04-01-2010 07:23 AM - edited 03-04-2019 08:00 AM
04-02-2010 07:46 AM
Alan
The speed could be duplex settings on your router. Check that everything is running full-duplex preferably at 100Mbps.
Glad we got there in the end
Please mark this post as solved.
Jon
04-01-2010 07:41 AM
Stewart
Can you post from the router -
1) sh ip route
2) sh ip int brief
Also, why do you have a DHCP pool for 192.168.1.0/24 and then have the router interface using DHCP? Does the ASA also have a DHCP pool for 192.168.1.0/24?
Jon
04-01-2010 07:58 AM
Hi Jon
Let me try and explain. The ASA5505 is a firewall, as you know; it has the ADSL router feeding into it, and the output port is DHCP (192.168.1.1 - 192.168.1.127), and I have three computers feeding from that point, so I thought the Ethernet0/0 would also need to be set at DHCP. I have no problem changing things if you come up with a better idea; as I said, I am learning, probably the hard way.
Thanks from Alan
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [254/0] via 192.168.1.1
Router#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.46 YES DHCP up up
Serial0/0 unassigned YES TFTP administratively down down
FastEthernet0/1 192.168.2.1 YES manual up up
Serial0/1 unassigned YES TFTP administratively down down
Router#
04-01-2010 08:00 AM
Hi Jon,
So you are not confused: I copied the config to another 2600, just to prove the router was OK, hence Ethernet0/0 and FastEthernet0/0.
04-01-2010 08:24 AM
Stewart
Because you are NATting on the router, the ASA should have a route back; it doesn't look like a missing route on the firewall.
Just to clarify, the ASA has a DHCP pool in the 192.168.1.0/24 subnet, does it?
If so can you exclude an address from that pool and manually assign it to the 2600 e0 interface.
Then try the ping again and post the output of a "sh ip nat translations" from the 2600 router after you have done it.
Jon
04-01-2010 08:33 AM
Hi Jon,
I think a config will answer your questions better than me. Thank you for your help...
ASA Version 7.2(3)
!
hostname power-plant
domain-name power-plant.com
enable password xxxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 82.x.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name power-plant.com
object-group service srvgrp_dns tcp-udp
port-object eq domain
object-group service srvgrp_tcp tcp
port-object eq www
port-object eq ftp
port-object eq pop3
port-object eq ssh
port-object eq https
object-group icmp-type srvgrp_ping
icmp-object echo
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
object-group service srvgrp_udp udp
port-object eq domain
access-list outside_in extended permit icmp any any object-group srvgrp_ping
access-list outside_in extended permit tcp any any object-group srvgrp_tcp
access-list outside_in extended permit udp any any object-group srvgrp_dns
access-list outside_in extended permit udp any any object-group srvgrp_udp
pager lines 45
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 82.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd ping_timeout 750
dhcpd domain power-plant.com
!
dhcpd address 192.168.1.2-192.168.1.127 inside
dhcpd enable inside
!
!
!
prompt hostname context
Cryptochecksum:6164cd9900911563a4a2aebddee37e4b
: end
04-01-2010 08:39 AM
Stewart
Okay you are handing out addresses on the ASA. Can you simply change the following -
dhcpd address 192.168.1.2-192.168.1.127 inside
to
dhcpd address 192.168.1.3-192.168.1.127 inside
and then configure 192.168.1.2 on the e0 interface of your router.
Also does your 2600 need to hand out any 192.168.1.x addresses because if it doesn't then can you remove the DHCP pool configured on your 2600.
Then ping again from PC and post "sh ip nat translations"
Jon
04-01-2010 10:18 AM
Hi Jon,
Did the mods as said. I pinged from the PC to 192.168.1.1 and it worked, tried again and it did not work.
So I tried pinging the internet and nothing returned...
So here is the command you gave me before with new results, and the config file...
All the best from Alan
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
Router#show ip int
Router#show ip interface br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.2 YES manual up up
Serial0/0 unassigned YES TFTP administratively down down
FastEthernet0/1 192.168.2.1 YES manual up up
Serial0/1 unassigned YES TFTP administratively down down
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip http server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 host 192.168.1.1 log-input
no cdp run
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
login
!
end
04-01-2010 10:25 AM
Hi Jon,
I noticed now the DHCP is gone, there is no route so I added ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 is directly connected, FastEthernet0/0
I can ping 192.168.1.2 but not beyond that or to the asa gateway...
I hope this helps
All the best from Alan
04-01-2010 10:33 AM
stewartrose wrote:
Hi Jon,
I noticed now the DHCP is gone, there is no route so I added ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 is directly connected, FastEthernet0/0
I can ping 192.168.1.2 but not beyond that or to the asa gateway...
I hope this helps
All the best from Alan
Alan
Can you change your default-route to
ip route 0.0.0.0 0.0.0.0 192.168.1.1
can you remove the "ip nat inside" from fa0/1
can you remove the "ip nat outside" from fa0/0
can you change your acl 101 back to
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
can you add this to the ASA firewall -
route (inside) 192.168.2.0 255.255.255.0 192.168.1.2
Finally are you sure that nothing else could be getting the 192.168.1.2 address ie. could the ASA have handed this out to another device as well as the router.
Apologies for all the change requests, I am just trying to get your config to a standard type setup.
Edit - and oh and apologies for keep calling you Stewart
Jon
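The two checks behind the requests in the post above (the router's static address kept out of the ASA's DHCP pool, and a return route on the ASA for the subnet behind the router), as an added example that is not part of the original thread. It assumes the routed setup with no NAT on the 2600; the config strings are constructed, trimmed copies of the posted configs (the redacted outside interface is left out), and `interfaces` and `audit` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed samples: only the lines from the posted configs that matter here.
ASA_CFG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
dhcpd address 192.168.1.2-192.168.1.127 inside
"""
ROUTER_CFG = """\
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
"""

def interfaces(cfg):
    """Return every 'ip address <addr> <mask>' line as an ip_interface."""
    return [ipaddress.ip_interface(f"{a}/{m}")
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)\s*$", cfg, re.M)]

def audit(asa_cfg, router_cfg):
    """List addressing/routing problems between the ASA and the router behind it."""
    findings = []
    asa_nets = [i.network for i in interfaces(asa_cfg)]
    pools = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
             for lo, hi in re.findall(r"^dhcpd address (\S+)-(\S+) \S+", asa_cfg, re.M)]
    routes = [(ipaddress.ip_network(f"{n}/{m}"), ipaddress.ip_address(gw))
              for n, m, gw in re.findall(r"^route \S+ (\S+) (\S+) (\S+)", asa_cfg, re.M)]
    r_ifs = interfaces(router_cfg)
    # Router addresses on an ASA-connected subnet are the valid next hops.
    shared = [i for i in r_ifs if i.network in asa_nets]
    for i in shared:
        if any(lo <= i.ip <= hi for lo, hi in pools):
            findings.append(f"static {i.ip} is inside the ASA DHCP pool")
    for i in r_ifs:
        if i.network in asa_nets:
            continue  # directly connected to the ASA, no static route needed
        # A default route (prefix length 0) does not count as a return route.
        ok = any(i.network.subnet_of(net) and gw in [s.ip for s in shared]
                 for net, gw in routes if net.prefixlen > 0)
        if not ok:
            findings.append(f"ASA has no route back to {i.network}")
    return findings
```
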
04-01-2010 11:11 AM
Hi Jon,
Stop worrying, I am happy to change anything to get it working, and I learn from it as well, double bonus. And don't worry about my name; my parents could not afford a second name for me, so I think I will be Alan Stewart Walker, how's that.. :)
Right, I did the mods. The one for the ASA I had to change, (inside) --> inside; it did not like brackets.
The rest was fine Jon..
All the best from Alan
Router#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.2 YES manual up up
Serial0/0 unassigned YES TFTP administratively down down
FastEthernet0/1 192.168.2.1 YES manual up up
Serial0/1 unassigned YES TFTP administratively down down
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
C 192.168.1.0/24 is directly connected, FastEthernet0/0
C 192.168.2.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 192.168.1.1
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
login
!
end
04-01-2010 11:13 AM
Alan
So is it working or not ?
Jon
04-01-2010 11:14 AM
Hi Jon,
I forgot the important question: I use Wireshark, and nothing is on 192.168.1.2 with the router switched off...
All the best from Alan
04-01-2010 11:23 AM
Hi Jon,
I can ping 192.168.1.1 now all the time, but no further..
All the best from Alan
04-01-2010 11:26 AM
Hi Jon,
If I go into the router via the console, and ping google.com it comes back and says Translating "google.com" ...domain server
% Unrecognized host or address, or protocol not running..
All the best from Alan