We help IT Professionals succeed at work.

Setting up ASA5510 on Metro Ethernet.  Config help

I'm having difficulty setting up an ASA5510 to pass internet traffic.  Bell gave me a sample config from a Cisco 2821 Router, however I'm not sure where the configs go on the ASA.  

Here's the information that Bell supplied me with:

!  MANUAL Router configuration - CE Configuration
!
! 10 Megabit MetroEthernet
!
!  CPR router Cisco 2821
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
!
!
service timestamps debug uptime  
service timestamps log uptime  
service password-encryption  
!  
hostname XXXXX
!  

!
aaa new-model  
!
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa authorization exec default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+  
!  
 
!  
ip cef
ip subnet-zero  
no ip source-route  
no ip finger  
no ip domain-lookup  
!
ip name-server 205.152.37.23
!
interface GigabitEthernet0/0
 description 38.KQGN.600629 CUSTOMER: Global_Airways
 speed 100
 duplex full
 load-interval 30
!
 rate-limit output 10000000 250000 250000 conform-action transmit exceed-action drop
 no shutdown
!
interface GigabitEthernet0/0.1
 description XXXCLIENT WAN   Remote:her02aep  Interface:gigabit4/1/1.24
encapsulation dot1Q 1188
 ip address 74.253.144.150 255.255.255.252
 no snmp trap link-status
 ip access-group 111 out  
 no shutdown
!
interface GigabitEthernet0/1
 ip address 74.255.62.97 0.0.0.3
 load-interval 30
 no shutdown
!
!
ip route 0.0.0.0 0.0.0.0 74.253.144.149
!
ip classless  
no ip http server  
!  


no cdp run
!
access-list 111 permit ip 74.253.144.148 0.0.0.3 any                      
access-list 111 permit ip 74.255.49.96 0.0.0.31
Comment
Watch Question

http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/setup.html
heres a link to configure the ASA via the startup wizard. It walks you through the setup wizard, very easy to use.

Author

Commented:
I've gone through this startup wizard, however I still can't pass traffic.  I need to know if there are any routes, or other specifics that I'm missing.  
OK...I'll look through the config above. In the meantime can you provide the results of a "show route". Thanks.
Also can you provide a the results from a "show run" so I can see what you currently have? Thanks.

Author

Commented:
It's a fresh-out-of the box ASA.  No configuration at all, just need to know the steps to set it up.

The Setup Wizard should have configured it for you but obviously it didn't. I still need to see a copy of the config because the wizard configures it for you. Maybe something was put in incorrectly. Also, from the ASA can you ping to an outside IP address?

Author

Commented:
Well, I got so far as being able to setup another port Ethernet0/1.1 with some basic information, but I still am unable to ping outside the device.  I now also understand the vlan setup, but am unsure how to set that up in correlation to the internal DHCP as well as how to setup gateway information.

See attached code snippet.  

Thanks for your help so far. =)
ATLGBLASA01# show run
: Saved
:
ASA Version 7.0(7)
!
hostname ATLGBLASA01
domain-name global.local
enable password BxU7zi1WPwsDmZ9d encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif METRO
 security-level 0
 ip address 74.255.49.98 255.255.255.224
!
interface Ethernet0/0.1
 vlan 1188
 nameif GlobalAir
 security-level 0
 ip address 74.253.144.150 255.255.255.252
!
interface Ethernet0/1
 nameif LOCAL
 security-level 0
 ip address 10.0.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup METRO
same-security-traffic permit inter-interface
access-list LOCAL_access_in remark Fubar
access-list LOCAL_access_in extended permit tcp interface LOCAL interface GlobalAir
pager lines 24
logging asdm informational
mtu management 1500
mtu METRO 1500
mtu LOCAL 1500
mtu GlobalAir 1500
mroute 0.0.0.0 255.255.255.0 LOCAL dense METRO
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group LOCAL_access_in in interface LOCAL
route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.50 management
dhcpd address 10.0.1.20-10.0.1.240 LOCAL
dhcpd dns 205.152.37.23 205.152.144.23
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config LOCAL
dhcpd enable management
dhcpd enable LOCAL
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:a83b85b9564fe3dc8ea9cdb6e13b02f4
: end

Open in new window

Thank you for the config. Here is what I see right off the bat. The security level on the interfaces seems to maybe be incorrect. Let me explain. It's like standing on the top of a hill, the top of the hill being level 100, the bottom at level 0. If you drop a ball gravity will allow it to run downhill. Thats how the security levels work. Anything can go to a lower number but low numbers cant go to high numbers.
   With that said, the METRO interface is level 0 (lowest security) looks good, then teh GlobalAir and LOCAL interfaces are also zero. Are these two connections trusted? Meaning you've got users on them that access your network, which interface is used by your users? THen the last interface, "management" is level 100 (looks good). Which ip's are you trying to access the internet from? I'll keep looking and post again shortly.
Next, according to the route statement, you want to route all traffic acrossed the GlobalAir interface? What is the Ethernet0/0.1 (sub-interface), GlobalAir used for? Is this another internet connection? Which interface are you wanting traffic to go out of?
If you want all traffic to go out your METRO interface then use the following:
no route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149 tunneled
route METRO 0.0.0.0 0.0.0.0 [ip of default gateway, provided by your METRO ISP]

Also, are you running any multicast traffic applications? Just curious, I saw the mroute command.
Thanks.

Author

Commented:
Well...

The Ethernet0/1 Interface is the physical connection to the Metro Ethernet handoff from the provider.  The Ethernet0/1.1 was (if I'm understanding this correctly) the vlan tunnel to be established for all incoming and outbound traffic to and from the metro ethernet interface.  That was named GlobalAir.  

The only interfaces that have trusted users are on the mgmt interface, and also on LOCAL.  Local is setup with an ip range of 10.0.1.X for distribution of IP leases to the network.  This will change more than likely once a DC comes into play later on down the road.

After looking at this all day, I have a better grasp of how it's supposed to go down.  For me the disconnect was looking at a "proposed" setup on a 2821 Router, and then trying to apply it to the ASA.  They're completely different pieces of equipment.  

I'll try changing the interfaces around tomorrow morning when I get in to see if it passes traffic.

Also, what you suggest setting the security levels at for each interface considering that the GlobalAir and Metro interfaces are public, and the LOCAL is internal?  

It should be noted that I'm simply getting this up and running until we can pass this over to another company for ongoing maintenance and support.
OK. I see now. It's almost like a frame-relay setup. So yes, the LOCAL interface needs to be set to security-level 100. This should help.

Author

Commented:
Alright, I'll do that.  

I'm still hazy on how to implement those changes through the CLI.  
To set the security level, log into the ASA via command line, then:
enable
[enable password]
config t
int eth 0/1
security-level 100

That's it !

Author

Commented:
What are the cli commansa for the int config based on the initial sample?  I feel like such a rookie  
The CLI commands to set the security level are as follows:
1. log into the ASA via Telnet/SSH/console cable
2. enter password
3. User these commands:
enable , then enter password
configure terminal
interface ethernet 0/1
security-level 100
exit
copy run start

Author

Commented:
I have no clue what I'm doing.  I've gone through the steps as outlined here, but I don't know how to configure each interface either through the CLI or through the GUI.

I was able to get the security level set at 100 for the local connection through the CLI, though....so that's a good thing....right?

At this point, I'd pay someone to remote in and take a look.  
Good, the you did set the security level. Has that had any effect on internet traffic?

Author

Commented:
Sadly, there's no internet traffic to be had....and yesterday afternoon I found out why.  

AT&T never provisioned their side of the line, so no matter what I did or didn't do...it wasn't going to work anyway.

Nothing like 2 days burned.  

Thank you so much for your help, I really appreciate it.  They're sending out a tech to provision both sides since my time is up.