I'm completely stymied with what should be a very simple, basic configuration of an ASA 5505.
I'm wanting to connect the ASA to a standard cable modem, provide the ASA with a single static IP address, provide DHCP services on the internal interface(s) and PAT from the internal network to the Internet. (Ultimately, I'm wanting to use the ASA as one half of a site-to-site VPN, but I need to tackle one hurdle at a time.)
When I connect the ASA to the cable modem with the default configuration where the ASA receives its external IP via DHCP, everything works fine. But when I attempt to assign the static IP address to the external interface, clients on the internal network can no longer get out to the Internet. Thinking there may be a problem with the static IP configuration provided by the ISP, I connected a client directly to the cable modem and configured the client to the static IP settings. All worked fine, so it really seems like an ASA configuration issue.
I've got some experience with PIX firewalls (for small office firewall and remote access VPN services) and I figured that the ASA would be as simple to set up as the PIXs have been, but such has not been the case.
In examining the configs for the default that works and the static IP that doesn't, the only difference is the "ip address" designation for the Vlan 2 interface. The default config specifies "dhcp setroute", whereas the static IP config specifies the ISP-provided static IP address and subnet mask.
Worth noting, perhaps, is that with the static IP configuration, the line and link lights in the ASDM are green for both the internal and external interfaces, and the syslog shows that inbound filtering is occurring, but this error appears in the syslog, as well:
syslog 110002 failed to locate egress interface for UDP from outside:xx.xxx.xx.xx/68 to xxx.xxx.xxx.xx/67
Attached is the config file for the non-functional static IP configuration. Any suggestions would be most greatly appreciated.
I had checked your configuration. What I am able to understand is that when the ASA outside interface is configured to accept an IP address from DHCP, a gateway is also configured for that interface, which works as a default route. But when you put a static IP on the outside interface, you have to put a default route for the next hop via the outside interface, which is not there in your configuration.
So I will suggest to put a default route with the next hop IP address, which is the gateway from your ISP side.
Thanks for your reply. I'm not sure I fully understand your recommendation. I have information provided by the ISP for the static IP address, subnet mask and gateway router address. Are you saying that I need to add the gateway address to the outside interface configuration? Do you have a recommendation for the command(s) I would use to do that?
I recall with the PIX that when using the Startup Wizard to set the static IP address that you have fields to specify the IP address, subnet mask and router. However, I believe the Startup Wizard on the ASA only allows you to specify the static IP address and the subnet mask, not the gateway router address.
I mean to say that whatever static IP and subnet mask is provided by the ISP, that you had configured on the outside interface. You have to put one default route via the outside interface using the gateway router address provided by the ISP as next hop. Command syntax is given below: route outside 0.0.0.0 0.0.0.0 1.
This command is missing in the configuration you had attached. It is a must to send traffic which is going to the Internet or ISP.
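The check described in the replies above, as an added example that is not part of the original thread: a small lint that reads ASA configuration text and reports when the outside interface has a static address but no default route, or a gateway outside its subnet. The sample configs are constructed with documentation addresses, the function names are hypothetical, and gateways are assumed to be literal IPv4 addresses.

```python
import ipaddress
import re

# Constructed sample configs using documentation addresses, not the poster's file.
STATIC_NO_ROUTE = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
"""
STATIC_WITH_ROUTE = STATIC_NO_ROUTE + "route outside 0.0.0.0 0.0.0.0 203.0.113.9 1\n"
DHCP_SETROUTE = STATIC_NO_ROUTE.replace(
    "ip address 203.0.113.10 255.255.255.248", "ip address dhcp setroute")


def parse_interfaces(config):
    """Map nameif -> 'dhcp ...' string or an IPv4Interface (static address)."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            nameif = None  # a non-indented line ends the interface block
        words = line.split()
        if words[:1] == ["nameif"] and len(words) == 2:
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif and len(words) >= 3:
            if words[2] == "dhcp":
                interfaces[nameif] = " ".join(words[2:])
            elif len(words) >= 4:
                interfaces[nameif] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
    return interfaces


def default_route_findings(config, nameif="outside"):
    """Hypothetical lint: list problems with the default route via `nameif`."""
    addr = parse_interfaces(config).get(nameif)
    if addr is None:
        return [f"no addressed interface named {nameif}"]
    if addr == "dhcp setroute":
        return []  # the default route comes from the DHCP lease
    gateways = re.findall(
        rf"^route {re.escape(nameif)} (?:0\.0\.0\.0|0) (?:0\.0\.0\.0|0) (\S+)",
        config, re.M)
    if not gateways:
        return [f"{nameif} has no default route"]
    if isinstance(addr, str):
        return []  # plain DHCP: subnet unknown until a lease is obtained
    return [f"gateway {g} is outside {addr.network}" for g in gateways
            if ipaddress.ip_address(g) not in addr.network]
```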