configure ASA 5505

Hello, this is the first time I am setting up an ASA 5505 using ASDM, but no luck yet. My ISP provided me a block of 16 public IP addresses with a static IP. How can I configure these IPs on the ASA 5505 properly? The information is as mentioned below:

WAN IP: 186.165.180.198
Gateway: 186.165.180.199
Subnet mask: 255.255.255.252

LAN subnet: 180.185.160.208/28
16 public IPs: 180.185.160.208 – 180.185.160.223
Gateway: 180.185.160.209
Mask: 255.255.255.240

I tried this:

Outside: 186.165.180.198, mask 255.255.255.252
Inside IP: 180.185.160.210, mask 255.255.255.240
Enable DHCP server: start IP 180.185.160.211, end IP 180.185.160.222
route (outside) 0.0.0.0 0.0.0.0 186.165.180.199

... but it's not working. Please help me configure these settings correctly on the ASA 5505.


14 REPLIES


Hi

What is not working? Host not getting IP address from DHCP pool or no internet access?

What will you use the public IP addresses for?

Post your running-config file.

h.grankvist, I can get an IP address and DNS on my PC but no internet access. What I know so far is that:

The ISP will be routing the 180.185.160.208/28 block over the WAN static IP 186.165.180.198.

ASA config file:

ASA Version 8.2(5)
!
hostname asa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 180.185.160.210 255.255.255.240
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 186.165.180.198 255.255.255.252
!
interface Vlan5
 no nameif
 security-level 50
 no ip address
!
regex domainlist1 "\.youtube\.com"
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 186.165.180.197 255.255.255.252 186.165.180.199 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 180.185.160.0 255.255.255.0 inside
http 180.185.160.0 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

====================================================

Thanks for helping me, 

I'm not an expert on networking, but I just want to mention one thing that will help you. I tried this network setup on a Mikrotik router. This network only works with this NAT setting on the Mikrotik router:

NAT rule to exclude source IP 180.185.160.208/28:

add action=masquerade chain=srcnat src-address=!180.185.160.208/28 out-interface=wan

but I really do not know how to set this up on the ASA 5505.

I think your problem is that you don't have a default route.

So add this:

route outside 0 0 186.165.180.199 1

And you can remove this (it is not needed):

route outside 186.165.180.197 255.255.255.252 186.165.180.199 1

I can't help you with the NAT, I only know 8.3 and later code for NAT. But I don't think there is a problem. At the moment the ASA translates all IP addresses on the inside network to the IP address of the outside interface.

Thanks for your quick reply. I tried this new route but no luck so far. Here is the config file:

ASA Version 8.2(5)
!
hostname asa
enable password
passwd
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 180.185.160.210 255.255.255.240
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 186.165.180.198 255.255.255.252
!
interface Vlan5
 no nameif
 security-level 50
 no ip address
!
regex domainlist1 "\.youtube\.com"
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 186.165.180.199 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 180.185.160.0 255.255.255.0 inside
http 180.185.160.0 255.255.255.240 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6ecc7aa5a7032009b8cebcf4e952d491

-----------------------------------------------------------------------------

please help me

Hmm, okay.

Well, let's see what packet-tracer says. Run this command:

packet-tracer input inside tcp 180.185.160.210 54322 123.123.123.123 132

Can you ping your gateway (186.165.180.199) from the ASA?

If you can, can you ping 8.8.8.8 from your ASA?

 

Please check the detail of the tracer:

asa> enable
Password: *******
asa# packet-tracer input inside tcp 180.185.160.210 54322 123.123.123.123 132

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
------------------------------------------------------------------------
ping result:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 186.165.180.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/102/400 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

-----------------------------------------------

Thanks for your help, I'm looking forward to your reply.

Well, I'm running out of ideas. I can't figure out what is wrong...

What I think is strange is that you can't ping 8.8.8.8, which means that your ISP is either blocking your IP address (186.165.180.198), not telling other ISPs about that subnet, blocking ICMP, or blocking connections to 8.8.8.8. You should try to ping other IP addresses and see if it is just 8.8.8.8 that is not working.

Also, another thing that is a bit strange is that your gateway is using a broadcast address on the interface.

You were telling me earlier that if you set up a Mikrotik router with a NAT exempt rule, it worked? Maybe your ISP is blocking your IP address on the ASA and allows only your block of IP addresses? If you want to try, I think this is the correct configuration for this (or you could remove the NAT configuration altogether):

access-list EXEMPT extended permit ip 180.185.160.208 255.255.255.240 any
nat (inside) 0 access-list EXEMPT

 

One last troubleshooting thing you could do is this:

capture TEST type asp-drop acl-drop

capture TEST

And then send some traffic through your ASA and then look at what the capture says by typing this:

show capture TEST

If this doesn't reveal anything I would start from scratch, by typing configure factory-default. And just do the basic config and see if it works.
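The two observations in this reply, that the default gateway sits on the broadcast address of the 186.165.180.196/30 link and that every inside host is translated to 186.165.180.198 until a nat 0 exemption is added, can be checked mechanically before touching the box. The script below is an added example, not code from this thread or from Cisco. It parses a constructed excerpt of the running-config posted above (SAMPLE_CONFIG) and the two exemption lines from this reply (EXEMPTION), models the ASA 8.2 NAT order of operations (the nat 0 access-list exemption is evaluated before dynamic nat/global, and unmatched traffic passes untranslated while nat-control is off), and reports which source address a LAN host leaves with, whether a route's gateway is a network or broadcast address, whether a default route exists, and whether each http management statement is contained in the subnet of the interface it names. All function and field names are the example's own; only the Python standard library is used.

```python
"""ASA 8.2 address-plan and NAT lint.  Added example, not code from this thread or from Cisco:
SAMPLE_CONFIG is a constructed excerpt of the posted running-config, EXEMPTION is the accepted
answer's two lines, and every name below (parse_config, audit, ...) is the example's own."""
import ipaddress
from types import SimpleNamespace

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 180.185.160.210 255.255.255.240
!
interface Vlan2
 nameif outside
 ip address 186.165.180.198 255.255.255.252
!
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 186.165.180.199 1
http 192.168.1.0 255.255.255.0 inside
http 180.185.160.0 255.255.255.0 inside
http 180.185.160.0 255.255.255.240 inside
"""
EXEMPTION = """\
access-list EXEMPT extended permit ip 180.185.160.208 255.255.255.240 any
nat (inside) 0 access-list EXEMPT
"""

def _net(addr, mask):   # the CLI also writes "0 0" for 0.0.0.0 0.0.0.0
    return ipaddress.IPv4Network("/".join("0.0.0.0" if t == "0" else t for t in (addr, mask)), strict=False)

def parse_config(text):
    """Only the 8.2 statements the checks need; ACLs of the form 'extended permit ip <net> <mask>|any'."""
    cfg = SimpleNamespace(interfaces={}, routes=[], http=[], acls={}, exempt={}, dyn_nat=[], pools={})
    # interfaces: nameif -> IPv4Interface   routes: (nameif, destination, gateway)   http: (network, nameif)
    # acls: name -> [source nets]   exempt: nameif -> acl named in "nat (x) 0 access-list"
    # dyn_nat: (nameif, source net, nat id)   pools: nat id -> (nameif, "interface" or address)
    nameif = None
    for line in filter(str.strip, text.splitlines()):
        p = line.split()
        if line.startswith(" "):                      # sub-command of an interface block
            if p[0] == "nameif":
                nameif = p[1]
            elif p[:2] == ["ip", "address"] and nameif:
                cfg.interfaces[nameif] = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
            continue
        nameif = None
        if p[0] == "route" and len(p) >= 5:
            cfg.routes.append((p[1], _net(p[2], p[3]), ipaddress.IPv4Address(p[4])))
        elif p[0] == "http" and len(p) == 4:
            cfg.http.append((_net(p[1], p[2]), p[3]))
        elif p[0] == "access-list" and p[3:5] == ["permit", "ip"]:
            cfg.acls.setdefault(p[1], []).append(_net("0", "0") if p[5] == "any" else _net(p[5], p[6]))
        elif p[0] == "nat" and p[2] == "0" and p[3] == "access-list":
            cfg.exempt[p[1].strip("()")] = p[4]
        elif p[0] == "nat" and p[3] != "access-list":
            cfg.dyn_nat.append((p[1].strip("()"), _net(p[3], p[4]), p[2]))
        elif p[0] == "global":
            cfg.pools[p[2]] = (p[1].strip("()"), p[3])
    return cfg

def egress_source(cfg, src, in_if="inside", out_if="outside"):
    """Source address a packet from src carries when it leaves out_if.  8.2 order of
    operations: the 'nat 0 access-list' exemption wins, then dynamic nat/global."""
    src = ipaddress.IPv4Address(src)
    if any(src in n for n in cfg.acls.get(cfg.exempt.get(in_if), [])):
        return str(src)
    for ifname, net, nat_id in cfg.dyn_nat:
        pool = cfg.pools.get(nat_id)
        if ifname == in_if and src in net and pool and pool[0] == out_if:
            return str(cfg.interfaces[out_if].ip) if pool[1] == "interface" else pool[1]
    return str(src)   # nothing matched: passes untranslated while nat-control is off (8.x default)

def audit(cfg):
    findings = []
    if not any(dest.prefixlen == 0 for _, dest, _ in cfg.routes):
        findings.append("no default route: add 'route <outside-if> 0.0.0.0 0.0.0.0 <gateway>'")
    for ifname, dest, gw in cfg.routes:
        itf = cfg.interfaces.get(ifname)
        if itf is None or gw not in itf.network:
            findings.append(f"route {dest} via {gw}: gateway is not on the {ifname} subnet")
        elif gw == itf.network.broadcast_address:
            findings.append(f"route {dest} via {gw}: gateway is the broadcast address of {itf.network}")
    for net, ifname in cfg.http:          # keep ASDM/HTTPS reachability on the interface's own subnet
        itf = cfg.interfaces.get(ifname)
        if itf is None or not net.subnet_of(itf.network):
            findings.append(f"http {net} {ifname}: not within the {ifname} subnet (never matches, or admits off-subnet sources)")
    for name, itf in cfg.interfaces.items():   # a routed public LAN still PATed behind the outside IP?
        if name not in cfg.exempt and itf.network.is_global:
            host = next(h for h in itf.network.hosts() if h != itf.ip)   # any other host on that LAN
            seen_as = egress_source(cfg, host, in_if=name)
            if seen_as != str(host):
                findings.append(f"{name}: public block {itf.network} leaves as {seen_as}; add a 'nat ({name}) 0 access-list' exemption if the ISP expects the block")
    return findings

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_CONFIG), ("with exemption", SAMPLE_CONFIG + EXEMPTION)):
        cfg = parse_config(text)
        print(label, "- host .211 leaves as", egress_source(cfg, "180.185.160.211"), audit(cfg))
```

Run against the config as posted, it reports 186.165.180.199 as the broadcast address of 186.165.180.196/30, reports that a host such as 180.185.160.211 leaves as 186.165.180.198, and flags all three http statements: 180.185.160.0 255.255.255.240 is 180.185.160.0 to .15 and never matches a host on the .208/28 LAN, 180.185.160.0 255.255.255.0 opens ASDM/HTTPS to a whole /24 when the interface only serves a /28, and 192.168.1.0/24 is not on the inside interface at all. Appending the two exemption lines makes the NAT finding disappear while a non-LAN source such as 10.1.1.1 would still be translated. The model says nothing about what the ISP actually filters; it only shows what the ASA would send.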

Hello H.Grankvist, I tried this:

access-list EXEMPT extended permit ip 180.185.160.208 255.255.255.240 any
nat (inside) 0 access-list EXEMPT

Guess what? It's working. Thank you so much h.grankvist. Thanks for your quick reply, it really helped me.

God bless you....

Hello h.grankvist,

I have one more question for you. How do I create user IDs and passwords for wifi users (using the customer's laptop MAC address) on the ASA 5505, and set a speed limit for customers? Is it possible to create a login page for wifi users on the ASA 5505?

thanks in advance

Hello again

I think you would have to use a RADIUS server for this (which can be integrated with Active Directory on a Windows server).

You should create a new question about this, I can't help you with this.

Hello ranadeo01,

 

First you need to load the ASDM image on the ASA and then use the command:

asdm image disk0:/asdm888.bin     (assuming the ASDM image name is asdm888.bin)

then on the ASA CLI issue the following commands:

http server enable
http 1.0.0.0 255.0.0.0 inside      (assuming your machine is in the 1.0.0.0 subnet behind the inside interface)

Then from your browser go to your ASA management IP and hit enter; it will open HTTPS management to the ASA from the browser.

 

About the NAT, I would suggest you review the following links:

http://www.youtube.com/watch?v=CNMrFksSdrc

http://www.youtube.com/watch?v=F1hK5iFlNKE

 

Kind Regards,

/Osama

osamasalman

Thanks for the reply. I can access the ASA 5505 using the ACL and ASDM. The only problem is that I cannot access the internet through the ASA 5505. Please check my config file.

thanks
