jilted
asked on
Unable to connect to internet
Hi, I´m having some issues with this new ASA 5505. It´s connected to an ADSL-modem and the ISP provides IP through DHCP. The ASA should then provide the internal LAN with DCHP from the range 192.168.1.x. The ASA receives its IP and the clients as well, but it stops there. The clients cannot connect to the internet and the ASA cannot ping public ip's.
Am I missing something basic here?
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name customer
enable password zKA/m.Jc5AIGrhWx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name customer
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 195.7.64.3 195.7.64.131 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ead0f1d5ab
: end
Am I missing something basic here?
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name customer
enable password zKA/m.Jc5AIGrhWx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name customer
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 195.7.64.3 195.7.64.131 interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ead0f1d5ab
: end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Um...
nat-control is an additional security feature that tells the that all packets passing from the inside interface to the outside interface on the ASA MUST match a NAT rule. I have never used this additial feature and if he is having trouble my recommendation would be to disable it.
You do not need a default route as this will be suppled via DHCP per your current config.
nat-control is an additional security feature that tells the that all packets passing from the inside interface to the outside interface on the ASA MUST match a NAT rule. I have never used this additial feature and if he is having trouble my recommendation would be to disable it.
You do not need a default route as this will be suppled via DHCP per your current config.
ASKER
Hi!
I entered the nat statements but they made no difference (at first) and there was definitely something wrong with my default route. show route did not give me the usual 0.0.0...., it gave me a 127.0...
This morning i erased the entire config and started over from the beginning, only setting the interface ip´s (vlan 1 --ip address 192.168.1.254 255.255.255.0 and vlan 2 -- ip address dhcp setroute). I also entered the "dhcp-client client-id interface outside" for our ISP's dhcp to accept the ASA. That´s all and it worked!
sh run gives me the global and nat (inside) lines and there is no nat-control to be found. Besides that the config is identical. I have no idea why it didn´t work when i removed nat-control and entered the global /nat lines but hey, it works and i´m happy...
Thank´s!
I entered the nat statements but they made no difference (at first) and there was definitely something wrong with my default route. show route did not give me the usual 0.0.0...., it gave me a 127.0...
This morning i erased the entire config and started over from the beginning, only setting the interface ip´s (vlan 1 --ip address 192.168.1.254 255.255.255.0 and vlan 2 -- ip address dhcp setroute). I also entered the "dhcp-client client-id interface outside" for our ISP's dhcp to accept the ASA. That´s all and it worked!
sh run gives me the global and nat (inside) lines and there is no nat-control to be found. Besides that the config is identical. I have no idea why it didn´t work when i removed nat-control and entered the global /nat lines but hey, it works and i´m happy...
Thank´s!
ASKER