Setting up ASA5510 on Metro Ethernet. Config help

I'm having difficulty setting up an ASA5510 to pass internet traffic.  Bell gave me a sample config from a Cisco 2821 Router, however I'm not sure where the configs go on the ASA.  

Here's the information that Bell supplied me with:

!  MANUAL Router configuration - CE Configuration
!
! 10 Megabit MetroEthernet
!
!  CPR router Cisco 2821
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
!
!
service timestamps debug uptime  
service timestamps log uptime  
service password-encryption  
!  
hostname XXXXX
!  

!
aaa new-model  
!
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa authorization exec default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+  
!  
 
!  
ip cef
ip subnet-zero  
no ip source-route  
no ip finger  
no ip domain-lookup  
!
ip name-server 205.152.37.23
!
interface GigabitEthernet0/0
 description 38.KQGN.600629 CUSTOMER: Global_Airways
 speed 100
 duplex full
 load-interval 30
 rate-limit output 10000000 250000 250000 conform-action transmit exceed-action drop
 no shutdown
!
interface GigabitEthernet0/0.1
 description XXXCLIENT WAN   Remote:her02aep  Interface:gigabit4/1/1.24
 encapsulation dot1Q 1188
 ip address 74.253.144.150 255.255.255.252
 no snmp trap link-status
 ip access-group 111 out  
 no shutdown
!
interface GigabitEthernet0/1
 ! subnet mask corrected: the sample had the wildcard form 0.0.0.3, which IOS rejects on an interface
 ip address 74.255.62.97 255.255.255.252
 load-interval 30
 no shutdown
!
!
ip route 0.0.0.0 0.0.0.0 74.253.144.149
!
ip classless  
no ip http server  
!  


no cdp run
!
access-list 111 permit ip 74.253.144.148 0.0.0.3 any
! destination keyword assumed to be "any", matching the line above; the sample was cut off here
access-list 111 permit ip 74.255.49.96 0.0.0.31 any
cdharris2005Asked:
stuknhawaiiCommented:
http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/setup.html
Here's a link to configure the ASA via the startup wizard. It walks you through the setup wizard, very easy to use.
0
cdharris2005Author Commented:
I've gone through this startup wizard, however I still can't pass traffic.  I need to know if there are any routes, or other specifics that I'm missing.  
0
stuknhawaiiCommented:
OK...I'll look through the config above. In the meantime can you provide the results of a "show route". Thanks.
0
stuknhawaiiCommented:
Also can you provide the results from a "show run" so I can see what you currently have? Thanks.
0
cdharris2005Author Commented:
It's a fresh-out-of the box ASA.  No configuration at all, just need to know the steps to set it up.

0
stuknhawaiiCommented:
The Setup Wizard should have configured it for you but obviously it didn't. I still need to see a copy of the config because the wizard configures it for you. Maybe something was put in incorrectly. Also, from the ASA can you ping to an outside IP address?
0
cdharris2005Author Commented:
Well, I got so far as being able to set up another port Ethernet0/1.1 with some basic information, but I still am unable to ping outside the device.  I now also understand the vlan setup, but am unsure how to set that up in correlation to the internal DHCP as well as how to set up gateway information.

See attached code snippet.  

Thanks for your help so far. =)
ATLGBLASA01# show run
: Saved
:
ASA Version 7.0(7)
!
hostname ATLGBLASA01
domain-name global.local
enable password BxU7zi1WPwsDmZ9d encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif METRO
 security-level 0
 ip address 74.255.49.98 255.255.255.224
!
interface Ethernet0/0.1
 vlan 1188
 nameif GlobalAir
 security-level 0
 ip address 74.253.144.150 255.255.255.252
!
interface Ethernet0/1
 nameif LOCAL
 security-level 0
 ip address 10.0.1.10 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup METRO
same-security-traffic permit inter-interface
access-list LOCAL_access_in remark Fubar
access-list LOCAL_access_in extended permit tcp interface LOCAL interface GlobalAir
pager lines 24
logging asdm informational
mtu management 1500
mtu METRO 1500
mtu LOCAL 1500
mtu GlobalAir 1500
mroute 0.0.0.0 255.255.255.0 LOCAL dense METRO
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group LOCAL_access_in in interface LOCAL
route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.50 management
dhcpd address 10.0.1.20-10.0.1.240 LOCAL
dhcpd dns 205.152.37.23 205.152.144.23
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config LOCAL
dhcpd enable management
dhcpd enable LOCAL
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:a83b85b9564fe3dc8ea9cdb6e13b02f4
: end

0
stuknhawaiiCommented:
Thank you for the config. Here is what I see right off the bat. The security level on the interfaces seems to maybe be incorrect. Let me explain. It's like standing on the top of a hill, the top of the hill being level 100, the bottom at level 0. If you drop a ball gravity will allow it to run downhill. That's how the security levels work. Anything can go to a lower number but low numbers can't go to high numbers.
With that said, the METRO interface is level 0 (lowest security) looks good, then the GlobalAir and LOCAL interfaces are also zero. Are these two connections trusted? Meaning you've got users on them that access your network, which interface is used by your users? Then the last interface, "management" is level 100 (looks good). Which IPs are you trying to access the internet from? I'll keep looking and post again shortly.
0
stuknhawaiiCommented:
Next, according to the route statement, you want to route all traffic across the GlobalAir interface? What is the Ethernet0/0.1 (sub-interface), GlobalAir used for? Is this another internet connection? Which interface are you wanting traffic to go out of?
If you want all traffic to go out your METRO interface then use the following:
no route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149 tunneled
route METRO 0.0.0.0 0.0.0.0 [ip of default gateway, provided by your METRO ISP]

Also, are you running any multicast traffic applications? Just curious, I saw the mroute command.
Thanks.
0

cdharris2005Author Commented:
Well...

The Ethernet0/1 Interface is the physical connection to the Metro Ethernet handoff from the provider.  The Ethernet0/1.1 was (if I'm understanding this correctly) the vlan tunnel to be established for all incoming and outbound traffic to and from the metro ethernet interface.  That was named GlobalAir.  

The only interfaces that have trusted users are on the mgmt interface, and also on LOCAL.  Local is set up with an ip range of 10.0.1.X for distribution of IP leases to the network.  This will change more than likely once a DC comes into play later on down the road.

After looking at this all day, I have a better grasp of how it's supposed to go down.  For me the disconnect was looking at a "proposed" setup on a 2821 Router, and then trying to apply it to the ASA.  They're completely different pieces of equipment.  

I'll try changing the interfaces around tomorrow morning when I get in to see if it passes traffic.

Also, what would you suggest setting the security levels at for each interface considering that the GlobalAir and Metro interfaces are public, and the LOCAL is internal?  

It should be noted that I'm simply getting this up and running until we can pass this over to another company for ongoing maintenance and support.
0
stuknhawaiiCommented:
OK. I see now. It's almost like a frame-relay setup. So yes, the LOCAL interface needs to be set to security-level 100. This should help.
0
cdharris2005Author Commented:
Alright, I'll do that.  

I'm still hazy on how to implement those changes through the CLI.  
0
stuknhawaiiCommented:
To set the security level, log into the ASA via command line, then:
enable
[enable password]
config t
int eth 0/1
security-level 100

That's it !
0
cdharris2005Author Commented:
What are the cli commands for the int config based on the initial sample?  I feel like such a rookie  
0
stuknhawaiiCommented:
The CLI commands to set the security level are as follows:
1. log into the ASA via Telnet/SSH/console cable
2. enter password
3. Use these commands:
enable, then enter password
configure terminal
interface ethernet 0/1
security-level 100
exit
copy run start

0
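Pulling the thread's advice together (LOCAL at security-level 100, the default route on the interface that actually faces the provider, the "tunneled" keyword dropped) into one ASA 7.0 configuration for the box shown in the "show run" above. This is an added example, not a config from the thread, from Bell, or from Cisco documentation. It assumes the provider handoff is tagged VLAN 1188 only, as the 2821 sample implies (the 2821 puts the /30 on a dot1Q subinterface and no address on the physical port), so the METRO name and 74.255.49.98/27 address on the physical Ethernet0/0 are dropped; that 74.253.144.149 is the provider gateway (the 2821 sample's "ip route" next hop); and that the 10.0.1.0/24 LAN should be translated behind the outside interface address with nat/global, which the thread never mentions but which private addresses need before the provider will return their traffic. All other addresses are the ones posted above.

```cisco
! Added example for the ASA5510 in this thread (ASA 7.0 syntax), not the
! author's or Cisco's config. Assumptions: tagged-only handoff on VLAN 1188,
! provider gateway 74.253.144.149, PAT for the 10.0.1.0/24 LAN.
!
! Remove lines that reference the METRO name before the name goes away.
no mroute 0.0.0.0 255.255.255.0 LOCAL dense METRO
no dns domain-lookup METRO
!
! Provider-facing physical port: carries only the tagged subinterface.
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/0.1
 vlan 1188
 nameif GlobalAir
 security-level 0
 ip address 74.253.144.150 255.255.255.252
!
! LAN side: trusted, so security-level 100 (the fix discussed above).
interface Ethernet0/1
 nameif LOCAL
 security-level 100
 ip address 10.0.1.10 255.255.255.0
 no shutdown
!
dns domain-lookup GlobalAir
!
! Default route out the provider subinterface, without "tunneled": a tunneled
! default route applies only to traffic arriving over VPN tunnels, so the
! original line never carried ordinary LAN traffic.
no route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149 tunneled
route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149 1
!
! Translate private LAN addresses to the outside interface address (PAT).
nat (LOCAL) 1 10.0.1.0 255.255.255.0
global (GlobalAir) 1 interface
!
! Drop the ACL that only permitted TCP between the two interface addresses.
! With LOCAL at 100 and GlobalAir at 0 the default policy already allows
! LAN-initiated traffic outbound and blocks unsolicited inbound connections.
no access-group LOCAL_access_in in interface LOCAL
clear configure access-list LOCAL_access_in
!
! Let LAN hosts test with ping; ICMP replies are not tracked by default.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! DHCP for the LAN, as already present in the posted config.
dhcpd address 10.0.1.20-10.0.1.240 LOCAL
dhcpd dns 205.152.37.23 205.152.144.23
dhcpd enable LOCAL
```

Enter this from "configure terminal" and finish with "copy run start", as the steps above describe. Then check "show route" (the default route should now read via 74.253.144.149 on GlobalAir) and ping 74.253.144.149 from the ASA itself before testing from a LAN host. If the gateway does not answer, the problem is on the provider side of the handoff, which is exactly how this thread ends: no configuration on the ASA passes traffic until the circuit is provisioned.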
cdharris2005Author Commented:
I have no clue what I'm doing.  I've gone through the steps as outlined here, but I don't know how to configure each interface either through the CLI or through the GUI.

I was able to get the security level set at 100 for the local connection through the CLI, though....so that's a good thing....right?

At this point, I'd pay someone to remote in and take a look.  
0
stuknhawaiiCommented:
Good, then you did set the security level. Has that had any effect on internet traffic?
0
cdharris2005Author Commented:
Sadly, there's no internet traffic to be had....and yesterday afternoon I found out why.  

AT&T never provisioned their side of the line, so no matter what I did or didn't do...it wasn't going to work anyway.

Nothing like 2 days burned.  

Thank you so much for your help, I really appreciate it.  They're sending out a tech to provision both sides since my time is up.  
0