Solved

ASA Basic Configuration

Posted on 2009-07-09
Last Modified: 2012-05-07
I am a greenhorn when it comes to Cisco, but I wanted to see if I could config an ASA 5505 with my cable modem. I am having trouble with accessing the internet. Basic problem I have been reading on many sites, but no one has the solution I am looking for. I cannot tell you how many times I have configured the inside/outside interfaces. I have the config factory-default command down to a science. Nonetheless, I have listed my show run below for viewing. I have my cable modem plugged into Ethernet0/0 as the outside interface for vlan 2 on dhcp server since my ISP does not give out static IPs. I would love to hear anyone's thoughts, the solution is bugging me all to hell.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/6
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/7
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context

Question by:phebos
8 Comments
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 300 total points
ID: 24811563
Hi,

- Did you register your ASA's MAC address with your ISP?
- What is the appliance version?
0
 
LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 300 total points
ID: 24811570
DHCP Client

pixfirewall#show running-config
PIX Version 7.1(1)
!
hostname pixfirewall
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0


!--- Configures the Security Appliance interface as a DHCP client.
!--- The setroute keyword causes the Security Appliance to set the default
!--- route using the default gateway the DHCP server returns.


 ip address dhcp setroute

!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.0.0.14 255.0.0.0


!--- Output is suppressed.



!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24

logging enable
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover

asdm image flash:/asdm-511.bin

no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.0.0 255.0.0.0 inside


!--- Output is suppressed.


!
service-policy global_policy global
Cryptochecksum:86dd1153e8f14214524359a5148a4989
: end
0
 
LVL 2

Author Comment

by:phebos
ID: 24813605
I wish it was that easy. My ISP only needs the MAC address of the cable modem, but doesn't require the MAC for the ASA. I am using Cox. The appliance version is 7.2. Thank you for any help you can offer.
0
 
LVL 8

Assisted Solution

by:pgolding00
pgolding00 earned 200 total points
ID: 24814062
from the pix, can you ping any address on the internet? www.google.com is a good test. you will need to config a name-server address in the pix also, which your isp should have given to you.

if the pix works to the internet, then the problem is with translation through the pix. capture these commands when you have a pc on the inside network trying to browse:
sh arp
sh conn
sh xlate
sh route
and there must be some command to show the issued dhcp leases also, but i don't know the exact command. this will verify connectivity from the pc to the pix inside.
0
 
LVL 2

Author Comment

by:phebos
ID: 24815488
Hi pgolding,

Yes, I can currently ping from the PIX. I believe the issue is with going from the inside to the outside interface. Something I just don't understand enough to make sense of it. I listed the following commands for you to look at. I am beginning to think this is broken, but since I can ping from it, it's obviously the fact that I am just too green to figure this out.

The money question for me right now is: shouldn't this work with the current config I have now?
ciscoasa(config)# sh conn
4 in use, 48 most used
UDP out 129.219.17.11:137 in 192.168.1.2:137 idle 0:00:56 flags -
TCP out 129.219.103.50:443 in 192.168.1.2:65436 idle 0:00:04 bytes 22097 flags UIO
ciscoasa(config)# sh xlate
2 in use, 132 most used
PAT Global 10.200.58.69(4) Local 192.168.1.2(137)
PAT Global 10.200.58.69(1141) Local 192.168.1.2(65436)
ciscoasa(config)# sh route
 
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
 
Gateway of last resort is 10.200.56.1 to network 0.0.0.0
 
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.200.56.0 255.255.248.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 10.200.56.1, outside

0
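
Added example (not part of the original thread and not any poster's code): a Python check that reads `sh route`, `sh xlate` and `sh conn` captures the way the troubleshooting steps above suggest, and reports where traffic from an inside host stops. The captures are constructed with documentation addresses, the function names and result codes are this example's own, and the conn flags U, I and O are read as up, inbound data and outbound data.

```python
import re

# Constructed captures in the output format seen in this thread (documentation addresses).
ROUTE = """\
C    198.51.100.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, outside
"""
XLATE = """\
PAT Global 198.51.100.37(1141) Local 192.168.1.2(65436)
PAT Global 198.51.100.37(1142) Local 192.168.1.3(50000)
"""
CONN = """\
TCP out 203.0.113.50:443 in 192.168.1.2:65436 idle 0:00:04 bytes 22097 flags UIO
TCP out 203.0.113.10:80 in 192.168.1.3:50000 idle 0:00:09 bytes 0 flags saA
"""

def default_route(route_text):
    """Return (gateway, interface) of the 0.0.0.0/0 route, or None if absent."""
    m = re.search(r"^\S+\s+0\.0\.0\.0 0\.0\.0\.0 \[\d+/\d+\] via ([\d.]+), (\S+)",
                  route_text, re.M)
    return (m.group(1), m.group(2)) if m else None

def pat_hosts(xlate_text):
    """Inside addresses that currently hold a PAT translation."""
    return set(re.findall(r"^PAT Global \S+ Local ([\d.]+)\(\d+\)", xlate_text, re.M))

def tcp_flags(conn_text):
    """Map each inside host to the flag strings of its TCP connections."""
    flags = {}
    for host, f in re.findall(r"^TCP out \S+ in ([\d.]+):\d+ .* flags (\S+)",
                              conn_text, re.M):
        flags.setdefault(host, []).append(f)
    return flags

def diagnose(host, route_text, xlate_text, conn_text):
    """Classify where outbound traffic from one inside host stops (heuristic)."""
    route = default_route(route_text)
    if route is None or route[1] != "outside":
        return "NO_DEFAULT_ROUTE"   # 'ip address dhcp setroute' did not install a route
    if host not in pat_hosts(xlate_text):
        return "NO_XLATE"           # traffic never reached nat (inside) / global (outside)
    if any("I" in f and "O" in f for f in tcp_flags(conn_text).get(host, [])):
        return "OK"                 # data seen in both directions through PAT
    return "NO_REPLY"               # translated and sent, nothing came back: look upstream

if __name__ == "__main__":
    for h in ("192.168.1.2", "192.168.1.3", "192.168.1.9"):
        print(h, diagnose(h, ROUTE, XLATE, CONN))
```

A NO_REPLY result with a valid default route and PAT entry points past the firewall, to the modem or ISP side.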
 
LVL 2

Author Comment

by:phebos
ID: 24816599
I am looking at what I wrote previously and the configs are different. I am at work to see if this thing works and my last post is a result of the IPs given. I apologize if this confuses anyone. I shouldn't have posted it. I didn't know the ASA 5505 would autoconfig at work. I will be back on here tonight to share the "sh" information at my home, so I can find a resolution for my home. I guess trying to do two things on different LANs isn't going to work. :)
0
 
LVL 2

Author Comment

by:phebos
ID: 24819774
Hey pgolding,

I decided to call Cox again and the person I spoke with didn't need a MAC address, but did re-provision the cable modem and voilà! She could then see both devices and what would you know, the internet came right up. I think what I learned in this situation is that the factory-default settings allow you to get to the internet if there isn't anything blocking your way and to call your ISP more than once because you never get the same answer twice. :>

Thanks for everyone's help on this. I am probably going to ask more questions when I configure servers I have, security and etc.

0
 
LVL 2

Author Closing Comment

by:phebos
ID: 31601465
Thank you again to everyone who helped. I can't believe the solution was as easy as it was, but I did understand a lot more about what Cisco is about and how they configure their devices. Until then, I am sure I will have plenty of server, security, dns and routing questions coming. :)
0
