
ASA 5505 Problem

chrispeet
Level 1

I am attempting to set up an ASA 5505 in a location and having some issues. I am using a PPPoE connection with ATT and everything seems to be good. I have a secure connection and can ping public IPs from the ASA. My internal network (10.104.0.0/24) on the other hand can't seem to get out past the ASA. I believe it's either a routing issue, or a NAT issue. Unfortunately ATT is being tight-lipped about the default gateway of my public IP. If anyone has any ideas please let me know. Below is my configuration for the ASA.

: Saved
:
ASA Version 8.2(5)
!
hostname 104-ASA
enable password XXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
 switchport access vlan 10
!
interface Ethernet0/1
 switchport access vlan 20
!
interface Ethernet0/2
 switchport access vlan 20
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
 switchport access vlan 20
!
interface Ethernet0/5
 switchport access vlan 20
!
interface Ethernet0/6
 switchport access vlan 20
!
interface Ethernet0/7
 switchport access vlan 20
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 description EXTERNAL-NETWORK
 nameif OUTSIDE
 security-level 100
 ip address pppoe setroute
!
interface Vlan20
 description INTERNAL
 nameif INTERNAL
 security-level 100
 ip address 10.104.0.1 255.255.255.0
!
ftp mode passive
access-list VPN-TRAFFIC extended permit ip 10.104.0.0 255.255.255.0 10.33.80.0 255.255.255.0
access-list NONAT-MIAMI extended permit ip 10.104.0.0 255.255.255.0 10.33.80.0 255.255.255.0
pager lines 24
mtu OUTSIDE 1500
mtu INTERNAL 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
nat (INTERNAL) 0 access-list NONAT-MIAMI
nat (INTERNAL) 1 0.0.0.0 0.0.0.0
route OUTSIDE 10.33.80.0 255.255.255.0 68.157.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set SECURE esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MIAMI 10 match address VPN-TRAFFIC
crypto map MIAMI 10 set peer 23.24.X.X
crypto map MIAMI 10 set transform-set SECURE
crypto map MIAMI interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group INTERNET request dialout pppoe
vpdn group INTERNET localname agrotrade104@att.net
vpdn group INTERNET ppp authentication pap
vpdn username agrotrade104@att.net password ***** store-local
dhcpd dns 205.152.X.X 205.152.X.X
!
dhcpd address 10.104.0.25-10.104.0.50 INTERNAL
dhcpd enable INTERNAL
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 23.24.X.X type ipsec-l2l
tunnel-group 23.24.X.X ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b48a8a2ff31c98880dd163a53e4cabef
: end


5 Replies

interface Vlan10
 description EXTERNAL-NETWORK
 nameif OUTSIDE
 security-level 100

Using a security-level of 100 is quite uncommon. As this is the least secure interface it should be changed to "0".

Then, how do you test if you can reach the internet? Only with PING? Then you have to enable ICMP-inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Inside the ASA I can ping 8.8.8.8 and other public IPs, correct me if I'm wrong but that means that I have connection to the outside world. Unfortunately my private network (10.104.0.0/24) cannot ping or get out.

As for the security level association to my vlan, everything will be tightened down, and the security ACLs will be implemented once the system is up and running completely. If my security-level is something that is causing the issue I can lower the level but I don't believe that is a problem. Feel free to correct me if I'm wrong, I am fairly new to ASAs.

-chris

Inside the ASA I can ping 8.8.8.8 and other public IPs

What do you mean with that? Inside the ASA *is* the network 10.104.0.0/24, isn't it?

If my security-level is something that is causing the issue I can lower the level but I don't believe that is a problem

Well, up to now no one knows if a prison can be built without fences because no one has tried it before. It seems you are someone who would try it ... ;-)

The security-levels control which kind of security to apply for the traffic. And 100 for the outside interface is probably nothing that anyone has thought of before.

But use the following command and paste the output. It simulates what the ASA would do with the traffic:

ASA# packet-tracer input INTERNAL tcp 10.104.0.10 1234 1.2.3.4 80
-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

And not to forget: if you don't change the security-level you have to instruct the ASA that you want to allow traffic between interfaces with the same level. That's not allowed by default:

ASA(config)#same-security-traffic permit inter-interface

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
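A small config check that covers the three points raised in this thread (outside security-level, `same-security-traffic permit inter-interface` for interfaces sharing a level, and ICMP inspection). This is an added example, not code from any post; the config it scans is a constructed excerpt of Chris's dump above, and the finding texts are my own wording.

```python
import re

# Constructed excerpt of the ASA 8.2 config posted in the thread (not the full dump).
ASA_CONFIG = """\
interface Vlan10
 nameif OUTSIDE
 security-level 100
!
interface Vlan20
 nameif INTERNAL
 security-level 100
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

def parse_security_levels(config):
    """Map each nameif to its security-level; interfaces without a nameif are skipped."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None                      # start of a new interface block
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def audit(config):
    """Return findings for the three issues discussed in the thread, in a fixed order."""
    findings = []
    levels = parse_security_levels(config)
    outside = levels.get("OUTSIDE")
    if outside is not None and outside != 0:
        findings.append(f"OUTSIDE has security-level {outside}; the untrusted interface should be 0")
    vals = list(levels.values())
    shared = sorted({lvl for lvl in vals if vals.count(lvl) > 1})
    if shared and "same-security-traffic permit inter-interface" not in config:
        findings.append(f"interfaces share security-level {shared} but "
                        "'same-security-traffic permit inter-interface' is missing")
    if not re.search(r"^\s*inspect icmp\s*$", config, re.M):
        findings.append("no 'inspect icmp': echo replies are not tracked, so ping through the ASA fails")
    return findings

if __name__ == "__main__":
    for f in audit(ASA_CONFIG):
        print("FINDING:", f)
```

Run against a full `show running-config` the same checks apply; `parse_security_levels` ignores blocks such as `interface Vlan1` that carry `no nameif`.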

karsten.iwen wrote:

And not to forget: if you don't change the security-level you have to instruct the ASA that you want to allow traffic between interfaces with the same level. That's not allowed by default:

ASA(config)#same-security-traffic permit inter-interface

Karsten

Thanks for the help that command saved the day!!
