Am I in over my head......

Unanswered Question
Sep 22nd, 2010
User Badges:

I have read a ton of stuff on this forum....WOW....great work by everyone contributing...


My initial question is how should I go about learning/familiarizing myself on how to properly configure cisco products?


Here is what I want to do with what I have.

I have one asa 5510 and three asa 5505.  The goal is to have the asa 5510 at our main office then the 5505 at each remote office.  Then establish a vpn connection to the server at the main office.


I HAVE ZERO cisco experience.....and only know the basics in networking.  So am I way in over my head or can I make this happen????


So far I have bridged my isp provided modem to my asa 5510.  On the asa 5510 I have established my outside and inside interfaces.  But I have not been able to establish a simple internet connection through the asa 5510.....


Any help and suggestions are greatly appreciated.


Thanks!

Jon Marshall Thu, 09/23/2010 - 03:17
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

toddyboman wrote:


I have read a ton of stuff on this forum....WOW....great work by everyone contributing...


My initial question is how should I go about learning/familiarizing myself on how to properly configure cisco products?


Here is what I want to do with what I have.

I have one asa 5510 and three asa 5505.  The goal is to have the asa 5510 at our main office then the 5505 at each remote office.  Then establish a vpn connection to the server at the main office.


I HAVE ZERO cisco experience.....and only know the basics in networking.  So am I way in over my head or can I make this happen????


So far I have bridged my isp provided modem to my asa 5510.  On the asa 5510 I have established my outside and inside interfaces.  But I have not been able to establish a simple internet connection through the asa 5510.....


Any help and suggestions are greatly appreciated.


Thanks!


Well, there is a ton of documentation available on the Cisco site, especially for VPNs, that gives step by step config guides, so we can point you to those when you want to set up the VPN.


But first we need to get your ASAs setup so you have internet access.


So a few questions -


1) can you post config of ASA 5510 and remove any sensitive info ie. public IP addresses etc.


2) how are you testing internet connectivity, i.e. what is the source IP and where is it in relation to the ASA, what is the destination IP, and are you using ping or trying to connect to a web site, etc.?


3) From the ASA itself, can you ping the ISP gateway?


Jon

rmavila Thu, 09/23/2010 - 06:01
User Badges:
  • Cisco Employee,

Hi,


First, to set up the internet connectivity:


Have you configured the nat rules and the route commands?

NAT rules would look like this (assuming you are translating all the inside IPs to the outside interface IP):


ASA5510(config)# global (outside) 1 interface

ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0


Also you need to point the default gateway to the isp:


ASA5510(config)# route outside 0.0.0.0 0.0.0.0 <ISP gateway IP>


Do tell me how it goes.


Regards,

Rahul

toddyboman Thu, 09/23/2010 - 09:06
User Badges:

Thank you both for a prompt reply!!


I would love to post my configurations.....


but it's all gone......I had my inside/outside/mgmt/ nat and routes all set up last night.....

No, everything wasn't functioning properly, but I had it all set.......now I log in this morning and it's like I am logging in for the first time.....The only interface I have is mgmt.  What did I do wrong???


My set up is as follows...



internet ........ isp given modem ........ asa5510 ........ basic switch/hub ........ all office pc.
                                                                  |
                                                                server



I currently have been doing all my setup/configurations through the ASDM launcher.  However I see almost everyone used the command line.......Why?  How can I properly connect to the asa and use the command line features?


Thanks again.....

Jitendriya Athavale Thu, 09/23/2010 - 09:37
User Badges:
  • Cisco Employee,

here is the link to setup vpn using asdm

since this is a new setup i would suggest setup the vpn using the wizard it will take you 1 to 2 mins to setup vpn on both ends


now regarding initial config for your asa box, here is an example config


this is for asa 5505



ExampleASA(config)# username example password example privilege 15
ExampleASA(config)#

ExampleASA(config)# interface vlan 1
ExampleASA(config-if)# ip address 192.168.1.1 255.255.255.0
ExampleASA(config-if)# nameif inside

ExampleASA(config)# interface vlan 2
ExampleASA(config-if)# ip address 212.115.192.x 255.255.255.248
ExampleASA(config-if)# nameif outside

ExampleASA(config-if)# exit
ExampleASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.y

ExampleASA(config)# interface ethernet0/0
ExampleASA(config-if)# switchport access vlan 2
ExampleASA(config-if)# no shutdown

ExampleASA(config)# interface ethernet0/1
ExampleASA(config-if)# no shutdown

ExampleASA(config)# nat (inside) 10 192.168.1.0 255.255.255.0

ExampleASA(config)# global (outside) 10 interface



if you are getting ip via dhcp then instead of giving ip address on asa give the following command


ip address dhcp set route


for asa 5510 the only thing that is different is that you will be entering the ip address commands on the interface and not on vlans, as they have L3 ports, for example


int e0/0
ip address x.x.x.x y.y.y.y
nameif inside
no shut



for asdm and ssh access


ExampleASA(config)# crypto key generate rsa modulus 1024
ExampleASA(config)# aaa authentication ssh console LOCAL
ExampleASA(config)# ssh 192.168.1.0 255.255.255.0 inside
ExampleASA(config)# http server enable
ExampleASA(config)# aaa authentication http console LOCAL
ExampleASA(config)# http 192.168.1.0 255.255.255.0 inside

toddyboman Mon, 09/27/2010 - 22:57
User Badges:

Thanks everyone for the replies......as always other "stuff" came up to fix so this was put aside for a few days.....


Here are my current configs........Still no connection to the Internet......So what all am I missing....


Thanks!



asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname L
domain-name default.domain.invalid
enable password ml encrypted
passwd 2 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.1111.111.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password vx8BkOWfWwvYuBKw encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.254 management
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd dns 200.200.200.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum: e
: end

Jitendriya Athavale Mon, 09/27/2010 - 23:14
User Badges:
  • Cisco Employee,

Firstly, your default gateway is wrong


you have given it to be the same as your outside or external interface ip


route outside 0.0.0.0 0.0.0.0 111.1111.111.11


Secondly, how are you testing internet connectivity? If you are doing a ping test to the internet it will not work because you are not inspecting icmp

try to browse or add this


policy-map global_policy
class inspection_default
  inspect icmp



and ping 4.2.2.2

toddyboman Wed, 09/29/2010 - 08:24
User Badges:

Brian -


I am confused and questioning my setup......

Do I have to bridge my router or not?  Should I bridge it to make the asa connect to the internet......or can I just simply let my isp given modem acquire my internet connection and then connect my asa to that and allow all stuff to run through the asa?


Thanks for the help!

Jitendriya Athavale Wed, 09/29/2010 - 08:37
User Badges:
  • Cisco Employee,

you can do the second alternative, use the isp given modem and

connect asa behind it


but the point we are getting to is how is your isp router set; if it is in bridge mode you might have to set it up a different way, and similarly if you have it in router mode we would look at it from a different point of view


may be this is confusing


in any case, can you please check the default gateway as per my previous post

toddyboman Wed, 09/29/2010 - 08:40
User Badges:

I can set the isp given modem either way......either bridge it or not.....Which way should I set it?



Won't the default gateway depend on which way I set the modem???


Thanks!

Jitendriya Athavale Wed, 09/29/2010 - 08:49
User Badges:
  • Cisco Employee,

well you are right, it does depend, but the default gateway cannot be yourself in any case, and it is set that way currently: your default gateway is your ip itself

toddyboman Wed, 09/29/2010 - 09:24
User Badges:

Sorry I am making this so challenging........I am learning a lot as I go.....So thanks so much for your time and help!!


ok.....if I don't bridge my isp router......and go into my isp router settings.....I can find:

network routing tables and host routing tables.....both providing different gateways....


Here is my latest config....


asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname L
domain-name default.domain.invalid
enable password m encrypted
passwd m encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 127.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username 12 password v encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.254 management
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd dns 200.200.200.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:f
: end



Thanks again!!

Jitendriya Athavale Wed, 09/29/2010 - 09:31
User Badges:
  • Cisco Employee,

no worries, even i learnt it by questioning, it feels good when one tries to learn rather than just implement what one says


anyways coming back,


the default gateway still looks incorrect because it looks like you have given the internal loopback ip address as default gateway


your default gateway would be the ip address of the interface on the isp router which is connected to the asa; if you are unsure you can contact the isp guys and they will help you figure that out


also, the other option is to see if you can configure it as a pppoe server or dhcp server so that we can configure the asa to get its ip address and default gateway from the modem itself

toddyboman Wed, 09/29/2010 - 09:52
User Badges:

sounds good....


So the default gateway for my isp router is 192.168.1.1.  So this should be the default gateway i should input?


As for configuring dhcp or PPPoE, would I set this on the outside interface or configure a new interface?


Can I set up PPPoE with my version of asa......My asa version is 7.0(8).......I thought I read somewhere I could only do PPPoE for 8.X????


Thanks again!

Jitendriya Athavale Wed, 09/29/2010 - 17:21
User Badges:
  • Cisco Employee,

since it is a new setup i would recommend you go to at least the 8.x code, because 7.0(8) is ancient


coming back to the default gateway question, let me give you an example


if this is your interface ip



asa55(config-if)# ip address 212.115.192.x 255.255.255.248
asa55(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
asa55(config-if)# exit


your default gateway would be the following (basically in the same subnet)


asa5505(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.y


from what you have sent me it looks like your modem has an internal ip in 192.168.1.x range and it is doing natting


so you need to put an ip to the outside interface in the same subnet and give it as the default gateway


asa ------------------------------ isp modem/router ------------------------------
    192.168.1.x                    192.168.1.1                          public ip


correct me if this setup is wrong

toddyboman Wed, 09/29/2010 - 20:42
User Badges:

jathaval wrote:


since it is a new setup i would recommend you go to at least the 8.x code, because 7.0(8) is ancient


WHY did i not do this update earlier......WOW.


jathaval wrote:


coming back to the default gateway question, let me give you an example


if this is your interface ip



asa55(config-if)# ip address 212.115.192.x 255.255.255.248
asa55(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
asa55(config-if)# exit


your default gateway would be the following (basically in the same subnet)


asa5505(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.y


from what you have sent me it looks like your modem has an internal ip in 192.168.1.x range and it is doing natting


so you need to put an ip to the outside interface in the same subnet and give it as the default gateway


asa ------------------------------ isp modem/router ------------------------------
    192.168.1.x                    192.168.1.1                          public ip


correct me if this setup is wrong

YES my asa is 192.168.1.x

Yes my isp/modem/router is 192.168.1.1

Then my isp has provided me with 2 static ips......we will call them 111.111.111.111 and 222.222.222.222


WOW really missing the boat on this default gateway.......

BEFORE I started this project a simple ipconfig on any machine shows a default gateway of 192.168.1.1....which is the ip of my isp/modem/router......

My isp guys say that gateway is my first static ip.........so IF i configure my outside interface as PPPoE and make it obtain an IP using PPPoE then will I make my gateway my first static ip (111.111.111.111).......

Jitendriya Athavale Wed, 09/29/2010 - 20:49
User Badges:
  • Cisco Employee,

if you configure your asa to get its ip from pppoe you can also configure it such that it gets its default gateway from the isp router

so we won't have to bother about the default gateway as the modem is going to push it


if you are using static ip's (which is the current setup), then change the default gateway to 192.168.1.1


and you should be up and running


also when you say you connect your PC to this modem your PC gets an ip with default gateway as 192.168.1.1, it gives me a feeling that your modem is behaving like a dhcp server

toddyboman Thu, 09/30/2010 - 07:35
User Badges:

Thanks again for all your help.......

jathaval wrote:



also when you say you connect your PC to this modem your PC gets an ip with default gateway as 192.168.1.1, it gives me a feeling that your modem is behaving like a dhcp server




My modem does have a dhcp option.....should this be disabled?





here is my current config......with my router NOT bridged........giving my asa outside interface a static IP.......no PPPoE configuration on my ASA.........


: Saved
:
ASA Version 8.0(5)
!
hostname L
domain-name default.domain.invalid
enable password m encrypted
passwd U encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.111 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.10.1
!
dhcpd address 192.168.10.5-192.168.10.25 inside
!
dhcpd address 192.168.1.6-192.168.1.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password vx8BkOWfWwvYuBKw encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6db9429f9cba9424fccd50647514ae9a
: end
asdm image disk0:/asdm-631.bin
no asdm history enable


According to the ARP table on the ASDM some of my office pc's were connected to the mgmt interface.....and not the inside interface.  (Which I thought was odd?)  ........but those pc's couldn't establish an internet connection.....

Antonio Knox Thu, 09/30/2010 - 11:23
User Badges:
  • Silver, 250 points or more

toddyboman,


From what I see, you seem to have an ASA behind a DHCP-serving DSL modem.  In this case, you should be able to configure (update) your outside interface as a dhcp client and take out all of the guesswork with trying to address your outside interface and to figure out what your default route should be and such (let dhcp do it for you):


no route outside 0.0.0.0 0.0.0.0 192.168.1.1 1


interface Ethernet0/0
nameif outside
security-level 0
no ip address 111.111.111.111 255.255.255.252
ip address dhcp setroute


Also, I've gotta ask what the point is of this:


dhcpd address 192.168.1.6-192.168.1.10 management
dhcpd enable management


You have enabled your management port as a DHCP server.  If this was not your intention, which I'm certain it isn't ;), the two dhcpd lines above should be removed (leave the dhcpd address inside as it is).   Finally, if your PCs are arping up on your management port, you should  take that cable plugged into management (which from the sound of it goes to your switch) and plug it into Ethernet0/1, which is your inside interface (where your user PCs belong).  All should work after that.


Please rate my post if it helps.

toddyboman Fri, 10/01/2010 - 06:46
User Badges:

dhcpd address 192.168.1.6-192.168.1.10 management
dhcpd enable management


Not sure the point of that.......In the craziness of trying to make this thing work I am sure I got this going......


Should I have enabled dhcp on my inside interface?

  When I try to enable that I get the following error.......

      Dhcp:Interface "inside" is currently configured as CLIENT and cannot be changed to a SERVER by a SERVER feature


I am a bit confused on the arping with my mgmt port.....

Currently this pc I am using is plugged into my switch.
Then I have plugged my asa5510 mgmt port into my isp provided dsl modem/router.......

IF i unplug that then I won't have access to my asdm.....

My outside interface plugs into my my isp provided dsl modem/router

My inside interface plugs into my switch.




Thanks for your help!

Jitendriya Athavale Fri, 10/01/2010 - 08:09
User Badges:
  • Cisco Employee,

ok use this



ExampleASA(config)# interface e0/0
ExampleASA(config-if)# ip address dhcp setroute
ExampleASA(config-if)# nameif outside
ExampleASA(config-if)# no shut


that's it... if your modem is a dhcp server, which i believe it is because when you connect your pc you get default gateway and ip automatically

toddyboman Fri, 10/01/2010 - 10:23
User Badges:

tried this as well.......


Should i just set the ASA back to the factory default settings and start over.........I (we) have changed so much stuff I am fearful it is so messed up we could have more problems than we ever imagined......OR can this not be true.....



Thanks again for everyone's help!!!

Antonio Knox Fri, 10/01/2010 - 11:24
User Badges:
  • Silver, 250 points or more

It would probably make life easier for you to blow away the config and start fresh.  You don't seem to have the connectivity you seek anyway, so it definitely wouldn't hurt.  For future reference, you should never have to play around with a config file.  At the worst you could type configs into notepad and copy/paste to the command line.  I don't think anyone will ever advise you to paste to the config file.  If they do they probably don't know what they're doing.

toddyboman Fri, 10/01/2010 - 12:20
User Badges:

yup I think I am going to nuke my current configs and start over.....


I however will keep this thread going......so please check back to help me as I go...


Here is what I want to set up.....


It appears my isp provided dsl modem is set up as a dhcp.  I CAN disable this.  SO question 1.....should I?


internet...........isp provided/dsl modem-------->asa outside interface

asa inside interface and asa mgmt interface----->internal switch-------> pc


after I have the new setup going......what is the best method of testing my internet connections......simply pulling IE up?


I will post my config file after have it set.....


Thanks again!!

Jitendriya Athavale Fri, 10/01/2010 - 21:13
User Badges:
  • Cisco Employee,

let it be the dhcp for now


and yeah the best way would be to pull up an IE page, or pings if you have inspect icmp as mentioned in my first post


i think setting it to factory default will make asa pull up ip from dhcp

Antonio Knox Fri, 10/01/2010 - 08:09
User Badges:
  • Silver, 250 points or more

According to your latest posted config, you already have dhcp server enabled on your inside interface.


dhcpd address 192.168.10.5-192.168.10.25 inside


As far as how things are wired, it should look something like this:


For internet connectivity

Internet------>DSL Modem-------->ASA Outside (E0/0)


Outside interface config:
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute


For Internal network PC's
PC------>Internal Switch------>ASA Inside (E0/1)


Inside interface config (what you have here is good):
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0


Now, you should be able to configure your management port with an ip in your Inside range (like 192.168.10.30 for instance) and can be plugged into your switch as well.  Not sure, but you can try it:


Management0/0------->Internal Switch


Management interface config:
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.30 255.255.255.0
management-only


Make sure you've allowed ASDM access to your inside network


http 192.168.10.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside


As for DHCP, you should be good with what you have (minus the removals from my previous post):

dhcpd dns 192.168.10.1
dhcpd address 192.168.10.5-192.168.10.25 inside


Give this a try and let me know how it works for you.

Please rate my post if helpful.

toddyboman Fri, 10/01/2010 - 08:43
User Badges:

antonioknox wrote:



Now, you should be able to configure your management port with an ip in your Inside range (like 192.168.10.30 for instance) and can be plugged into your switch as well.  Not sure, but you can try it:


Management0/0------->Internal Switch


Management interface config:
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.30 255.255.255.0
management-only


Make sure you've allowed ASDM access to your inside network


http 192.168.10.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside



Not sure this is possible........
When I try to change the mgmt ip address I get:

Error: Failed to apply IP address to interface mgmt0/0, as the network overlaps with interface ethernet0/1.  Two interfaces cannot be in the same subnet.



here is my most current config......



: Saved
:
ASA Version 8.0(5)
!
hostname L
domain-name default.domain.invalid
enable password m encrypted
passwd m encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.10.1
!
dhcpd address 192.168.10.5-192.168.10.25 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password vx8BkOWfWwvYuBKw encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3fd6c86d2cce815cffb5062f814d1b5c
: end
asdm image disk0:/asdm-631.bin
no asdm history enable

Antonio Knox Fri, 10/01/2010 - 09:15
User Badges:
  • Silver, 250 points or more

Copy/paste this to your config


This will ensure that you keep ASDM access, you'll just have to get to it through 192.168.10.1


no http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside


Add this so that when we resolve the issue with the Management interface (which I think will require a router) you will have access from the inside network:

http 192.168.10.0 255.255.255.0 management


Go ahead and disconnect the Management0/0 from the Internal switch.


Before we troubleshoot further, make sure that these configs enable you to access the internet from the PC, which should now be arping up on the inside interface if you cabled it according to spec.
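
As an added example (not Cisco's code and not from anyone in this thread), here is a small Python checker for the configuration mistakes that came up above: the default route pointing at the ASA's own outside IP or at 127.0.0.1, a gateway outside the outside interface's subnet, the overlapping-subnet error on the management port, and dhcpd enabled on the management-only interface. It parses 'show running-config' text; the sample config inside it is constructed from the addresses used in the thread.

```python
"""Checks for the ASA mistakes discussed in this thread (added example, not
Cisco's code): a default route whose next hop is the ASA's own outside address
or 127.0.0.1, a next hop outside the outside interface's subnet, two interfaces
sharing a subnet (the ASA rejects this), and DHCP served on the management-only port."""
import ipaddress
import re
from typing import Dict, List, Optional


def parse_config(text: str) -> dict:
    """Collect interfaces, the default route and 'dhcpd enable' lines."""
    ifaces: Dict[str, dict] = {}
    cfg = {"interfaces": ifaces, "default_route": None, "dhcpd_enable": []}
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": None, "ip": None, "dhcp": False, "management_only": False}
            ifaces[line.split(None, 1)[1]] = current
        elif line.startswith("!"):
            current = None  # a '!' line closes the interface block
        elif current is not None:
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line.startswith("ip address dhcp"):
                current["dhcp"] = True  # address (and, with setroute, the gateway) come from DHCP
            elif line.startswith("ip address "):
                addr, mask = line.split()[2:4]
                current["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
            elif line == "management-only":
                current["management_only"] = True
        else:
            m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
            if m:
                cfg["default_route"] = (m.group(1), m.group(2))
            elif line.startswith("dhcpd enable "):
                cfg["dhcpd_enable"].append(line.split()[2])
    return cfg


def check_config(cfg: dict) -> List[str]:
    """Return one finding per mistake; an empty list means the checks passed."""
    findings: List[str] = []
    ifaces = [i for i in cfg["interfaces"].values() if i["nameif"]]
    by_name = {i["nameif"]: i for i in ifaces}

    if cfg["default_route"] is None:
        if not any(i["dhcp"] for i in ifaces):
            findings.append("no default route and no interface using 'ip address dhcp setroute'")
    else:
        out_name, hop = cfg["default_route"]
        outside = by_name.get(out_name)
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:  # e.g. a mistyped address such as 111.1111.111.11
            findings.append(f"default route next hop {hop!r} is not a valid address")
        else:
            own = [i["nameif"] for i in ifaces if i["ip"] and i["ip"].ip == hop_ip]
            if hop_ip.is_loopback:
                findings.append(f"default route next hop {hop} is the loopback address")
            elif own:
                findings.append(f"default route next hop {hop} is the ASA's own {own[0]} address")
            elif outside and outside["ip"] and hop_ip not in outside["ip"].network:
                findings.append(f"default route next hop {hop} is not in the {out_name} "
                                f"subnet {outside['ip'].network}")

    addressed = [i for i in ifaces if i["ip"]]
    for n, a in enumerate(addressed):
        for b in addressed[n + 1:]:
            if a["ip"].network.overlaps(b["ip"].network):
                findings.append(f"{a['nameif']} and {b['nameif']} are in the same subnet")

    for name in cfg["dhcpd_enable"]:
        iface = by_name.get(name)
        if iface and iface["management_only"]:
            findings.append(f"dhcpd is enabled on management-only interface {name}")
    return findings


# Constructed sample modelled on the first config posted in the thread: the default
# route points at the outside interface's own address and management serves DHCP.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 111.111.111.11 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.5 255.255.255.0
 management-only
!
route outside 0.0.0.0 0.0.0.0 111.111.111.11 1
dhcpd enable management
"""
```

Running `check_config(parse_config(SAMPLE_CONFIG))` reports the own-address gateway and the DHCP server on the management port; swapping the next hop for 127.0.0.1, 192.168.1.1 or a mistyped address, or moving the management IP into 192.168.10.0/24, reproduces the other mistakes from the thread.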

toddyboman Fri, 10/01/2010 - 09:59
User Badges:

How will copying and pasting that into my config file work......Don't those commands need to be input via CLI???


I think I input the commands correctly via CLI........Here is my config file now...


: Saved
:
ASA Version 8.0(5)
!
hostname L
domain-name default.domain.invalid
enable password m encrypted
passwd m encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.10.1
!
dhcpd address 192.168.10.5-192.168.10.25 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password vx8BkOWfWwvYuBKw encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:60d693c3586a102e5f989b7740fcee9e
: end

Antonio Knox Fri, 10/01/2010 - 11:21
User Badges:
  • Silver, 250 points or more

I assumed that it was understood that when I say 'paste into your config' that I meant the command line, as I've never heard of anyone pasting into a config file.  Perhaps I should have been a bit clearer?????
