what do i need to do to get cisco asa 5505 to allow computers on default vlan1 to see internet?

I can't get the cisco asa 5505 to allow computers to see the internet. The default config is supposed to allow this but I can't get it to. I've treid everything. Forget even trying to set up the VPN!! I need to be able to get my server and computers to work. Currently I have my server (2003) set up to get it's IP address using DHCP just for now. The computer running the ASDM software is also configured for DHCP. Both are on vlan1. I have the internet connection on vlan2 configured for DHCP. I still can't get it to work. The way I want it configured is to have my server use a static IP provided by our ISP (AT&T). I want the server to control DHCP. I just need the 2 vlans.
dw1958Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

poweruser32Commented:
it looks like the nat is not set up correctly -you might need to post in the config on the asa to us
for users to be able to initiate outbound connections NAT must be configured correctly
0
dw1958Author Commented:
Right now it is set up with the default PAT. Should it be changed to NAT?
0
dw1958Author Commented:
Ok here is the config. Please bear in mind that I am using ASDM to configure.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

lrmooreCommented:
Is your outside interface getting an IP address?
Check results of show interface outside and show route
0
dw1958Author Commented:
I am about to go back to that office. will arrive there approx. 11AM Central and will post configs.
0
dw1958Author Commented:
Ok, I'm at the office so I have a little more information. Our ISP is AT&T (DSL). The router is a Netopia is model 3346N. I made the outside interface static with one of the 5 IP addresses assigned by AT&T. It actually passed traffic for a few minutes and then stopped abruptly. Following is the show interface and show run.
Result of the command: "show interface"

Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI
      MAC address 0007.0e4e.2726, MTU 1500
      IP address 192.168.1.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
      663 packets input, 59586 bytes
      623 packets output, 339783 bytes
      86 packets dropped
      1 minute input rate 0 pkts/sec,  8 bytes/sec
      1 minute output rate 0 pkts/sec,  340 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 2 pkts/sec,  186 bytes/sec
      5 minute output rate 1 pkts/sec,  868 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI
      MAC address 0007.0e4e.2726, MTU 1500
      IP address 76.247.252.133, subnet mask 255.255.255.248
  Traffic Statistics for "outside":
      701 packets input, 48614 bytes
      30 packets output, 16184 bytes
      661 packets dropped
      1 minute input rate 2 pkts/sec,  193 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 2 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  53 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 0007.0e4e.271e, MTU not set
      IP address unassigned
      696 packets input, 61190 bytes, 0 no buffer
      Received 238 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      30 packets output, 16760 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/1 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0007.0e4e.271f, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/2 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 0007.0e4e.2720, MTU not set
      IP address unassigned
      655 packets input, 72080 bytes, 0 no buffer
      Received 89 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      617 packets output, 351452 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/3 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0007.0e4e.2721, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/4 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0007.0e4e.2722, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/5 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0007.0e4e.2723, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/6 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0007.0e4e.2724, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/7 "", is down, line protocol is down
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex, Auto-Speed
      Available but not configured via nameif
      MAC address 0007.0e4e.2725, MTU not set
      IP address unassigned
      0 packets input, 0 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops


Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f0de19899fcd2dc00a3a66699ba2c8a2
: end




0
lrmooreCommented:
You need a default gateway:

route outside 0.0.0.0 0.0.0.0 76.247.252.129 1

Using your mask of 255.255.255.248, I assume that .129 will be your gateway. You might have to check with at&t
0
dw1958Author Commented:
I addes the route outside 76.247.252.133 255.255.255.255 76.247.252.134 1
It wouldn't let me use any other mask than .255
I'm still unable to hit the Internet. Do you think it could be that the router provided by AT&T is configured incorrectly? I didn't get a warm/fuzzy from them. They gave us the wrong IP addresses the 1st time out. I can get into the AT&T Netopia router. I just don't know what to look for.
Here's the current config of the asa 5505.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 retries 4
 timeout 8
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 76.247.252.133 255.255.255.255 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:23f8fb66bb7f245c6fce7ef6fce033a2
: end
0
lrmooreCommented:

no route outside 76.247.252.133 255.255.255.255 76.247.252.134 1
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
dw1958Author Commented:
Ok corrected that route. I still can't get to the internet.
Here's what we have now.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 retries 4
 timeout 8
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:43a403408fca004ee23d73b8a8273bdd
: end
0
lrmooreCommented:
>76.247.252.134
Then this may not be the correct IP address to use as the next hop gateway. You need to check with the ISP to be sure what the correct address is.

Add ICMP inspect and you can use Ping/traceroute from PC for troubleshooting:
 
policy-map global_policy
 class inspection_default
  inspect icmp
0
dw1958Author Commented:
That is the Ip address on the LAN interface of the router provided by AT&T. I added ICMP. I did a traceroute from my computer to the WAN interface on the cisco asa 5505. It couln't find it! Can't ping it either.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 retries 4
 timeout 8
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any traceroute inside
icmp permit any traceroute outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9a49e0d4e1ac8ca20e9166da095df582
: end
0
lrmooreCommented:
You did not add the inspect icmp, so you cannot ping anything from the PC
You cannot ping your own outside IP address from an inside PC - ever
Can you ping the ISP router .134 from the ASA?
0
dw1958Author Commented:
Sorry, I'm using the ASDM and there wasn't an inspect option. I haven't used command line in years. When I ping or traceroute from the ASA it drops the packet. Says it is due to an implicit rule. When I look at the rules there are 2 there. I can't delete or modify these rules.
0
dw1958Author Commented:
here are the current configs. I cahnged NAT to use the public IP's. That may be a mistake and it's not really what I want but I'm getting desperate.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 retries 4
 timeout 8
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any traceroute inside
icmp permit any traceroute outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 76.247.252.129-76.247.252.132 netmask 255.255.255.248
global (outside) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
0
lrmooreCommented:
Use Tools | Command line tool
Select Multi line command.
Copy/paste the following into the box and hit submit:

policy-map global_policy
 class inspection_default
  inspect icmp

If the original PAT using the interface doesn't work, neither will using NAT with a pool of IPs...
If you can't ping the gateway from the tools | ping utility, then there is something wrong with the modem or connection. Can you confirm that the DSL modem is in bridge mode, or that the ISP is routing your block of IP's to the DSL modem's IP address properly?
0
dw1958Author Commented:
I will add the configs. I am in the ISP's router now. The only setting I see for bridged mode has 2 check boxes. Both are unchecked. One is Enable System Bridge, the other is Enable Concurrent Bridging/Routing under the heading Ethernet bridge. I was finally able to get hold of someone at AT&T, they said that the config was correct. I still don't have much confidence in them. All of the static IP's we were issued do work from the modem. Do I need to enable one of the bridging choices?
0
dw1958Author Commented:
Here are the configs after adding inspect imcp. Do I need to enable bridging on the ISP's router?

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 retries 4
 timeout 8
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any traceroute inside
icmp permit any traceroute outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.10-192.168.1.33 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1ec7bbbb8d7e25913549f36f53d68fb8
: end


Here are the ISP's router configs.

WAN IP Interface
(PPP over Ethernet vcc1)
Address Mapping (NAT)   off
Local Address   0.0.0.0
Peer Address   0.0.0.0
ISP Username   xxxxxx
ISP Password   xxxxxx
Connection Type  Instant-OnAlways-On



ATM Circuits
VCC 1
VPI 0
 VCI 35
 Encapsulation PPP over Ethernet
 Multiplexing LLC/SNAP
PPPoE Sessions 1

IP Gateway
Enable Gateway Option   enablrd
Interface Type  PPP (vcc1)


 
LAN IP Interface
(Ethernet 100BT)
IP Address   76.247.252.134
IP Netmask   255.255.255.248

General
System Name  



DHCP Server  
Enable Server   enabled
Starting IP Address   76.247.252.129
Ending IP Address     76.247.252.132



DNS
Domain Name   sbcglobal.net

Primary DNS Server Address   68.94.156.1
Secondary DNS Server Address   68.94.157.1

0
lrmooreCommented:
I don't think you need to enable bridging on the modem since the LAN interface has a public IP and the proper mask.
Everything looks good on  your config now. All the right things are there.
0
dw1958Author Commented:
When back down to the office today to give it a try and it still isn't working. I'm starting to think that vlan1 (inside) is not being allowed to pass infor to/through vlan2(outside). I turned on syslog and tried to browse the Internet. Here are the logs.

6      Sep 30 2007   16:04:12   110001    No route to ff02::1:3 from fe80::1507:f98d:329e:21c

6      Sep 30 2007   16:06:12    302014      192.168.1.4      192.168.1.1       Teardown TCP connection 27 for inside:192.168.1.4/49194 to NP Identity Ifc:192.168.1.1/443 duration 0:00:00 bytes 1851 TCP FINs

6    Sep 30 2007   16:06:12    725007      192.168.1.4   SSL session with client inside:192.168.1.4/49194 terminated.

6   Sep 30 2007    16:06:12   605005      192.168.1.4      192.168.1.1       Login permitted from 192.168.1.4/49194 to inside:192.168.1.1/https for user "enable_15"

6   Sep 30 2007   16:06:12      725002  192.168.1.4    Device completed SSL handshake with client inside:192.168.1.4/49194

6   Sep 30 2007   16:06:12      725001   192.168.1.4   Starting SSL handshake with client inside:192.168.1.4/49194 for TLSv1 session.

6   Sep 30 2007   16:06:12      302013   192.168.1.4   192.168.1.1   Built inbound TCP connection 27 for inside:192.168.1.4/49194 (192.168.1.4/49194) to NP Identity Ifc:192.168.1.1/443 (192.168.1.1/443)

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.