Craig Walker
asked on
Cisco ASA5501 Firewall setup
Hi,
I'm having difficulty setting up my ASA5505 Firewall.
I have done a write erase and reload noconfirm, then wri mem, then a reload, but when I connect it to my network I can't ping anything locally or get anything outside either.
My default gateway on my router is 192.168.1.1.
But having followed some procedures online I gather it should default to 192.168.1.1, which then gives me a GUI interface. I have tried this procedure connected and disconnected to the network to no avail. :(
So I'm presuming I will be looking at some help with a basic conf in the CLI interface instead now.
--------------------------
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:96fef2c17201d26f68d050a6b77aabf9
: end
You have a router and an ASA? I assume the router is connected to the broadband and the ASA behind the router? If so you'll not see anything on the ASA in terms of the BT connection...
I see in your router config details on the ADSL connection to BT, which makes me think it's the router that is connecting first...
Tell us how you are connecting everything together as it makes a difference...
Did you have the router connected ever before? Or why are you using both a router and a firewall if you don't mind me asking?
Connect your laptop to the router - do you get internet?
ASKER
Yes, the router is going to my broadband connection and I have taken eth0/1 on my router to eth0 on the firewall and connected my netgear switch to eth1 on the firewall, as the documentation said that eth0 is the outside and all others 1 to 7 are inside.
I have just tried to add the firewall as an extra; the router works fine, but I think it looks like an ip conflict as both are trying to access the same ip addy, but I don't think that's the only issue.
Internet works fine as long as I don't try to go through the firewall.
Ok good...now we can work with this...
Yes, you have an ip conflict - VLAN0 (eth0 on ASA) is 192.168.1.1 - this can't be this address since your router is using that address.
Make that 192.168.1.2
So on your ASA you need
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
(note I'm putting this as 3.1 since you are already using 2.1 for guest on the router and don't want to overlap)
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
Further down the config you also need
http 192.168.3.0 255.255.255.0 inside
dhcpd address 192.168.3.5-192.168.3.36 inside
That 'should' get you somewhere closer I think...
ASKER
Hi,
It doesn't seem to be accepting that?
------------------------
ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# interface Vlan1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.3.1 255.255.255.0
Interface address is not on same subnet as DHCP pool
ERROR: ip address command failed
ciscoasa(config-if)#
--------------------------
Ok, remove the DHCP pool before you change the ip address
conf t
no dhcpd address 192.168.3.5-192.168.3.36 inside
Then do the other commands, once complete re-add the dhcp command...
Note as well you'll lose access once you change the ip address...at that point you may need to assign a static ip to your laptop in the 192.168.3.x subnet to re-gain access...
ASKER
Not accepting this command, even tried without the dash -
-------------------------
ciscoasa(config)# no dhcpd address 192.168.3.5-192.168.3.36 inside
Address range 192.168.3.5-192.168.3.36 doesn't match 192.168.1.5-192.168.1.36 for interface inside
ciscoasa(config)#
-------------------------
Sorry...my mistake
Meant
no dhcpd address 192.168.1.5-192.168.1.36 inside
Use the existing pool...not the new pool (notice the 1.5 - 1.36 above)
Then change the ip, then add the new dhcpd pool with this
dhcpd address 192.168.3.5-192.168.3.36 inside
ASKER
Hi,
Just connected the router to eth0 on the firewall and the laptop to eth1, but still no internet access.
--------------------------
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.5-192.168.3.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea50e4eea9c4503247cd758a962fa8c0
: end
Ok, don't see a route command...add this to global config
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
ASKER
still no joy m8 :(
Everything connected is giving me a 169 ip addy even after a reload on the firewall. I've also done an ipconfig /release & renew on the laptop but still the same.
Should I try a reload on the router as well?
Think I'm half asleep here...again apologies I missed this bit
No nothing to do with the router...leave it as is...
Add these lines
dhcpd dns 208.67.220.220 208.67.222.222 interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
The reason you are getting a 169 address is DHCP isn't working...adding those should bring it to life.
If not, can you, as a test, set up a static ip on the laptop with these details to see?
IP - 192.168.3.40
Subnet - 255.255.255.0
GW - 192.168.3.1
DNS - 208.67.222.222
ASKER
My wireless access point seems to be working ok, but I can't see anything else on my network although there are connectivity lights on the switch?
I also can't access my aquarium controller remotely on 3G, which is 192.168.1.140, but can ping my dns server to it ok?
I use fing on my ipad to see all connected devices on my network but can't see everything I will try and post a screen shot.
ASKER
I think I've sussed it after looking at it.
It appears to only be showing the devices that I haven't assigned a static ip to, and that the router was assigning ip's above 100+.
I will change something now and get back to you in 5.
ASKER
That seems to have cured it. I have changed my aquarium controller to 192.168.3.40 and I can now see it locally. Will I have to alter the router for that now, as it was set up for 192.168.1.140 so that I can see it remotely?
I will need to change all the static ip devices I set up; couldn't figure out why I could only see the wifi, because I left them dynamic.
See this forum is educating me slowly i'm now doing basic diagnostics now :)
Good stuff...yes since you are technically on a different subnet now you have to get all on the same ip range...so you are moving in the right direction!
Glad you are working...good luck ;)
ASKER
I have removed 192.168.1.140 and added this to the router, but I still can't see this remotely:
ip nat inside source static tcp 192.168.3.40 80 interface Dialer0 80
Unsure if I have to change everything on the router config that starts with 192.168.1.1 to 192.168.3.1, just in case I screw it up?
ASKER
No problem, I will do. Thanks for your help yet again.
I will leave this as is till the end of the week and add a new post regarding this, as I'm working away till then and don't want to screw the internet for the family while I'm away in case there may be complications in setting this side up.
ASKER
I've requested that this question be closed as follows:
Accepted answer: 0 points for cannonz's comment #a39519588
for the following reason:
Thanks again for your help much appreciated.
Note you've closed this incorrectly...you need to click the 'Accept Answer' button when closing a question...you've closed it by clicking the wrong button as no points are being assigned that way...
ASKER
Thanks again for your help.
ASKER
I use BT Broadband (residential) so I don't have a static ip address; how would I go about changing this to suit a dynamic one?
I've also attached my latest running-config of both my router & firewall.
I'm also getting this on the firewall CLI:
--------------------------
ciscoasa# ERROR: Failed to apply IP address to interface Vlan2, as the network overlaps with interface Vlan1. Two interfaces cannot be in the same subnet.
--------------------------
Sorry I hope this is a bit more in depth and helps more.
screen-dump.docx
Firewall.txt
router.txt
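The fixes in this thread are all things a static check could have caught before the box was racked: two interfaces on the same subnet (the "Two interfaces cannot be in the same subnet" error above), a dhcpd pool outside the interface's subnet ("Interface address is not on same subnet as DHCP pool"), a pool with no "dhcpd enable" (clients falling back to 169.254 addresses), and a static outside address with no default route. The script below is an added example of my own, not Cisco tooling or anything from this thread; it assumes the ASA 8.2 "show run" line format used in the dumps on this page, and the sample config is constructed to match the thread's intermediate state.

```python
import ipaddress
import re

IFACE_RE = re.compile(r"^interface (\S+)")  # ASA 8.2 'show run' line patterns
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
IP_RE = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
SETROUTE_RE = re.compile(r"^\s*ip address dhcp setroute")
POOL_RE = re.compile(r"^dhcpd address ([^-\s]+)-(\S+) (\S+)")
ENABLE_RE = re.compile(r"^dhcpd enable (\S+)")
ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")

def parse(config):
    # nameif -> {"net": IPv4Interface|None, "setroute": bool}, plus pools, enabled set, default route
    ifaces, pools, enabled, default_route, cur = {}, [], set(), None, None
    for line in config.splitlines():
        if IFACE_RE.match(line):
            cur = {"nameif": None, "net": None, "setroute": False}
        elif line.startswith("!"):  # '!' closes an interface block; keep only named ones
            if cur and cur["nameif"]:
                ifaces[cur["nameif"]] = cur
            cur = None
        elif cur is not None:
            if m := NAMEIF_RE.match(line):
                cur["nameif"] = m.group(1)
            elif m := IP_RE.match(line):  # ip_interface accepts a dotted netmask
                cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif SETROUTE_RE.match(line):
                cur["setroute"] = True
        elif m := POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)), m.group(3)))
        elif m := ENABLE_RE.match(line):
            enabled.add(m.group(1))
        elif m := ROUTE_RE.match(line):
            default_route = (m.group(1), m.group(2))
    return ifaces, pools, enabled, default_route

def check(config):
    # Returns a list of findings; an empty list means none of the thread's mistakes are present.
    ifaces, pools, enabled, default_route = parse(config)
    findings = []
    nets = [(n, i["net"].network) for n, i in ifaces.items() if i["net"]]
    for idx, (a, na) in enumerate(nets):  # 'Two interfaces cannot be in the same subnet'
        for b, nb in nets[idx + 1:]:
            if na.overlaps(nb):
                findings.append(f"overlap: {a} {na} and {b} {nb}")
    for lo, hi, name in pools:  # 'Interface address is not on same subnet as DHCP pool'
        net = ifaces.get(name, {}).get("net")
        if net is None or lo not in net.network or hi not in net.network:
            findings.append(f"dhcp-pool: {lo}-{hi} is not within the {name} subnet")
        if name not in enabled:  # pool defined but clients still self-assign 169.254.x.x
            findings.append(f"dhcp-disabled: pool on {name} but no 'dhcpd enable {name}'")
    if default_route is None and not any(i["setroute"] for i in ifaces.values()):
        findings.append("no-default-route: add 'route outside 0.0.0.0 0.0.0.0 <gw> 1' or 'ip address dhcp setroute'")
    return findings

# Constructed sample: the thread's state after re-addressing, before the route and dhcpd fixes.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 192.168.1.2 255.255.255.0
!
dhcpd address 192.168.3.5-192.168.3.36 inside
"""
```

Run `check(SAMPLE_CONFIG)` to see the two findings the thread hit next (missing default route and no "dhcpd enable inside"); append those two lines and the list comes back empty.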