cdharris2005
asked on
Setting up ASA5510 on Metro Ethernet. Config help
I'm having difficulty setting up an ASA5510 to pass internet traffic. Bell gave me a sample config from a Cisco 2821 Router; however, I'm not sure where the configs go on the ASA.
Here's the information that Bell supplied me with:
! MANUAL Router configuration - CE Configuration
!
! 10 Megabit MetroEthernet
!
! CPR router Cisco 2821
!
!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!!!!!! !!!!!
!
!
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XXXXX
!
!
aaa new-model
!
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa authorization exec default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
!
!
ip cef
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
!
ip name-server 205.152.37.23
!
interface GigabitEthernet0/0
description 38.KQGN.600629 CUSTOMER: Global_Airways
speed 100
duplex full
load-interval 30
!
rate-limit output 10000000 250000 250000 conform-action transmit exceed-action drop
no shutdown
!
interface GigabitEthernet0/0.1
description XXXCLIENT WAN Remote:her02aep Interface:gigabit4/1/1.24
encapsulation dot1Q 1188
ip address 74.253.144.150 255.255.255.252
no snmp trap link-status
ip access-group 111 out
no shutdown
!
interface GigabitEthernet0/1
ip address 74.255.62.97 0.0.0.3
load-interval 30
no shutdown
!
!
ip route 0.0.0.0 0.0.0.0 74.253.144.149
!
ip classless
no ip http server
!
no cdp run
!
access-list 111 permit ip 74.253.144.148 0.0.0.3 any
access-list 111 permit ip 74.255.49.96 0.0.0.31
ASKER
I've gone through this startup wizard; however, I still can't pass traffic. I need to know if there are any routes or other specifics that I'm missing.
OK... I'll look through the config above. In the meantime, can you provide the results of a "show route"? Thanks.
Also, can you provide the results from a "show run" so I can see what you currently have? Thanks.
ASKER
It's a fresh-out-of-the-box ASA. No configuration at all; I just need to know the steps to set it up.
The Setup Wizard should have configured it for you, but obviously it didn't. I still need to see a copy of the config, because the wizard configures it for you. Maybe something was put in incorrectly. Also, from the ASA, can you ping an outside IP address?
ASKER
Well, I got so far as being able to set up another port, Ethernet0/1.1, with some basic information, but I still am unable to ping outside the device. I now also understand the VLAN setup, but am unsure how to set that up in correlation to the internal DHCP, as well as how to set up gateway information.
See attached code snippet.
Thanks for your help so far. =)
ATLGBLASA01# show run
: Saved
:
ASA Version 7.0(7)
!
hostname ATLGBLASA01
domain-name global.local
enable password BxU7zi1WPwsDmZ9d encrypted
names
dns-guard
!
interface Ethernet0/0
nameif METRO
security-level 0
ip address 74.255.49.98 255.255.255.224
!
interface Ethernet0/0.1
vlan 1188
nameif GlobalAir
security-level 0
ip address 74.253.144.150 255.255.255.252
!
interface Ethernet0/1
nameif LOCAL
security-level 0
ip address 10.0.1.10 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup METRO
same-security-traffic permit inter-interface
access-list LOCAL_access_in remark Fubar
access-list LOCAL_access_in extended permit tcp interface LOCAL interface GlobalAir
pager lines 24
logging asdm informational
mtu management 1500
mtu METRO 1500
mtu LOCAL 1500
mtu GlobalAir 1500
mroute 0.0.0.0 255.255.255.0 LOCAL dense METRO
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat (management) 0 0.0.0.0 0.0.0.0
access-group LOCAL_access_in in interface LOCAL
route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.50 management
dhcpd address 10.0.1.20-10.0.1.240 LOCAL
dhcpd dns 205.152.37.23 205.152.144.23
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config LOCAL
dhcpd enable management
dhcpd enable LOCAL
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a83b85b9564fe3dc8ea9cdb6e13b02f4
: end
Thank you for the config. Here is what I see right off the bat. The security levels on the interfaces may be incorrect. Let me explain. It's like standing on the top of a hill, the top of the hill being level 100 and the bottom level 0. If you drop a ball, gravity will let it run downhill. That's how the security levels work: anything can go to a lower number, but low numbers can't go to high numbers.
With that said, the METRO interface at level 0 (lowest security) looks good, but the GlobalAir and LOCAL interfaces are also zero. Are these two connections trusted, meaning you've got users on them that access your network? Which interface is used by your users? Then the last interface, "management", is level 100 (looks good). Which IPs are you trying to access the internet from? I'll keep looking and post again shortly.
ASKER CERTIFIED SOLUTION
ASKER
Well...
The Ethernet0/1 interface is the physical connection to the Metro Ethernet handoff from the provider. The Ethernet0/1.1 was (if I'm understanding this correctly) the VLAN tunnel to be established for all inbound and outbound traffic to and from the Metro Ethernet interface. That was named GlobalAir.
The only interfaces that have trusted users are the mgmt interface and LOCAL. LOCAL is set up with an IP range of 10.0.1.X for distribution of IP leases to the network. This will more than likely change once a DC comes into play later on down the road.
After looking at this all day, I have a better grasp of how it's supposed to go down. For me the disconnect was looking at a "proposed" setup on a 2821 Router, and then trying to apply it to the ASA. They're completely different pieces of equipment.
I'll try changing the interfaces around tomorrow morning when I get in to see if it passes traffic.
Also, what would you suggest setting the security levels at for each interface, considering that the GlobalAir and Metro interfaces are public and the LOCAL is internal?
It should be noted that I'm simply getting this up and running until we can pass this over to another company for ongoing maintenance and support.
OK. I see now. It's almost like a frame-relay setup. So yes, the LOCAL interface needs to be set to security-level 100. This should help.
ASKER
Alright, I'll do that.
I'm still hazy on how to implement those changes through the CLI.
To set the security level, log into the ASA via command line, then:
enable
[enable password]
config t
int eth 0/1
security-level 100
That's it !
ASKER
What are the CLI commands for the interface config based on the initial sample? I feel like such a rookie.
The CLI commands to set the security level are as follows:
1. log into the ASA via Telnet/SSH/console cable
2. enter password
3. Use these commands:
enable, then enter the password
configure terminal
interface ethernet 0/1
security-level 100
exit
copy run start
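The thread so far gives only the security-level change; the asker also wanted the rest of the Bell 2821 sample expressed in ASA syntax. The following is an added example (not from the thread, Bell or Cisco) that maps that sample onto ASA 7.0(7) commands, using the interface names, addresses and DHCP range from the posted show run and the security levels recommended above. Assumptions: the parent Ethernet0/0 carries only the tagged VLAN 1188, as Gi0/0 does in the sample, so the untagged METRO address is dropped; LOCAL hosts stay on 10.0.1.0/24 behind PAT to the GlobalAir interface address; the management interface keeps its posted addressing. The sample's `ip address 74.255.62.97 0.0.0.3` line (a wildcard where IOS expects a subnet mask) and its last access-list line (no destination) are left as pasted above and are not reused here.

```cisco
! ASA 7.0 translation of the Bell CE sample, built from the posted show run.
! Added example, not from the thread or from Bell/Cisco. Comment lines start with "!".
hostname ATLGBLASA01
domain-name global.local
!
! Gi0/0 on the 2821 carries only the tagged subinterface, so the ASA parent
! interface gets no nameif/IP; the VLAN 1188 subinterface is the provider-facing side.
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/0.1
 vlan 1188
 nameif GlobalAir
 security-level 0
 ip address 74.253.144.150 255.255.255.252
!
! Internal side: LOCAL is trusted, so security-level 100 as recommended above.
interface Ethernet0/1
 nameif LOCAL
 security-level 100
 ip address 10.0.1.10 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! Default route toward Bell's gateway (ip route 0.0.0.0 0.0.0.0 74.253.144.149 on the router).
! No "tunneled" keyword: on the ASA that keyword restricts the route to VPN-decrypted
! traffic, so ordinary traffic from LOCAL would never use it.
route GlobalAir 0.0.0.0 0.0.0.0 74.253.144.149
!
! 10.0.1.0/24 is private, so LOCAL hosts need translation to reach the Internet.
! Dynamic PAT to the GlobalAir interface address (pre-8.3 nat/global syntax).
nat (LOCAL) 1 10.0.1.0 255.255.255.0
global (GlobalAir) 1 interface
!
! With LOCAL at 100 and GlobalAir at 0, outbound connections are permitted by security
! level alone and inbound connections from GlobalAir are denied unless an access-group
! permits them. The posted LOCAL_access_in matched only the two interface addresses
! ("interface LOCAL" to "interface GlobalAir"), so it blocked every host behind LOCAL;
! if an inbound ACL on LOCAL is wanted at all, it must name the hosts' network.
access-list LOCAL_access_in extended permit ip 10.0.1.0 255.255.255.0 any
access-group LOCAL_access_in in interface LOCAL
!
! Only one level-0 interface remains, so equal-level forwarding is not needed;
! leaving it off keeps the default deny between any future same-level interfaces.
no same-security-traffic permit inter-interface
!
! DHCP for LOCAL, handing out the resolvers Bell listed and the one already in the show run.
! dhcpd auto_config is only for an interface that is itself a DHCP client, so it is omitted.
dhcpd address 10.0.1.20-10.0.1.240 LOCAL
dhcpd dns 205.152.37.23 205.152.144.23
dhcpd lease 3600
dhcpd enable LOCAL
!
! Management plane: ASDM reachable only from the management network, as posted.
http server enable
http 192.168.1.0 255.255.255.0 management
!
! Not translated: "rate-limit output 10000000 ..." on Gi0/0. The ASA polices through a
! policy-map "police" action, which is configured separately from this interface work.
```

Enter the lines from `configure terminal`, then `write memory` (or `copy run start`) as in the steps above; `show route` should then list the GlobalAir default route without the tunneled flag, and `show xlate` will show a translation appear when a LOCAL host first reaches out.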
ASKER
I have no clue what I'm doing. I've gone through the steps as outlined here, but I don't know how to configure each interface either through the CLI or through the GUI.
I was able to get the security level set at 100 for the local connection through the CLI, though....so that's a good thing....right?
At this point, I'd pay someone to remote in and take a look.
Good, so you did set the security level. Has that had any effect on internet traffic?
ASKER
Sadly, there's no internet traffic to be had....and yesterday afternoon I found out why.
AT&T never provisioned their side of the line, so no matter what I did or didn't do, it wasn't going to work anyway.
Nothing like 2 days burned.
Thank you so much for your help, I really appreciate it. They're sending out a tech to provision both sides since my time is up.
Here's a link to configure the ASA via the startup wizard. It walks you through the setup wizard and is very easy to use.