Need help in configuring ASA5505 behind a Verizon Router using static IP

Sep 28th, 2010

I have an MI424WR-GEN2 connected to the internet, and I have four static IPs. I have one static IP for the MI424WR-GEN2 and configured the NAT, protocol any.

[Attached image: staticIP.jpg]

I configured the outside VLAN of the ASA 5505 with the static IP info, and the switch says it is up and running. When I ping that static IP, I get the following:

Reply from 192.168.1.1: Destination host unreachable.
Reply from 192.168.1.1: Destination host unreachable.

Please help.

Regards

SG

Namit Agarwal Tue, 09/28/2010 - 21:34

Hi Saji,

What I understand from the details mentioned here is that the Verizon router is facing the internet and the ASA is behind the Verizon router. The ASA's outside VLAN has been assigned a public static IP, and it is being translated to another public IP address on the Verizon router. From the snapshot attached, I believe that the translated IP address is 173.63.*.* Please provide me the following info:

1) What is the IP address of the outside VLAN of the ASA?

2) Also, what is the IP address of the inside interface of the ASA and the IP address of the router interface facing the ASA? (If possible, please provide me the running config of the ASA.)

Thanks,

Namit

sabercloud Tue, 09/28/2010 - 22:24

Hi Namit,

Here is an updated picture from the Verizon router. The static IP that you notice under Public IP Address is the same one that is configured for the outside interface within the ASA5505 as the static IP. I hope this answers your question.

For the inside interface, I have not changed any config; it is the same as what came with the equipment.


Regards

SG

Namit Agarwal Tue, 09/28/2010 - 22:30

Hi Saji,

Could you please provide me the running config of the ASA?

Thanks,

Namit

sabercloud Wed, 09/29/2010 - 04:58

Dear Namit,

Please see the following:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxx encrypted
passwd xxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.63.x.x 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:c551d84aba8
: end

Regards

SG

Namit Agarwal Wed, 09/29/2010 - 17:53

Hi Saji,

What I see from the running config is that the ASA is missing a route. Please add the following command:

route outside 0.0.0.0 0.0.0.0 173.63.x.x

where this IP address will be the IP address of the next hop after the ASA.
Also, can you please provide the output of the command "show int ip brief"? The way this should be set up is:

Internal Network ----- (inside interface) 192.168.1.1 ASA 173.63.x.x/24 (outside interface) ----- (173.63.x.x/24) ISP Router ---- Internet

Thanks,

Namit

sabercloud Wed, 09/29/2010 - 20:10

Dear Namit,

I have applied the command; please see the output.

Result of the command: "route outside 0.0.0.0 0.0.0.0 173.63.X.X"

The command has been sent to the device

Result of the command: "show int ip brief"

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up 
Internal-Data0/1           unassigned      YES unset  administratively down up 
Loopback0                  127.0.0.1       YES unset  up                    up 
Vlan1                      192.168.1.100   YES manual up                    up   
Vlan2                      173.63.X.X         YES CONFIG up                    up 
Ethernet0/0                unassigned      YES unset  up                    up 
Ethernet0/1                unassigned      YES unset  up                    up 
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

Regards

Saji George

sabercloud Wed, 09/29/2010 - 20:29

Dear Namit,

As the Verizon router has an internal IP range that starts from 192.168.1.1, I had modified the Vlan1 (inside) interface to have the new IP 192.168.1.100.

Honestly, I would like to change that to 10.10.0.1, but I notice that once I change it I am not able to access ASDM using the network port, even if I assign a static IP to my laptop with the gateway 10.10.0.1. Would you know a way to access the console using ASDM once you change the internal IP to 10.10.0.1?

In any case, please see the new changes:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 173.63.X.X 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 173.63.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
!
prompt hostname context
Cryptochecksum:c551d84aba091222d7b5c4ffffd62c68
: end

Thanks again for your guidance.

Regards

Saji George
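
An added example, not part of the thread or any participant's post: a small Python check over a `show running-config` dump for the two conditions discussed above, a default route on `outside` whose next hop is a different host on the outside subnet, and (going slightly beyond the thread) an `http` permit that still covers the inside subnet after it is renumbered, since the ASA accepts ASDM sessions only from sources matched by an `http` command. The function names and the sample config are assumptions; the sample uses documentation addresses, and masked octets such as `173.63.x.x` must be filled in before parsing.

```python
import ipaddress

# Constructed sample (not the poster's config): inside renumbered to 10.10.0.1,
# outside on the documentation range 203.0.113.0/24, no default route yet.
SAMPLE = """\
interface Vlan1
 nameif inside
 ip address 10.10.0.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.10 255.255.255.0
http 192.168.1.0 255.255.255.0 inside
"""

def parse(cfg):
    """Return ({nameif: interface}, [(ifname, default next hop)], [(http net, ifname)])."""
    ifaces, routes, http, name = {}, [], [], None
    for line in cfg.splitlines():
        t = line.split() or [""]
        if t[0] == "interface":          # new stanza: forget the previous nameif
            name = None
        elif t[0] == "nameif" and len(t) == 2:
            name = t[1]
        elif t[:2] == ["ip", "address"] and name and len(t) >= 4:
            ifaces[name] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "route" and len(t) >= 5 and t[2:4] == ["0.0.0.0", "0.0.0.0"]:
            routes.append((t[1], ipaddress.ip_address(t[4])))
        elif t[0] == "http" and len(t) == 4:   # skips "http server enable"
            http.append((ipaddress.ip_network(f"{t[1]}/{t[2]}"), t[3]))
    return ifaces, routes, http

def audit(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    ifaces, routes, http = parse(cfg)
    findings = []
    out, ins = ifaces.get("outside"), ifaces.get("inside")
    hops = [hop for ifname, hop in routes if ifname == "outside"]
    if not hops:
        findings.append("no default route on outside")
    for hop in hops:
        if out and hop == out.ip:
            findings.append("default route next hop is the ASA's own outside address")
        elif out and hop not in out.network:
            findings.append("default route next hop is not on the outside subnet")
    # Management access: some http permit on inside must contain the inside subnet.
    if ins and not any(i == "inside" and ins.network.subnet_of(n) for n, i in http):
        findings.append("no http (ASDM) permit covers the inside subnet")
    return findings
```
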

Namit Agarwal Wed, 09/29/2010 - 20:29

Hi Saji,

Could you please provide the following info:

1) What is the IP address we are trying to ping? From where are we initiating the pings?

2) Also, is the topology like this?

PC (192.168.1.0/24) ----- (inside interface) 192.168.1.1 ASA 173.63.x.x/24 (outside interface) ----- (173.63.113.67)  Verizon Router ---- Internet

What I mean to ask is whether the IP address 173.63.113.67 is assigned to the ASA-facing interface of the Verizon router. If not, what are the IP addresses assigned to the interfaces of the Verizon router? My understanding of the scenario is that the Verizon router is the default gateway of the ASA.

Thanks,

Namit
