ASA 5505 Port forwarding UDP ranges to multiple internal IP addresses

AaronCase3 (Level 1)

I'm setting up a 5505 to connect our phone system to SIP trunking. The phone system is the only thing that will be behind the 5505; however, there are multiple IPs associated with the phone system and I need to port forward based on specific port ranges. The following is what I want/need to accomplish.

Outside UDP traffic on UDP 5060-5061 and UDP 16384-17383 needs to be delivered to internal IP 192.168.1.26

Outside UDP traffic on UDP 17384-17639 needs to be delivered to internal IP 192.168.1.28

Outside UDP traffic on UDP 17640-17895 needs to be delivered to internal IP 192.168.1.27

Other than this, I want traffic blocked except what is initiated internally.

I have created object groups for the host objects and for the port ranges, and set NAT rules. Am I missing anything?

Here is my running config

Any help/confirmation/critical analysis appreciated.

: Saved
:
ASA Version 8.4(6) 
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0 
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
object service VAM1
 service udp source range sip 5061 destination range sip 5061 
 description VAM Ports
object service VAM2
 service udp source range 16384 17383 destination range 16384 17383 
 description VAM SIP PORTS
object service MRMA
 service udp source range 17384 17639 destination range 17384 17639 
 description MRM A PORTS
object service MRMB
 service udp source range 17640 17895 destination range 17640 17895 
 description MRM B PORTS
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
object service vamIP1
 service udp source range 16384 17383 
object service SIP
 service udp source range sip 5061 
object service mrmaUDP
 service udp source range 17384 17639 
object service mrmbUDP
 service udp source range 17640 17895 
object service vam5060
 service udp source range sip 5061 
object-group service VAM_PORTS
 service-object object VAM1 
 service-object object VAM2 
access-list outside_access_in extended permit object-group VAM_PORTS interface outside interface inside 
access-list outside_access_in extended permit object MRMA interface outside interface inside 
access-list outside_access_in extended permit object MRMB interface outside 192.168.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
access-group outside_access_in in interface outside
route inside 0.0.0.0 255.255.255.255 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:c8602fd7e5eca94f54c4ae20296b28bc
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable
Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

The NAT configurations seem fine for the Static PAT (Port Forward) configurations. Notice though that you will probably want to configure Dynamic PAT for any internal host, even if you only had the single host behind the ASA.

You can accomplish that with the following command, for example:

nat (inside,outside) after-auto source dynamic any interface

Also the ACL seems to be a bit off.

The first thing you should confirm is whether the connections are truly coming from the same source ports as their destination port will be. If not, then I would suggest only using the "destination" port in the "object service". This is since usually the source port of the connection can be random and only the destination port is usually some known port or range of ports.

Also, since we are talking about the new ASA software and its NAT/ACL configuration, you won't be allowing the traffic towards the "outside" interface public IP address. You always allow the traffic to the real IP address of the NATed host.

So it would seem to me that you would have to have these configurations for the ACL portion (part of it simply modified from the above configuration):

object service VAM1
 service udp destination range sip 5061
 description VAM Ports
object service VAM2
 service udp destination range 16384 17383
 description VAM SIP PORTS
object service MRMA
 service udp destination range 17384 17639
 description MRM A PORTS
object service MRMB
 service udp destination range 17640 17895
 description MRM B PORTS
object-group service VAM_PORTS
 service-object object VAM1
 service-object object VAM2
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.28
object network MRMBIP
 host 192.168.1.27
access-list outside_access_in remark Allow ports for Phone System
access-list outside_access_in permit object-group VAM_PORTS any object vamIP
access-list outside_access_in permit object MRMA any object MRMAIP
access-list outside_access_in permit object MRMB any object MRMBIP

You can naturally limit the connections from certain source networks/IPs if you want/can.

Let me know how it works out.

Hope this helps

- Jouni
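The two points in the answer above (on ASA 8.3+ the inbound ACL is matched against the real inside address after NAT untranslation, and source ports should normally be left open) can be seen in a small model of the packet path. The following is an added illustration written for this thread, not Cisco code and not Jouni's; the addresses and UDP ranges are the ones from the thread, while the data structures, function names and the 41234 sample source port are assumptions. It also goes one step beyond the thread with find_overlaps(), which flags two forwards of the same UDP range to different hosts, a slip that is easy to make when copying object definitions.

```python
"""Toy model of ASA 8.3+ inbound handling: static PAT untranslation first,
then the inbound ACL is matched against the REAL (inside) address.
Added example for this thread; not Cisco code. Addresses and port ranges are
from the thread, everything else is an assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORTS = (1, 65535)
OUTSIDE_IF_IP = "108.174.110.110"   # the 5505's outside (mapped) address in the thread


@dataclass(frozen=True)
class StaticPat:
    """One 'nat (inside,outside) source static ... service' port forward."""
    proto: str
    ports: Tuple[int, int]   # mapped destination port range, inclusive
    real_ip: str             # inside host the traffic is forwarded to


@dataclass(frozen=True)
class AclEntry:
    """One permit line of the inbound ACL on the outside interface."""
    proto: str
    dst_ip: str                                # "any" or the permitted real host
    dst_ports: Tuple[int, int]
    src_ports: Tuple[int, int] = ANY_PORTS     # normally left open (random source ports)


def in_range(port: int, rng: Tuple[int, int]) -> bool:
    return rng[0] <= port <= rng[1]


# Port forwards from the thread (phone system hosts behind the 5505)
NAT_TABLE = [
    StaticPat("udp", (5060, 5061), "192.168.1.26"),
    StaticPat("udp", (16384, 17383), "192.168.1.26"),
    StaticPat("udp", (17384, 17639), "192.168.1.28"),
    StaticPat("udp", (17640, 17895), "192.168.1.27"),
]

# Stand-in for the first attempt: permits to the mapped (outside) address and
# requires the source port to fall in the same range as the destination port.
ACL_MAPPED_IP = [AclEntry("udp", OUTSIDE_IF_IP, e.ports, src_ports=e.ports) for e in NAT_TABLE]

# The form suggested in the answer: any source port, destination = real inside host.
ACL_REAL_IP = [AclEntry("udp", e.real_ip, e.ports) for e in NAT_TABLE]


def untranslate(proto: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Step 1: find the static PAT rule matching the mapped address and port."""
    if dst_ip != OUTSIDE_IF_IP:
        return None
    for e in NAT_TABLE:
        if e.proto == proto and in_range(dst_port, e.ports):
            return e.real_ip
    return None


def acl_permits(acl: List[AclEntry], proto: str, real_ip: str, src_port: int, dst_port: int) -> bool:
    """Step 2: first-match ACL check against the untranslated (real) address."""
    for a in acl:
        if (a.proto == proto
                and a.dst_ip in ("any", real_ip)
                and in_range(dst_port, a.dst_ports)
                and in_range(src_port, a.src_ports)):
            return True
    return False   # implicit deny at the end of every ASA ACL


def evaluate(acl: List[AclEntry], proto: str, dst_ip: str, dst_port: int, src_port: int = 41234):
    """Return ('permit', real_ip) or ('drop', reason) for one inbound packet.
    The default source port is a constructed random-looking ephemeral port."""
    real_ip = untranslate(proto, dst_ip, dst_port)
    if real_ip is None:
        return ("drop", "no static PAT rule for %s/%d" % (proto, dst_port))
    if not acl_permits(acl, proto, real_ip, src_port, dst_port):
        return ("drop", "outside_access_in has no permit to real ip %s" % real_ip)
    return ("permit", real_ip)


def find_overlaps(table: List[StaticPat]):
    """Sanity check: the same proto/port range forwarded to two different hosts."""
    bad = []
    for i, a in enumerate(table):
        for b in table[i + 1:]:
            if (a.proto == b.proto and a.real_ip != b.real_ip
                    and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]):
                bad.append((a, b))
    return bad


if __name__ == "__main__":
    for name, acl in (("ACL to mapped IP", ACL_MAPPED_IP), ("ACL to real IP", ACL_REAL_IP)):
        print(name, "->", evaluate(acl, "udp", OUTSIDE_IF_IP, 5060))
    print("overlapping forwards:", find_overlaps(NAT_TABLE))
```

Running it shows the same SIP packet dropped under the mapped-address ACL and permitted under the real-address one; the overlap check returns an empty list for the thread's four ranges and a non-empty one as soon as a range is pasted twice for different hosts.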

Thanks for the input. I'm a n00b with Cisco. It all makes sense in my head, but putting it into practice for the first few times is always an experience. I'll be putting this live tomorrow; I'll let you know how it goes.

OK, I made the changes you suggested. I'll attach my running config. I'm not able to get to the internet from the phone system (it's basically a Server 2003 box). I can ping from the ASA successfully, but not from the phone system. I am resolving DNS.

: Saved
:
ASA Version 8.4(6) 
!
hostname wavefc
domain-name center
enable password 8EBQPyIGHYB9jy6X encrypted
passwd 8EBQPyIGHYB9jy6X encrypted
names
name 192.168.1.28 MRMA description Wave MRMA IP
name 192.168.1.27 MRMB description Wave MRMB IP
name 192.168.1.26 vam description WAVE VAM IP
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.30 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0 
!
boot system disk0:/asa846-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name center
object network vam
 host 192.168.1.26
 description Created during name migration
object network MRMB_1
 host 192.168.1.27
 description Created during name migration
object network MRMA_1
 host 192.168.1.28
 description MRMB
object service VAM1
 service udp destination range sip 5061 
 description VAM ports
object service VAM2
 service udp destination range 16384 17383 
 description VAM SIP PORTS
object service MRMA
 service udp destination range 17640 17895 
 description MRM A PORTS
object service MRMB
 service udp destination range 17640 17895 
 description MRM B PORTS
object network Dynamic_NAT
 subnet 192.168.1.0 255.255.255.0
object network vamIP
 host 192.168.1.26
object network MRMAIP
 host 192.168.1.27
object network MRMBIP
 host 192.168.1.27
object service vamIP1
 service udp source range 16384 17383 
object service SIP
 service udp source range sip 5061 
object service mrmaUDP
 service udp source range 17384 17639 
object service mrmbUDP
 service udp source range 17640 17895 
object service vam5060
 service udp source range sip 5061 
object-group service VAM_PORTS
 service-object object VAM1 
 service-object object VAM2 
access-list outside_access_in remark Allow ports for phone system
access-list outside_access_in extended permit object-group VAM_PORTS any object vamIP 
access-list outside_access_in extended permit object MRMA any object MRMAIP 
access-list outside_access_in extended permit object MRMB any object MRMBIP 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static vamIP interface service vamIP1 vamIP1
nat (inside,outside) source static MRMA_1 interface service mrmaUDP mrmaUDP
nat (inside,outside) source static MRMB_1 interface service mrmbUDP mrmbUDP
nat (inside,outside) source static vamIP interface service vam5060 vam5060
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd auto_config outside
!
dhcpd address 192.168.1.99-192.168.1.100 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username wave password 7dzE8CxoLKj5NbvA encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:f1c2682304b634248f80c2cbccf90928
: end
asdm image disk0:/asdm-715-100.bin
no asdm history enable

Hi,

Do you mean that you cannot ICMP/PING to the Internet from the server?

I can't see any problem with the ASA configurations for normal TCP/UDP connectivity towards the Internet, but for ICMP to work you must add these:

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Let me know if that helps

- Jouni

I've put in a static route for the gateway, but when I run the sh route command it doesn't show up there?

wavefc(config)# route outside 0.0.0.0 0.0.0.0 108.174.110.1 1
wavefc(config)# sh rou

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.1.0 255.255.255.0 is directly connected, inside
wavefc(config)#

Correct, I can't ping, but I also can't browse to websites, and my SIP trunk isn't connecting. I'll add in the policy map command and test it.

Hi,

That would usually indicate that the interface itself is down.

Have you confirmed that the ASA port Ethernet0/0 is connected to the external network?

- Jouni

e0/0 is physically connected to the external network.

I am replacing a SonicWall with this ASA 5505.

I am moving the cable from the SonicWall WAN port to the e0/0 interface on the ASA 5505.

I am moving the cable from the SonicWall LAN 0/1 port to the e0/1 interface on the ASA 5505.

On the SonicWall the settings are:

lan IP 192.168.1.30

wan IP 108.174.110.110

gateway 108.174.110.1

The SonicWall is functional.

So on the Cisco I set vlan2 to 108.174.110.110 and set e0/0 switchport access vlan 2,

and I set vlan 1 IP to 192.168.1.30,

and route 0.0.0.0 0.0.0.0 108.174.110.1 1 for the default route/gateway.

I can ping my vlan2 IP but I can't ping the gateway IP from the Cisco.

Am I missing the part that lets vlan 1 talk with vlan 2?

Hi,

The configuration itself seems good to me, except that the ACL is not attached to the external interface yet:

access-group outside_access_in in interface outside

Also, when you look at the routing table of the ASA with the command

show route

you should see both the "outside" interface network there and the default route.

Can you share the output of the following when the ASA is connected to the network?

show interface Ethernet0/0

show route

show arp

show run interface Vlan2

Notice also that when you are switching 2 different devices with the same public IP address (but different MAC address), your ISP gateway might not always update and therefore traffic might not work. This should not prevent the routes from showing on the ASA, but would rather mean that traffic wouldn't flow unless the ISP gateway updated with the new MAC address. You also have the option to configure the SonicWall external interface MAC address on the ASA Vlan2 interface if ARP is part of the problem.

- Jouni

wavefc(config)# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Available but not configured via nameif
        MAC address 885a.922c.59fc, MTU not set
        IP address unassigned
        4858 packets input, 1031732 bytes, 0 no buffer
        Received 694 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        3972 switch ingress policy drops
        26 packets output, 3014 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 rate limit drops
        0 switch egress policy drops
        0 input reset drops, 0 output reset drops
wavefc(config)#

wavefc(config)# sh rou

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 108.174.110.1 to network 0.0.0.0

C    108.174.110.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 108.174.110.1, outside
wavefc(config)#

wavefc(config)# sh arp
        inside 192.168.1.108 842b.2ba9.7e36 0
        inside 192.168.1.23 0021.9b8f.75de 3
        inside vam 0060.e055.cd70 206
        inside 192.168.1.11 009c.021f.0eac 2782
        outside 108.174.110.1 0000.5e00.010a 5171
wavefc(config)#

wavefc(config)# sh run int vlan 2
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 108.174.110.110 255.255.255.0
wavefc(config)#

Thanks for all the assistance. Here is the info you wanted. I'll get with the ISP about the MAC address; I was just thinking about that. How would I go about adding in the SonicWall MAC to vlan2?

Hi,

If you can check the SonicWall external interface MAC address, then you can configure that MAC address on the ASA Vlan2 interface by using these commands:

wavefc(config)# interface Vlan2
wavefc(config-if)# mac-address aaaa.bbbb.cccc

where aaaa.bbbb.cccc is naturally the MAC address from the SonicWall.

- Jouni

The SonicWall MAC comes in an xx:xx:xx:xx:xx:xx format. I've tried entering it straight but it won't take it. How do I convert?

Hi,

You just write it in groups of 4 like I mentioned:

xxxx.xxxx.xxxx

- Jouni
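The conversion asked about above is a pure regrouping of the same 12 hex digits. The helper below is an added example, not part of the thread or of any Cisco tool; it normalises the colon, hyphen and dotted spellings to the xxxx.xxxx.xxxx form the mac-address command expects, rejects anything that is not 48 bits of hex, and refuses multicast addresses (low bit of the first octet set), which cannot be used as an interface address. The MAC used in the usage line is the one from the show interface output earlier in the thread; to_cisco_mac is an assumed name.

```python
import re

# Added helper for this thread; not Cisco code.
_SEPARATORS = re.compile(r"[:.\-\s]")


def to_cisco_mac(mac: str) -> str:
    """Return mac in Cisco dotted form (xxxx.xxxx.xxxx), lowercase.

    Accepts 88:5A:92:2C:59:FC, 88-5a-92-2c-59-fc or 885a.922c.59fc.
    Raises ValueError for anything that is not 12 hex digits or that is a
    multicast address (bit 0 of the first octet set).
    """
    digits = _SEPARATORS.sub("", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    if int(digits[0:2], 16) & 0x01:
        raise ValueError("multicast MAC cannot be an interface address: %r" % mac)
    return "%s.%s.%s" % (digits[0:4], digits[4:8], digits[8:12])


if __name__ == "__main__":
    # MAC of Ethernet0/0 from the show interface output above
    print(to_cisco_mac("88:5A:92:2C:59:FC"))
```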

AaronCase3 (Level 1)

Great. I can now ping (from the ASA) to external internet IPs, as well as the default route IP. But I'm still unable to get to the internet from the host. I've applied the ACL aforementioned.
