  • Status: Solved

ASA Basic Configuration

I am a greenhorn when it comes to Cisco, but I wanted to see if I could config an ASA 5505 with my cable modem. I am having trouble with accessing the internet. Basic problem I have been reading on many sites, but no one has the solution I am looking for. I cannot tell you how many times I have configured the inside/outside interfaces. I have the config factory-default command down to a science. Nonetheless, I have listed my show run below for viewing. I have my cable modem plugged into Ethernet0/0 as the outside interface for vlan 2 on dhcp server since my ISP does not give out static IPs. I would love to hear anyone's thoughts, the solution is bugging me all to hell.

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

0
Asked by: phebos
3 Solutions
 
Istvan Kalmar Commented:
Hi,

- Did you register your ASA's MAC address with your ISP?
- What is the appliance version?
0
 
Istvan Kalmar Commented:
DHCP Client

pixfirewall#show running-config
PIX Version 7.1(1)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0


!--- Configures the Security Appliance interface as a DHCP client.
!--- The setroute keyword causes the Security Appliance to set the default
!--- route using the default gateway the DHCP server returns.


 ip address dhcp setroute

!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.14 255.0.0.0


!--- Output is suppressed.



!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24

logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover

asdm image flash:/asdm-511.bin

no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.0.0.0 inside


!--- Output is suppressed.


!
service-policy global_policy global
Cryptochecksum:86dd1153e8f14214524359a5148a4989
: end
0
 
phebos (Author) Commented:
I wish it was that easy. My ISP only needs the MAC address of the cable modem, but doesn't require the MAC for the ASA. I am using Cox. The appliance version is 7.2. Thank you for any help you can offer.
0
 
pgolding00 Commented:
From the PIX, can you ping any address on the internet? www.google.com is a good test. You will need to config a name-server address in the PIX also, which your ISP should have given to you.

If the PIX works to the internet, then the problem is with translation through the PIX. Capture these commands when you have a PC on the inside network trying to browse:
sh arp
sh conn
sh xlate
sh route
and there must be some command to show the issued DHCP leases also, but I don't know the exact command. This will verify connectivity from the PC to the PIX inside.
0
 
phebos (Author) Commented:
Hi pgolding,

Yes, I can currently ping from the PIX. I believe the issue is with going from the inside to the outside interface. Something I just don't understand enough to make sense of it. I listed the following commands for you to look at. I am beginning to think this is broken, but since I can ping from it, it's obviously the fact that I am just too green to figure this out.

The money question for me right now is: shouldn't this work with the current config I have now?
ciscoasa(config)# sh conn
4 in use, 48 most used
UDP out 129.219.17.11:137 in 192.168.1.2:137 idle 0:00:56 flags -
TCP out 129.219.103.50:443 in 192.168.1.2:65436 idle 0:00:04 bytes 22097 flags UIO
ciscoasa(config)# sh xlate
2 in use, 132 most used
PAT Global 10.200.58.69(4) Local 192.168.1.2(137)
PAT Global 10.200.58.69(1141) Local 192.168.1.2(65436)
ciscoasa(config)# sh route
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is 10.200.56.1 to network 0.0.0.0
 
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.200.56.0 255.255.248.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.200.56.1, outside

0
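
The check pgolding00 suggests, run as a script over the sh conn, sh xlate and sh route output in the post above. This is an added example, not code from anyone in the thread; the function name triage, its finding messages and the inside_net default are assumptions made for illustration.

```python
import ipaddress
import re

# Sample input: trimmed from the output posted above, with the wrapped
# "flags UIO" line rejoined.
SAMPLE = """\
ciscoasa(config)# sh conn
UDP out 129.219.17.11:137 in 192.168.1.2:137 idle 0:00:56 flags -
TCP out 129.219.103.50:443 in 192.168.1.2:65436 idle 0:00:04 bytes 22097 flags UIO
ciscoasa(config)# sh xlate
PAT Global 10.200.58.69(4) Local 192.168.1.2(137)
PAT Global 10.200.58.69(1141) Local 192.168.1.2(65436)
ciscoasa(config)# sh route
d*   0.0.0.0 0.0.0.0 [1/0] via 10.200.56.1, outside
"""

CONN = re.compile(r"^(TCP|UDP) out ([\d.]+):\d+ in ([\d.]+):\d+ .*flags (\S+)", re.M)
XLATE = re.compile(r"^PAT Global ([\d.]+)\(\d+\) Local ([\d.]+)\(\d+\)", re.M)
ROUTE = re.compile(r"^\S+\s+0\.0\.0\.0 0\.0\.0\.0 \[\d+/\d+\] via ([\d.]+), (\w+)", re.M)

def triage(text, inside_net="192.168.1.0/24"):
    """Return (facts, findings) about the inside-to-outside path."""
    inside = ipaddress.ip_network(inside_net)
    facts, findings = {}, []
    route = ROUTE.search(text)
    facts["default_gw"] = route.group(1) if route else None
    if not route:
        findings.append("no default route: DHCP 'setroute' did not install one")
    xl = [(glob, loc) for glob, loc in XLATE.findall(text)
          if ipaddress.ip_address(loc) in inside]
    facts["pat_globals"] = sorted({glob for glob, _ in xl})
    if not xl:
        findings.append("no PAT xlate for inside hosts: check nat/global pair")
    for glob in facts["pat_globals"]:
        if ipaddress.ip_address(glob).is_private:
            findings.append(f"PAT address {glob} is private: another NAT or LAN sits upstream")
    # Conn flags: U = up, I = inbound data, O = outbound data. A TCP conn
    # showing all three has replies coming back through the firewall.
    two_way = [dst for proto, dst, _src, flags in CONN.findall(text)
               if proto == "TCP" and {"U", "I", "O"} <= set(flags)]
    facts["two_way_tcp"] = two_way
    if not two_way:
        findings.append("no TCP conn with flags UIO: no return traffic seen")
    return facts, findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the posted output the only finding is the private PAT address, which matches the follow-up post saying the capture was taken on the work LAN.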
 
phebos (Author) Commented:
I am looking at what I wrote previously and the configs are different. I am at work to see if this thing works and my last post is a result of the IPs given. I apologize if this confuses anyone. I shouldn't have posted it. I didn't know the ASA 5505 would autoconfig at work. I will be back on here tonight to share the "sh" information at my home, so I can find a resolution for my home. I guess trying to do two things on different LANs isn't going to work. :)
0
 
phebos (Author) Commented:
Hey pgolding,

I decided to call Cox again and the person I spoke with didn't need a MAC address, but did re-provision the cable modem and voilà! She could then see both devices and what would you know, the internet came right up. I think what I learned in this situation is that the factory-default settings allow you to get to the internet if there isn't anything blocking your way and to call your ISP more than once because you never get the same answer twice. :>

Thanks for everyone's help on this. I am probably going to ask more questions when I configure servers I have, security and etc.

0
 
phebos (Author) Commented:
Thank you again for everyone who helped. I can't believe the solution was as easy as it was, but I did understand a lot more about what Cisco is about and how they configure their devices. Until then, I am sure I will have plenty of server, security, dns and routing questions coming. :)
0
