832 Views, 28 Helpful, 9 Replies

Newbie question: cannot get ASA5510 up and running...

sc.bill.lee
Level 1

Hi there,

I followed the steps in the basic settings provided by the Cisco Support forum, but I still cannot access the internet.

Could you advise on anything I missed?

ASA5510# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA5510
domain-name xxx.com
enable password
passwd
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.161.9.14 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management interface
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server x.x.x.x
 name-server x.x.x.x
 domain-name starcruises.com
object-group network Internet-User
 network-object 10.0.0.0 255.0.0.0
access-list inside_access_in extended permit ip object-group Internet-User any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 202.105.56.33 1
route inside 10.0.0.0 255.0.0.0 10.161.19.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password Jato7oimyIarVvyI encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d110aabfe29f038d89965851f2dbcd92
: end
ASA5510#

9 Replies

varrao
Level 10

Add this and it should work perfectly after that:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

cheers,

Varun

Thanks,
Varun Rao

andrey.dugin
Level 1

Apply your access-list inside_access_in as an access-group on interface inside in the "in" direction.

An access-list is not really required on any interface for internet access; what is missing from the config is the translation for the traffic.

Varun

Thanks,
Varun Rao
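To make the two fixes discussed above concrete, here is an added example that is not Cisco's code and not from any poster in this thread: a small Python checker that reads an ASA 8.2-style running-config and flags the things a reviewer would check in the posted config, namely a `nat (inside) N` with no matching `global (outside) N` (or no `nat` at all), a static route whose next hop is not on the egress interface's subnet (the posted `route inside ... 10.161.19.2` next hop is not on the inside interface's 10.161.9.0/24), an access-list that is defined but never bound with `access-group`, and telnet management access, which carries the enable password in cleartext. The sample config is constructed from the thread's skeleton: the public addresses (192.0.2.32/29, gateway 192.0.2.33), the corrected inside next hop 10.161.9.2 and the ssh line are assumptions for illustration, not values from the post.

```python
"""Hypothetical lint for a Cisco ASA 8.2-style running-config (example only)."""
import ipaddress
import re

# Constructed sample: the thread's config skeleton, with the masked public
# addresses replaced by documentation-range values and the inside side as posted.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.34 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.161.9.14 255.255.255.0
!
object-group network Internet-User
 network-object 10.0.0.0 255.0.0.0
access-list inside_access_in extended permit ip object-group Internet-User any
route outside 0.0.0.0 0.0.0.0 192.0.2.33 1
route inside 10.0.0.0 255.0.0.0 10.161.19.2 1
telnet 10.0.0.0 255.0.0.0 inside
"""

# Same config with Varun's nat/global pair added, the access-list applied,
# telnet swapped for ssh, and an on-subnet inside next hop (10.161.9.2 is an
# assumed value for illustration, not one from the thread).
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("telnet 10.0.0.0 255.0.0.0 inside\n", "ssh 10.0.0.0 255.0.0.0 inside\n")
    .replace("10.161.19.2 1\n", "10.161.9.2 1\n")
    + "nat (inside) 1 0.0.0.0 0.0.0.0\n"
    + "global (outside) 1 interface\n"
    + "access-group inside_access_in in interface inside\n"
)


def parse_interfaces(cfg):
    """Map nameif -> IPv4Interface for every named interface with an address."""
    ifaces, name, addr = {}, None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if raw.startswith("interface ") or line == "!":
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
    if name and addr:
        ifaces[name] = addr
    return ifaces


def check_routes(cfg, ifaces):
    """A static route's next hop must sit on the subnet of the egress interface."""
    findings = []
    for m in re.finditer(r"^route\s+(\S+)\s+\S+\s+\S+\s+(\S+)", cfg, re.M):
        ifname, nexthop = m.groups()
        iface = ifaces.get(ifname)
        if iface is None:
            findings.append(f"route via unknown interface {ifname}")
        elif ipaddress.IPv4Address(nexthop) not in iface.network:
            findings.append(f"route {ifname}: next hop {nexthop} is not on {iface.network}")
    return findings


def check_nat(cfg):
    """8.2 syntax: every 'nat (if) N' (N != 0) needs a 'global (if) N' pool."""
    nat_ids = set(re.findall(r"^nat\s+\(\S+\)\s+(\d+)", cfg, re.M))
    global_ids = set(re.findall(r"^global\s+\(\S+\)\s+(\d+)", cfg, re.M))
    findings = []
    if not nat_ids:
        findings.append("no 'nat' statement: inside traffic is not translated to the outside address")
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(f"nat id {nid} has no matching 'global' pool")
    return findings


def check_access_lists(cfg):
    """An access-list that is never bound with access-group filters nothing."""
    defined = set(re.findall(r"^access-list\s+(\S+)", cfg, re.M))
    applied = set(re.findall(r"^access-group\s+(\S+)", cfg, re.M))
    return [f"access-list {n} is defined but never applied with access-group"
            for n in sorted(defined - applied)]


def check_management(cfg):
    """Telnet sends the login and enable passwords in cleartext; flag it, prefer ssh."""
    return [f"telnet allowed from {src}/{mask} on {ifname}: cleartext management, use ssh"
            for src, mask, ifname in re.findall(r"^telnet\s+(\S+)\s+(\S+)\s+(\S+)\s*$", cfg, re.M)]


def lint(cfg):
    """Run all checks; an empty list means nothing to flag."""
    ifaces = parse_interfaces(cfg)
    return (check_routes(cfg, ifaces) + check_nat(cfg)
            + check_access_lists(cfg) + check_management(cfg))


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("posted config:", f)
    print("after fixes:", lint(FIXED_CONFIG) or "clean")
```

The nat-id check only covers the pre-8.3 `nat`/`global` syntax used on this 8.2(1) box; from 8.3 onwards the object-based NAT syntax is different and this check would need rewriting.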

sc.bill.lee
Level 1

I did add "nat (inside) 1 0.0.0.0 0.0.0.0" and "global (outside) 1 interface",

but it still seems not to be working. One more stupid question:

how can I verify whether the ASA is successfully connected to the internet without connecting a PC for browsing?

Should the gateway of the public IP be pingable by the ASA if the configuration is fine?

Hello Bill,

As soon as you assign a public IP address to the outside interface of the ASA and set a route to the outside, you should be able to ping any host on the outside (please try 4.2.2.2 from the ASA), unless the border router blocks that traffic.

And by the way, you should be able to ping the host 202.105.56.33; if you cannot ping it, the ASA will not be able to reach the outside (if they are directly connected). That means there might be a problem at the physical layer; if there is a switch in the middle, please have a look at it.

Please rate helpful posts.

Julio,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I tried a laptop connected directly to the broadband modem using the public IP and gateway; the internet works and the gateway is pingable.

Now the ASA5510 is connected directly to the broadband modem, and the gateway 202.105.56.33 is not pingable......

Hello Bill,

That is the problem..... Seems to be an ARP issue.

Can you try to do a clear arp, clear local-host, clear xlate and then try to ping the modem?

If that does not help, please assign another IP address to the outside interface and then put the old one back.

Example:

interface Ethernet0/0
 ip address x.x.x.y 255.255.255.248

interface Ethernet0/0
 ip address x.x.x.x 255.255.255.248

Please verify the ASA is connected to the modem (the modem has to be connected to port 0/0 on the ASA).

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks, I did it, and I can ping the ISP now.

May I know what the purpose of "clear arp, clear local-host, clear xlate" is?

Hello Bill,

So the clear arp solved the problem! Great to hear that.

These commands clear the entries in the ASA tables (xlate [translation table], local-host and ARP table).

Seems like the router has an invalid entry for the ASA's MAC address, so when we clear the ARP we force the ASA to send a gratuitous ARP to the directly connected router so it learns the right MAC address.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
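The mechanism described in the reply above, a stale ARP entry on the directly connected modem/router being refreshed by a gratuitous ARP from the ASA, as an added example that is not Cisco code and not from this thread. The frame is built and parsed by hand in the RFC 826 layout, and the cache update follows the RFC 826 receive rule: an existing entry for the sender's IP is overwritten (the "merge"), but a gratuitous ARP does not create a new entry on its own, which is why it fixes exactly the stale-entry case seen here (the modem had learned the laptop's MAC for the public IP before the ASA was plugged in). The MAC addresses and the 192.0.2.x addresses are constructed; which ASA command actually triggered the announcement is as stated in the thread.

```python
"""Gratuitous ARP frame builder/parser plus an RFC 826 style ARP cache (example only)."""
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST = 1


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_gratuitous_arp(sender_mac, sender_ip):
    """Ethernet II frame carrying a gratuitous ARP request: broadcast destination,
    sender and target protocol address both the sender's own IP, target MAC zero."""
    eth = BROADCAST + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=request
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)   # SHA, SPA
    arp += b"\x00" * 6 + ip_bytes(sender_ip)            # THA, TPA
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
        "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42]),
    }


def process_arp(cache, frame, my_ip):
    """RFC 826 receive rule as the directly connected router runs it: if the
    sender IP is already in the table, overwrite its MAC (the 'merge'); a new
    entry is only created when the packet is addressed to our own IP.
    Returns True when the cache changed."""
    pkt = parse_arp(frame)
    if pkt is None:
        return False
    if pkt["spa"] in cache:
        changed = cache[pkt["spa"]] != pkt["sha"]
        cache[pkt["spa"]] = pkt["sha"]
        return changed
    if pkt["tpa"] == my_ip:
        cache[pkt["spa"]] = pkt["sha"]
        return True
    return False


# Constructed scenario (addresses and MACs are made up): the modem/router still
# maps the public IP to the laptop that was plugged in first; the ASA, now on
# that IP, announces itself with a gratuitous ARP and the stale entry is replaced.
LAPTOP_MAC = "aa:aa:aa:aa:aa:aa"
ASA_MAC = "bb:bb:bb:bb:bb:bb"
PUBLIC_IP = "192.0.2.34"
GATEWAY_IP = "192.0.2.33"


def demo():
    """Return (cache_changed, MAC now held for PUBLIC_IP) after the announcement."""
    router_cache = {PUBLIC_IP: LAPTOP_MAC}
    changed = process_arp(router_cache, build_gratuitous_arp(ASA_MAC, PUBLIC_IP), GATEWAY_IP)
    return changed, router_cache[PUBLIC_IP]


if __name__ == "__main__":
    print(demo())
```

The same merge rule is what makes ARP spoofing trivial on a shared segment: any host can overwrite the gateway's entry for a neighbour's IP with one unauthenticated frame, which is the flip side of the behaviour that repaired this link.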