Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5505 Problem

I am attempting to set up a ASA 5505 in a location and having some issues. I am using a PPPOE connection with ATT and everything seems to be good. I have a secure connection and can ping public IP's from the ASA. My internal network (10.104.0.0/24) on the otherhand cant seem to get out past the ASA. I believe its either a routing issue, or a NAT issue. Unfournatly ATT is being tip lipped about the default gateway of my public IP. If anyone has any ideas please let me know. Below is my configuration for the ASA.

: Saved

:

ASA Version 8.2(5)

!

hostname 104-ASA

enable password XXXXXXXXXX encrypted

passwdXXXXXXXXXXXXXXX encrypted

names

!

interface Ethernet0/0

switchport access vlan 10

!

interface Ethernet0/1

switchport access vlan 20

!

interface Ethernet0/2

switchport access vlan 20

!

interface Ethernet0/3

switchport access vlan 20

!

interface Ethernet0/4

switchport access vlan 20

!

interface Ethernet0/5

switchport access vlan 20

!

interface Ethernet0/6

switchport access vlan 20

!

interface Ethernet0/7

switchport access vlan 20

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan10

description EXTERNAL-NETWORK

nameif OUTSIDE

security-level 100

ip address pppoe setroute

!

interface Vlan20

description INTERNAL

nameif INTERNAL

security-level 100

ip address 10.104.0.1 255.255.255.0

!

ftp mode passive

access-list VPN-TRAFFIC extended permit ip 10.104.0.0 255.255.255.0 10.33.80.0 255.255.255.0

access-list NONAT-MIAMI extended permit ip 10.104.0.0 255.255.255.0 10.33.80.0 255.255.255.0

pager lines 24

mtu OUTSIDE 1500

mtu INTERNAL 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (OUTSIDE) 1 interface

nat (INTERNAL) 0 access-list NONAT-MIAMI

nat (INTERNAL) 1 0.0.0.0 0.0.0.0

route OUTSIDE 10.33.80.0 255.255.255.0 68.157.X.X 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set SECURE esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map MIAMI 10 match address VPN-TRAFFIC

crypto map MIAMI 10 set peer 23.24.X.X

crypto map MIAMI 10 set transform-set SECURE

crypto map MIAMI interface OUTSIDE

crypto isakmp enable OUTSIDE

crypto isakmp policy 5

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group INTERNET request dialout pppoe

vpdn group INTERNET localname agrotrade104@att.net

vpdn group INTERNET ppp authentication pap

vpdn username agrotrade104@att.net password ***** store-local

dhcpd dns 205.152.X.X 205.152.X.X

!

dhcpd address 10.104.0.25-10.104.0.50 INTERNAL

dhcpd enable INTERNAL

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

tunnel-group 23.24.X.X type ipsec-l2l

tunnel-group 23.24.X.X ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:b48a8a2ff31c98880dd163a53e4cabef

: end

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

Re: ASA 5505 Problem

and not to forget: I you don't change the security-level you have to instruct the ASA that you want to allow traffic between interfaces with the same level. That's not allowed by default:

ASA(config)#same-security-traffic permit inter-interface

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
5 REPLIES
VIP Purple

Re: ASA 5505 Problem

interface Vlan10

  description EXTERNAL-NETWORK

  nameif OUTSIDE

  security-level 100

Using a security-level of 100 is quite uncommon, As this is the least secure interface it should be changed to "0".

Then, how do you test if you can reach the internet? Only with PING? Then you have to enable ICMP-inspection:

policy-map global_policy

  class inspection_default

    inspect icmp

-- 

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

ASA 5505 Problem

Inside the ASA i can ping 8.8.8.8 and other public IPs, correct me if im wrong but that means that i have connection to the outside world. Unfournatly my private network (10.104.0.0/24) cannot ping or get out.

As for the security level association to my vlan, everything will be tightened down, and the security ACL's will be implemented once the system is up and running completely. If my security-level is something that is causing the issue i can lower the level but i dont believe that is a problem. Feel free to correct me if im wrong, i am fairly new to ASA's.

-chris

VIP Purple

Re: ASA 5505 Problem

Inside the ASA i can ping 8.8.8.8 and other public IPs

What do you mean with that? Inside the ASA *is* the network 10.104.0.0/24, isn't it?

If my security-level is something that is causing the issue i can lower the level but i dont believe that is a problem

Well, up to now no one knows if a prison can be build without fences because no one has tried it before. It seems you are someone who would try it ... ;-)

The security-levels control which kind of security to apply for the traffic. And 100 for the outside interface is probably nothing that anyone have thought before.

But use the following command and paste the output. It simulates what the ASA would do with the traffic:

ASA# packet-tracer input INTERNAL tcp 10.104.0.10 1234 1.2.3.4 80


-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
VIP Purple

Re: ASA 5505 Problem

and not to forget: I you don't change the security-level you have to instruct the ASA that you want to allow traffic between interfaces with the same level. That's not allowed by default:

ASA(config)#same-security-traffic permit inter-interface

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: ASA 5505 Problem

karsten.iwen wrote:

and not to forget: I you don't change the security-level you have to instruct the ASA that you want to allow traffic between interfaces with the same level. That's not allowed by default:

ASA(config)#same-security-traffic permit inter-interface

Karsten

Thanks for the help that command saved the day!!

455
Views
0
Helpful
5
Replies