
New Member

ASA 5505 connection problem to WAN

Required end result:

ASA connected to outside via an 8-port switch, 63.x.y.0/24

ASA connected to inside via a Cisco 3560 switch, using 192.168.255.1-2, vlan 255

Internal network contains 3 subnets - 200-202.x/24

My problem:

I've started to config my new ASA.

At this point the ASA is connected to:

1. Outside 63.x.y.26 to an 8-port switch that connects to my ISP routers at 63.x.y.1

(I've used a regular cable and tried a crossover cable to make sure this is not the problem.) Lights on both ends show green, the interface shows up-up.

2. 192.168.200.4 to a laptop at 192.168.200.2

*************

ASA# sh route

.

Gateway of last resort is 63.x.y.26 to network 0.0.0.0

C 192.168.200.0 255.255.255.0 is directly connected, inside

C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C 63.x.y.0 255.255.255.0 is directly connected, outside

S* 0.0.0.0 0.0.0.0 [1/0] via 63.x.y.26, outside

Tracing doesn't even get to the D/G, and ping to the laptop (I connect to the ASA via this laptop using both console and application):

********************

ASA# trace 128.1.1.1

Type escape sequence to abort.

Tracing the route to 128.1.1.1

1 * * *

2 *

ASA# ping 192.168.200.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.200.2, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

I'll post the full config separately.

10 REPLIES
New Member

Re: ASA 5505 connection problem to WAN

FULL CONFIG

***************************************************************************

ASA# sh run

: Saved

:

ASA Version 7.2(3)

!

hostname ASA

domain-name domain.COM

enable password xxx

names

dns-guard

!

interface Vlan1

description Management

nameif inside

security-level 100

ip address 192.168.200.4 255.255.255.0

!

interface Vlan2

description WAN

nameif outside

security-level 0

ip address 63.x.y.26 255.255.255.0

!

interface Vlan255

description ASA to LAN (192.168.255.2)

nameif inside255

security-level 100

ip address 192.168.255.1 255.255.255.252

!

interface Ethernet0/0

description WAN - connection to Verizon's network

switchport access vlan 2

!

interface Ethernet0/1

description VLAN255 to LAN

switchport access vlan 255

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

domain-name domain.COM

dns server-group dsnserver

name-server 192.168.200.x

name-server 192.168.200.y

domain-name domain.com

same-security-traffic permit inter-interface

pager lines 24

mtu inside 1500

mtu outside 1500

mtu inside255 1500

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit 192.168.200.0 255.255.255.0 inside

icmp permit 192.168.201.0 255.255.255.0 inside

icmp permit 192.168.202.0 255.255.255.0 inside

icmp deny any inside

icmp deny any outside

asdm image disk0:/asdm-523.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

route outside 0.0.0.0 0.0.0.0 63.x.y.26 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.200.0 255.255.255.0 inside

snmp-server location Server Room

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

telnet 192.168.200.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 15

management-access inside

dhcpd auto_config outside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

ntp server 192.43.244.18 source outside prefer

ntp server 207.46.232.182 source outside

prompt hostname context

Cryptochecksum:xxx

: end

************************************************************

Re: ASA 5505 connection problem to WAN

Do the modifications and try again:

icmp unreachable rate-limit 1 burst-size 1

no icmp permit 192.168.200.0 255.255.255.0 inside

no icmp permit 192.168.201.0 255.255.255.0 inside

no icmp permit 192.168.202.0 255.255.255.0 inside

icmp permit any inside

icmp permit any outside

If it doesn't work, show the output of "sh arp".

Re: ASA 5505 connection problem to WAN

Hello Ofir,

Do the following modifications

no route outside 0.0.0.0 0.0.0.0 63.x.y.26 1

route outside 0.0.0.0 0.0.0.0 63.x.y.1 1

clear arp

no icmp permit 192.168.200.0 255.255.255.0 inside

no icmp permit 192.168.201.0 255.255.255.0 inside

no icmp permit 192.168.202.0 255.255.255.0 inside

no icmp deny any inside

no icmp deny any outside

no icmp permit any inside

no icmp permit any outside

policy-map global_policy

class inspection_default

inspect icmp

Regards
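As an added example (not code from the thread or from Cisco), a small Python lint that reads an ASA running-config and flags the root cause the post above corrects: a default route whose next hop is the ASA's own interface address instead of the upstream gateway. It also reports the icmp deny lines the post removes and telnet management. The sample config is constructed, with the documentation range 203.0.113.0/24 standing in for the sanitized 63.x.y.0/24.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed sample modelled on the config posted in this thread; the sanitized
# 63.x.y.0/24 block is stood in for by the documentation range 203.0.113.0/24.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.200.4 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 203.0.113.26 255.255.255.0
!
icmp deny any inside
icmp deny any outside
telnet 192.168.200.0 255.255.255.0 inside
route outside 0.0.0.0 0.0.0.0 203.0.113.26 1
"""

def parse_interfaces(config):
    """Map each nameif to (its address, its directly connected network)."""
    result, nameif = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            nameif = None                       # new stanza, nameif not yet seen
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            ip, mask = line.split()[2:4]
            result[nameif] = (IPv4Address(ip), IPv4Network(f"{ip}/{mask}", strict=False))
    return result

def lint(config):
    """Return the review findings for a config; an empty list means nothing flagged."""
    ifaces, findings = parse_interfaces(config), []
    for ifname, _net, _mask, nexthop in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)", config, re.M):
        hop, own = IPv4Address(nexthop), ifaces.get(ifname)
        if own is None:
            findings.append(f"route via unknown interface {ifname}")
        elif hop == own[0]:   # the thread's root cause: next hop is the ASA itself
            findings.append(f"next hop {nexthop} is the ASA's own {ifname} address; use the upstream gateway")
        elif hop not in own[1]:
            findings.append(f"next hop {nexthop} is not on the {ifname} subnet {own[1]}")
    for ifname in re.findall(r"^icmp deny any (\S+)", config, re.M):
        findings.append(f"'icmp deny any {ifname}' drops ICMP to the {ifname} interface not matched by an earlier permit")
    if re.search(r"^telnet \S+ \S+ \S+", config, re.M):
        findings.append("telnet management is enabled; prefer ssh")
    return findings
```

Running lint on the sample reports the self-pointing default route; after the route is changed to the 203.0.113.1 gateway, as the post does with 63.x.y.1, that finding disappears.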

New Member

Re: ASA 5505 connection problem to WAN

a.alekseev - your solution didn't work but husycisco's did.

I can't check the LAN connections during daytime, but the outbound connection is working.

I just want to make sure, it is OK to leave the ASA side by side with the current firewall as long as I use different IPs? Doing so, I can test all my outside-related connections during daytime and save time.

Also, what do I have to configure to make my laptop (192.168.200.2) go to the internet via the ASA?

thanks,

Ofir

Re: ASA 5505 connection problem to WAN

Ofir,

"I just want to make sure, it is OK to leave ASA side by side with the current firewall as long as I use different IPs?"

Sure it is.

"doing so I can test all my outside related connections "

Yes.

"also, what do I have to configure to make my laptop (192.168.200.2) go to the internet via ASA?"

Add the following commands

"Edited" You should be able to connect to the internet once you set a correct DNS server on the laptop. Set DNS to 4.2.2.2, assuming that the laptop is directly connected to the ASA inside interface, not inside255.

Regards

New Member

Re: ASA 5505 connection problem to WAN

It did not work. Still can't access outside via the laptop.

this is what I had before:

ASA# sh run | inc nat

access-list inside_nat0_outbound extended permit ip interface inside host 69.x.y.82

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

I've removed it and added this:

nat (inside) 1 0 0

now I get this:

ASA# sh run | inc nat

nat (inside) 1 0.0.0.0 0.0.0.0

this is my FULL CONFIG after these changes:

*******************************************

ASA# sh run

: Saved

:

ASA Version 7.2(3)

!

hostname ASA

domain-name domain.COM

enable password xxx

names

dns-guard

!

interface Vlan1

description Management

nameif inside

security-level 100

ip address 192.168.200.4 255.255.255.0

!

interface Vlan2

description WAN

nameif outside

security-level 0

ip address 63.x.y.26 255.255.255.0

!

interface Vlan255

description ASA to LAN (192.168.255.2)

nameif inside255

security-level 100

ip address 192.168.255.1 255.255.255.252

!

interface Ethernet0/0

description WAN - connection to Verizon's network

switchport access vlan 2

!

interface Ethernet0/1

description VLAN255 to LAN

switchport access vlan 255

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxx

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

domain-name domain.COM

dns server-group DOMAINinside

name-server 192.168.200.x

name-server 192.168.201.y

domain-name ogsny.domain.com

same-security-traffic permit inter-interface

pager lines 24

mtu inside 1500

mtu outside 1500

mtu inside255 1500

ip verify reverse-path interface outside

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

access-group outside_access_out out interface outside

route outside 0.0.0.0 0.0.0.0 63.x.y.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.200.0 255.255.255.0 inside

telnet 192.168.200.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 15

management-access inside

dhcpd auto_config outside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

!

service-policy global_policy global

ntp server 192.43.244.18 source outside prefer

ntp server 207.46.232.182 source outside

smtp-server 192.168.200.12

prompt hostname context

Cryptochecksum:xxx

: end

Re: ASA 5505 connection problem to WAN

Ofir,

First, issue the following:

no access-group outside_access_in in interface outside

no access-group outside_access_out out interface outside

Check the following:

1) ASA can ping 63.x.y.1

2) Laptop is plugged into a Vlan1 port of the ASA!

3) Laptop has an IP address in 192.168.200.0/24 and has the gateway IP of 192.168.200.4.

4) Make sure the laptop can ping 192.168.200.4

5) Make sure the laptop has a preferred DNS server IP of 4.2.2.2, not anything else, and especially NOT 192.168.200.4 as the DNS server

6) Make sure the laptop's browser does not have a proxy set.

7) Issue clear arp on the ASA and arp -d a couple of times on the laptop

New Member

Re: ASA 5505 connection problem to WAN

I'm typing here from the laptop, which means THANKS and good job!

Re: ASA 5505 connection problem to WAN

You are welcome, Ofir, and thanks for rating. Please do not hesitate to post here if you encounter difficulties implementing this into the production network after your tests are finished.

Regards

New Member

Re: ASA 5505 connection problem to WAN

I will. Thanks again.
