Solved

Need help with basic Cisco ASA5505 configuration

Posted on 2008-11-08
Last Modified: 2012-05-05
I need help with the following:

1. I am unable to access the internet.  The problem appears to be the lack of a route from the Internal network to the external network.  I receive an error that states "Failed to locate egress interface for UDP from inside:192.168.1.5/49534 to 68.94.156.1/53"

2. In addition, I need help reviewing the Running Config for errors/additions/deletions.  I have a very basic setup with a DSL router connected to the internet and a Cisco ASA5505 connected to the DSL router.  The 2 Wire (AT&T) DSL router has the following settings:
IP: 68.92.124.191
Subnet: 255.255.255.255
Default Gateway: 68.92.125.254
DNS1: 68.94.156.1
DNS2: 68.94.157.1

and the settings if I plug directly into the 2 Wire (AT&T) router with my notebook are:
IP: 192.168.1.72
Subnet: 255.255.255.0
Default Gateway: 192.168.1.254
DHCP Server: 192.168.1.254
DNS: 192.168.1.254

I am not familiar with the Cisco CLI and have only briefly used the ASDM.  The config script on my Cisco ASA5505 is as follows:

Version 8.0(2)
!
hostname MSHOME
domain-name MSHOME
enable password M0KUCZtEMBb0sdbj encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name MSHOME
pager lines 24
logging enable
logging asdm informational
logging from-address bryan@genesisfundingsource.com
logging recipient-address bryan@genesisfundingsource.com level critical
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f518ef3fbad8a5cbf8410d83bce8d7c4
: end

Question by: bkwatts

10 Comments
 
LVL 2

Expert Comment

by:dano2112
ID: 22913268

bkwatts...

Hello!  I think this may be an easy fix for you.  Let's look at your current config for your outside interface, which happens to be Vlan2:

interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute

That last line says that you want to receive an IP address from your provider using DHCP and that "setroute" option says that the default-route to the provider's network should also be set via DHCP when the IP address is assigned.

However, further down in your config, you've got a static default route statement that reads:
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

With this statement in the config, that's going to override any default route that's received via DHCP.  Go ahead and remove that statement.  From a command line, you would do the following:

asa#config t
asa(config)#no route outside 0.0.0.0 0.0.0.0 192.168.1.254 1

Save that config and reset your ASA.  Your default route should get set automatically via DHCP.  If it doesn't, you may need to manually specify a different default route statement.  That would be something like this:

asa#config t
asa(config)#route outside 0.0.0.0 0.0.0.0 68.92.125.254 1

I'm thinking, though, that just removing your current static route outside statement and restarting the ASA should allow you to pick up the correct route from the provider.

Hope this helps!

Author Comment

by:bkwatts
ID: 22913395
I still get the same error "Failed to locate egress interface for UDP" after trying both deleting the static route and also when I add the suggested static route.
LVL 79

Accepted Solution

by: lrmoore (earned 2000 total points)
ID: 22913803
The issue is that your DSL router is assigning you a 192.168.1.x ip address, and that is the same IP subnet that you are using on the inside interface of the ASA. So basically you have the same network on both sides which cannot work.
If you put the 2-wire into pure bridge mode, the ASA would get the 68.92.x.x IP address directly on the outside interface instead of the 192.168.1.x being handed out by the modem.
You may have to setup the PPPoE username/password in the ASA config.
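As an added example (not code from this thread), a small Python check that models the two defects diagnosed above: dano2112's point that the static default route names the outside interface while its next hop 192.168.1.254 sits on the inside subnet, and lrmoore's point that the 2Wire's 192.168.1.x lease puts both ASA interfaces on the same network. The config excerpt and the 192.168.1.72/24 lease are constructed from the values in the question.

```python
import ipaddress
import re

# Constructed excerpt of the first config posted above: inside interface,
# DHCP outside interface, and the static default route toward the 2Wire.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
"""


def parse_config(text):
    """Return (static interface addresses, DHCP interface names, static routes)."""
    ifaces, dhcp, routes, name = {}, set(), [], None
    for line in text.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m.group(1)
        elif re.match(r"\s*ip address dhcp", line):
            dhcp.add(name)
        elif m := re.match(r"\s*ip address (\S+) (\S+)$", line):
            ifaces[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            routes.append((m.group(1), net, ipaddress.ip_address(m.group(4))))
    return ifaces, dhcp, routes


def audit(text, leases):
    """Flag routing defects; `leases` maps a DHCP interface to the lease it received."""
    ifaces, dhcp, routes = parse_config(text)
    for name in dhcp & set(leases):
        ifaces[name] = ipaddress.ip_interface(leases[name])
    findings = []
    # A static route is usable only if its next hop is on the connected subnet
    # of the interface the route names; otherwise the egress lookup fails.
    for via, net, nexthop in routes:
        owners = sorted(n for n, i in ifaces.items() if nexthop in i.network)
        if via not in owners:
            findings.append(("nexthop-not-on-interface", via, str(nexthop), owners))
    # The same subnet on two interfaces leaves the ASA unable to tell the sides apart.
    names = sorted(ifaces)
    for k, a in enumerate(names):
        for b in names[k + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(("overlap", a, b, str(ifaces[a].network)))
    return findings
```

Run `audit(SAMPLE_CONFIG, {})` to see the static-route finding, and `audit(SAMPLE_CONFIG, {"outside": "192.168.1.72/24"})` to see the overlap that remained once the route was removed.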
LVL 2

Expert Comment

by:dano2112
ID: 22914967

bk...

I believe lrmoore is absolutely correct.  To verify, you can login to the ASA GUI screen and on the home page, in the upper right corner, it should give you an interface summary.  The outside interface should be listed and it should also tell you what IP you picked up from DHCP.  If the IP is 192.168.1.x, then you definitely picked up an address from the 2wire DSL device instead of directly from your ISP.

Your ISP support department should be able to help you put that 2wire into bridge mode.  You can probably connect your laptop directly to it like you did previously and then browse to http://192.168.1.254 but more than likely, you'll need some type of username and password to get into it.

Good luck!

Author Comment

by:bkwatts
ID: 22915117
Thank you for the suggestions.  I went to the 2 Wire Router and modified the DHCP settings to a subnet that is different from the internal network.  I now have internet access and it is working fine.  

I have two issues that I will need to resolve.  First, I am still getting the following error ... "Failed to locate egress interface for UDP from inside:fe80::e5bf:9532:87a9:dbef/57161 to ff02::1:3/5355".
Second, are there any config changes that I should make to the current config file?

ASA Version 8.0(2)
!
hostname MSHOME
domain-name MSHOME
enable password M0KUCZtEMBb0sdbj encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name MSHOME
pager lines 24
logging enable
logging asdm informational
logging from-address bryan@genesisfundingsource.com
logging recipient-address bryan@genesisfundingsource.com level critical
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fd429d2586ad3a1c862eb93a8e88d763
: end

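As an added example (not from the thread), a Python triage of the two "Failed to locate egress interface" messages quoted in this question: the first names a unicast Internet destination with no usable route, while the second is an IPv6 link-local multicast lookup (ff02::1:3 on UDP 5355 is the LLMNR group Windows hosts query on the LAN, which no route can ever satisfy), so the two deserve very different attention. The sample lines are copied from the messages quoted above.

```python
import ipaddress
import re

# The two ASA messages quoted in this thread, used here as sample input.
SAMPLE_LOGS = [
    "Failed to locate egress interface for UDP from inside:192.168.1.5/49534 to 68.94.156.1/53",
    "Failed to locate egress interface for UDP from inside:fe80::e5bf:9532:87a9:dbef/57161 to ff02::1:3/5355",
]

EGRESS_MSG = re.compile(
    r"Failed to locate egress interface for (?P<proto>\S+) from "
    r"(?P<ifc>[^:\s]+):(?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+)"
)
LINK_LOCAL_MCAST = ipaddress.ip_network("ff02::/16")


def triage(line):
    """Classify one egress-lookup failure; returns None for any other message."""
    m = EGRESS_MSG.search(line)
    if not m:
        return None
    dst = ipaddress.ip_address(m["dst"])
    if dst.version == 6 and dst in LINK_LOCAL_MCAST:
        # Link-local-scope multicast is never forwarded; ff02::1:3 on UDP 5355 is
        # LLMNR from Windows hosts, so this is LAN noise rather than a routing fault.
        cause = "LLMNR link-local multicast" if m["dport"] == "5355" else "link-local multicast"
        return {"severity": "info", "cause": cause, "dst": str(dst)}
    if not dst.is_private:
        # Unicast Internet destination with no egress interface: a missing or
        # unusable default route, as in the originally posted config.
        return {"severity": "high", "cause": "no usable route to Internet destination", "dst": str(dst)}
    return {"severity": "medium", "cause": "no route to internal destination", "dst": str(dst)}


def triage_all(lines):
    """Return the triage result for every line that is an egress failure."""
    return [r for r in map(triage, lines) if r is not None]
```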
LVL 5

Expert Comment

by:devangshroff
ID: 22915748
Is there a DHCP server enabled on the AT&T router? If yes, just disable it first.
Then on the outside interface of the ASA give IP address 192.168.1.1,

inside as 10.10.10.1,

and the gateway in the ASA as
route outside 0.0.0.0 0.0.0.0 <IP address of the AT&T router>.

This will do double NATing on the ASA.
LVL 79

Expert Comment

by:lrmoore
ID: 22916403
>ASA Version 8.0(2)
I know there are lots of bugs in this version. Suggest 8.0(4)
You can also clear arp cache or reboot the asa and see if that error goes away.

Glad you got Internet working!
I don't see anything glaring in the config that you would need to change. It's pretty well secured out of the box with just the basic configs on it.

Author Comment

by:bkwatts
ID: 22916730
Thank you lrmoore for all your assistance.  You have been spot on with all your comments.  And a big thank you to everyone else for your suggestions.

I do have one last question.  I purchased a SmartNet subscription when I purchased the ASA 5505 and did not receive the documentation yet.  Will I need to wait to receive those documents and some sort of key before I can upgrade to ASA Version 8.0(4)?

LVL 79

Expert Comment

by:lrmoore
ID: 22916759
Smartnet registration is supposed to be electronic, done by the reseller. The reseller should be able to provide you the smartnet contract number. If you don't already have a CCO login and an active smartnet contract on anything else, then yes, you'll need that before you can register to get a login that will allow you to download the update.

Author Closing Comment

by:bkwatts
ID: 31514690
lrmoore,  Thank you for the quick and accurate information.  I really appreciate the help.
bkwatts
