08-27-2012 01:44 PM - edited 03-11-2019 04:46 PM
I am attempting to set up an ASA 5505 in a location and having some issues. I am using a PPPoE connection with ATT and everything seems to be good. I have a secure connection and can ping public IPs from the ASA. My internal network (10.104.0.0/24), on the other hand, can't seem to get out past the ASA. I believe it's either a routing issue or a NAT issue. Unfortunately ATT is being tight-lipped about the default gateway of my public IP. If anyone has any ideas please let me know. Below is my configuration for the ASA.
: Saved
:
ASA Version 8.2(5)
!
hostname 104-ASA
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
switchport access vlan 20
!
interface Ethernet0/4
switchport access vlan 20
!
interface Ethernet0/5
switchport access vlan 20
!
interface Ethernet0/6
switchport access vlan 20
!
interface Ethernet0/7
switchport access vlan 20
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan10
description EXTERNAL-NETWORK
nameif OUTSIDE
security-level 100
ip address pppoe setroute
!
interface Vlan20
description INTERNAL
nameif INTERNAL
security-level 100
ip address 10.104.0.1 255.255.255.0
!
ftp mode passive
access-list VPN-TRAFFIC extended permit ip 10.104.0.0 255.255.255.0 10.33.80.0 255.255.255.0
access-list NONAT-MIAMI extended permit ip 10.104.0.0 255.255.255.0 10.33.80.0 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INTERNAL 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INTERNAL) 0 access-list NONAT-MIAMI
nat (INTERNAL) 1 0.0.0.0 0.0.0.0
route OUTSIDE 10.33.80.0 255.255.255.0 68.157.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SECURE esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MIAMI 10 match address VPN-TRAFFIC
crypto map MIAMI 10 set peer 23.24.X.X
crypto map MIAMI 10 set transform-set SECURE
crypto map MIAMI interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group INTERNET request dialout pppoe
vpdn group INTERNET localname agrotrade104@att.net
vpdn group INTERNET ppp authentication pap
vpdn username agrotrade104@att.net password ***** store-local
dhcpd dns 205.152.X.X 205.152.X.X
!
dhcpd address 10.104.0.25-10.104.0.50 INTERNAL
dhcpd enable INTERNAL
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 23.24.X.X type ipsec-l2l
tunnel-group 23.24.X.X ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b48a8a2ff31c98880dd163a53e4cabef
: end
08-27-2012 03:55 PM
and not to forget: If you don't change the security-level you have to instruct the ASA that you want to allow traffic between interfaces with the same level. That's not allowed by default:
ASA(config)#same-security-traffic permit inter-interface
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-27-2012 02:59 PM
interface Vlan10
description EXTERNAL-NETWORK
nameif OUTSIDE
security-level 100
Using a security-level of 100 is quite uncommon. As this is the least secure interface it should be changed to "0".
Then, how do you test if you can reach the internet? Only with PING? Then you have to enable ICMP-inspection:
policy-map global_policy
class inspection_default
inspect icmp
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
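Added example (not from this thread and not Cisco tooling): a small Python audit that parses an ASA 8.x running-config for the two problems raised in the replies above, an internet-facing interface at security-level 100 and two interfaces sharing a level without "same-security-traffic permit inter-interface". The sample configs are constructed from the interface, global and nat lines of the original post; the function names and the heuristic that "the interface named in a global (X) line is the egress" are my assumptions.

```python
"""Audit an ASA 8.x running-config for the two interface security-level
problems discussed in this thread.  Added example, not from the thread or
from Cisco; function names and the egress heuristic are assumptions."""
import re

# Constructed sample: the interface / NAT lines of the original post, with the
# indentation an ASA 'show run' normally prints.
WEAK_CONFIG = """\
interface Vlan10
 description EXTERNAL-NETWORK
 nameif OUTSIDE
 security-level 100
 ip address pppoe setroute
!
interface Vlan20
 description INTERNAL
 nameif INTERNAL
 security-level 100
 ip address 10.104.0.1 255.255.255.0
!
global (OUTSIDE) 1 interface
nat (INTERNAL) 1 0.0.0.0 0.0.0.0
"""

# Corrected variant: the outside interface lowered to security-level 0.
FIXED_CONFIG = WEAK_CONFIG.replace(
    "nameif OUTSIDE\n security-level 100", "nameif OUTSIDE\n security-level 0")

# Workaround variant: levels left at 100 but same-level traffic permitted.
PERMITTED_CONFIG = WEAK_CONFIG + "same-security-traffic permit inter-interface\n"


def _flush(current, interfaces):
    """Record a finished interface block if it had a nameif."""
    if current and current.get("nameif"):
        interfaces[current["nameif"]] = current.get("level")


def parse_interfaces(config):
    """Return {nameif: security-level} for every named interface block.

    Lines are stripped first, so a forum paste that lost its indentation
    parses the same as real 'show run' output.  A block ends at '!', at a
    blank line or at the next 'interface' command.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("interface "):
            _flush(current, interfaces)
            current = {}
        elif cmd == "!" or not cmd:
            _flush(current, interfaces)
            current = None
        elif current is not None:
            if cmd.startswith("nameif "):
                current["nameif"] = cmd.split()[1]
            elif cmd.startswith("security-level "):
                current["level"] = int(cmd.split()[1])
    _flush(current, interfaces)
    return interfaces


def egress_interfaces(config):
    """Interfaces named in 'global (X) ...' lines, i.e. where dynamic PAT to
    the internet happens (assumed heuristic for 'the outside')."""
    return set(re.findall(r"^\s*global \((\S+)\)", config, flags=re.MULTILINE))


def audit(config):
    """Return a list of findings (an empty list means nothing to report)."""
    findings = []
    levels = parse_interfaces(config)
    permit_same = re.search(
        r"^\s*same-security-traffic permit inter-interface", config, re.MULTILINE)

    # 1. The internet-facing (PAT egress) interface should be the least trusted.
    for name in sorted(egress_interfaces(config)):
        level = levels.get(name)
        others = [l for n, l in levels.items() if n != name and l is not None]
        if level is not None and others and level >= min(others):
            findings.append(
                f"{name} is the PAT egress but has security-level {level}; "
                f"it should be lower than every inside interface (normally 0)")

    # 2. Without the permit, traffic between equal-level interfaces is dropped.
    if not permit_same:
        names = sorted(n for n, l in levels.items() if l is not None)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if levels[a] == levels[b]:
                    findings.append(
                        f"{a} and {b} share security-level {levels[a]} but "
                        f"'same-security-traffic permit inter-interface' is "
                        f"absent; traffic between them will be dropped")
    return findings


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG),
                       ("permitted", PERMITTED_CONFIG)]:
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run against the weak sample it reports both problems; against the fixed sample (OUTSIDE at 0) it reports nothing; against the permitted sample it still flags the egress interface at 100, which is the point Karsten makes: the permit command makes the traffic flow, but an outside interface at the highest trust level is not how the ASA is meant to be run.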
08-27-2012 03:13 PM
Inside the ASA I can ping 8.8.8.8 and other public IPs, correct me if I'm wrong but that means that I have connection to the outside world. Unfortunately my private network (10.104.0.0/24) cannot ping or get out.
As for the security level association to my vlan, everything will be tightened down, and the security ACLs will be implemented once the system is up and running completely. If my security-level is something that is causing the issue I can lower the level but I don't believe that is a problem. Feel free to correct me if I'm wrong, I am fairly new to ASAs.
-chris
08-27-2012 03:31 PM
Inside the ASA I can ping 8.8.8.8 and other public IPs
What do you mean with that? Inside the ASA *is* the network 10.104.0.0/24, isn't it?
If my security-level is something that is causing the issue I can lower the level but I don't believe that is a problem
Well, up to now no one knows if a prison can be built without fences because no one has tried it before. It seems you are someone who would try it ... ;-)
The security-levels control which kind of security to apply for the traffic. And 100 for the outside interface is probably nothing that anyone has thought of before.
But use the following command and paste the output. It simulates what the ASA would do with the traffic:
ASA# packet-tracer input INTERNAL tcp 10.104.0.10 1234 1.2.3.4 80
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-28-2012 02:26 PM
karsten.iwen wrote:
and not to forget: If you don't change the security-level you have to instruct the ASA that you want to allow traffic between interfaces with the same level. That's not allowed by default:
ASA(config)#same-security-traffic permit inter-interface
Karsten
Thanks for the help that command saved the day!!