Solved

Cisco ASA 5505 to replace a router

Posted on 2010-08-14
17
1,199 Views
Last Modified: 2012-06-21
First time ASA configuration.  This is a Cisco ASA 5505.  Our client wants to use this to replace a Cisco 831 router that is borrowed.  I am wondering why I can’t get to the http cloud.  Do I need to enter a specific allow statement or ACL?  Inside packets seem to pass just fine.  Link lights are all okay.

MyCompanyASA(config)# show run
: Saved
:
ASA Version 7.2(4)
!
hostname MyCompanyASA
domain-name MyCompanyinc.com
enable password c64tlJ0D0gDB8JnX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 69.XXX.XXX.23 255.255.255.128
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
 domain-name MyCompanyinc.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
username MyCompanyadmin password gnTcJZB1KpVJqadF encrypted
!
prompt hostname context
Cryptochecksum:cf7cea9437976fed499b65b72e0968a9
: end

MyCompanyASA#
Question by:careydodson

17 Comments
 
LVL 17

Assisted Solution

by:Kvistofta
Kvistofta earned 150 total points
You must do address translation, which is missing in your configuration. Easiest way to do this is:

nat (inside) 1 0 0
global (outside) 1 interface

This means that all hosts (0 0) on "(inside)" will have the global "(outside)" address of the interface. That is, hiding all hosts behind the firewall's outside IP address.

/Kvistofta
LVL 17

Expert Comment

by:Kvistofta
Regarding your question about acl: no. No ACL applied from inside means that you are allowing all traffic outbound.

/Kvistofta
LVL 34

Expert Comment

by:Istvan Kalmar
Hi,

and you missed the default route:
route outside 0.0.0.0 0.0.0.0 x.x.x.x


please show the old config

Author Comment

by:careydodson
Thank you, Kvistofta and ikalmar,

Here are the config updates based on your advice:

MyCompanyASA(config)# nat (inside) 1 10.1.1.0 255.255.255.0
MyCompanyASA(config)# global (outside) 1 69.XXX.XXX.23 netmask 255.255.255.128

MyCompanyASA(config)# route outside 0.0.0.0 0.0.0.0 69.XXX.XXX.1

I’m about to leave to try this.  I will also configure SSH so I do not have to travel for future config updates.

Ikalmar, Here is the config from the Cisco 831:

Admin#show run
Building configuration...

Current configuration : 2230 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Admin
!
no logging buffered
enable secret 5 $1$qK45$i6utck/c.1wujq4ycweYm1
!
username CRWS_dheeraj privilege 15 password 7 06425E657B1F0F38411843043F213A2A7C7C6665744655475B
username CRWS_Prem privilege 15 password 7 06425E657B1F0F38411843043F213A2A75796660724257425058
username Admin password 7 05081506601D1C5A
username CRWS_Srini privilege 15 password 7 0242551F3C570900084158163632020A5F517A7C777065637B
username CRWS_Giri privilege 15 password 7 08651D0A3E48033656045D0B190E342960657A4451425B5900
username CRWS_Venky privilege 15 password 7 114D484120430D2D40257A2B1B1625234156445259030C0F0602
ip subnet-zero
ip name-server 24.XXX.XXX.34
ip name-server 24.XXX.XXX.5
ip dhcp excluded-address 10.1.1.125
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:10.1.1.254-255.255.255.0
 ip address 10.1.1.254 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
 !
interface Ethernet1
 ip address 69.XXX.XXX.23 255.255.255.128
 ip nat outside
 no ip mroute-cache
 no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.1.1.125 3389 interface Ethernet1 3389
ip nat inside source static tcp 10.1.1.125 443 interface Ethernet1 443
ip nat inside source static tcp 10.1.1.125 80 interface Ethernet1 80
ip nat inside source static tcp 10.1.1.125 21 interface Ethernet1 21
ip nat inside source static tcp 10.1.1.125 110 interface Ethernet1 110
ip nat inside source static tcp 10.1.1.125 25 interface Ethernet1 25
ip nat outside source static 69.XXX.XXX.23 255.255.255.128
ip classless
ip route 0.0.0.0 0.0.0.0 69.XXX.XXX.1
ip http server
!
access-list 23 permit 10.1.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
 no cdp run
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end


LVL 34

Assisted Solution

by:Istvan Kalmar
Istvan Kalmar earned 150 total points
Hi,

I regret to tell you that the ASA does not support secondary IP addresses!

so the code that you need is:
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 443
access-list outside_access_in extended permit tcp any interface outside eq 80
access-list outside_access_in extended permit tcp any interface outside eq 21
access-list outside_access_in extended permit tcp any interface outside eq 110
access-list outside_access_in extended permit tcp any interface outside eq 25
! for ASDM
http server enable 4443

static (inside,outside) tcp interface 3389 10.1.1.125  3389 netmask 255.255.255.255
static (inside,outside) tcp interface 443 10.1.1.125  443 netmask 255.255.255.255
static (inside,outside) tcp interface 80 10.1.1.125  80 netmask 255.255.255.255
static (inside,outside) tcp interface 21 10.1.1.125  21 netmask 255.255.255.255
static (inside,outside) tcp interface 110 10.1.1.125  110 netmask 255.255.255.255
static (inside,outside) tcp interface 25 10.1.1.125  25 netmask 255.255.255.255

clear xlate
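The translation Istvan sketches above (static PAT plus an inbound permit per forwarded port) and the nat/global pair Kvistofta gave earlier are mechanical enough to script, and scripting them avoids the two slips that bite hand-typed configs: forgetting the access-group line, or applying an ACL with a different name from the one the permits were written to. The following is an added example, not code from the original post or from Cisco: a Python translator that reads the 831's "ip nat inside source ..." and "ip route" lines and emits the equivalent ASA 7.2 nat/global, static, access-list, access-group and route lines. IOS_CONFIG is a constructed excerpt modelled on the 831 configuration pasted above, with the public address left redacted as in the thread; the ASA interface names inside/outside and the ACL name outside_access_in are assumptions that match what the thread uses. It also warns where a forward opens a cleartext or remote-desktop service to any source, which the original 831 config did for FTP, POP3 and RDP.

```python
"""Translate the 831's IOS NAT/route lines into ASA 7.2 syntax.

Added example for this thread, not code from the original post or from Cisco. IOS_CONFIG
is a constructed excerpt modelled on the 831 configuration pasted above (public address
left redacted as in the thread). The ASA interface names inside/outside and the ACL name
outside_access_in are assumptions that match what the thread uses.
"""
import re

IOS_CONFIG = """\
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.1.1.125 3389 interface Ethernet1 3389
ip nat inside source static tcp 10.1.1.125 443 interface Ethernet1 443
ip nat inside source static tcp 10.1.1.125 80 interface Ethernet1 80
ip nat inside source static tcp 10.1.1.125 21 interface Ethernet1 21
ip nat inside source static tcp 10.1.1.125 110 interface Ethernet1 110
ip nat inside source static tcp 10.1.1.125 25 interface Ethernet1 25
ip route 0.0.0.0 0.0.0.0 69.XXX.XXX.1
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) interface \S+ overload$")
ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) any$")

# Services that should not be port-forwarded from 'any'; the translator still emits them but warns.
RISKY_PORTS = {21: "ftp (cleartext)", 23: "telnet", 110: "pop3 (cleartext)", 3389: "rdp"}


def wildcard_to_netmask(wildcard):
    """IOS wildcard 0.0.0.255 -> ASA netmask 255.255.255.0."""
    return ".".join(str(255 - int(octet)) for octet in wildcard.split("."))


def translate(ios_text, inside="inside", outside="outside", acl="outside_access_in"):
    """Return (asa_lines, warnings) for the NAT and default-route parts of an IOS config."""
    statics, overload_acl, gateway, acl_nets = [], None, None, {}
    for line in ios_text.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
        elif m := OVERLOAD_RE.match(line):
            overload_acl = m.group(1)
        elif m := ROUTE_RE.match(line):
            gateway = m.group(1)
        elif m := ACL_RE.match(line):
            acl_nets.setdefault(m.group(1), []).append((m.group(2), wildcard_to_netmask(m.group(3))))

    asa, warnings = [], []
    # Dynamic PAT: every network the IOS overload ACL matched becomes a nat id 1 entry,
    # hidden behind the outside interface address by the matching global id 1.
    overload_nets = acl_nets.get(overload_acl, [])
    for net, mask in overload_nets:
        asa.append(f"nat ({inside}) 1 {net} {mask}")
    if overload_nets:
        asa.append(f"global ({outside}) 1 interface")
    else:
        warnings.append("no overload NAT found: outbound traffic will have no translation")

    # Static PAT: the ASA needs both the translation and an inbound permit, and the
    # permits only take effect once the ACL is applied with access-group.
    for proto, host, local_port, global_port in statics:
        asa.append(f"static ({inside},{outside}) {proto} interface {global_port} {host} {local_port} "
                   f"netmask 255.255.255.255")
        asa.append(f"access-list {acl} extended permit {proto} any interface {outside} eq {global_port}")
        if global_port in RISKY_PORTS:
            warnings.append(f"{proto}/{global_port} ({RISKY_PORTS[global_port]}) -> {host} is open to any "
                            f"source; restrict the source or publish it over VPN instead")
    if statics:
        asa.append(f"access-group {acl} in interface {outside}")

    if gateway:
        asa.append(f"route {outside} 0.0.0.0 0.0.0.0 {gateway} 1")
    else:
        warnings.append("no default route found")
    return asa, warnings


if __name__ == "__main__":
    lines, warns = translate(IOS_CONFIG)
    print("\n".join(lines))
    for w in warns:
        print("! WARNING:", w)
```

The access-group line it emits always names the same ACL the permits were written to, which is the one thing worth comparing against a hand-typed config before pasting it in. The warnings are advisory: RDP, FTP and POP3 open to the whole Internet is what the 831 had, so the script reproduces it, but a practitioner should restrict the source or move those services behind a VPN rather than carry that exposure over to the ASA.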

Author Comment

by:careydodson
Thank you.  As far as I can tell, I have applied everything.  But I still cannot ping or http outside.  In fact, I can no longer ping inside but I'll address that one later.  Here is the current config of the ASA:

show run
: Saved
:
ASA Version 7.2(4)
!
hostname MyCompany-ASA
domain-name default.domain.invalid
enable password c64tlJ0D0gDB8JnX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 description INSIDE_Private_Net
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.xxx.xxx.23 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.1.1.125 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.125 https netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.125 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.1.1.125 ftp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.1.1.125 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.1.125 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.23 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 4443
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.1.1.10 255.255.255.255 inside
ssh 10.1.1.125 255.255.255.255 inside
ssh 69.xxx.xxx.146 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
username MyCompanyadmin password gnTcJZB1KpVJqadF encrypted
!
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f2d861c7fa544f65565d18d933d64ba4
: end

MyCompany-ASA#
LVL 34

Expert Comment

by:Istvan Kalmar
please show me the following:

sh arp
sh xlate

Are you able to ping 148.6.0.1 from the ASA?

Author Comment

by:careydodson
Here are the results:

show arp
      inside 10.1.1.125 001f.29c9.c624 35
      outside 69.xxx.xxx.1 0001.5c23.be42 488

MyCompany-ASA# show xlate
6 in use, 117 most used
PAT Global 69.xxx.xxx.1(3389) Local 10.1.1.125(3389)
PAT Global 69.xxx.xxx.1(443) Local 10.1.1.125(443)
PAT Global 69.xxx.xxx.1(80) Local 10.1.1.125(80)
PAT Global 69.xxx.xxx.1(21) Local 10.1.1.125(21)
PAT Global 69.xxx.xxx.1(110) Local 10.1.1.125(110)
PAT Global 69.xxx.xxx.1(25) Local 10.1.1.125(25)

MyCompany-ASA# ping 148.6.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 148.6.0.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

! But I can ping the inside server:

MyCompany-ASA# ping 10.1.1.125
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.125, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

MyCompany-ASA#
LVL 34

Expert Comment

by:Istvan Kalmar
it seems that you missed the default route... it is pointed at your outside interface, not the ISP!

route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.23 1

Author Comment

by:careydodson
I've made the revisions and it feels like we're getting closer.  Here is the latest configuration and test results:

show run
: Saved
:
ASA Version 7.2(4)
!
hostname MyCompany-ASA
domain-name MyCompanyinc.com
enable password c64tlJ0D0gDB8JnX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 description INSIDE_Private_Net
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 69.xxx.xxx.23 255.255.255.128
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 24.116.2.5
 name-server 24.116.2.34
 domain-name MyCompanyinc.com
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq ftp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.1.1.125 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.125 https netmask 255.255.255.255
static (inside,outside) tcp interface www 10.1.1.125 www netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.1.1.125 ftp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.1.1.125 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.1.1.125 smtp netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.xxx.xxx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 4443
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.1.1.10 255.255.255.255 inside
ssh 10.1.1.125 255.255.255.255 inside
ssh 69.xxx.xxx.146 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
username MyCompanyadmin password gnTcJZB1KpVJqadF encrypted
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:34bf9cfe654771fae5d0b86a382561bb
: end

MyCompany-ASA# show arp
      inside 10.1.1.125 001f.29c9.c624 62
      outside 69.xxx.xxx.1 0001.5c23.be42 0

MyCompany-ASA# show xlate
6 in use, 117 most used
PAT Global 69.xxx.xxx.23(3389) Local 10.1.1.125(3389)
PAT Global 69.xxx.xxx.23(443) Local 10.1.1.125(443)
PAT Global 69.xxx.xxx.23(80) Local 10.1.1.125(80)
PAT Global 69.xxx.xxx.23(21) Local 10.1.1.125(21)
PAT Global 69.xxx.xxx.23(110) Local 10.1.1.125(110)
PAT Global 69.xxx.xxx.23(25) Local 10.1.1.125(25)

MyCompany-ASA# ping 10.1.1.125
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.125, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

MyCompany-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

MyCompany-ASA# ping 69.xxx.xxx.23
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.xxx.xxx.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

MyCompany-ASA# ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

MyCompany-ASA#
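Two of the configurations posted in this thread contain mistakes that a few lines of script would have caught before the next site visit. The earlier one routes 0.0.0.0/0 to the ASA's own outside address (69.xxx.xxx.23) instead of the ISP gateway, which Istvan spotted. The one just above applies "access-group outside_in in interface outside" while every permit entry lives in outside_access_in, so outside_in (echo-reply plus deny any) is what actually runs and all six static port-forwards are unreachable even once the ISP's ARP entry is sorted out. Both also carry "http 0.0.0.0 0.0.0.0 outside", exposing ASDM to any source on the Internet-facing interface. The following is an added example, not code from the thread or from Cisco: a Python audit that parses an ASA 7.2-style configuration and reports those conditions, together with a missing nat/global pair and any ACL that permits RDP, FTP, POP3 or telnet from any source. ASA_CONFIG is a constructed excerpt modelled on the configuration above, with the redacted public addresses replaced by documentation space 203.0.113.0/25 so the subnet arithmetic can run.

```python
"""Audit an ASA 7.2-style config for the mistakes that surfaced in this thread.
Added example, not code from the thread or from Cisco. ASA_CONFIG is a constructed excerpt
modelled on the configuration posted above; the redacted 69.xxx.xxx.x addresses are
replaced with documentation space 203.0.113.0/25 so the subnet checks can run."""
import ipaddress
import re

ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.23 255.255.255.128
!
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended deny ip any any log
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 10.1.1.125 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 10.1.1.125 https netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
http 0.0.0.0 0.0.0.0 outside
"""
PORT_NAMES = {"www": 80, "https": 443, "ftp": 21, "pop3": 110, "smtp": 25, "telnet": 23}
RISKY = {3389: "rdp", 21: "ftp (cleartext)", 110: "pop3 (cleartext)", 23: "telnet"}
EQ_RE = re.compile(r"\beq (\S+)$")


def port_number(token):
    """Resolve ASA service names (www, https, ...) or numeric ports to an int."""
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_interfaces(text):
    """Map nameif -> {'level': int, 'addr': IPv4Interface} from the interface blocks."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("interface "):
            cur = {}
        elif line.startswith("!"):
            cur = None
        elif cur is not None and parts[:1] == ["nameif"]:
            ifaces[parts[1]] = cur
        elif cur is not None and parts[:1] == ["security-level"]:
            cur["level"] = int(parts[1])
        elif cur is not None and parts[:2] == ["ip", "address"] and len(parts) == 4:
            cur["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return ifaces


def audit(text):
    """Return a list of (severity, message) findings."""
    findings, ifaces = [], parse_interfaces(text)
    lines = [l.strip() for l in text.splitlines()]
    # 1. Outbound PAT needs a nat (inside) id that pairs with a global (outside) id.
    nat_ids = {m.group(1) for l in lines if (m := re.match(r"nat \(inside\) (\d+) ", l))}
    global_ids = {m.group(1) for l in lines if (m := re.match(r"global \(outside\) (\d+) ", l))}
    if not nat_ids & global_ids:
        findings.append(("HIGH", "no matching nat (inside)/global (outside) pair: inside hosts get no translation"))
    # 2. The default route's next hop must sit on the exit interface's subnet and not be the ASA itself.
    for m in [m for l in lines if (m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l))]:
        ifname, gw = m.group(1), ipaddress.ip_address(m.group(2))
        addr = ifaces.get(ifname, {}).get("addr")
        if addr is not None and gw == addr.ip:
            findings.append(("HIGH", f"default route next hop {gw} is the ASA's own {ifname} address"))
        elif addr is None or gw not in addr.network:
            findings.append(("HIGH", f"default route next hop {gw} is not on the {ifname} subnet"))
    # 3. ACL bookkeeping: entries per ACL, the (proto, port) pairs each permits, and what is applied where.
    acl_entries, permits = {}, {}
    for l in lines:
        if m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", l):
            acl_entries.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
    for name, entries in acl_entries.items():
        permits[name] = {(proto, port_number(p.group(1))) for action, proto, rest in entries
                         if action == "permit" and (p := EQ_RE.search(rest))}
    applied = {m.group(2): m.group(1) for l in lines
               if (m := re.match(r"access-group (\S+) in interface (\S+)", l))}
    # 4. A static port-forward is dead unless the ACL applied on its outside interface permits it.
    for l in lines:
        if m := re.match(r"static \((\S+),(\S+)\) (tcp|udp) interface (\S+) (\S+)", l):
            out_if, proto, port, host = m.group(2), m.group(3), port_number(m.group(4)), m.group(5)
            acl = applied.get(out_if)
            if acl not in acl_entries or (proto, port) not in permits[acl]:
                findings.append(("MEDIUM", f"static PAT {proto}/{port} -> {host} is dead: ACL applied on {out_if} ({acl}) does not permit it"))
    # 5. Any ACL, applied or not, that opens a risky service to every source address.
    for name, entries in acl_entries.items():
        for action, proto, rest in entries:
            p = EQ_RE.search(rest)
            if action == "permit" and rest.startswith("any ") and p and port_number(p.group(1)) in RISKY:
                state = "applied" if name in applied.values() else "not applied"
                findings.append(("HIGH", f"ACL {name} ({state}) permits {proto}/{port_number(p.group(1))} ({RISKY[port_number(p.group(1))]}) from any source"))
    # 6. Management plane (ASDM/SSH/telnet) reachable from 0.0.0.0/0 on a security-level 0 interface.
    for l in lines:
        if m := re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l):
            if ifaces.get(m.group(2), {}).get("level") == 0:
                findings.append(("HIGH", f"{m.group(1)} management open to any source on {m.group(2)}"))
    return findings
```

Run audit() over the text of "show run" and print the findings. On the excerpt above it reports the two dead port-forwards (the wrong ACL is applied), that outside_access_in would open RDP to any source if it were applied, and that ASDM is reachable from anywhere on the outside interface; it stays quiet about the route and the nat/global pair because those are correct in this version. Fixing the route line to point at the ASA's own address, as the earlier posted config did, makes the default-route check fire instead. Note that check 6 treats the management ACL alone as the exposure; on 7.2 the http and ssh commands are what gate ASDM and SSH access, so "http 0.0.0.0 0.0.0.0 outside" is the line to tighten to the administrator's source address, exactly as the ssh entries in the posted config already are.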
LVL 17

Expert Comment

by:Kvistofta
So you can't ping your ISP gateway? Does it show up in the ARP table after trying to ping it (sh arp)?

Do you have link on your Ethernet0/0 interface? Paste the output regarding that interface from "show int" here...

If the IP addressing is correct in your config I can't see that there should be anything in the config preventing things from working. Try to reboot the ISP gateway (69.xxx.xxx.23) to make sure that its ARP entry for your firewall isn't bad.

Last resort is that the error is not in the ASA but somewhere else (ISP, cabling, etc.)

/Kvistofta

Author Comment

by:careydodson
Thanks, Kvistofta.  Actually I can ping the isp gateway.  But it did not show up in the ARP table afterwards. See below.

One thing I find interesting between the router and the ASA is that the router has a primary and secondary IP address to wit:

ip address 10.1.1.254 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0

Not sure how to configure both on the same interface on the ASA.  But that isn't really my main concern since we're still trying to allow traffic outside.  

Here is the info.

ping 69.xxx.xxx.23
!(isp)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.xxx.xxx.23, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

MyCompany-ASA# ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

MyCompany-ASA# show int
Interface Vlan1 "inside", is up, line protocol is up
  Hardware is EtherSVI
      Description: INSIDE_Private_Net
      MAC address 5475.d0e3.9370, MTU 1500
      IP address 10.10.10.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
      342 packets input, 27592 bytes
      0 packets output, 0 bytes
      337 packets dropped
      1 minute input rate 1 pkts/sec,  109 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 1 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
  Hardware is EtherSVI
      MAC address 5475.d0e3.9370, MTU 1500
      IP address 69.xxx.xxx.23, subnet mask 255.255.255.128
  Traffic Statistics for "outside":
      5886 packets input, 315628 bytes
      0 packets output, 0 bytes
      158 packets dropped
      1 minute input rate 25 pkts/sec,  1343 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 5475.d0e3.9368, MTU not set
      IP address unassigned
      6089 packets input, 436972 bytes, 0 no buffer
      Received 6037 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      119 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 5475.d0e3.9369, MTU not set
      IP address unassigned
      518 packets input, 85292 bytes, 0 no buffer
      Received 355 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      0 switch ingress policy drops
      0 packets output, 0 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
!<snip>

MyCompany-ASA# ping 10.1.1.125
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.125, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

MyCompany-ASA# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

MyCompany-ASA#

Author Comment

by:careydodson
Also the link LEDs appear to be fine.  The cables appear to be fine since we are switching the LAN and WAN cable back and forth from ASA to Router today.  (That is how I'm able to reply...by switching them back to the Router.)
LVL 9

Accepted Solution

by:
Donboo earned 200 total points
First, the ISP address 69.xxx.xxx.23 is your own IP on the outside interface according to the configuration posted; that's why you get a response.

2nd, the IP 69.xxx.xxx.1 is your ISP GW, and can you ping this? (Btw, it shows up in the ARP table so layer 2 is working: "outside 69.xxx.xxx.1 0001.5c23.be42 0")

3rd, while the ASA doesn't support secondary IPs as you'd normally think, you can, using tricks, get it to simulate a secondary IP and make it work as if.

Most of the time when switching equipment around you might run into problems with MAC addresses on the bordering network equipment. Have you tried having your ISP clear its ARP table after you switched to the ASA?
LVL 79

Expert Comment

by:lrmoore
Enable ICMP inspect to help troubleshoot

policy-map global_policy
 class inspection_default
  inspect icmp

LVL 3

Expert Comment

by:DeltaR7
try adding following lines:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Author Closing Comment

by:careydodson
Donboo, you nailed the reason I wasn't getting anything outside: contact the ISP and register the new MAC address! Interestingly I had to call twice because the MAC address of the physical port did not do the trick. They needed to know the MAC address of the VLANs; which BTW, is the same for all the VLANs.

iKalmar and Kvistofta, thank you for the time-saving configuration tips! You all got it running far, far quicker than I would've been able to do by myself. THANK YOU!