ASA 5505 - Inside does not access to outside

Amir Eskandari
Level 1

Hi there,

I am almost new to firewalls.

I have an ASA 5505 at home.

Verizon (public IP) => MI24WR router (192.168.1.x) => ASA 5505

Now I want to have a network after the ASA (192.168.20.x).

Also, I would like to have access to the internet from the network after the ASA as well.

I followed the instructions below:

===========================

When you open the box containing your new ASA 5505 and plug in your console you will see the following:

Type help or '?' for a list of available commands.

ciscoasa>

Here you type the command “enable” to get in enabled mode.

Type help or '?' for a list of available commands.

ciscoasa> enable

Password:

ciscoasa#

As you can see you will get a password prompt. Simply hit enter here because there is no enable password configured.

The 1st thing you want to do is type the command “write erase”. This will delete all the default configuration Cisco made for you. You might wonder why but there is a lot of stuff in that configuration that you don’t need/want and could even cause some network issues if you connected it to your network (DHCP).

ciscoasa# write erase

Erase configuration in flash memory? [confirm]

[OK]

ciscoasa#

You will be prompted to confirm that you want to erase the configuration. Simply hit enter here.

Now that you erased your startup configuration you will need to reload the ASA to get a clean configuration. You will use the “reload” command for this.

ciscoasa# reload

Proceed with reload? [confirm]

ciscoasa#

***

*** --- START GRACEFUL SHUTDOWN ---

Shutting down isakmp

Shutting down File system

***

*** --- SHUTDOWN NOW ---

Now when your router is restarted you will get this question:

Pre-configure Firewall now through interactive prompts [yes]?

Answer with “no” since you want to configure the ASA yourself (you want to be a cisco engineer right?).

Now enter enabled mode (look up if you forgot how to) and issue the command “show running-config“.

ciscoasa# show running-config

Looks nice and clean right?

Now we can start the configuration.

The 1st thing you want to do is get into configuration mode. You can do this by issuing the command “configure terminal”

ciscoasa# configure terminal

ciscoasa(config)#

Notice the (config) behind the device hostname. This means you are in configuration mode.

Now we will give our ASA another hostname.

ciscoasa(config)# hostname ExampleASA

ExampleASA(config)#

As you can see, the hostname changes immediately.

Now we will set a username and password so you can actually manage the ASA from your desk with SSH/Telnet/ASDM.

ExampleASA(config)# username example password example privilege 15

ExampleASA(config)#

Setting your privilege to 15 is very important if you’re the one that is going to manage the ASA. Privilege 15 is the highest of the privileges and gives you full control over the device.

Now that this is done we will configure the inside (LAN) address of the ASA.

With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.

ExampleASA(config)# interface vlan 1

ExampleASA(config-if)# ip address 192.168.1.1 255.255.255.0

ExampleASA(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

All the ASA devices work with security levels that you apply to VLANs/interfaces. With security levels you can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside.

So far for the inside VLAN.

Now we will start on the outside (WAN) configuration.

Depending on the provider you might have to do this a little bit differently, but I will start with a static IP address first.

ExampleASA(config)# interface vlan 2

ExampleASA(config-if)# ip address 212.115.192.193 255.255.255.248

ExampleASA(config-if)# nameif outside

INFO: Security level for outside set to 0 by default.

ExampleASA(config-if)# exit

ExampleASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.192

As you can see the ASA sets the security level of the interface called outside to 0.

You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway.

If your provider gives you an IP address through DHCP the configuration is a little easier.

ExampleASA(config)# interface vlan 2

ExampleASA(config-if)# ip address dhcp setroute

ExampleASA(config-if)# nameif outside

With this command you don’t need to configure a default gateway since you will get this from your provider.

Now we need to attach the outside VLAN to one of the interfaces of the ASA.

By default all the interfaces are attached to VLAN 1 and by default all the interfaces are in the “shutdown” state. In this example I will attach the interface “Ethernet 0” to the outside VLAN (VLAN 2) and make the port operational.

ExampleASA(config)# interface ethernet0/0

ExampleASA(config-if)# switchport access vlan 2

ExampleASA(config-if)# no shutdown

Now this interface is attached to VLAN 2 and operational.

You need to make at least one other port operational for your inside network by typing the command “no shutdown”.

ExampleASA(config)# interface ethernet0/1

ExampleASA(config-if)# no shutdown

By default all the interfaces are attached to VLAN 1 so you don’t need to assign a VLAN to the interface.

And now to make internet work from your inside network we have to configure NAT.

1st you make a global interface to which all the addresses from the inside need to be translated.

ExampleASA(config)# global (outside) 10 interface

INFO: outside interface address added to PAT pool

The number 10 in that line of configuration is an identifier. This way you can tell the NAT rule on the inside which outside IP address it should translate to.

The interface part means that you use your interface IP address to translate to. In this case, the outside interface.

2nd we need to make a NAT rule for the inside network.

ExampleASA(config)# nat (inside) 10 192.168.1.0 255.255.255.0

ExampleASA(config)#

As you can see I also used the number 10 in this rule. This links the inside network to the outside global. The subnet behind that states that the network 192.168.1.0/24 is allowed to be translated to the outside IP address.

Congratulations! You now should have an internet connection!

===========================

I made the modifications below to the instructions above:

For VLAN 1: ExampleASA(config-if)# ip address 192.168.20.1 255.255.255.0

For VLAN 2 I used the dhcp command, but I prefer to assign a static IP to my ASA (a static IP address from the Verizon firewall).

For NAT: ExampleASA(config)# nat (inside) 10 192.168.20.0 255.255.255.0

But I do not have access to the internet.

I read that a firewall has two IP addresses, one for the outside and another one for the inside, which I can consider as the gateway, but I do not know how to set it up.

Please advise.

Thank you in advance for your time.

Amir Eskandari
Level 1

This is the result of show run:

CiscoASA5505# show run

: Saved

:

ASA Version 7.2(4)

!

hostname CiscoASA5505

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

access-list INSIDE-NAT0 extended permit ip 192.168.99.0 255.255.255.0 any

access-list INSIDE-NAT0 extended permit ip 192.168.20.0 255.255.255.0 any

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list INSIDE-NAT0

nat (inside) 10 access-list INSIDE-NAT0

nat (inside) 10 192.168.20.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.168.1.6 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 192.168.1.1

!

username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:3b0058988bbec035e3781611a2c16f8e

: end

  =================

192.168.1.6 is the IP address assigned to the ASA by the Verizon firewall.

Hi,

Having this configuration

nat (inside) 0 access-list INSIDE-NAT0

Will essentially mean that all your hosts behind the ASA will be visible to the Verizon device with their original IP addresses and will likely lead to problems so you should probably remove it.

Also, since your "outside" interface is configured with "ip address dhcp setroute", it means that you shouldn't configure any default route, so remove the current one. The DHCP server provides you with the correct default route.

no route outside 0.0.0.0 0.0.0.0 192.168.1.6 1

- Jouni
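The two problems Jouni points out here (a NAT exemption that lets inside hosts leave untranslated, and a static default route that fights with "ip address dhcp setroute"), together with the nat/global id linking the quoted tutorial explains in the first post, can be checked mechanically against a pasted running-config. The following is an added example, not Cisco tooling and not code from anyone in this thread: a small Python linter for the pre-8.3 nat/global syntax. The config excerpt is constructed from the running-config posted above, and the regular expressions only cover the statement forms that appear in this thread (network/mask access-list entries, numbered nat and global lines, a default route).

```python
import re

# Constructed excerpt modelled on the first running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
access-list INSIDE-NAT0 extended permit ip 192.168.99.0 255.255.255.0 any
access-list INSIDE-NAT0 extended permit ip 192.168.20.0 255.255.255.0 any
global (outside) 10 interface
nat (inside) 0 access-list INSIDE-NAT0
nat (inside) 10 access-list INSIDE-NAT0
nat (inside) 10 192.168.20.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.6 1
"""

# Only the statement shapes seen in this thread are recognised.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
DEFAULT_ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (.+)$")


def parse(config):
    """Pull out just the statements the checks need."""
    acls, nats, global_ids, routes, dhcp_ifaces = {}, [], set(), [], set()
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            nameif = None  # new block; in show run, nameif precedes ip address
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line == "ip address dhcp setroute" and nameif:
            dhcp_ifaces.add(nameif)
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(f"{m.group(2)}/{m.group(3)}")
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(int(m.group(2)))
        elif m := DEFAULT_ROUTE_RE.match(line):
            routes.append((m.group(1), m.group(2)))
    return acls, nats, global_ids, routes, dhcp_ifaces


def lint(config):
    """Return (findings, fixes): readable problems and the 'no ...' commands that undo them."""
    acls, nats, global_ids, routes, dhcp_ifaces = parse(config)
    findings, fixes, reported = [], [], set()
    for iface, nat_id, args in nats:
        if nat_id == 0 and args.startswith("access-list "):
            # NAT exemption is evaluated before any numbered nat rule, so the
            # numbered rule for the same subnet never gets a chance to translate it.
            acl = args.split()[1]
            nets = ", ".join(acls.get(acl, ["<unknown acl>"]))
            findings.append(f"nat ({iface}) 0 access-list {acl}: exemption wins over numbered "
                            f"nat rules, so {nets} reach the outside untranslated")
            fixes.append(f"no nat ({iface}) 0 access-list {acl}")
        elif nat_id != 0 and nat_id not in global_ids and nat_id not in reported:
            reported.add(nat_id)
            findings.append(f"nat ({iface}) {nat_id} has no matching global pool; "
                            f"matching flows are dropped with 'no translation group found'")
    for iface, rest in routes:
        if iface in dhcp_ifaces:
            findings.append(f"static default route via {iface} conflicts with "
                            f"'ip address dhcp setroute' on that interface")
            fixes.append(f"no route {iface} 0.0.0.0 0.0.0.0 {rest}")
    return findings, fixes


if __name__ == "__main__":
    for text in lint(SAMPLE_CONFIG)[0]:
        print("FINDING:", text)
    for cmd in lint(SAMPLE_CONFIG)[1]:
        print("FIX:    ", cmd)
```

On the constructed excerpt the linter reports exactly the two issues raised above and emits the two "no ..." commands Jouni gives; removing the global line from the sample makes it additionally report nat id 10 as orphaned, which is the mistake the tutorial's "same number on both lines" rule guards against.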

Hello Jouni,

Thank you so much for your email.

I followed your instructions:

CiscoASA5505# show run

: Saved

:

ASA Version 7.2(4)

!

hostname CiscoASA5505

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

access-list INSIDE-NAT0 extended permit ip 192.168.20.0 255.255.255.0 any

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 access-list INSIDE-NAT0

nat (inside) 10 192.168.20.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 192.168.1.1

!

username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:85b9c089b86c4e155fa0e24d5185edfe

: end

As you can see, right now I cannot even connect to my network. Also, I do not have any idea about the gateway value.

Any idea?

Thank you in advance for your time.

Antonio Simoes
Level 1

Hi,

"Public IP 192.168.1.x" - how can your public IP be a private class?

And your default route must point to your ISP address: route outside 0.0.0.0 0.0.0.0 xxxx.xxxx.xxxx.xxxx (ISP address)

Kind Regards,

AS

Hi Antonio,

Thank you so much for your reply.

As I mentioned, my public IP address comes to my firewall and my ASA is after my firewall.

I am playing with the ASA as a lab.

Amir Eskandari
Level 1

I found a setting in a Cisco ASA 5505 configuration.

=========== Original ====================

In this scenario the 5505 is used for basic internet access using PAT, with dynamic IP address obtained from the ISP via DHCP (Firewall will act as DHCP client for the outside interface).

The firewall will also act as a DHCP server for assigning IP addresses to inside hosts.

ASA-5505# show run

: Saved

:

ASA Version 7.2(3)

!

hostname ASA-5505

domain-name test.com

enable password xxxxxxxxxxxxxxxx encrypted

names

!

! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.

interface Vlan2

nameif outside

security-level 0

! Get outside address and default gateway from ISP

ip address dhcp setroute

!

! Assign Eth0/0 to vlan 2.

interface Ethernet0/0

switchport access vlan 2

!

! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd xxxxxxxxxxxxxxxxxx encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name test.com

! Create an ACL on the outside that will allow only echo-reply for troubleshooting purposes. Use a

! deny all with log at the end to monitor any attacks coming from outside.

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended deny ip any any log

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

! Do PAT using the outside interface address

global (outside) 1 interface

! Translate ALL inside addresses

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

! Configure Local authentication for firewall management (For accessing the Firewall you need to

! use the username/password configured later).

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

! Allow internal hosts to telnet to the device

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

! Allow an external management host to ssh from outside for firewall management

ssh 100.100.100.1 255.255.255.255 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

! Assign a DNS server to internal hosts

dhcpd dns 200.200.200.1

!

! Assign IP addresses to internal hosts

dhcpd address 192.168.1.10-192.168.1.40 inside

dhcpd enable inside

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

! Configure here the username and password for accessing the device

username admin password xxxxxxxxxxxxxx encrypted

prompt hostname context

: end

=====================================

=========== Modified by Me ==============

CiscoASA5505# show run

: Saved

:

ASA Version 7.2(4)

!

hostname CiscoASA5505

domain-name xyx.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns server-group DefaultDNS

domain-name xyx.com

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended deny ip any any log

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 0.0.0.0 0.0.0.0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns 200.200.200.1

dhcpd auto_config outside

!

dhcpd address 192.168.20.5-192.168.20.36 inside

dhcpd enable inside

!

username superHead password Hs/tINYaeztJyS encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:f4f28269cf243f2f8b0980f51a50ad10

: end

=====================================

Now I can connect to my network but not the internet.

Why?

The configuration below works.

CiscoASA5505# show run

: Saved

:

ASA Version 7.2(4)

!

hostname CiscoASA5505

domain-name xyx.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns server-group DefaultDNS

domain-name xyx.com

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended deny ip any any log

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.20.0 255.255.255.0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.20.5-192.168.20.36 inside

dhcpd enable inside

!

username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7b5bb632bce65adbe4796e72a3c19c03

: end

Hi there,

I had to reboot my router at home. Then I lost my connection to my test network after the ASA.

Also, after rebooting the ASA a couple of times, the ASA goes back to "ASA Version 7.2(4)" from ASA Version 9.1(2)!!!!!!!!!???

Anyway.

My current setting is the same as before (the above configuration) and I had access to the internet until last Saturday.

But right now I have no access to the internet.

Any idea?

Configuration:

Verizon => Firewall => ASA5505 => My computer (Test network)    No Internet
                     |=> My other devices                       Have internet

Cable from Firewall to ASA is fine.

=====================

CiscoASA5505# show run

: Saved

:

ASA Version 7.2(4)

!

hostname CiscoASA5505

domain-name xyz1.net

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns server-group DefaultDNS

domain-name xyz1.net

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended deny ip any any log

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.20.0 255.255.255.0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.20.5-192.168.20.36 inside

dhcpd enable inside

!

username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  message-length maximum client auto

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:9fc2f7981b4c42826bf6791f9178291f

: end

Hi,

You have not set any specific image for the ASA boot, so the image which is chosen depends on their order on the Flash, to my understanding.

You have to use the following command to set the software image you want to use

boot system flash:/.bin

And naturally save the configurations before rebooting to the new software.

Your configuration seems otherwise the same, though you are missing ICMP inspection. But you say the Internet doesn't work? The ASA seems to have the basic configurations.

You could add these

dhcpd auto_config outside

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

Let us know if that helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Hello Jouni,

Please be informed I ran the command but still no luck.

I found something strange. I set up my computer to get an IP from DHCP and then looked at the details of it.

The second IPv4 address is not familiar to me.

I ran ipconfig /flushdns and then ipconfig /renew, but the IP address "68.238.112.12" is still there.

This is the new config of the ASA:

CiscoASA5505(config)# show run

: Saved

:

ASA Version 7.2(4)

!

hostname CiscoASA5505

domain-name xyz.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns server-group DefaultDNS

domain-name xyz.com

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended deny ip any any log

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.20.0 255.255.255.0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.20.5-192.168.20.36 inside

dhcpd enable inside

!

username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  message-length maximum client auto

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:9fc2f7981b4c42826bf6791f9178291f

: end

Hi,

The configuration above seems to me to be the same configuration you earlier posted as the working configuration.

I don't see a problem with the configuration.

The strange IP address that you are getting with the DHCP to your client is probably information that the ASA gets from DHCP from some upstream device.

The below configuration we added is meant to pass information that the ASA gets as a DHCP client to the DHCP clients behind the ASA. What I mean by that is that you have configured the ASA to get an IP address from some other device. It also gets the DNS information, and the below command is supposed to pass that information to the DHCP used for the clients behind the ASA.

dhcpd auto_config outside

You can naturally try to remove the above configuration and add the DNS servers yourself.

For example, Google DNS servers:

no dhcpd auto_config outside

dhcpd dns 8.8.8.8 8.8.4.4

You can use the "packet-tracer" command to test the ASA configurations, for example:

packet-tracer input inside tcp 192.168.20.6 12345 8.8.8.8 80

- Jouni
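The packet-tracer call Jouni suggests walks one flow through the ASA's processing phases (route lookup, access-list/security-level check, NAT) and names the phase that drops it, which is exactly what is needed to tell a nat/global id mismatch from a routing problem. As an added example, not from this thread and not Cisco's tool, here is a Python approximation of those three phases for the legacy nat/global syntax, run against a constructed excerpt of the running-config posted above. Because the outside address is learned by DHCP and therefore absent from the config, the caller passes the lease in by hand (192.168.1.6, the address mentioned in this thread); an inbound access-group on the ingress interface is not modelled.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running-configs posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0
access-group outside_in in interface outside
"""

# Numbered nat with a network/mask, and global with "interface" or an address.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def parse(config):
    """Collect interfaces (by nameif), numbered nat rules and global pools."""
    ifaces, nats, globals_ = {}, [], {}
    cur = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            cur = ifaces.setdefault(line.split()[1], {"level": 0, "net": None, "ip": None, "default": False})
        elif line.startswith("security-level ") and cur is not None:
            cur["level"] = int(line.split()[1])
        elif line.startswith("ip address ") and cur is not None:
            parts = line.split()
            if parts[2] == "dhcp":
                cur["default"] = "setroute" in parts  # default route learned from DHCP
            else:
                cur["ip"] = parts[2]
                cur["net"] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        elif line == "!":
            cur = None
        elif line.startswith("route ") and " 0.0.0.0 0.0.0.0 " in line and line.split()[1] in ifaces:
            ifaces[line.split()[1]]["default"] = True  # static default route
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)))
        elif m := GLOBAL_RE.match(line):
            globals_[(m.group(1), int(m.group(2)))] = m.group(3)
    return ifaces, nats, globals_


def trace(config, ingress, src, dst, dhcp_lease=None):
    """Mimic the route / security-level / NAT phases for one flow entering on `ingress`."""
    ifaces, nats, globals_ = parse(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Phase 1: route lookup - a connected subnet beats the default route.
    egress = next((n for n, i in ifaces.items() if i["net"] and dst_ip in i["net"]), None)
    if egress is None:
        egress = next((n for n, i in ifaces.items() if i["default"]), None)
    if egress is None or egress == ingress:
        return {"action": "DROP", "phase": "ROUTE-LOOKUP", "reason": f"no usable route to {dst} from {ingress}"}
    # Phase 2: implicit security-level rule - higher to lower passes, lower to higher needs an ACL permit.
    lvl_in, lvl_out = ifaces[ingress]["level"], ifaces[egress]["level"]
    if lvl_in <= lvl_out:
        return {"action": "DROP", "phase": "ACCESS-LIST",
                "reason": f"{ingress} ({lvl_in}) -> {egress} ({lvl_out}) has no implicit permit"}
    # Phase 3: NAT - the nat id on the ingress side selects the global pool on the egress side.
    for nat_if, nat_id, net in nats:
        if nat_if == ingress and src_ip in net:
            pool = globals_.get((egress, nat_id))
            if pool is None:
                return {"action": "DROP", "phase": "NAT",
                        "reason": f"nat ({ingress}) {nat_id} matched but there is no global ({egress}) {nat_id}"}
            xlate = (ifaces[egress]["ip"] or dhcp_lease) if pool == "interface" else pool
            return {"action": "ALLOW", "phase": "NAT", "egress": egress, "xlate": xlate,
                    "reason": f"nat ({ingress}) {nat_id} -> global ({egress}) {nat_id} {pool}"}
    return {"action": "ALLOW", "phase": "NAT", "egress": egress, "xlate": src,
            "reason": "no nat rule matched; source leaves untranslated"}


if __name__ == "__main__":
    # Same flow as Jouni's packet-tracer example.
    print(trace(SAMPLE_CONFIG, "inside", "192.168.20.6", "8.8.8.8", dhcp_lease="192.168.1.6"))
```

Swapping the global line for the fixed-address form used in the final post ("global (outside) 10 192.168.1.6 netmask 255.255.255.0") produces the same translated source, while changing the global id to anything other than 10 drops the flow in the NAT phase; that is the mismatch to look for first when the real packet-tracer output ends at NAT.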

Hello Jouni,

Thank you so much for your reply.

Please be informed I fixed the issue with the config below:

192.168.1.6 is the static IP address which I assigned in my Verizon firewall to my ASA.

Now I have access to the internet on my computers after the ASA.

Again, thank you so much for your time.

Amir

CiscoASA5505(config)# show run

: Saved

:

ASA Version 7.2(4)

!

hostname CiscoASA5505

domain-name xyz.com

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns server-group DefaultDNS

domain-name xyz.com

access-list outside_in extended permit icmp any any echo-reply

access-list outside_in extended deny ip any any log

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 192.168.1.6 netmask 255.255.255.0

nat (inside) 10 192.168.20.0 255.255.255.0

access-group outside_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.20.5-192.168.20.36 inside

dhcpd enable inside

!

username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

  message-length maximum client auto

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:17e52096b042a7ba21a209e7c58ed132

: end
