Solved

ASA Basic Configuration

Posted on 2009-07-09
522 Views
Last Modified: 2012-05-07
I am a greenhorn when it comes to Cisco, but I wanted to see if I could config an ASA 5505 with my cable modem. I am having trouble with accessing the internet. It's a basic problem I have been reading about on many sites, but no one has the solution I am looking for. I cannot tell you how many times I have configured the inside/outside interfaces. I have the config factory-default command down to a science. Nonetheless, I have listed my show run below for viewing. I have my cable modem plugged into Ethernet0/0 as the outside interface for vlan 2 on dhcp server since my ISP does not give out static IPs. I would love to hear anyone's thoughts; the solution is bugging me all to hell.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

0
Question by:phebos
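An added check, not from this thread or from Cisco, that parses a running-config like the one above and reports what a basic DHCP-addressed-outside setup is missing (setroute, a switchport in the outside VLAN, a matching nat/global pair) and whether management access is open on the outside interface. SAMPLE_CFG is a constructed, trimmed copy of the question's config, and the checks assume the ASA 7.x nat/global syntax shown there.

```python
# Added example, not from the thread: sanity-check an ASA 7.x-style running-config for
# a basic "inside -> DHCP-addressed outside" setup; SAMPLE_CFG is a constructed trim.
import re

SAMPLE_CFG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 2
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
http 192.168.1.0 255.255.255.0 inside
"""

def parse_interfaces(cfg):
    """Return {interface: [sub-commands]}; '!' or any top-level line ends a block."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur and line.startswith(" "):
            ifaces[cur].append(line.strip())
        else:
            cur = None
    return ifaces

def check_outbound(cfg):
    """Return a list of findings; an empty list means nothing obvious is missing."""
    ifaces = parse_interfaces(cfg)
    names = {c.split()[1]: i for i, cmds in ifaces.items()
             for c in cmds if c.startswith("nameif ")}
    if "inside" not in names or "outside" not in names:
        return ["both an 'inside' and an 'outside' nameif are required"]
    out, findings = names["outside"], []
    if "ip address dhcp setroute" not in ifaces[out]:
        findings.append(f"{out}: DHCP client lacks 'setroute', so no default route is learned")
    vlan = re.match(r"Vlan(\d+)$", out)  # on a 5505 the VLAN needs a switchport member
    if vlan and not any(f"switchport access vlan {vlan.group(1)}" in c for c in ifaces.values()):
        findings.append(f"{out}: no Ethernet0/x port is assigned to this VLAN")
    nat_ids = set(re.findall(r"^nat \(inside\) (\d+) ", cfg, re.M))
    if not nat_ids & set(re.findall(r"^global \(outside\) (\d+) interface", cfg, re.M)):
        findings.append("no 'nat (inside) N' has a matching 'global (outside) N interface' (PAT)")
    if m := re.search(r"^(http|telnet|ssh) \S+ \S+ outside$", cfg, re.M):  # mgmt stays inside-only
        findings.append(f"{m.group(1)} access is permitted from the outside interface")
    return findings
```

On the question's config this returns no findings, which matches the thread's conclusion that the ASA side was fine and the problem was the modem provisioning.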
8 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 300 total points
ID: 24811563
Hi,

- Did you register your ASA's MAC address with your ISP?
- What is the appliance version?
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24811570
DHCP Client

pixfirewall#show running-config
PIX Version 7.1(1)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0


!--- Configures the Security Appliance interface as a DHCP client.
!--- The setroute keyword causes the Security Appliance to set the default
!--- route using the default gateway the DHCP server returns.


 ip address dhcp setroute

!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.14 255.0.0.0


!--- Output is suppressed.



!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24

logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover

asdm image flash:/asdm-511.bin

no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.0.0.0 inside


!--- Output is suppressed.


!
service-policy global_policy global
Cryptochecksum:86dd1153e8f14214524359a5148a4989
: end
0
 
LVL 2

Author Comment

by:phebos
ID: 24813605
I wish it was that easy. My ISP only needs the MAC address of the cable modem, but doesn't require the MAC for the ASA. I am using Cox. The appliance version is 7.2. Thank you for any help you can offer.
0
 
LVL 8

Assisted Solution

by:pgolding00
pgolding00 earned 200 total points
ID: 24814062
From the PIX, can you ping any address on the internet? www.google.com is a good test. You will need to config a name-server address in the PIX also, which your ISP should have given to you.

If the PIX works to the internet, then the problem is with translation through the PIX. Capture these commands when you have a PC on the inside network trying to browse:
sh arp
sh conns
sh xlate
sh route
and there must be some command to show the issued DHCP leases also, but I don't know the exact command. This will verify connectivity from the PC to the PIX inside.
0
 
LVL 2

Author Comment

by:phebos
ID: 24815488
Hi pgolding,

Yes, I can currently ping from the PIX. I believe the issue is with going from the inside to the outside interface. Something I just don't understand enough to make sense of it. I listed the following commands for you to look at. I am beginning to think this is broken, but since I can ping from it, it's obviously the fact that I am just too green to figure this out.

The money question for me right now is: shouldn't this work with the current config I have now?
ciscoasa(config)# sh conn
4 in use, 48 most used
UDP out 129.219.17.11:137 in 192.168.1.2:137 idle 0:00:56 flags -
TCP out 129.219.103.50:443 in 192.168.1.2:65436 idle 0:00:04 bytes 22097 flags UIO

ciscoasa(config)# sh xlate
2 in use, 132 most used
PAT Global 10.200.58.69(4) Local 192.168.1.2(137)
PAT Global 10.200.58.69(1141) Local 192.168.1.2(65436)

ciscoasa(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 10.200.56.1 to network 0.0.0.0

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.200.56.0 255.255.248.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.200.56.1, outside


0
 
LVL 2

Author Comment

by:phebos
ID: 24816599
I am looking at what I wrote previously and the configs are different. I am at work to see if this thing works and my last post is a result of the IPs given. I apologize if this confuses anyone. I shouldn't have posted it. I didn't know the ASA 5505 would autoconfig at work. I will be back on here tonight to share the "sh" information at my home, so I can find a resolution for my home. I guess trying to do two things on different LANs isn't going to work. :)
0
 
LVL 2

Author Comment

by:phebos
ID: 24819774
Hey pgolding,

I decided to call Cox again and the person I spoke with didn't need a MAC address, but did re-provision the cable modem and voila! She could then see both devices and what would you know, the internet came right up. I think what I learned in this situation is that the factory-default settings allow you to get to the internet if there isn't anything blocking your way, and to call your ISP more than once because you never get the same answer twice. :>

Thanks for everyone's help on this. I am probably going to ask more questions when I configure servers I have, security and etc.

0
 
LVL 2

Author Closing Comment

by:phebos
ID: 31601465
Thank you again for everyone who helped. I can't believe the solution was as easy as it was, but I did understand a lot more about what Cisco is about and how they configure their devices. Until then, I am sure I will have plenty of server, security, dns and routing questions coming. :)
0