09-22-2010 09:26 PM - edited 03-11-2019 11:43 AM
I have read a ton of stuff on this forum....WOW....great work by everyone contributing...
My initial question is how should I go about learning/familiarizing myself on how to properly configure cisco products?
Here is what I want to do with what I have.
I have one ASA 5510 and three ASA 5505s. The goal is to have the ASA 5510 at our main office and a 5505 at each remote office, then establish a VPN connection to the server at the main office.
I HAVE ZERO Cisco experience and only know the basics of networking. So am I way in over my head, or can I make this happen?
So far I have bridged my ISP-provided modem to my ASA 5510. On the ASA 5510 I have established my outside and inside interfaces. But I have not been able to establish a simple internet connection through the ASA 5510.
Any help and suggestions is greatly appreciated.
Thanks!
09-23-2010 03:17 AM
toddyboman wrote:
I have read a ton of stuff on this forum....WOW....great work by everyone contributing...
My initial question is how should I go about learning/familiarizing myself on how to properly configure cisco products?
Here is what I want to do with what I have.
I have one ASA 5510 and three ASA 5505s. The goal is to have the ASA 5510 at our main office and a 5505 at each remote office, then establish a VPN connection to the server at the main office.
I HAVE ZERO Cisco experience and only know the basics of networking. So am I way in over my head, or can I make this happen?
So far I have bridged my ISP-provided modem to my ASA 5510. On the ASA 5510 I have established my outside and inside interfaces. But I have not been able to establish a simple internet connection through the ASA 5510.
Any help and suggestions is greatly appreciated.
Thanks!
Well, there is a ton of documentation available on the Cisco site, especially for VPNs, with step-by-step config guides, so we can point you to those when you want to set up the VPN.
But first we need to get your ASAs set up so you have internet access.
So a few questions:
1) Can you post the config of the ASA 5510 (remove any sensitive info, i.e. public IP addresses etc.)?
2) How are you testing internet connectivity, i.e. what is the source IP and where is it in relation to the ASA, what is the destination IP, and are you using ping or trying to connect to a web site etc.?
3) From the ASA itself, can you ping the ISP gateway?
Jon
09-23-2010 06:01 AM
Hi,
First, to set up internet connectivity: have you configured the NAT rules and the route commands?
The NAT rules would look like this (assuming you are translating all inside IPs to the outside interface IP):
ASA5510(config)# global (outside) 1 interface
ASA5510(config)# nat (inside) 1 0.0.0.0 0.0.0.0
Also you need to point the default gateway to the ISP (the next hop is the ISP router's address, not the ASA's own outside address):
ASA5510(config)# route outside 0.0.0.0 0.0.0.0 <isp-gateway-ip>
Do tell me how it goes.
Regards,
Rahul
09-23-2010 09:06 AM
Thank you both for a prompt reply!!
I would love to post my configurations.....
but it's all gone. I had my inside/outside/mgmt, NAT and routes all set up last night.
No, everything wasn't functioning properly, but I had it all set. Now I log in this morning and it's like I am logging in for the first time. The only interface I have is mgmt. What did I do wrong?
My setup is as follows:
internet ---- ISP-provided modem ---- ASA 5510 ---- basic switch/hub ---- all office PCs
                                                          |
                                                        server
I currently have been doing all my setup/configuration through the ASDM launcher. However, I see almost everyone uses the command line. Why? How can I properly connect to the ASA and use the command-line features?
Thanks again.....
09-23-2010 09:37 AM
Here is the link to set up the VPN using ASDM:
Since this is a new setup I would suggest setting up the VPN using the wizard; it will take you 1 to 2 minutes to set up the VPN on both ends.
Now, regarding the initial config for your ASA box, here is an example config.
This is for the ASA 5505:
ExampleASA(config)# username example password example privilege 15
ExampleASA(config)#
ExampleASA(config)# interface vlan 1
ExampleASA(config-if)# ip address 192.168.1.1 255.255.255.0
ExampleASA(config-if)# nameif inside
ExampleASA(config)# interface vlan 2
ExampleASA(config-if)# ip address 212.115.192.x 255.255.255.248
ExampleASA(config-if)# nameif outside
ExampleASA(config-if)# exit
ExampleASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.y
ExampleASA(config)# interface ethernet0/0
ExampleASA(config-if)# switchport access vlan 2
ExampleASA(config-if)# no shutdown
ExampleASA(config)# interface ethernet0/1
ExampleASA(config-if)# no shutdown
ExampleASA(config)# nat (inside) 10 192.168.1.0 255.255.255.0
ExampleASA(config)# global (outside) 10 interface
If you are getting your IP via DHCP, then instead of giving an IP address on the outside interface, use the following command (it also installs the default route learned from DHCP):
ip address dhcp setroute
For the ASA 5510 the only thing that is different is that you enter the ip address commands on the physical interfaces and not on VLANs, as they have L3 ports. For example:
int e0/0
ip address x.x.x.x y.y.y.y
nameif inside
no shut
For ASDM and SSH access:
ExampleASA(config)# crypto key generate rsa modulus 1024
ExampleASA(config)# aaa authentication ssh console LOCAL
ExampleASA(config)# ssh 192.168.1.0 255.255.255.0 inside
ExampleASA(config)# http server enable
ExampleASA(config)# http 192.168.1.0 255.255.255.0 inside
09-23-2010 10:34 AM
Here is a sample LAN-to-LAN VPN configuration, which seems to be what you are trying to configure:
To save your configuration, you have to issue the command "write memory" or "copy run start". This will save the configuration.
Hope this helps.
09-27-2010 10:57 PM
Thanks everyone for the replies. As always, other "stuff" came up to fix, so this was put aside for a few days.
Here is my current config. Still no connection to the internet. So what am I missing?
Thanks!
asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname L
domain-name default.domain.invalid
enable password ml encrypted
passwd 2 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.1111.111.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username admin password vx8BkOWfWwvYuBKw encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.254 management
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd dns 200.200.200.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum: e
: end
09-27-2010 11:14 PM
Firstly, your default gateway is wrong. You have set it to the same address as your outside (external) interface IP:
route outside 0.0.0.0 0.0.0.0 111.1111.111.11
Secondly, how are you testing internet connectivity? If you are doing a ping test to the internet it will not work, because you are not inspecting ICMP.
Try to browse, or add this:
policy-map global_policy
class inspection_default
inspect icmp
and then ping 4.2.2.2.
09-29-2010 01:55 AM
Does your ISP require authentication to connect? I noticed you are bridging your DSL to your firewall, so you probably need some PPPoE config on your firewall:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml
Cheers
Brian
09-29-2010 08:24 AM
Brian -
I am confused and questioning my setup.
Do I have to bridge my router or not? Should I bridge it to make the ASA connect to the internet, or can I simply let my ISP-provided modem acquire my internet connection, then connect my ASA to that and let everything run through the ASA?
Thanks for the help!
09-29-2010 08:37 AM
You can do the second alternative: use the ISP-provided modem and connect the ASA behind it.
But the point we are getting to is how your ISP router is set up. If it is in bridge mode you might have to set it up a different way, and similarly if you have it in router mode we would look at it from a different point of view.
Maybe this is confusing.
In any case, can you please check the default gateway as per my previous post?
09-29-2010 08:40 AM
I can set the ISP-provided modem either way, either bridged or not. Which way should I set it?
Won't the default gateway depend on which way I set the modem?
Thanks!
09-29-2010 08:49 AM
Well, you are right, it does depend, but the default gateway cannot be yourself in any case, and that is how it is set currently: your default gateway is your own IP.
09-29-2010 09:24 AM
Sorry I am making this so challenging. I am learning a lot as I go, so thanks so much for your time and help!
OK, if I don't bridge my ISP router and go into my ISP router settings, I can find:
network routing tables and host routing tables, both providing different gateways.
Here is my latest config:
asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname L
domain-name default.domain.invalid
enable password m encrypted
passwd m encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 127.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username 12 password v encrypted
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.254 management
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd dns 200.200.200.10
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:f
: end
Thanks again!!
09-29-2010 09:31 AM
No worries, even I learnt it by questioning; it feels good when one tries to learn rather than just implement what one says.
Anyway, coming back:
The default gateway still looks incorrect, because it looks like you have given the internal loopback IP address as the default gateway.
Your default gateway would be the IP address of the interface on the ISP router which is connected to the ASA. If you are unsure you can contact the ISP guys and they will help you figure that out.
The other option is to see if you can configure it as a PPPoE server or DHCP server, so that we can configure the ASA to get its IP address and default gateway from the modem itself.
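The three things this thread keeps coming back to (a default route whose next hop is the ASA's own outside address or 127.0.0.1, a `nat`/`global` pair whose ids must match, and the missing `inspect icmp` that makes ping a misleading connectivity test) can be checked mechanically before a config is pasted into the box. The script below is an added example, not code from any of the posts or from Cisco; it assumes the ASA 7.x `show run` syntax seen above, and the mini-configs it checks are constructed here to mirror the posted ones (same mistakes, addresses from the thread).

```python
"""Sanity checks for an ASA 7.x running-config: default-route next hop,
nat/global id pairing and ICMP inspection.  Added example for this thread,
not from the original posts; the sample configs below are constructed."""
import ipaddress
import re

IFACE_RE = re.compile(r"^\s*interface (\S+)\s*$")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)\s*$")
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)\s*$")
ROUTE_RE = re.compile(r"^\s*route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: \d+)?\s*$")
GLOBAL_RE = re.compile(r"^\s*global \((\S+)\) (\d+)\b")
NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+)\b")


def parse_interfaces(config):
    """Map nameif -> IPv4Interface for every interface block that has both."""
    ifaces, cur = {}, None

    def finish(block):
        if block and "nameif" in block and "addr" in block:
            ifaces[block["nameif"]] = block["addr"]

    for line in config.splitlines():
        if IFACE_RE.match(line):
            finish(cur)
            cur = {}
            continue
        if cur is None:
            continue
        if line.strip() == "!":            # '!' closes an interface block
            finish(cur)
            cur = None
            continue
        m = NAMEIF_RE.match(line)
        if m:
            cur["nameif"] = m.group(1)
        m = IPADDR_RE.match(line)
        if m:
            try:
                cur["addr"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            except ValueError:
                pass                       # e.g. 'ip address dhcp setroute'
    finish(cur)
    return ifaces


def check_default_route(config):
    """Return a list of problems with the default route; [] means it looks sane."""
    ifaces = parse_interfaces(config)
    routes = [m for m in map(ROUTE_RE.match, config.splitlines()) if m]
    if not routes:
        return ["no default route: add 'route <outside-if> 0.0.0.0 0.0.0.0 <isp-gateway>'"]
    out_if, gw_text = routes[0].group(1), routes[0].group(2)
    if out_if not in ifaces:
        return [f"default route points at '{out_if}', which has no nameif/ip address"]
    try:
        gw = ipaddress.ip_address(gw_text)
    except ValueError:
        return [f"gateway '{gw_text}' is not a valid IPv4 address"]
    outside = ifaces[out_if]
    problems = []
    if gw == outside.ip:
        problems.append("gateway is the ASA's own outside address; it must be the ISP's next hop")
    if gw.is_loopback:
        problems.append("gateway is the loopback address; nothing reachable lives there")
    if gw not in outside.network:
        problems.append(f"gateway {gw} is outside the {out_if} subnet {outside.network}")
    return problems


def check_nat(config):
    """Every 'nat (inside) N' needs a 'global (outside) N' with the same id."""
    lines = config.splitlines()
    nat_ids = {int(m.group(2)) for m in map(NAT_RE.match, lines) if m}
    global_ids = {int(m.group(2)) for m in map(GLOBAL_RE.match, lines) if m}
    problems = [f"nat id {i} has no matching global" for i in sorted(nat_ids - global_ids)]
    problems += [f"global id {i} has no matching nat" for i in sorted(global_ids - nat_ids)]
    if not nat_ids:
        problems.append("no nat statement: inside hosts will not be translated")
    return problems


def icmp_inspected(config):
    """Without 'inspect icmp' the ASA drops echo replies, so ping is a bad test."""
    return re.search(r"^\s*inspect icmp\b", config, re.M) is not None


def sample_config(gateway, inspect_icmp=False):
    """Constructed mini-config in the shape of the ones posted in this thread."""
    return (
        "interface Ethernet0/0\n nameif outside\n security-level 0\n"
        " ip address 111.111.111.10 255.255.255.252\n!\n"
        "interface Ethernet0/1\n nameif inside\n security-level 100\n"
        " ip address 192.168.10.1 255.255.255.0\n!\n"
        "global (outside) 1 interface\nnat (inside) 1 0.0.0.0 0.0.0.0\n"
        f"route outside 0.0.0.0 0.0.0.0 {gateway} 1\n"
        "policy-map global_policy\n class inspection_default\n  inspect dns maximum-length 512\n"
        + ("  inspect icmp\n" if inspect_icmp else "")
    )


if __name__ == "__main__":
    # self (bad), loopback (bad), ISP next hop on the same /30 (ok)
    for gw in ("111.111.111.10", "127.0.0.1", "111.111.111.9"):
        cfg = sample_config(gw)
        print(gw, check_default_route(cfg), check_nat(cfg), icmp_inspected(cfg))
```

Run it against a real `show run` by reading the file into `config` and calling the three functions; the parser only looks at the interface blocks, the `route` line and the `nat`/`global` statements, so redacted passwords and checksums in a posted config do not matter. The checks are deliberately conservative: a gateway that is valid but off the outside subnet is reported, because on a bridged DSL link that usually means the ISP expects PPPoE or DHCP on the ASA rather than a static next hop.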