Solved

Problem connecting to Internet

Posted on 2008-10-16
Last Modified: 2011-10-19
Hi Experts,

For some reason my ASA 5505 router has stopped connecting to the internet. A few days ago the ADSL router stopped functioning for some reason, so it had to be replaced. So I bought a new ADSL router, configured it, and everything is working fine. I configured the ASA WAN as a DHCP client to obtain its IP from the ADSL router; its running config is shown below.

ciscoasa# show running-configline protocol is downmedia 0:
: Savedp-invit
:0
ASA Version 7.2(3)ct 0:02:00y
  Hard
!r
hostname ciscoasa00 Mbps          
domain-name default.domain.invalidto-Duplex, Auto-Speed            
enable password 8Ry2YjIyt7RRXU24 encryptedt configured via nameif
timeout uauth 0:05
namessolut
!
interface Vlan1       MAC addr
 nameif LAN8.13ea, MTU
 security-level 100                
c
 ip address 10.49.0.5 255.255.255.0unassigned.255.255.0 insidew runnin
 ospf cost 10 packets inpu
!
interface Vlan2ffer          
 nameif WAN          
 security-level 0  Received 0 broa
 ip address dhcp setroute:
ASA Version 7.2(3)    
 ospf cost 10
no snmp
   
!
interface Ethernet0/0, 0 frame, 0 overrun,
 switchport access vlan 2    
                   
 speed 100          
 duplex fu    
   
interface Ethernet0/5          
        0
!t
interface Ethernet0/6ns, 0 interface reset
!
interface Ethernet0/7        
ssh timeout
!
passwd 2KFQnbNIdI.2KYOU encryptede collisions, 0 deferredide      
ftp mode passive
dhcpd auto_conf
dns server-group DefaultDNSr, 0 no carrier            
 domain-name default.domain.invalidate limit dropsrnet0/3licy        
access-list inside_access_in extended permit udp interface LAN interface WAN  
Interface Ethernet0/6 "", is down, line protocol is down global_policynet
access-list outside_access_out extended permit udp interface WAN interface LANlt/6                        
        Auto-Duplex, Auto-SpeedapMbps          
access-list inside_access_out extended permit udp interface LAN interface WAN                  
  inspect h3
        MAC address 001f.catp mode        
 
icmp unreachable rate-limit 1 burst-size 1                    
  inspect sunrpcce i
asdm image disk0:/asdm-523.binode drops    
  inspect xdmcp
no asdm history enablengress policy drops  
arp timeout 14400    
  inspect n

global (WAN) 1 interface 0 bytes, 0 underrunstft
nat (LAN) 1 0.0.0.0 0.0.0.0config-if)#    
        0 o
access-group inside_access_out out interface LANbinollisions,                                  
timeout xlate 3:00:00es, 0 late collisions
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02   0 lost carrier, 0 no carrier 14400 0 no carrier              
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-ptch egress policy drops                
                   
       
 
ssh timeout 5 0 broadcasts
console timeout 0spection_defaulto
dhcp-client client-id interface WAN     0 input errors, 0 CRC, 0 frame
dhcpd auto_config WAN, 0 abortbytesraffic"
!
dhcpd address 10.49.0.6-10.49.0.133 LAN              
        0 L2 decode drop
dhcpd enable LAN        
     
!0

!i
class-map inspection_default32824 bytesp                
 match default-inspection-trafficytes, 0 un8E6095, BW 1          
!
!
 class ins
  inspect dns preset_dns_map0 rate limit drops1 minute o
  inspect ftpkt
        0
  inspect h323 h225 dropsMTU not      
  inspect h323 ras    
ciscoasa(conf
  inspect rsh            
  inspect rtspg-if)#        
  inspect esmtpcoasa(config-if
  inspect sqlnetect h
ciscoasa(c
  inspect skinny/0              
  inspect sunrpciscoasa(config-i
  inspect xdmcps/sec,  33 byte
  inspect sipa(config-if)#
  inspect netbios            
  i
  inspect tftperface Vlan1 "
!N
service-policy global_policy globalinute output rate 0 pkts/sec,  13 b
prompt hostname contextre is EtherSVI        
Cryptochecksum:b0433fe778d85319b15f8331762e7a3d, MTU 1500 0 in                    
      5 mi
: endr
   
ciscoasa#dress 10.
ciscoasa#bn      
ciscoasa#        
!
hostname ciscoasa965 packets outpu
domain-name default.domain.invalid    
cis  
        0
        57
enable password 8Ry2YjIyt7RRXU24 encrypted
      1 minute input rate 0 pkts/sec,  0
names/sec
!
interface Vlan1        0 rate
 nameif LAN  
      1
 security-level 1000 pkts/sec,  0 byte
 ip address 10.49.0.5 255.255.255.0                    
      1 minute
 ospf cost 10pkts/secrnet0
!
interface Vlan2protocol is
 
 nameif WAN input rate
 security-level 0tes/sec          
 ip address dhcp setroute              
      5 mi
 ospf cost 10te 0 pkts/sec
!
interface Ethernet0/0                    
 switchport access vlan 2  5 minute drop rate, 0 p
 speed 100Speed(100
 duplex full        
In
!r
interface Ethernet0/1p, line protocol is u
!
interface Ethernet0/27.2(3)              
!
interface Ethernet0/3VI                  
!
interface Ethernet0/                  
 domain-name default.domain.invalid        
        194 packets output
access-list inside_access_in extended permit udp interface LAN interface WANopped                        

 
      1 minute input rate 0 pkts/sec,  0
access-list outside_access_out extended permit udp interface WAN interface LANut rate 0 pkts/sec,  0 bytes/secignednes 24ss 001f.ca08.1                    
access-list inside_access_out extended permit udp interface LAN interface WAN
      5 minute input rate 0 pkts/sec,  9 bytes/sec                          
access-list inside_access_out extended permit tcp interface LAN interface WANeceived 0 broadcasts, 0 runts, 0 giantsurst-size
      5 minute drop rate, 0
pager lines 24              
arp timeout 14400ured via nameiftc
global (WAN) 1 interface0.0                
   
nat (LAN) 1 0.0.0.0 0.0.0.03e5, MTU not settput, 0 byt
access-group inside_access_out out interface LANddress unassigned  
        19 switch ingress
 
timeout xlate 3:00:00nput, 6367881 bytes,
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        Received 4754 broadcasts, 0 runts, 0 giantsbps          
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:000 overrun, 0 ignored, 0 abortuto-Speedttp server enableterface Ethern        
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:004 switch ingress policy drops                                    
           
telnet timeout 5ropsAC addr    
ssh timeout 5
        0 sw
console timeout 0 dropscasts, 0 ru
dhcp-client client-id interface WANEthernet0/1 "", is down, line proto
dhcpd auto_config WANss                  
!
dhcpd address 10.49.0.6-10.49.0.133 LAN095, BW 100 Mbpsswitch ingress policy d
dhcpd enable LAN   Auto-Duplex,
!t

!p
class-map inspection_default    
        Available but
 match default-inspection-traffictput, 0 bytes, 0 underruns      
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b0433fe778d85319b15f8331762e7a3d
: end

Appreciate any help
mcse2007
0
Question by:mcse2007
9 Comments
 
LVL 10

Expert Comment

by:kyleb84
ID: 22736615
Are you getting a DHCP lease on your WAN if?

  sh ip int br

Can you ping your DSL modem from the PIX?

  ping [ip]

0
 
LVL 7

Author Comment

by:mcse2007
ID: 22736654
Yes
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22736702
Can you copy and paste your config again? Use something like PuTTY to connect to it; what you've pasted looks like garbage. I'm assuming you used HyperTerminal?

0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22736708
0

 
LVL 7

Author Comment

by:mcse2007
ID: 22736748
Is that better?

TarkettPIX# show running-config
: Saved
:
ASA Version 7.2(3)
!
hostname TarkettPIX
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif LAN
 security-level 100
 ip address 10.49.0.5 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif WAN
 security-level 0
 ip address dhcp setroute
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list inside_access_in extended permit udp interface LAN interface WAN
access-list outside_access_out extended permit udp interface WAN interface LAN
access-list inside_access_out extended permit udp interface LAN interface WAN
access-list inside_access_out extended permit tcp interface LAN interface WAN
access-list LAN_access_in extended permit udp interface LAN interface WAN
access-list outside-in extended permit icmp any any
pager lines 24
logging asdm informational
mtu LAN 1500
mtu WAN 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 1 0.0.0.0 0.0.0.0
access-group LAN_access_in in interface LAN
access-group inside_access_out out interface LAN
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.49.0.0 255.255.255.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface WAN
dhcpd auto_config WAN
!
dhcpd address 10.49.0.6-10.49.0.133 LAN
dhcpd enable LAN
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:33dfce0de2de061e11f4461fe3abd53b
: end
TarkettPIX#
0
 
LVL 8

Expert Comment

by:Jay_Gridley
ID: 22741773
What you are missing is a default route to the outside. This must be the next hop to the outside (either the (inside) IP address of your ADSL modem or the first hop to your internet provider, depending on your configuration).
Use the following command:
route outside 0.0.0.0 0.0.0.0 <next-hop-IP>

Also, I would suggest changing your NAT from all (0.0.0.0) to just your LAN:
no nat (LAN) 1 0.0.0.0 0.0.0.0
nat (LAN) 1 10.49.0.0 255.255.255.0

JG.
0
 
LVL 7

Author Comment

by:mcse2007
ID: 22746540
Still no luck after adding the above config. I must say ASA is a good device to secure your network, but if you cannot bloody use it, it is worthless and quite frustrating. I've enclosed my latest running config.
runn-config.txt
0
 
LVL 8

Accepted Solution

by:
Jay_Gridley earned 300 total points
ID: 22747128
You are missing a NAT statement now.
You have successfully removed the 'nat all' part. You need to add the following:

nat (LAN) 1 10.49.0.0 255.255.255.0

If this still doesn't help, you can try to remove the access-lists on the inside interface, as these often cause unexpected behaviour:
no access-group LAN_access_in_1 in interface LAN
no access-group LAN_access_out out interface LAN

And I agree on the frustration part, but I find that's with a lot of things ;-)
0
 
LVL 7

Author Closing Comment

by:mcse2007
ID: 31506952
Thank You Jay Gridley

Happy Days !!!
0
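
An added example (not written by any poster in this thread): a small Python check over an ASA 7.x-style config for the two things the accepted answer points at, a `global` pool with no matching `nat` rule and ACLs bound with `access-group`. The sample config is constructed from lines posted above, the finding names are this example's own, and the ACL check relies on the `interface <name>` keyword in an ACE matching only the firewall's own address on that interface.

```python
import re

# Constructed sample: NAT/ACL lines from the second config posted in this
# thread, with the 'nat (LAN) 1 ...' line removed as the accepted answer describes.
SAMPLE = """\
access-list LAN_access_in extended permit udp interface LAN interface WAN
access-list inside_access_out extended permit tcp interface LAN interface WAN
global (WAN) 1 interface
access-group LAN_access_in in interface LAN
access-group inside_access_out out interface LAN
"""

def audit(config):
    """Return (finding, detail) tuples for an ASA 7.x-style running config."""
    nat_ids, global_ids, acls, groups, findings = set(), set(), {}, [], []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"nat \((\S+)\) (\d+) ", line):
            nat_ids.add(m.group(2))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            global_ids.add(m.group(2))
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            groups.append(m.groups())
    # A global pool that no nat rule references translates nothing.
    for gid in sorted(global_ids - nat_ids):
        findings.append(("global-without-nat", gid))
    # NAT id 0 is exemption and needs no global pool.
    for nid in sorted(nat_ids - global_ids - {"0"}):
        findings.append(("nat-without-global", nid))
    for name, direction, ifc in groups:
        if name not in acls:
            findings.append(("undefined-acl", name))
            continue
        for ace in acls[name]:
            tok = ace.split()  # e.g. permit udp interface LAN interface WAN
            if len(tok) > 3 and tok[2] == "interface":
                # Source is the firewall's own address, so traffic from hosts
                # behind it never matches and hits the implicit deny.
                findings.append(("source-is-firewall-address",
                                 f"{name} {direction} {ifc}"))
                break  # one finding per binding is enough
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
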
