We help IT Professionals succeed at work.

help setting up an ASA 5505 Firewall

I have a Cisco ASA 5505 Firewall behind a Netopia DSL Router.  I'm new to Cisco firewalls but since they had a Start up Wizard I figured it would be no problem, famous last words.  So I used the start up wizard and I'm able to ping the Netopia DSL Router from the firewalls outside interface but nothing beyond that which also means that none of the computers behind the firewall can get out either, is this a static route issue or DNS issue?  I realize my information is vague but I figured it would be easier to answer someones questions than to just fill my question with useless information.  I know this is a real newbie question but be gentle:)  Thanks you  anybody for your time.    
Watch Question

If your DSL router has an IP address that you can ping, it means that it is currently configured to perform network address translation (NAT).  Have you checked to make sure that the DSL router is set up properly?  Probably the easiest way to do this is to connect a machine directly to one of the LAN (inside) interfaces of the DSL router, see if you get an IP address from it via DHCP and then try to get to the Internet.  This would mean that you're taking the ASA 5505 out of the picture as the possible cause of the connectivity issue.

If you can get to the Internet in this fashion, then we have to look at the ASA as the possible problem and you should post it's current running configuration (sanitized, of course).  If you still cannot get to the Internet from a PC or other machine directly attached to the DSL router, then you need to look at the configuration of the DSL router itself as the source of your issue.

Have you modified the configuration of the DSL router from the way it came originally from your ISP?


batry boy

I have a static dsl account through SBC so as far as I know I am not receiving any IP addresses via DHCP, we were given a range of 5 addresses.  I have successfully attached a computer to just the Netopia router and ,with manually configuring the IP address with one of the static IP's given to use from SBC, surfed the Internet.  If this helps I've configured the Netopia router via this link from Netopia.  http://www.netopia.com/support/hardware/technotes/CQG_042.html
I am not in front of the cisco firewall at the moment so I will post the config later tonight.  Thanks
In particular, you want to verify that the outside ASA interface has one of the 5 public IP's assigned to you and that the "route outside" statement on the ASA points to the Netopia's IP address on that same subnet.


Here is my running config from the ASA.  Let me know what you think.

: Saved
ASA Version 7.2(3)
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address (outside IP)
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
 switchport access vlan 3
interface Ethernet0/7
 switchport access vlan 3
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
route outside (outside IP) (Netopia IP) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

The "route outside" command needs to be changed.  It should look like this:

route outside (Netopia IP)

To change it, use these commands:

no route outside (outside IP) (Netopia IP)
route outside (Netopia IP)

Substitute the appropriate values for the ones in parentheses...:)


I will try this tomorrow and let you know how it goes.  Thanks


I changed the outside route but it hasn't changed my problem.  One thing I did forget to mention was that, I used the packet tracer tool to see if that would give me any info on the connection.  I run through the process and it stops at the Access list and says any IP outbound is dropped by an implicit rule.  If you go to the Security Policy settings it will not let you delete this implicit rule.  Does this shed any light on the problem?
I don't quite understand that since you don't have any ACL's defined.  In the absence of ACL's, the default behavior is to allow all traffic from a higher security level interface (inside) to a lower security level interface (outside).  The ASA config you posted above is the current running configuration?


The config above is the current running config, except for the changes you had me make which I forgot to mention that when I changed the outside static route to the (Netopia)  I am now able to ping from the ASA to any outside IP address which I couldn't do before.  But if I do a packet trace it drops the packet when it comes to the ACL.  And any computers behind the firewall are still not able to connect to the Internet.  


I feel stupid but I found the no internet connection problem.  I forgot to plug my DNS server back in, total rookie mistake.  So what fixed the problem was the static route you mentioned before.  Thanks.  Would you have any good documentation or sites about securing ASA 5505?  Thanks again.  


Thanks again.
Glad you got it resolved!

Explore More ContentExplore courses, solutions, and other research materials related to this topic.