  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2191

setup asa 5505

Hello experts,

I have a Cisco ASA 5505 which I am in the process of setting up as a firewall.  I have a T1 connection, using a NetVanta Adtran 3200 router.   Both are configured and can get to the internet and get mail without any problems, but when I check my public IP address at www.whatismpip.com on computers within the network, I get different public IPs, which are from the command 'global (outside) 1 63.220.44.169-63.220.44.180 netmask 255.255.255.240'.  I don't know what is missing.  Can someone help please?

Configuration for ASA 5505:

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name ciscoasa.com
enable password ODHXBoP0gHidLhxx encrypted
multicast-routing
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.220.44.168 255.255.255.240
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ciscoasa.com
access-list mailserver extended permit tcp any host 63.220.44.180 eq smtp
access-list mailserver extended permit tcp any host 63.220.44.180 eq pop3
access-list mailserver extended permit tcp any host 63.220.44.180 eq https
access-list mailserver extended permit tcp any host 63.220.44.180 eq 993
access-list mailserver extended permit tcp any host 63.220.44.180 eq 995
access-list mailserver extended permit tcp any host 63.220.44.180 eq 587
access-list mailserver extended permit icmp any any
access-list terminalserver extended permit tcp any host 63.220.44.169 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 63.220.44.169-63.220.44.190 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.1.1 63.220.44.167 netmask 255.255.255.255
static (inside,outside) 63.220.44.180 192.168.1.200 netmask 255.255.255.255
static (inside,outside) 63.220.44.169 192.168.1.150 netmask 255.255.255.255
access-group mailserver in interface outside
route outside 0.0.0.0 0.0.0.0 63.220.44.167 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd option 6 ip 192.168.1.156
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6a3816b0ffd8c8636792f00e725ab66e
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
1 Solution

rsivanandan Commented:
>>global (outside) 1 63.220.44.169-63.220.44.190 netmask 255.255.255.240

The problem is here;

You have specified a range in which a couple of IP addresses are already defined. Do this: just remove this one by pasting the below;

no global (outside) 1 63.220.44.169-63.220.44.190 netmask 255.255.255.240

that should be fine.

Cheers,
Rajesh
ctwalla (Author) Commented:
Hello,

I have removed the command and replaced it with the last 3 IP addresses of the block.  I need to set up one IP to be used to connect to the internet; how do I do that?  I have another problem, which is why I didn't reply on time: some of the computers on the network are not connecting to the internet.  It works just fine on the network, they can connect to the servers but not the internet.  Is it the ASA or am I having some other problem?  Help please.
ctwalla (Author) Commented:
How can I turn on NAT on the ASA?  Help, some clients can't connect to the internet.  I cannot ping the public IPs from my network.

This is my ASA running config:
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name ciscoasa.com
enable password ODHXBoP0gHidLhxx encrypted
multicast-routing
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.220.44.168 255.255.255.240
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ciscoasa.com
access-list mailserver extended permit tcp any host 63.220.44.180 eq smtp
access-list mailserver extended permit tcp any host 63.220.44.180 eq pop3
access-list mailserver extended permit tcp any host 63.220.44.180 eq https
access-list mailserver extended permit tcp any host 63.220.44.180 eq 993
access-list mailserver extended permit tcp any host 63.220.44.180 eq 995
access-list mailserver extended permit tcp any host 63.220.44.180 eq 587
access-list mailserver extended permit icmp any any
access-list terminalserver extended permit tcp any host 63.220.44.169 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 63.220.44.178-63.220.44.180 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.1.1 63.220.44.167 netmask 255.255.255.255
static (inside,outside) 63.220.44.180 192.168.1.200 netmask 255.255.255.255
static (inside,outside) 63.220.44.169 192.168.1.150 netmask 255.255.255.255
access-group mailserver in interface outside
route outside 0.0.0.0 0.0.0.0 63.220.44.167 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd option 6 ip 192.168.1.156
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6a3816b0ffd8c8636792f00e725ab66e
: end
asdm image disk0:/asdm-522.bin
no asdm history enable
rsivanandan Commented:
You don't understand; please perform what I asked you and see if it helps you. Again you have an overlap, as below:

>>global (outside) 1 63.220.44.178-63.220.44.180 netmask 255.255.255.240
>>static (inside,outside) 63.220.44.180 192.168.1.200 netmask 255.255.255.255

See the overlap there? 63.220.44.178

Just remove the above-mentioned global statement;

global (outside) 1 interface  => This is enough!

Cheers,
Rajesh
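The overlap check from the two answers above, written out as an added example that is not from the thread or from Cisco: a Python script that parses the pre-8.3 `global` and `static` lines of an ASA config, reports any static mapped address that falls inside a dynamic global pool on the same interface, and prints the `no global ...` command that removes each offending pool (the `global (outside) 1 interface` PAT line is left alone, as Rajesh recommends). The regexes, class names and the reduced sample config are my own; the addresses in the sample are the ones from the posted config, so the script reproduces the two collisions in the first config (63.220.44.169 and 63.220.44.180) and the single one in the second (63.220.44.180).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: the NAT-relevant lines of the ASA 7.2(2) config posted above.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
 ip address 63.220.44.168 255.255.255.240
global (outside) 1 63.220.44.169-63.220.44.190 netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.1.1 63.220.44.167 netmask 255.255.255.255
static (inside,outside) 63.220.44.180 192.168.1.200 netmask 255.255.255.255
static (inside,outside) 63.220.44.169 192.168.1.150 netmask 255.255.255.255
"""

# global (mapped_if) nat_id first[-last] [netmask m]   or   global (mapped_if) nat_id interface
GLOBAL_RE = re.compile(
    r"^global \((\S+)\) (\d+) (interface|[\d.]+)(?:-([\d.]+))?(?: netmask [\d.]+)?$")
# static (real_if,mapped_if) mapped_ip real_ip netmask m   (pre-8.3 argument order)
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) ([\d.]+) ([\d.]+) netmask [\d.]+$")


@dataclass
class Pool:
    raw: str                      # original config line, reused to build the 'no ...' command
    iface: str
    nat_id: int
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def contains(self, ip):
        return self.first <= ip <= self.last


@dataclass
class Static:
    mapped_if: str
    mapped_ip: ipaddress.IPv4Address
    real_ip: ipaddress.IPv4Address


def parse_pools(config):
    """Dynamic address-range pools only. 'global (x) n interface' is PAT on the
    interface's own address and cannot collide with a static, so it is skipped."""
    pools = []
    for line in config.splitlines():
        m = GLOBAL_RE.match(line.strip())
        if not m or m.group(3) == "interface":
            continue
        first, last = m.group(3), m.group(4) or m.group(3)   # single-address pool has no '-last'
        pools.append(Pool(line.strip(), m.group(1), int(m.group(2)),
                          ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return pools


def parse_statics(config):
    statics = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(Static(m.group(2), ipaddress.IPv4Address(m.group(3)),
                                  ipaddress.IPv4Address(m.group(4))))
    return statics


def find_overlaps(config):
    """Return (mapped_ip, real_ip, pool_line) for every static whose mapped address
    sits inside a dynamic pool on the same interface."""
    pools = parse_pools(config)
    hits = []
    for s in parse_statics(config):
        for p in pools:
            if p.iface == s.mapped_if and p.contains(s.mapped_ip):
                hits.append((str(s.mapped_ip), str(s.real_ip), p.raw))
    return hits


def fix_commands(config):
    """ASA commands that drop each overlapping pool; the 'interface' PAT line stays."""
    bad = sorted({pool_line for _, _, pool_line in find_overlaps(config)})
    return ["no " + line for line in bad]


if __name__ == "__main__":
    for mapped, real, pool in find_overlaps(SAMPLE_CONFIG):
        print(f"static {mapped} -> {real} overlaps pool: {pool}")
    print("\n".join(fix_commands(SAMPLE_CONFIG)))
```

Why the overlap matters: `nat (inside) 1 0.0.0.0 0.0.0.0` sends every inside host through global pool 1, and a range pool assigns each host its own pool address, which is the rotating public address the original post saw at the IP-check site. Interface PAT sends all of that traffic out from 63.220.44.168 instead, leaving the `static` addresses dedicated to the mail and terminal servers.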
ctwalla (Author) Commented:
Thank you,

I have removed it, but I am still having the same problem with some computers on the network not connecting to the internet, though they can get all the network resources.  It was working last week; I added the ASA this weekend.  I believe I am missing a command.
rsivanandan Commented:
Don't give up, let's finish troubleshooting.

So on these couple of machines, pick one where the problem is consistent, open a command prompt and do this for me:

route print

tracert yahoo.com

Post it here.

Again, go to a computer on which it works and post the output of 'route print'. Let's see if there is any difference.

Cheers,
Rajesh
ctwalla (Author) Commented:
Hello Rajesh

I don't know why some of the private IPs were not working; yesterday before I left the office I had to find a solution to this problem.  I tested the connections by connecting a laptop to the line, which worked just fine, so I knew it was the IP on the machine.  So I changed the IP of all the machines that were not working to an IP address that was not used on the network and it worked just fine.  This morning, those IP addresses that were not working (192.168.1.12, 38, 54, 53) are working.

I can't tell what was wrong with them.  Anyway, here is the route print report of both.

Working machine:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20       10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.20    192.168.1.20       10
     192.168.1.20  255.255.255.255        127.0.0.1       127.0.0.1       10
    192.168.1.255  255.255.255.255     192.168.1.20    192.168.1.20       10
        224.0.0.0        240.0.0.0     192.168.1.20    192.168.1.20       10
  255.255.255.255  255.255.255.255     192.168.1.20    192.168.1.20       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

Not working machine:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.38       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.38    192.168.1.38       20
     192.168.1.38  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255     192.168.1.38    192.168.1.20       20
        224.0.0.0        240.0.0.0     192.168.1.38    192.168.1.38       20
  255.255.255.255  255.255.255.255     192.168.1.38    192.168.1.38       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None
rsivanandan Commented:
It is probably the NAT translations not being cleared in the ASA.

So now everything is in control right ?

Cheers,
Rajesh
ctwalla (Author) Commented:
tracert yahoo.com for the working machine; I could not perform a tracert yesterday.

Tracing route to yahoo.com [216.109.112.135]
over a maximum of 30 hops:

  1     1 ms    <1 ms    <1 ms  g-hfusa.hf.org [63.220.44.167]
  2     6 ms     5 ms     5 ms  Loopback0.GW9.DCA5.ALTER.NET [137.39.3.68]
  3    78 ms    48 ms     7 ms  0.ge-1-2-0.XT1.DCA5.ALTER.NET [152.63.40.18]
  4     6 ms     6 ms     6 ms  0.so-0-0-0.XL1.IAD8.ALTER.NET [152.63.36.25]
  5     7 ms     6 ms     6 ms  0.so-6-0-0.BR1.IAD8.ALTER.NET [152.63.32.157]
  6   186 ms   192 ms    66 ms  204.255.169.2
  7    18 ms     9 ms     9 ms  tbr1.wswdc.ip.att.net [12.123.8.106]
  8     7 ms     7 ms     7 ms  gar8.wswdc.ip.att.net [12.122.113.21]
  9    27 ms     8 ms     9 ms  12.86.111.22
 10     9 ms     8 ms     8 ms  ge-1-0-0-p120.msr1.dcn.yahoo.com [216.115.108.49]
 11     8 ms     8 ms    13 ms  ge10-2.bas1-m.dcn.yahoo.com [216.109.120.203]
 12     8 ms     8 ms     8 ms  w2.rc.vip.dcn.yahoo.com [216.109.112.135]

Trace complete.
rsivanandan Commented:
Cool. It is the NAT translations not being cleared up.

Cheers,
Rajesh