09-11-2013 04:58 PM - edited 03-11-2019 07:37 PM
Hi there,
I am almost new to firewalls.
I have an ASA 5505 at home
Verizon MI24WR router ASA 5505
Public IP 192.168.1.x
Now I want to have a network after the ASA (192.168.20.x)
Also I would like to have access to internet from the network after ASA as well
I followed the instruction below:
===========================
When you open the box containing your new ASA 5505 and plug in your console you will see the following:
Type help or '?' for a list of available commands.
ciscoasa>
Here you type the command “enable” to get in enabled mode.
Type help or '?' for a list of available commands.
ciscoasa> enable
Password:
ciscoasa#
As you can see you will get a password prompt. Simply hit enter here because there is no enable password configured.
The 1st thing you want to do is type the command “write erase”. This will delete all the default configuration Cisco made for you. You might wonder why but there is a lot of stuff in that configuration that you don’t need/want and could even cause some network issues if you connected it to your network (DHCP).
ciscoasa# write erase
Erase configuration in flash memory? [confirm]
[OK]
ciscoasa#
You will be prompted to confirm that you want to erase the configuration. Simply hit enter here.
Now that you erased your startup configuration you will need to reload the ASA to get a clean configuration. You will use the “reload” command for this.
ciscoasa# reload
Proceed with reload? [confirm]
ciscoasa#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Now when your router is restarted you will get this question:
Pre-configure Firewall now through interactive prompts [yes]?
Answer with “no” since you want to configure the ASA yourself (you want to be a Cisco engineer, right?).
Now enter enabled mode (look up if you forgot how to) and issue the command “show running-config“.
ciscoasa# show running-config
Looks nice and clean right?
Now we can start the configuration.
The 1st thing you want to do is get into configuration mode. You can do this by issuing the command “configure terminal”
ciscoasa# configure terminal
ciscoasa(config)#
Notice the (config) behind the device hostname. This means you are in configuration mode.
Now we will give our ASA another hostname.
ciscoasa(config)# hostname ExampleASA
ExampleASA(config)#
As you can see, the hostname changes immediately.
Now we will set a username and password so you can actually manage the ASA from your desk with SSH/Telnet/ASDM.
ExampleASA(config)# username example password example privilege 15
ExampleASA(config)#
Setting your privilege to 15 is very important if you’re the one that is going to manage the ASA. Privilege 15 is the highest of the privileges and gives you full control over the device.
Now that this is done we will configure the inside (LAN) address of the ASA.
With the ASA 5505 you work with VLANs instead of assigning IP addresses to actual interfaces. We will use VLAN 1 as our inside VLAN.
ExampleASA(config)# interface vlan 1
ExampleASA(config-if)# ip address 192.168.1.1 255.255.255.0
ExampleASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
All the ASA devices work with security levels that you apply to VLANs/interfaces. With security levels you can always go from high (100) to low (0) but never the other way around unless configured otherwise. This means that no one from the outside can start a session to the inside.
So much for the inside VLAN.
Now we will start on the outside (WAN) configuration.
Depending on the provider you might have to do this a little bit different but I will start with a static IP address first.
ExampleASA(config)# interface vlan 2
ExampleASA(config-if)# ip address 212.115.192.193 255.255.255.248
ExampleASA(config-if)# nameif outside
INFO: Security level for outside set to 0 by default.
ExampleASA(config-if)# exit
ExampleASA(config)# route outside 0.0.0.0 0.0.0.0 212.115.192.192
As you can see the ASA sets the security level of the interface called outside to 0.
You also need to make a static route if your provider supplied you with a static IP address. This is called the default gateway.
If your provider gives you an IP address through DHCP the configuration is a little easier.
ExampleASA(config)# interface vlan 2
ExampleASA(config-if)# ip address dhcp setroute
ExampleASA(config-if)# nameif outside
With this command you don’t need to configure a default gateway since you will get this from your provider.
Now we need to attach the outside VLAN to one of the interfaces of the ASA.
By default all the interfaces are attached to VLAN 1 and by default all the interfaces are in the “shutdown” state. In this example I will attach the interface “Ethernet 0” to the outside VLAN (VLAN 2) and make the port operational.
ExampleASA(config)# interface ethernet0/0
ExampleASA(config-if)# switchport access vlan 2
ExampleASA(config-if)# no shutdown
Now this interface is attached to VLAN 2 and operational.
You need to make at least one other port operational for your inside network by typing the command “no shutdown”.
ExampleASA(config)# interface ethernet0/1
ExampleASA(config-if)# no shutdown
By default all the interfaces are attached to VLAN 1 so you don’t need to assign a VLAN to the interface.
And now to make internet work from your inside network we have to configure NAT.
1st you make a global interface to where all the addresses from the inside need to be translated to.
ExampleASA(config)# global (outside) 10 interface
INFO: outside interface address added to PAT pool
The number 10 in that line of configuration is an identifier. This way you can tell the NAT on the inside which outside IP address it should translate to.
The interface part means that you use your interface IP address to translate to. In this case, the outside interface.
2nd we need to make a NAT rule for the inside network.
ExampleASA(config)# nat (inside) 10 192.168.1.0 255.255.255.0
ExampleASA(config)#
As you can see I also used the number 10 in this rule. This links the inside network to the outside global. The subnet behind that states that the network 192.168.1.0/24 is allowed to be translated to the outside IP address.
Congratulations! You now should have an internet connection!
===========================
I had the modification below on the instruction above:
For VLAN 1 ExampleASA(config-if)# ip address 192.168.20.1 255.255.255.0
For Vlan 2 I used the dhcp command, but I prefer to assign a static IP to my ASA (a static IP address from the Verizon firewall)
For NAT ExampleASA(config)# nat (inside) 10 192.168.20.0 255.255.255.0
But I do not have access to internet.
I read that a firewall has two IP addresses, one for the outside and another for the inside, which I can consider as the gateway, but I do not know how to set it up.
Please advise.
Thank you in advance for your time
09-11-2013 05:14 PM
This is the result of show run
CiscoASA5505# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list INSIDE-NAT0 extended permit ip 192.168.99.0 255.255.255.0 any
access-list INSIDE-NAT0 extended permit ip 192.168.20.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list INSIDE-NAT0
nat (inside) 10 access-list INSIDE-NAT0
nat (inside) 10 192.168.20.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.1
!
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:3b0058988bbec035e3781611a2c16f8e
: end
=================
192.168.1.6: is the assigned IP address from Verizon firewall to ASA
09-12-2013 03:53 AM
Hi,
Having this configuration
nat (inside) 0 access-list INSIDE-NAT0
will essentially mean that all your hosts behind the ASA will be visible to the Verizon device with their original IP addresses and will likely lead to problems, so you should probably remove it.
Also, since your "outside" interface is configured with "ip address dhcp setroute", it means that you shouldn't configure any default route, so remove the current one. The DHCP server provides you with the correct default route.
no route outside 0.0.0.0 0.0.0.0 192.168.1.6 1
- Jouni
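The tutorial quoted in the first post explains that a `nat (inside) N` rule is only useful when a `global (outside) N` entry with the same identifier exists, and Jouni's reply points out two further traps: `nat (inside) 0 access-list ...` sends the inside hosts out untranslated, and a static default route is redundant (and here wrong) when the outside interface uses `ip address dhcp setroute`. The script below, an added example that is not code from the thread or from Cisco, lints a pasted pre-8.3 `show run` for exactly those three conditions. The two trimmed configurations named `FIRST_POST_CONFIG` and `WORKING_CONFIG` are taken from the NAT and routing lines posted in this thread; `MISSING_GLOBAL_CONFIG` is constructed to show the dangling-identifier case.

```python
"""Lint a classic (pre-8.3) ASA 5505 'show run' for the NAT and routing mistakes
discussed in this thread. Added example; not code from the thread or from Cisco.
It works on plain text, so a 'show run' saved to a file can be fed straight in.
"""
import re
from typing import Dict, List

# 'nat (iface) ID <rest>' and 'global (iface) ID <rest>' form the old-style NAT pair:
# traffic matching a nat rule with ID n is translated using the global entry with ID n.
NAT_RE = re.compile(r"^nat \((?P<iface>[\w-]+)\) (?P<id>\d+) (?P<rest>.+)$")
GLOBAL_RE = re.compile(r"^global \((?P<iface>[\w-]+)\) (?P<id>\d+) (?P<rest>.+)$")
# A static default route; on a DHCP outside interface 'setroute' already supplies one.
ROUTE_RE = re.compile(r"^route (?P<iface>[\w-]+) 0\.0\.0\.0 0\.0\.0\.0 (?P<gw>\S+)")
DHCP_SETROUTE = "ip address dhcp setroute"


def lint_asa_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    nats = []
    globals_by_id: Dict[str, List[str]] = {}
    default_gateways: List[str] = []
    dhcp_setroute = False

    for raw in config.splitlines():
        line = raw.strip()  # interface sub-commands are indented in 'show run'
        if (m := NAT_RE.match(line)):
            nats.append(m)
        elif (m := GLOBAL_RE.match(line)):
            globals_by_id.setdefault(m["id"], []).append(m["rest"])
        elif (m := ROUTE_RE.match(line)):
            default_gateways.append(m["gw"])
        elif line == DHCP_SETROUTE:
            dhcp_setroute = True

    findings: List[str] = []
    for m in nats:
        rule = f"nat ({m['iface']}) {m['id']} {m['rest']}"
        if m["id"] == "0":
            # nat 0 is NAT exemption: matching inside hosts reach the next hop untranslated.
            findings.append(f"identity NAT: '{rule}' sends matching hosts out untranslated")
        elif m["id"] not in globals_by_id:
            findings.append(f"'{rule}' has no 'global' entry with id {m['id']}; nothing to translate to")
    if dhcp_setroute and default_gateways:
        findings.append(
            f"static default route via {default_gateways[0]} duplicates the route learned by 'dhcp setroute'"
        )
    return findings


# Trimmed from the first 'show run' posted in the thread (NAT and routing lines only).
FIRST_POST_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
global (outside) 10 interface
nat (inside) 0 access-list INSIDE-NAT0
nat (inside) 10 access-list INSIDE-NAT0
nat (inside) 10 192.168.20.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.6 1
"""

# Trimmed from the configuration the thread later reports as working.
WORKING_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0
"""

# Constructed: a nat rule whose identifier 20 has no matching global entry.
MISSING_GLOBAL_CONFIG = """\
global (outside) 10 interface
nat (inside) 20 192.168.20.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, cfg in [("first post", FIRST_POST_CONFIG), ("working", WORKING_CONFIG)]:
        print(name, lint_asa_config(cfg) or "clean")
```

Run against the first posted configuration it reports the identity NAT and the redundant static route, which are the two lines Jouni asked to remove; the working configuration comes back clean.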
09-12-2013 04:10 PM
Hello Jouni,
Thank you so much for your email
I followed your instruction
CiscoASA5505# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
access-list INSIDE-NAT0 extended permit ip 192.168.20.0 255.255.255.0 any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 access-list INSIDE-NAT0
nat (inside) 10 192.168.20.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.1.1
!
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:85b9c089b86c4e155fa0e24d5185edfe
: end
As you can see, right now I cannot even connect to my network. Also, I do not have any idea about the gateway value.
Any idea?
Thank you in Advance for your time
09-11-2013 07:10 PM
Hi,
"Public IP 192.168.1.x" how can your public IP be a private class?
And your default route must point to your ISP address: route outside 0.0.0.0 0.0.0.0 xxxx.xxxx.xxxx.xxxx (ISP address)
Kind Regards,
AS
09-12-2013 04:13 PM
Hi Antonio,
Thank you so much for your reply.
As I mentioned my public IP address comes to my firewall and my ASA is after my firewall.
I am playing with the ASA as a lab.
09-12-2013 06:03 PM
I found a setting in a Cisco ASA 5505 configuration
=========== Original ====================
In this scenario the 5505 is used for basic internet access using PAT, with dynamic IP address obtained from the ISP via DHCP (Firewall will act as DHCP client for the outside interface).
The firewall will also act as a DHCP server for assigning IP addresses to inside hosts.
ASA-5505# show run
: Saved
:
ASA Version 7.2(3)
!
hostname ASA-5505
domain-name test.com
enable password xxxxxxxxxxxxxxxx encrypted
names
!
! Vlan 1 is assigned by default to all ports Ethernet0/1 to 0/7 which belong to the inside zone.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
! Vlan 2 is assigned to port Ethernet0/0 which belongs to the outside zone.
interface Vlan2
nameif outside
security-level 0
! Get outside address and default gateway from ISP
ip address dhcp setroute
!
! Assign Eth0/0 to vlan 2.
interface Ethernet0/0
switchport access vlan 2
!
! By default, Eth0/1 to 0/7 are assigned to vlan 1. No need to change anything.
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
! Create an ACL on the outside that will allow only echo-reply for troubleshooting purposes. Use a
!deny all with log at the end to monitor any attacks coming from outside.
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
! Do PAT using the outside interface address
global (outside) 1 interface
! Translate ALL inside addresses
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
! Configure Local authentication for firewall management (For accessing the Firewall you need to
!use the username/password configured later).
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Allow internal hosts to telnet to the device
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
! Allow an external management host to ssh from outside for firewall management
ssh 100.100.100.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
! Assign a DNS server to internal hosts
dhcpd dns 200.200.200.1
!
! Assign IP addresses to internal hosts
dhcpd address 192.168.1.10-192.168.1.40 inside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
! Configure here the username and password for accessing the device
username admin password xxxxxxxxxxxxxx encrypted
prompt hostname context
: end
=====================================
=========== Modified by Me ==============
CiscoASA5505# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
domain-name xyx.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name xyx.com
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 200.200.200.1
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
username superHead password Hs/tINYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f4f28269cf243f2f8b0980f51a50ad10
: end
=====================================
Now I can connect to my network but not internet
Why?
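The reference configuration quoted above ends its `outside_in` ACL with `deny ip any any log` so that anything unsolicited arriving on the outside interface leaves a syslog trace. Those traces are only useful if someone reads them, so here is an added example (not code from the thread or from Cisco) that parses the ASA `%ASA-4-106023` deny messages produced by that line, counts them per source, and flags a source that has touched several different destination ports. The message layout is the documented 106023 format; the sample lines in `SAMPLE_LOG` are constructed with documentation address ranges and are not captured from the poster's ASA.

```python
"""Summarise hits on the logging deny-all at the end of the ASA 'outside_in' ACL.
Added example; not code from the thread or from Cisco. Assumes the standard ASA
syslog message %ASA-4-106023 (Deny ... by access-group "<acl>"); the sample lines
below are constructed, not captured from the poster's ASA.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


class Deny(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int]  # None for ICMP, which carries type/code instead
    acl: str


def parse_denies(lines: List[str], acl: str = "outside_in") -> List[Deny]:
    """Keep only 106023 denies logged by the given ACL; other syslog lines are skipped."""
    out: List[Deny] = []
    for line in lines:
        m = DENY_RE.search(line)
        if m and m["acl"] == acl:
            out.append(Deny(m["proto"], m["src"], m["dst"],
                            int(m["dport"]) if m["dport"] else None, m["acl"]))
    return out


def summarize(denies: List[Deny], sweep_threshold: int = 3) -> Dict[str, object]:
    """Count denies per source and flag sources probing >= sweep_threshold distinct ports."""
    by_src = Counter(d.src for d in denies)
    ports_by_src: Dict[str, set] = defaultdict(set)
    for d in denies:
        if d.dport is not None:
            ports_by_src[d.src].add(d.dport)
    sweeps = sorted(src for src, ports in ports_by_src.items() if len(ports) >= sweep_threshold)
    return {
        "total": len(denies),
        "top_sources": by_src.most_common(3),
        "port_sweeps": sweeps,
    }


SAMPLE_LOG = [  # constructed sample lines
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:192.168.1.6/22 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:192.168.1.6/23 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40003 dst inside:192.168.1.6/445 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:198.51.100.7/40004 dst inside:192.168.1.6/3389 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst inside:192.168.1.6/80 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/51001 dst inside:192.168.1.6/80 by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src outside:192.0.2.9 dst inside:192.168.1.6 (type 8, code 0) by access-group "outside_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:192.168.20.5/50000 dst outside:203.0.113.9/25 by access-group "inside_out" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 12 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.20.5/51234 (192.168.1.6/1024)',
]

if __name__ == "__main__":
    print(summarize(parse_denies(SAMPLE_LOG)))
```

On the sample lines the summary counts seven `outside_in` denies, ignores the line logged by a different ACL and the connection-built message, and lists 198.51.100.7 as a port sweep because it hit four distinct ports; feed it `logging buffered` output or a syslog file from the ASA in place of `SAMPLE_LOG`.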
09-13-2013 08:01 PM
The configuration below works.
CiscoASA5505# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
domain-name xyx.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name xyx.com
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
username sarparast password Hs/tIupNYaeztJyS encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7b5bb632bce65adbe4796e72a3c19c03
: end
12-04-2013 07:27 PM
Hi there,
I had to reboot my router at home. Then I lost my connection to my test network after the ASA.
Also, after rebooting the ASA a couple of times, the ASA goes back to "ASA Version 7.2(4)" from ASA Version 9.1(2)!!!!!!!!!???
Anyway.
my current setting is the same as before (the above configuration) and I had access to internet until last Saturday.
but right now no access to internet.
Any idea?
Configuration:
Verizon => Firewall => ASA5505 => My computer (Test network) No Internet
|=> My other devices Have internet
Cable from Firewall to ASA is fine.
=====================
CiscoASA5505# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
domain-name xyz1.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name xyz1.net
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9fc2f7981b4c42826bf6791f9178291f
: end
12-04-2013 11:49 PM
Hi,
You have not set any specific image for the ASA boot so the image which is chosen depends on their order on the Flash to my understanding
You have to use the following command to set the software image you want to use
boot system flash:/
And naturally save the configurations before rebooting to the new software.
Your configuration seems otherwise the same, though you are missing ICMP inspection. But you say Internet doesn't work? The ASA seems to have the basic configurations.
You could add these
dhcpd auto_config outside
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
Let us know if that helps
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
12-07-2013 06:22 AM
Hello Jouni,
Please be informed I ran the command but still no luck.
I found something strange. I set up my computer to get an IP from DHCP and then looked at its details;
the second IPv4 is not familiar to me.
I ran ipconfig /flushdns and then ipconfig /renew but the IP address "68.238.112.12" is still there.
this is the new config of the ASA
CiscoASA5505(config)# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
domain-name xyz.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name xyz.com
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 192.168.20.0 255.255.255.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9fc2f7981b4c42826bf6791f9178291f
: end
12-07-2013 06:31 AM
Hi,
The configuration above seems to me to be the same configuration your earlier posted to be the working configuration.
I don't see a problem with the configuration.
The strange IP address that you are getting with the DHCP to your client is probably information that the ASA gets from DHCP from some upstream device.
The below configuration we added is meant to pass information that the ASA gets as a DHCP Client to the DHCP Client behind the ASA. What I mean by that is that you have configured the ASA to get an IP address from some other device. It also gets the DNS information and the below command is supposed to pass that information to the DHCP used for the clients behind ASA
dhcpd auto_config outside
You can naturally try to remove the above configuration and add the DNS servers yourself
For example Google DNS servers
no dhcpd auto_config outside
dhcpd dns 8.8.8.8 8.8.4.4
You can use "packet-tracer" command to test the ASA configurations, for example
packet-tracer input inside tcp 192.168.20.6 12345 8.8.8.8 80
- Jouni
12-07-2013 05:49 PM
Hello Jouni,
Thank you so much for your reply.
Please be informed I fixed the issue by the config below:
192.168.1.6 is the static IP address which I assigned in my Verizon firewall to my ASA
Now I have access to internet on my computers after ASA.
Again Thank you so much for your time.
Amir
CiscoASA5505(config)# show run
: Saved
:
ASA Version 7.2(4)
!
hostname CiscoASA5505
domain-name xyz.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name xyz.com
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 192.168.1.6 netmask 255.255.255.0
nat (inside) 10 192.168.20.0 255.255.255.0
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17e52096b042a7ba21a209e7c58ed132
: end