Fixed ip(pc)--->(e1)2600(e0)-dhcp-->asa5505

Apr 1st, 2010
Good Morning Team,

Sorry this may bore lots of you, but it is a headache for me trying to learn.

As you see above Fixed ip(pc)--->(e1)2600(e0)-dhcp-->asa5505

From within the router via con port, I can ping both directions
eg: ping 192.168.2.2 = PC
ping 192.168.1.1 = asa5505 gateway

But pinging from the PC direct to the firewall doesn't work, or to the outside world

Below is my listing if anyone can help it would be great

Thanks from Alan

!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2600-i-mz.123-19a.bin
boot-end-marker
!
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.40
!
ip dhcp pool locallan
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.23.3.100 212.23.6.100
!
!
!
!
!
interface Ethernet0/0
ip address dhcp
ip nat outside
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
full-duplex
!
ip nat inside source list 101 interface Ethernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any log
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Correct Answer by Jon Marshall about 6 years 8 months ago

Alan

The speed could be duplex settings on your router. Check that everything is running full-duplex preferably at 100Mbps.

Glad we got there in the end

Please mark this post as solved.

Jon

Overall Rating: 5 (1 ratings)
Jon Marshall Thu, 04/01/2010 - 07:41

Stewart

Can you post from the router -

1) sh ip route

2) sh ip int brief

also why do you have a DHCP pool for 192.168.1.0/24 and then have the router interface using DHCP, does the ASA also have a DHCP pool for 192.168.1.0/24 ?

Jon

stewartrose Thu, 04/01/2010 - 07:58

Hi Jon

Let me try and explain: the asa5505 is a firewall, as you know, it has the adsl router feeding into it, and the output port is dhcp (192.168.1.1 - 192.168.1.127), and I have three computers feeding from that point, so I thought the Ethernet0/0 would also need to be set at dhcp. I have no problem changing things if you come up with a better idea; as I said, I am learning, probably the hard way.

Thanks from Alan

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [254/0] via 192.168.1.1

Router#show ip int brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    192.168.1.46    YES DHCP   up                    up
Serial0/0          unassigned      YES TFTP   administratively down down
FastEthernet0/1    192.168.2.1     YES manual up                    up
Serial0/1          unassigned      YES TFTP   administratively down down
Router#

stewartrose Thu, 04/01/2010 - 08:00

Hi Jon,

So you are not confused, I copied the config to another 2600, just to prove the router was ok, hence Ethernet0/0 and FastEthernet0/0

Jon Marshall Thu, 04/01/2010 - 08:24

Stewart

Because you are NATting on the router the ASA should have a route back, so it doesn't look like a missing route on the firewall.

Just to clarify, the ASA has a DHCP pool in the 192.168.1.0/24 subnet, does it ?

If so can you exclude an address from that pool and manually assign it to the 2600 e0 interface.

Then try the ping again and post the output of a "sh ip nat translations" from the 2600 router after you have done it.

Jon

stewartrose Thu, 04/01/2010 - 08:33

Hi Jon,

I think a config will answer your questions better than me . thank you for your help...

ASA Version 7.2(3)
!
hostname power-plant
domain-name power-plant.com
enable password xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 82.x.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name power-plant.com
object-group service srvgrp_dns tcp-udp
port-object eq domain
object-group service srvgrp_tcp tcp
port-object eq www
port-object eq ftp
port-object eq pop3
port-object eq ssh
port-object eq https
object-group icmp-type srvgrp_ping
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service srvgrp_udp udp
port-object eq domain
access-list outside_in extended permit icmp any any object-group srvgrp_ping
access-list outside_in extended permit tcp any any object-group srvgrp_tcp
access-list outside_in extended permit udp any any object-group srvgrp_dns
access-list outside_in extended permit udp any any object-group srvgrp_udp
pager lines 45
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd ping_timeout 750
dhcpd domain power-plant.com
!
dhcpd address 192.168.1.2-192.168.1.127 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:6164cd9900911563a4a2aebddee37e4b
: end

Jon Marshall Thu, 04/01/2010 - 08:39

Stewart

Okay you are handing out addresses on the ASA. Can you simply change the following -

dhcpd address 192.168.1.2-192.168.1.127 inside

to

dhcpd address 192.168.1.3-192.168.1.127 inside

and then configure 192.168.1.2 on the e0 interface of your router.

Also does your 2600 need to hand out any 192.168.1.x addresses because if it doesn't then can you remove the DHCP pool configured on your 2600.

Then ping again from PC and post "sh ip nat translations"

Jon

stewartrose Thu, 04/01/2010 - 10:18

Hi Jon,

Did the mods as said. I pinged from the pc to 192.168.1.1 and it worked, tried again and it did not work..

So I tried pinging the internet and nothing returned...

so here is the command you gave me before with new results, and the config file...

All the best from Alan

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1

Router#show ip int
Router#show ip interface br
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    192.168.1.2     YES manual up                    up
Serial0/0          unassigned      YES TFTP   administratively down down
FastEthernet0/1    192.168.2.1     YES manual up                    up
Serial0/1          unassigned      YES TFTP   administratively down down

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip http server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.1 log-input
no cdp run
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
login
!
end

stewartrose Thu, 04/01/2010 - 10:25

Hi Jon,

I noticed now the DHCP is gone, there is no route so I added ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/1

S* 0.0.0.0/0 is directly connected, FastEthernet0/0

I can ping 192.168.1.2 but not beyond that or to the asa gateway...

I hope this helps

All the best from Alan

Jon Marshall Thu, 04/01/2010 - 10:33

stewartrose wrote:

Hi Jon,

I noticed now the DHCP is gone, there is no route so I added ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

C 192.168.1.0/24 is directly connected, FastEthernet0/0

C 192.168.2.0/24 is directly connected, FastEthernet0/1

S* 0.0.0.0/0 is directly connected, FastEthernet0/0

I can ping 192.168.1.2 but not beyond that or to the asa gateway...

I hope this helps

All the best from Alan

Alan

Can you change your default-route to

ip route 0.0.0.0 0.0.0.0 192.168.1.1

can you remove the "ip nat inside" from fa0/1

can you remove the "ip nat outside" from fa0/0

can you change your acl 101 back to

access-list 101 permit ip 192.168.2.0 0.0.0.255 any

can you add this to the ASA firewall -

route (inside) 192.168.2.0 255.255.255.0 192.168.1.2

Finally are you sure that nothing else could be getting the 192.168.1.2 address ie. could the ASA have handed this out to another device as well as the router.

Apologies for all the change requests, I am just trying to get your config to a standard type setup.

Edit - and oh, apologies for keeping on calling you Stewart

Jon
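Why the reply above pairs "remove NAT from the router" with a new route on the ASA, shown as an added example (not code from the thread). It runs a longest-prefix-match lookup over the ASA's routing table for the three combinations discussed; the 203.0.113.x outside addressing is a constructed placeholder because the thread masks the real public range, and the function names are hypothetical.

```python
import ipaddress

ROUTER_OUTSIDE_IP = "192.168.1.2"   # 2600 fa0/0, from the thread
ASA_INSIDE_NET = "192.168.1.0/24"   # ASA Vlan1 "inside", from the thread
PC_NET = "192.168.2.0/24"           # LAN behind the 2600, from the thread
# Constructed placeholders: the thread masks the public addressing (82.x.x.x/29).
ASA_OUTSIDE_NET = "203.0.113.0/29"
ISP_NEXT_HOP = "203.0.113.1"


def asa_routes(with_static_route):
    """ASA routing table as (prefix, egress interface, next hop) tuples."""
    routes = [
        (ASA_INSIDE_NET, "inside", None),        # connected
        (ASA_OUTSIDE_NET, "outside", None),      # connected
        ("0.0.0.0/0", "outside", ISP_NEXT_HOP),  # route outside 0.0.0.0 0.0.0.0 ...
    ]
    if with_static_route:
        # route inside 192.168.2.0 255.255.255.0 192.168.1.2
        routes.append((PC_NET, "inside", ROUTER_OUTSIDE_IP))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns the winning (network, interface, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best


def source_seen_by_asa(pc_ip, router_nat):
    """With PAT overload on the 2600 the ASA only ever sees the router's fa0/0 address."""
    return ROUTER_OUTSIDE_IP if router_nat else pc_ip


def reply_egress(pc_ip, router_nat, asa_static_route):
    """Interface and next hop the ASA uses to send a reply back toward the PC."""
    src = source_seen_by_asa(pc_ip, router_nat)
    _, iface, next_hop = lookup(asa_routes(asa_static_route), src)
    return iface, next_hop


if __name__ == "__main__":
    for nat, static in [(True, False), (False, False), (False, True)]:
        iface, hop = reply_egress("192.168.2.2", nat, static)
        verdict = "reaches the PC" if iface == "inside" else "sent to the ISP, lost"
        print(f"router NAT={nat!s:5} ASA static route={static!s:5} -> "
              f"reply leaves {iface} (next hop {hop}): {verdict}")
```
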

stewartrose Thu, 04/01/2010 - 11:11

Hi Jon,

Stop worrying, I am happy to change anything to get it working, and I learn from it as well, double bonus, and don't worry about my name, my parents could not afford a second name for me, so I think I will be Alan Stewart Walker, how's that..:)

Right I did the mods, the one for the ASA I had to change it, (inside) --> inside it did not like brackets

The rest was fine Jon..

All the best from Alan

Router#show ip interface brief
Interface          IP-Address      OK? Method Status                Protocol
FastEthernet0/0    192.168.1.2     YES manual up                    up
Serial0/0          unassigned      YES TFTP   administratively down down
FastEthernet0/1    192.168.2.1     YES manual up                    up
Serial0/1          unassigned      YES TFTP   administratively down down

Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.1.0/24 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 192.168.1.1

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
login
!
end

stewartrose Thu, 04/01/2010 - 11:14

Hi Jon,

I forgot the important question, I use wireshark, and nothing is on 192.168.1.2, with the router switched off...

All the best from Alan

stewartrose Thu, 04/01/2010 - 11:23

Hi Jon,

I can ping 192.168.1.1 now all the time, but no further..

All the best from Alan

stewartrose Thu, 04/01/2010 - 11:26

Hi Jon,

If I go into the router via the console, and ping google.com it comes back and says Translating "google.com" ...domain server

% Unrecognized host or address, or protocol not running..

All the best from Alan

Jon Marshall Thu, 04/01/2010 - 11:39

stewartrose wrote:

Hi Jon,

If I go into the router via the console, and ping google.com it comes back and says Translating "google.com" ...domain server

% Unrecognized host or address, or protocol not running..

All the best from Alan

Alan

This is because the router is no longer getting a DHCP address from the ASA together with DNS servers so it can't do DNS lookups. This isn't a problem once it's all working as normally routers don't access web pages.

What we will have to do is tell your 192.168.2.x PC what DNS servers to use, hence the reason at the moment i asked you to test with an IP address.

We can setup a DHCP pool for 192.168.2.x on your router when we get internet access working for IP addresses if you want. Note the DHCP pool we deleted was for 192.168.1.x and not 192.168.2.x so we are not just putting back what we deleted

Jon

Jon Marshall Thu, 04/01/2010 - 11:32

stewartrose wrote:

Hi Jon,

I can ping 192.168.1.1 now all the time, but no further..

All the best from Alan

Alan

Making progress

On your ASA I have just noticed you have an access-list outside_in but you haven't applied it to the outside interface ie.

ASA(config)# access-group outside_in in interface outside

Also when you ping make sure you ping something beyond the ASA and by IP not DNS name to start with. If you try to ping the outside IP of the ASA it won't work so try the next-hop from the ASA ie. the ISP router.

Also couple of other things -

1) can you edit your previous posts and where you have public IPs just leave the last octet ie. x.x.x.82 for your outside IP on the ASA and also the default-route on the ASA - best to keep those sort of things out of posts.

2) your access-list on the ASA is wide open so is this just a temporary acl to test with ?

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
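The two ACL observations in the reply above (the list was defined but not applied, and once applied it permits any source to any destination) can be checked mechanically. This is an added example, not code from the thread: the config lines are copied from the ASA listing posted earlier plus the suggested access-group command, and the function names are hypothetical.

```python
import re

# Copied from the ASA config posted in this thread, plus the access-group
# command suggested in the reply above.
ASA_CONFIG = """\
object-group service srvgrp_dns tcp-udp
 port-object eq domain
object-group service srvgrp_tcp tcp
 port-object eq www
 port-object eq ftp
 port-object eq pop3
 port-object eq ssh
 port-object eq https
object-group icmp-type srvgrp_ping
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object unreachable
object-group service srvgrp_udp udp
 port-object eq domain
access-list outside_in extended permit icmp any any object-group srvgrp_ping
access-list outside_in extended permit tcp any any object-group srvgrp_tcp
access-list outside_in extended permit udp any any object-group srvgrp_dns
access-list outside_in extended permit udp any any object-group srvgrp_udp
access-group outside_in in interface outside
"""

ACE_RE = re.compile(
    r"\s*access-list (\S+) extended permit (\S+) any any"
    r"(?: object-group (\S+))?\s*$"
)
BIND_RE = re.compile(r"\s*access-group (\S+) (in|out) interface (\S+)")


def parse_object_groups(text):
    """Map object-group name -> list of member services / ICMP types."""
    groups, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "object-group" and len(words) >= 3:
            current = groups.setdefault(words[2], [])
        elif words[0] in ("port-object", "icmp-object") and current is not None:
            current.append(words[-1])
        else:
            current = None          # any other command ends the group body
    return groups


def bound_acls(text):
    """Map ACL name -> (direction, interface) from access-group commands."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in map(BIND_RE.match, text.splitlines()) if m}


def any_any_permits(text, interface="outside"):
    """List (acl, protocol, service) for every any->any permit that is
    actually applied inbound on the given interface."""
    groups, bindings = parse_object_groups(text), bound_acls(text)
    findings = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        acl, proto, grp = m.groups()
        if bindings.get(acl) != ("in", interface):
            continue                # defined but not applied: no effect
        for svc in (groups.get(grp, ["any"]) if grp else ["any"]):
            findings.append((acl, proto, svc))
    return findings


if __name__ == "__main__":
    for acl, proto, svc in any_any_permits(ASA_CONFIG):
        print(f"{acl}: permit {proto}/{svc} from any to any, inbound on outside")
```
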

stewartrose Thu, 04/01/2010 - 11:42

Hi Jon,

I added the line on the ASA. Mmmm, don't like an open firewall

Ok I pinged an IP in Canada, should be far enough away

and that was within the router itself, then did it for the PC and still nothing...

All the best from Alan

Jon Marshall Thu, 04/01/2010 - 11:45

Alan

Can you post "sh running-config xlate" or "sh xlate" from the ASA after you ping ?

Can you try pinging the ISP next-hop from the ASA ?

Jon

stewartrose Thu, 04/01/2010 - 11:51

Hi Jon, this is getting interesting well for me it is..

All the best from Alan

18 in use, 956 most used
PAT Global x.x.x.82(15) Local 192.168.1.2 ICMP id 4792
PAT Global x.x.x.82(4512) Local 192.168.1.3(1026)
PAT Global x.x.x.82(14435) Local 192.168.1.3(3305)
PAT Global x.x.x.82(4511) Local 192.168.1.3(63826)
PAT Global x.x.x.82(14433) Local 192.168.1.3(3302)
PAT Global x.x.x.82(4510) Local 192.168.1.3(63591)
PAT Global x.x.x.82(14431) Local 192.168.1.3(3300)
PAT Global x.x.x.82(14430) Local 192.168.1.3(3298)
PAT Global x.x.x.82(14425) Local 192.168.1.3(3292)
PAT Global x.x.x.82(14424) Local 192.168.1.3(3291)
PAT Global x.x.x.82(14387) Local 192.168.1.3(3231)
PAT Global x.x.x.82(14050) Local 192.168.1.3(2643)
PAT Global x.x.x.82(14048) Local 192.168.1.3(2641)
PAT Global x.x.x.82(14047) Local 192.168.1.3(2640)
PAT Global x.x.x.82(4470) Local 192.168.1.3(21403)
PAT Global x.x.x.82(13731) Local 192.168.1.3(2051)
PAT Global x.x.x.82(11812) Local 192.168.1.3(3201)
PAT Global x.x.x.82(10305) Local 192.168.1.3(4527)
    I remembered

Jon Marshall Thu, 04/01/2010 - 11:59

Alan

Can you ping the address in Canada from the actual firewall itself - you may have to temporarily add this to your firewall -

icmp permit any outside

Jon

stewartrose Thu, 04/01/2010 - 12:05

Hi Jon,

That ip was useless, looks like it does not accept, so I tried another one, and have success from everywhere

well done so far...

All the best from Alan

Jon Marshall Thu, 04/01/2010 - 12:06

stewartrose wrote:

Hi Jon,

That ip was useless, looks like it does not accept, so I tried another one, and have success from everywhere

well done so far...

All the best from Alan

So what else do we need to sort out ?

Jon

stewartrose Thu, 04/01/2010 - 12:09

Hi Jon,

MM...can we do it so I can get to a website url is that possible please... then fix my security HOLE you found

All the best from Alan

Jon Marshall Thu, 04/01/2010 - 12:14

stewartrose wrote:

Hi Jon,

MM...can we do it so I can get to a website url is that possible please... then fix my security HOLE you found

All the best from Alan

From PC2 ?

Well you can either manually add the DNS servers (the ones configured under the DHCP pool on the ASA) or you can add a DHCP pool for 192.168.2.x network to the router with the same DNS servers as on the ASA. If you have many clients then probably best to setup DHCP pool on the router.

As for the firewall if you just want web access then remove the access-list from the interface ie.

ASA(config)# no access-group outside_in in interface outside

you don't need an acl to allow return traffic back in for stateful traffic such as http which is why you could access this forum even without the access-list applied. We only applied it for ping.

If you want ping access then rather than use an acl turn on ICMP inspection on the ASA firewall and then you won't need an acl on the outside. You will only need an acl on the outside interface if you start hosting servers that you want internet users to be able to access.

Jon

stewartrose Thu, 04/01/2010 - 12:20

Hi Jon,

I thank you very much, you put a lot of time into this and I am very happy, I have learnt a great deal of information, and looking at the views on this forum I think a few more people have gained some insight too....

Thanks again Jon

All the best from Alan

Jon Marshall Thu, 04/01/2010 - 12:22

Alan

No problem, glad to have helped.

Jon


stewartrose Fri, 04/02/2010 - 00:14

Good Morning Jon,

Sorry I am in trouble on the last part, cannot seem to get the browser to work with domain names...

"Well you can either manually add the DNS servers (the ones configured under the DHCP pool on the ASA) or you can add a DHCP pool for 192.168.2.x network to the router with the same DNS servers as on the ASA. If you have many clients then probably best to setup DHCP pool on the router."

Could I have the code for both methods please Jon.

All the best from Alan

Jon Marshall Fri, 04/02/2010 - 01:20

stewartrose wrote:

Good Morning Jon,

Sorry I am in trouble on the last part, cannot seem to get the browser to work with domain names...

"Well you can either manually add the DNS servers (the ones configured under the DHCP pool on the ASA) or you can add a DHCP pool for 192.168.2.x network to the router with the same DNS servers as on the ASA. If you have many clients then probably best to setup DHCP pool on the router."

Could I have the code for both methods please Jon.

All the best from Alan

Alan

Your ASA is handing out these DNS servers - 212.23.3.100 212.23.6.100

To add manually you go into the networking properties on the PC ie. where you set a static IP you can also specify DNS servers.

To do it via DHCP from the router -

! note you can exclude any IPs from the pool that you want to here
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool locallan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 212.23.3.100 212.23.6.100
!

Jon

If this works can you mark the post as solved as this helps others when searching for answers.

stewartrose Fri, 04/02/2010 - 01:31

Good Morning Jon,

Thank you for getting back to me, and I understand a lot more now, but do I need to change FastEthernet0/1 port to dhcp for the second option.

All the best from Alan

Jon Marshall Fri, 04/02/2010 - 01:33

stewartrose wrote:

Good Morning Jon,

Thank you for getting back to me, and I understand a lot more now, but do I need to change FastEthernet0/1 port to dhcp for the second option.

All the best from Alan

Alan

No you don't, you just need to exclude fa0/1 IP address from the DHCP scope. Adding a DHCP scope to a router does not mean you have to run DHCP on the interface, they are 2 separate things.

Jon

stewartrose Fri, 04/02/2010 - 01:45

Hi Jon,

I did what you suggested, but it still doesn't work from the browser, it does if I use an "ip" but not a domain name...

Here is the config, I hope I have done it right

Thanks from Alan

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
memory-size iomem 10
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool firewall
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 212.23.3.100 212.23.6.100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
login
!
end

Jon Marshall Fri, 04/02/2010 - 04:02

Alan

PC1 is working correct ?

If so and they are windows PCs can you post an ipconfig /all from both PC1 and PC2

Jon

stewartrose Fri, 04/02/2010 - 04:13

Hi Jon on PC1

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Alan Walker>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : highforc-55aqzc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : power-plant.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : power-plant.com
        Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E G
igabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-1F-D0-27-A6-A7
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.3
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 212.23.3.100
                                            212.23.6.100
        Lease Obtained. . . . . . . . . . : 02 April 2010 11:53:37
        Lease Expires . . . . . . . . . . : 02 April 2010 12:53:37

C:\Documents and Settings\Alan Walker>

PC2 is a linux machine Fedora 12, will ifconfig give you what you need

[[email protected] dev]# ifconfig
eth1      Link encap:Ethernet HWaddr 00:30:48:94:C3:62
          inet addr:192.168.2.2 Bcast:192.168.2.255 Mask:255.255.255.0
          inet6 addr: fe80::230:48ff:fe94:c362/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:25326 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13374 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:35213800 (33.5 MiB) TX bytes:905608 (884.3 KiB)
          Memory:d3300000-d3320000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:16 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1484 (1.4 KiB) TX bytes:1484 (1.4 KiB)

wlan0     Link encap:Ethernet HWaddr 00:11:95:91:E7:3D
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

All the best from Alan

Jon Marshall Fri, 04/02/2010 - 04:28

Alan

For the linux PC can you post the contents of the file /etc/resolv.conf.

Jon

Jon Marshall Fri, 04/02/2010 - 04:36

Alan

Are you using DHCP for PC2 or are you still using static IP ?

Add this to your resolv.conf -

nameserver 212.23.3.100

nameserver 212.23.6.100

and then retest.

Jon

stewartrose Fri, 04/02/2010 - 04:47

Hi Jon,

My config is still as is above, but it is a static ip

Fedora Eth0 setup is Port address 192.168.2.2 - Mask 255.255.255.0 - Gateway 192.168.2.0

Added the 2 lines in resolv.com there is no named running, so I rebooted the system just in case

ran firefox with ip and it doesn't work, take out all the dhcp stuff the ip works via browser

if i switch the PC2 port back to DHCP and plug it in directly into ASA then domain urls works fine

All the best from Alan

Jon Marshall Fri, 04/02/2010 - 04:54

stewartrose wrote:

Hi Jon,

My config is still as is above, but it is a static ip

Fedora Eth0 setup is Port address 192.168.2.2 - Mask 255.255.255.0 - Gateway 192.168.2.0

Added the 2 lines in resolv.com there is no named running, so I rebooted the system just in case

ran firefox with ip works fine, run firefox with website url and nothing.

if i switch the PC2 port back to DHCP and plug it in directly into ASA then domain urls works fine

All the best from Alan

Alan

This is definitely something to do with your linux PC and statically adding the IP. By the way you don't need named running for client resolution.

I haven't used Fedora but i do use Ubuntu and that should have done it. What i suggest is to add the DHCP pool for 192.168.2.0/24 on the router as covered in previous post and then tell your linux PC to get an IP using DHCP. If it works from the ASA there is no reason it shouldn't work from the router.

Jon

stewartrose Fri, 04/02/2010 - 05:17

Hi Jon,

Right I did something which may help

On PC1 I changed the eth0 (windows) from DHCP to static 192.168.2.2/255.255.255.0/192.168.2.1 so it is the same as the linux box, and took the ethernet0/1 plug out of PC2 and plugged it in PC1 port, rebooted everything so it all comes up clean and rechecked,

I ran wireshark, and it said "Arp Who has 192.168.2.0 Tell 192.168.2.2" just kept doing it..

Apart from that the windows PC acted the same as the linux box...

I hope it helps, I am now going to change over from static ip to dhcp as you suggested on PC2

And Jon, if this is all getting too much then pull the plug, I do understand..

All the best from Alan

Jon Marshall Fri, 04/02/2010 - 05:22

Alan

How is PC2 connected to your network. Is it literally connected to the e1 interface of your router ?

On PC1, if it is still connected to the 192.168.2.x network can you post output of  -

ipconfig /all

and

sh arp

and

netstat -nr

Jon

stewartrose Fri, 04/02/2010 - 05:36

Hi Jon,

No it is not still connected but I can do it no problem at all, but one of the commands windows has not got that is "sh arp"

ok to answer the other question from the ASA box to a Netgear Fastethernet switch to PC1 port 1,  (port 2 to fe0/0)ROUTER 2621(fe0/1 - PC2(linux)

ASA || Port 1 --> PC1

        || Port 2 -->Router (fe0/0) - (fe0/0) --> PC2

|| = switch port 1 and 2

Back in a while

All the best from Alan

stewartrose Fri, 04/02/2010 - 05:59

Hi Jon,

Ok this is with DHCP set on FastEthernet0/1 and plugged into PC1, and PC1 complained about limited connectivity

All the best from Alan

netstat -nr

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1f d0 27 a6 a7 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ether
net NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  169.254.243.194  169.254.243.194      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0  169.254.243.194  169.254.243.194      30
  169.254.243.194  255.255.255.255        127.0.0.1       127.0.0.1       20
  169.254.255.255  255.255.255.255  169.254.243.194  169.254.243.194      20
        224.0.0.0        240.0.0.0  169.254.243.194  169.254.243.194      20
  255.255.255.255  255.255.255.255  169.254.243.194  169.254.243.194      1
Default Gateway:   169.254.243.194
===========================================================================
Persistent Routes:

C:\Documents and Settings\Alan Walker>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : highforc-55aqzc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E G
igabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-1F-D0-27-A6-A7
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.243.194
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 169.254.243.194

Jon Marshall Fri, 04/02/2010 - 06:05

Alan

Your PC did not get an IP from the router. Can you repost the router config please ?

Jon

stewartrose Fri, 04/02/2010 - 06:15

Hi Jon, here you are...

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
memory-size iomem 10
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool firewall
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 212.23.3.100 212.23.6.100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address dhcp
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
login
!
end

Jon Marshall Fri, 04/02/2010 - 06:18

Alan

On interface fa0/1

remove the "ip address dhcp"

and add

ip address 192.168.2.1 255.255.255.0

Jon

stewartrose Fri, 04/02/2010 - 06:24

Hi Jon,

Ok that is done, and that is what I had about an hour ago..:)

What next boss

All the best from Alan

Jon Marshall Fri, 04/02/2010 - 06:25

Alan

Not sure why you changed it ?

Try from PC1 connected to fa0/1 again.

Jon

stewartrose Fri, 04/02/2010 - 06:56

Here you go Jon..

C:\Documents and Settings\Alan Walker>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : highforc-55aqzc
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8168C(P)/8111C(P) PCI-E G
igabit Ethernet NIC
        Physical Address. . . . . . . . . : 00-1F-D0-27-A6-A7
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.2.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.0
        DNS Servers . . . . . . . . . . . : 212.23.3.100


C:\Documents and Settings\Alan Walker>netstat -rn

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1f d0 27 a6 a7 ...... Realtek RTL8168C(P)/8111C(P) PCI-E Gigabit Ether
net NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.0     192.168.2.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0      192.168.2.2     192.168.2.2       30
      192.168.2.0    255.255.255.0      192.168.2.2     192.168.2.2       20
      192.168.2.2  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.2.255  255.255.255.255      192.168.2.2     192.168.2.2       20
        224.0.0.0        240.0.0.0      192.168.2.2     192.168.2.2       20
  255.255.255.255  255.255.255.255      192.168.2.2     192.168.2.2       1
Default Gateway:       192.168.2.0
===========================================================================
Persistent Routes:  None

arp -a showed no entries

Jon Marshall Fri, 04/02/2010 - 06:58

Alan

That's better.

So can you access websites via URL ?

If so can you try setting PC2 to use DHCP and test with that one.

Jon
