05-08-2012 12:07 PM - edited 03-11-2019 04:03 PM
I first want to apologize for coming here with what I feel is a simple question. I'm a little embarrassed at how rusty my Cisco knowledge has gotten. I'm trying to get a laptop connected to an ASA 5505 so it can browse the web. I've tried following basic instructions on doing this through the console because I didn't have much luck with the ASDM.
The internet port that the firewall is connected to does have a static IP of 99.66.167.69 assigned to it, with a gateway of 99.66.167.70. The port also has two DNS servers, which I'll call A.A.A.A and B.B.B.B, if that information is needed.
Below is what I currently have as my config. Any help on resolving this would be greatly appreciated.
====================================================
ASA Version 8.2(5)
!
hostname ciscoasas
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.66.167.69 255.255.255.248
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:225af90f110a58bbc8d98e50c545608d
: end
05-08-2012 12:16 PM
Hi Joffroi,
Are you able to ping 4.2.2.2 and the default gateway from the ASA? Are you able to ping it from a host on the inside? Add icmp inspection before pinging.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-08-2012 12:44 PM
Hi Joffroi,
Can you ensure you have enabled all 4 interfaces (physical, virtual) and that you can ping the default gateway?
E.g.
conf t
int eth 0/0
no shut
ping 99.x.x.x
Could you also make sure a host can ping 192.168.1.1?
Regards, Craig
05-08-2012 01:10 PM
From the ASA, I am able to ping 99.66.167.69 and 4.2.2.2.
From the computer I had plugged into the ASA, I was not able to ping 192.168.1.1. Unfortunately, I had to step away from the lab to check that laptop for now.
All the interfaces have had "no shutdown" applied.
Thanks
05-08-2012 01:22 PM
Hi,
Can you please apply these captures and ping again? I just want to check whether the ASA is forwarding the packets at all.
access-list cap permit ip any host 4.2.2.2
access-list cap permit ip host 4.2.2.2 any
capture capin access-list cap interface inside
capture capo access-list cap interface outside
also apply:
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
after that, try pinging 4.2.2.2 again, and collect the output of:
show cap capin
show cap capo
This would be very helpful in troubleshooting.
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-09-2012 03:06 PM
Sorry for the delay.
Varun, I followed the commands you suggested. After applying the following settings:
access-list cap permit ip any host 4.2.2.2
access-list cap permit ip host 4.2.2.2 any
capture capin access-list cap interface inside
capture capo access-list cap interface outside
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside
these are my results:
Ping 99.66.167.69 from the computer hooked to the console port.
ping 99.66.167.69
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 99.66.167.69, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Ping 192.168.1.1 from the computer hooked to the console port.
100% success rate
Ping 4.2.2.2 from the computer connected to the console port.
ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Results of show cap capin:
15 packets captured
1: 16:44:28.681468 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
2: 16:44:30.677973 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
3: 16:44:32.677928 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
4: 16:44:34.678004 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
5: 16:44:36.677943 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
6: 16:45:15.972087 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
7: 16:45:17.967937 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
8: 16:45:19.967952 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
9: 16:45:21.967906 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
10: 16:45:23.967921 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
11: 16:48:15.667873 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
12: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
13: 16:48:19.657985 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
14: 16:48:21.657940 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
15: 16:48:23.657924 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
15 packets shown
Results of show cap capo:
5 packets captured
1: 16:48:15.667888 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
2: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
3: 16:48:19.657985 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
4: 16:48:21.657940 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
5: 16:48:23.657924 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
5 packets shown
Ping 99.66.167.69 from the computer connected to the ASA:
Request timed out 100% of the time.
Ping 4.2.2.2 from the computer connected to the ASA:
100% success.
Ping 192.168.1.1 from the computer connected to the ASA:
Request timed out.
Unfortunately, I noticed I was still connected to a wireless network while pinging. I turned that off and now get the response "192.168.43.75: Destination Unreachable" when I ping any address.
Thanks
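Varun's captures are meant to show whether the ASA forwards the pings at all. As an added example (not from the thread or from Cisco), here is a small Python script that parses `show capture` lines in the layout shown above and compares the inside and outside captures to name the first hop where the echo traffic stops. The sample lines are constructed; because interface PAT rewrites the source on the outside, requests are matched on destination and replies on source.

```python
import re

# Constructed sample lines in the layout of ASA `show capture` output, modelled on
# the thread's capin/capo dumps (not the poster's actual captures).
CAPIN = """\
1: 16:48:15.667873 802.1Q vlan#2 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
2: 16:48:17.657955 802.1Q vlan#2 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
"""
CAPO = """\
1: 16:48:15.667888 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
2: 16:48:15.690000 802.1Q vlan#2 P0 4.2.2.2 > 99.66.167.69: icmp: echo reply
3: 16:48:17.657955 802.1Q vlan#2 P0 99.66.167.69 > 4.2.2.2: icmp: echo request
"""

# Packet number, timestamp, optional 802.1Q tag, src > dst, then the ICMP echo type.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>[\d:.]+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+icmp:\s+echo (?P<kind>request|reply)"
)

def parse_capture(text):
    """Return a dict (ts, src, dst, kind) per ICMP echo line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def diagnose(capin_text, capo_text, target):
    """Count echo traffic to/from `target` on both interfaces and name the first broken hop."""
    capin, capo = parse_capture(capin_text), parse_capture(capo_text)
    c = {
        "in_req": sum(p["dst"] == target and p["kind"] == "request" for p in capin),
        "out_req": sum(p["dst"] == target and p["kind"] == "request" for p in capo),
        "out_rep": sum(p["src"] == target and p["kind"] == "reply" for p in capo),
        "in_rep": sum(p["src"] == target and p["kind"] == "reply" for p in capin),
    }
    if c["in_req"] == 0:
        c["verdict"] = "no-request-on-inside"       # host never reached the ASA
    elif c["out_req"] == 0:
        c["verdict"] = "asa-not-forwarding"         # check NAT, route, outbound ACL
    elif c["out_rep"] == 0:
        c["verdict"] = "no-reply-from-upstream"     # ISP/gateway side, not the ASA
    elif c["in_rep"] == 0:
        c["verdict"] = "reply-not-returned-inside"  # ICMP inspection / return path
    else:
        c["verdict"] = "end-to-end-ok"
    return c

if __name__ == "__main__":
    print(diagnose(CAPIN, CAPO, "4.2.2.2"))
```

The thread's own captures (requests on both interfaces, no replies anywhere) fall into the "no-reply-from-upstream" case.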
05-09-2012 03:40 PM
Hi Joffroi,
I am not sure how you are connecting. All you need to do to test is connect the laptop directly to the inside interface of the ASA using an ethernet cable, assign the laptop the IP 192.168.1.2, and then ping 4.2.2.2. Is this exactly how you tested?
Thanks,
Varun Rao
Security Team,
Cisco TAC
05-09-2012 03:48 PM
I did assign 192.168.1.2 to my laptop.
When I ping 4.2.2.2 or 99.66.167.69 I get the "Reply from 192.168.43.75: Destination unreachable" error.
I can ping 192.168.1.1 though.
Where is the 192.168.43.75 coming from?
Here is my latest config file, just for the record:
: Saved
:
ASA Version 8.2(5)
!
hostname UUFkcASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.66.167.69 255.255.255.248
!
ftp mode passive
access-list cap extended permit ip any host 4.2.2.2
access-list cap extended permit ip host 4.2.2.2 any
access-list outside_access_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e6d997e51654139d99b017e8f62f4cc7
: end
05-09-2012 03:59 PM
You would need to find that out on the laptop. Check ipconfig at the command prompt to see which network adapters are active.
Thanks,
Varun
05-10-2012 07:27 AM
I went ahead and switched to a Unix laptop. My other laptop may have corporate settings interfering.
Using DHCP, my laptop assigns itself a 169.254.83.145 IP address.
I went ahead and changed that to 192.168.1.2 as stated above. For 99.66.167.69 and 4.2.2.2 I still get a "Host is down" message. I am able to ping 192.168.1.1 from the laptop though.
Do DNS addresses play a role in any of this?
Thanks
05-10-2012 10:42 AM
Hello Joffroi,
DNS does not play a role in this, as you are not performing any domain name resolution; you are just trying to reach a host on the outside by its public IP address (4.2.2.2).
Here is what I want you to add:
policy-map global_policy
class inspection_default
inspect icmp
Then try to ping one more time. If this does not work, please do the following:
I want the ifconfig or ipconfig output from the machine.
I want a packet-tracer. On the ASA run packet-tracer input inside icmp 192.168.1.2 8 0 4.2.2.2 and provide me the output.
FYI, using an ASA you will not be able to ping a distant interface. What is that?
As an example, from that PC 168.1.2 you can ping the inside interface, but the outside, DMZ or any other interface besides the inside will be a distant interface. This is a security measure that the ASA uses!
Regards,
Julio
Do rate all the helpful posts
05-10-2012 11:21 AM
99.66.167.69 is the static IP address assigned by the ISP for the port the ASA is connected to.
I followed your suggestions above but was unable to execute the inspect icmp command. I added the first two.
Below are the results for the packet-tracer. I'll track down a thumb drive to transfer the output of the ifconfig if you still need it.
At this point, would it maybe be easier for me to start over and try another set of instructions like this? http://www.youtube.com/watch?v=RYr3Vpm5uWA
Results:
packet-tracer input inside icmp 192.168.1.2 8 0 4.2.2.2
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (99.66.167.69 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.2/0 to 99.66.167.69/59409 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 42, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Thanks for all the help thus far guys. It really is appreciated
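The packet-tracer output above is read phase by phase: any phase with "Result: DROP" ends the flow, and the NAT phase shows the PAT mapping that an inside host gets on the outside interface. As an added example (not from the thread or from Cisco), this Python parser reduces such output to the phase list, the final Action, the drop reason if any, and the translation. ALLOW_SAMPLE is abridged from the thread's run; DROP_SAMPLE is a constructed rejected flow whose ACL name is a placeholder.

```python
import re

# Constructed excerpts in the layout of ASA `packet-tracer` output: ALLOW_SAMPLE is
# abridged from the thread, DROP_SAMPLE is made up to show how a rejected flow reads.
ALLOW_SAMPLE = """\
Phase: 1
Type: CAPTURE
Result: ALLOW
Phase: 6
Type: NAT
Result: ALLOW
Additional Information:
Dynamic translate 192.168.1.2/0 to 99.66.167.69/59409 using netmask 255.255.255.255
Result:
Action: allow
"""
DROP_SAMPLE = """\
Phase: 1
Type: CAPTURE
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")
XLATE_RE = re.compile(r"Dynamic translate (\S+)/\d+ to (\S+)/(\d+)")

def parse_packet_tracer(text):
    """Collect each phase's Type/Subtype/Result plus the final Action, drop reason and PAT."""
    out = {"phases": [], "action": None, "drop-reason": None, "nat": None}
    cur = None
    for line in (l.strip() for l in text.splitlines()):
        if m := PHASE_RE.match(line):
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            out["phases"].append(cur)
        elif line == "Result:":          # bare header: start of the final verdict block
            cur = None
        elif m := FIELD_RE.match(line):
            key, val = m.group(1).lower(), m.group(2)
            if cur is not None and key in cur:
                cur[key] = val
            elif key in ("action", "drop-reason"):
                out[key] = val
        elif m := XLATE_RE.search(line):
            out["nat"] = (m.group(1), m.group(2), int(m.group(3)))  # (real, mapped, port)
    return out

def first_drop(parsed):
    """First phase whose Result is DROP, or None when the packet was allowed throughout."""
    return next((p for p in parsed["phases"] if p["result"] == "DROP"), None)
```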
05-10-2012 11:37 AM
Hello Joff,
Please add the following command:
-Fixup protocol ICMP
Give it a try.
The packet tracer shows that everything is fine.
05-10-2012 12:56 PM
I entered that command and got this response:
(config)# fixup protocol ICMP
INFO: converting 'fixup protocol icmp ' to MPF commands
From my laptop where I assigned the 192.168.1.3 IP address, I am still unable to ping 4.2.2.2 or browse the web. Below is the ifconfig
ifconfig
lo0: flags=8049
options=3
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
gif0: flags=8010
stf0: flags=0<> mtu 1280
en0: flags=8863
options=2b
ether 00:1f:f3:53:da:5f
inet6 fe80::21f:f3ff:fe53:da5f%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.3 netmask 0xffff0000 broadcast 192.168.255.255
media: autoselect (100baseTX
status: active
en1: flags=8823
ether 00:1f:5b:c4:02:6a
media: autoselect (
status: inactive
fw0: flags=8863
lladdr 00:1f:f3:ff:fe:60:16:f2
media: autoselect
status: inactive
vboxnet0: flags=8842
ether 00:76:62:00:00:00
It's pretty frustrating reading that everything looks fine. I was really hoping I had missed 2-3 crucial lines for a quick fix. Is it possible that it could be something with how my IT department set up the port?
I can get the internet working on my laptop if I connect directly to the port and manually set the static IP, gateway, DNS1, DNS2 and subnet address, so probably not.
Thanks
05-10-2012 01:02 PM
Hello Joffroi,
What is connected between the ASA and the PC, and also between the ASA and the Internet (ISP router)?
Also create the following capture:
capture asp type-asp all circular-buffer
Then do a clear:
clear cap capo
clear cap capin
clear cap asp
Please try to ping and provide the following:
cap asp | inc 4.2.2.2
cap capin
cap capo
Regards,