Solved

ASA Basic Configuration

Posted on 2009-07-09
Last Modified: 2012-05-07
I am a greenhorn when it comes to Cisco, but I wanted to see if I could config an ASA 5505 with my cable modem. I am having trouble with accessing the internet. Basic problem I have been reading on many sites, but no one has the solution I am looking for. I cannot tell you how many times I have configured the inside/outside interfaces. I have the config factory-default command down to a science. Nonetheless, I have listed my show run below for viewing. I have my cable modem plugged into Ethernet0/0 as the outside interface for vlan 2 on dhcp server since my ISP does not give out static IPs. I would love to hear anyone's thoughts, the solution is bugging me all to hell.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Question by:phebos
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 300 total points
ID: 24811563
Hi,

- Did you register your ASA's mac-address with your ISP?
- What is the appliance version?
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24811570
DHCP Client

pixfirewall#show running-config
PIX Version 7.1(1)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0


!--- Configures the Security Appliance interface as a DHCP client.
!--- The setroute keyword causes the Security Appliance to set the default
!--- route using the default gateway the DHCP server returns.


 ip address dhcp setroute

!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.14 255.0.0.0


!--- Output is suppressed.



!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24

logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover

asdm image flash:/asdm-511.bin

no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.0.0.0 inside


!--- Output is suppressed.


!
service-policy global_policy global
Cryptochecksum:86dd1153e8f14214524359a5148a4989
: end
0
 
LVL 2

Author Comment

by:phebos
ID: 24813605
I wish it was that easy. My ISP only needs the MAC address of the cable modem, but doesn't require the MAC for the ASA. I am using Cox. The appliance version is 7.2. Thank you for any help you can offer.
0
 
LVL 8

Assisted Solution

by:pgolding00
pgolding00 earned 200 total points
ID: 24814062
from the pix, can you ping any address on the internet? www.google.com is a good test. you will need to config a name-server address in the pix also, which your isp should have given to you.

if the pix works to the internet, then the problem is with translation through the pix. capture these commands when you have a pc on the inside network trying to browse:
sh arp
sh conn
sh xlate
sh route
and there must be some command to show the issued dhcp leases also, but i don't know the exact command. this will verify connectivity from the pc to the pix inside.
0
 
LVL 2

Author Comment

by:phebos
ID: 24815488
Hi pgolding,

Yes, I can currently ping from the PIX. I believe the issue is with going from the inside to the outside interface. Something I just don't understand enough to make sense of it. I listed the following commands for you to look at. I am beginning to think this is broken, but since I can ping from it, it's obviously the fact that I am just too green to figure this out.

The money question for me right now is: shouldn't this work with the current config I have now?
ciscoasa(config)# sh conn
4 in use, 48 most used
UDP out 129.219.17.11:137 in 192.168.1.2:137 idle 0:00:56 flags -
TCP out 129.219.103.50:443 in 192.168.1.2:65436 idle 0:00:04 bytes 22097 flags UIO
ciscoasa(config)# sh xlate
2 in use, 132 most used
PAT Global 10.200.58.69(4) Local 192.168.1.2(137)
PAT Global 10.200.58.69(1141) Local 192.168.1.2(65436)
ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.200.56.1 to network 0.0.0.0

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.200.56.0 255.255.248.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.200.56.1, outside
0
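Added example, not part of any post in this thread: the checks suggested above (default route, PAT translation, connection state) applied to captured sh conn, sh xlate and sh route text for one inside host. The sample capture is constructed in the format of the output posted above, and diagnose() and its verdict strings are hypothetical names.

```python
import re

# Constructed sample capture (documentation addresses), same layout as ASA 7.2 output.
SAMPLE = """\
ciscoasa# sh conn
3 in use, 48 most used
UDP out 198.51.100.11:137 in 192.168.1.2:137 idle 0:00:56 flags -
TCP out 198.51.100.50:443 in 192.168.1.2:65436 idle 0:00:04 bytes 22097 flags UIO
TCP out 198.51.100.60:80 in 192.168.1.3:50111 idle 0:00:09 bytes 0 flags saA
ciscoasa# sh xlate
3 in use, 132 most used
PAT Global 203.0.113.69(4) Local 192.168.1.2(137)
PAT Global 203.0.113.69(1141) Local 192.168.1.2(65436)
PAT Global 203.0.113.69(1142) Local 192.168.1.3(50111)
ciscoasa# sh route
Gateway of last resort is 203.0.113.1 to network 0.0.0.0
C    203.0.113.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
"""

CONN = re.compile(r"^(TCP|UDP) out (\S+?):(\d+) in (\S+?):(\d+) .*flags (\S+)", re.M)
XLATE = re.compile(r"^PAT Global (\S+?)\((\d+)\) Local (\S+?)\((\d+)\)", re.M)
DEFAULT = re.compile(r"^\S*\*\s+0\.0\.0\.0 0\.0\.0\.0 \[\d+/\d+\] via (\S+), (\S+)", re.M)

def diagnose(text, host):
    """Return (verdict, details) for one inside host, checking in path order."""
    route = DEFAULT.search(text)
    xlates = [m for m in XLATE.finditer(text) if m.group(3) == host]
    tcp = [m.group(6) for m in CONN.finditer(text)
           if m.group(1) == "TCP" and m.group(4) == host]
    details = {"gateway": route.group(1) if route else None,
               "xlates": len(xlates), "tcp_flags": tcp}
    if not route or route.group(2) != "outside":
        return "no-default-route", details   # DHCP setroute has not installed a route
    if not xlates:
        return "no-translation", details     # nat/global pair is not matching this host
    # U = connection up, I = inbound data seen, O = outbound data seen
    if any("U" in f and "I" in f for f in tcp):
        return "ok", details
    if tcp:
        # e.g. saA: SYN was sent outbound, nothing has come back yet
        return "no-return-traffic", details
    return "no-connections", details

if __name__ == "__main__":
    for h in ("192.168.1.2", "192.168.1.3", "192.168.1.9"):
        print(h, *diagnose(SAMPLE, h))
```

A no-return-traffic verdict with a route and translation in place points at something beyond the firewall rather than at the ASA configuration.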
 
LVL 2

Author Comment

by:phebos
ID: 24816599
I am looking at what I wrote previously and the configs are different. I am at work to see if this thing works and my last post is a result of the IPs given. I apologize if this confuses anyone. I shouldn't have posted it. I didn't know the ASA 5505 would autoconfig at work. I will be back on here tonight to share the "sh" information at my home, so I can find a resolution for my home. I guess trying to do two things on different LANs isn't going to work. :)
0
 
LVL 2

Author Comment

by:phebos
ID: 24819774
Hey pgolding,

I decided to call Cox again and the person I spoke with didn't need a MAC address, but did re-provision the cable modem and voilà! She could then see both devices and what would you know, the internet came right up. I think what I learned in this situation is that the factory-default settings allow you to get to the internet if there isn't anything blocking your way and to call your ISP more than once because you never get the same answer twice. :>

Thanks for everyone's help on this. I am probably going to ask more questions when I configure servers I have, security and etc.

0
 
LVL 2

Author Closing Comment

by:phebos
ID: 31601465
Thank you again for everyone who helped. I can't believe the solution was as easy as it was, but I did understand a lot more about what Cisco is about and how they configure their devices. Until then, I am sure I will have plenty of server, security, dns and routing questions coming. :)
0
