigned      unassigned      DHCP 
Ethernet0/1              Production             192.168.8.252   255.255.255.0   CONFIG
Ethernet0/2              library                192.168.9.252   255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              External               unassigned      unassigned      DHCP 
Ethernet0/1              Production             192.168.8.252   255.255.255.0   CONFIG
Ethernet0/2              library                192.168.9.252   255.255.255.0   CONFIG
Management0/0            management             192.168.1.1     255.255.255.0   CONFIG

I have also disabled half bridge mode on the DSL modem and connected it just the normal way, still no IP.

And then via a switch, still it doesn't want to obtain an IP from the DSL modem. While the DSL modem is connected to the switch, if I plug another device into the same switch I get an IP from the DSL modem....

What are the funny things I need to look out for with the DHCP client on the ASA 5510? Do I need to enable\activate the DHCP client?

once again thanks a lot for your time

busterswt Thu, 12/10/2009 - 20:11

Hi Emil,

Looking over the DHCP config on my ASA at work, you already have the command in place on the outside interface to enable the DHCP client:

ip address dhcp setroute

The interface will obtain an IP from the DHCP server, and the ASA will set its default route to whatever the DHCP server provides. That said, you will want to remove the default route that you have set:

(no) route External 0.0.0.0 0.0.0.0 222.155.128.254 1

You can try removing the following line from the ASA to change the reply from the DHCP server to unicast from broadcast:

(no) dhcp-client broadcast-flag

You also won't be able to see the IP in a 'sh int e0/0', but would see it in a 'sh ip' if things are working normally.

James

emil.roshan Fri, 12/11/2009 - 17:50

Thanks James...

I had to attend to some Telecom problem and this task was pushed down the ladder.

Now back where we left it...

Yes, the default route was removed just after the original post above - it was a desperate attempt, which of course didn't work.

I was advised by a very good and knowledgeable friend to use the below - I am trying it out but I do have some trouble not being able to send some of the commands (I am using the command line tool provided by ASDM), it simply says it is incorrect - so more time on Google.

1. Go to your router's (ASA5500) config mode
!
ASA5500#conf t

ASA5500(config)#interface
ASA5500(config-if)#ip helper-address 192.168.8.252
ASA5500(config-if)#ip helper-address 192.168.9.252
ASA5500(config-if)#ip helper-address 192.168.1.1
ASA5500(config-if)#end
ASA5500#wr
!
2. Then check the router's (ASA5500) port if it has got the ip address
ASA5500#show ip int bri
or
ASA5500#show int
3. If the router's port doesn't get the ip address then shut and unshut the port, for Ex: if it is Fa0/1
!
ASA5500#conf t
ASA5500(config)#interface fa0/1

ASA5500(config-if)#shut
ASA5500(config-if)#no shut
ASA5500(config-if)#end
ASA5500#wr
!

reason provided for all above config was this...

Remember, DHCP requests are broadcast, and therefore blocked, by routers.

you should use ip helper-address command with the ip address of the DHCP server (which is in this case your DSL Modem)
The IP Helper Address feature converts broadcast messages into unicast messages. By default, when the IP Helper Address
feature is enabled, eight protocols are forwarded. These eight protocols and their
associated ports are:

1. TFTP (port 69)
2. DNS (port 53)
3. Time (port 37)
4. TACACS (port 49)
5. BOOTP client (port 68)
6. BOOTP server (port 67)
7. NetBIOS name service (port 137)
8. NetBIOS datagram service (port 138)

busterswt Fri, 12/11/2009 - 18:26

Hello Emil,

I don't believe the 'ip helper-address' commands work with an ASA, which could be why you're getting the command errors. While it's true a broadcast won't be routed, the DHCP server *will* be available to you from that outside interface. Otherwise, how would a PC get an IP? There really is only one line that I can see that enables the ASA to be a DHCP client, and that's 'ip address dhcp setroute' within the outside interface.

I can't recall, but were you able to hook a client PC directly to the DSL modem and get an IP? Do you have a link light on the ASA when plugged into the modem?

I'm really out of ideas here :/

James

emil.roshan Sat, 12/12/2009 - 14:45

well that explains why I get errors with that command....

Yes, if a PC is connected to the same Ethernet cable then it gets a public IP and gateway from the ISP; if I simply disconnect the cable from that PC and connect it to the External port on the ASA it does not get an IP - however the light blinks and everything else appears to be working...

I have also used the Renew DHCP under properties of the interface - which fails.
Under monitoring - Interface - DHCP client lease info I cannot see any data - it shows External - 0.0.0.0

I will try if the DSL modem supports DHCP reservations - so that I can enter the MAC address of the external port under the DSL modem and force it to hand over an IP.

Have also used a crossover cable - which did nothing - well, was expecting it anyway.

Funny enough, no one seems to have this problem; all of the other forums, posts, examples etc. take it for granted that the IP address is obtained automatically..

I have also tried resetting the unit via ASDM - it sends the command and waits for around 2 minutes and says time out. If I do reset the unit somehow, do I get back to the stage where all licenses etc. are loaded or do I need to have all that info and create a new boot image?

Thanks a lot..

Correct Answer
busterswt Sat, 12/12/2009 - 16:44

Perhaps the ISP blocks certain MAC addresses from getting IPs to prohibit connection sharing? You may try implementing the following command within the outside interface and see if it helps:

asa(config-if)# mac-address xx.yy.zz.aa.bb.cc

Put the MAC address of a working client PC in there instead of the bogus address. Save the config and reboot the ASA, and see then if you get an IP.

Good luck!

emil.roshan Sat, 12/12/2009 - 20:48

Great, great, great it worked.... thanks James. thanks a lot. it worked like a charm.

I also had to do the NAT rules you mentioned above to get it working.

Now I am stuck with SMTP - will open up a new thread.

Many Thanks
