Cisco ASA 5505 won't connect to Internet through Comcast Cable Modem

Posted on 2011-03-22
Last Modified: 2013-02-11
Set-Up
------------

I have a Comcast cable modem that physically connects to my ASA 5505. I utilized the ASDM start-up wizard to configure my ASA 5505. The IP address scheme is as follows:

Gateway:173.8.22.142
Outside interface on ASA: Public IP (vlan 2)
Inside interface: 192.168.1.1/24 (vlan 1)

Problem:
--------------

The Comcast cable modem was originally configured to assign private IP addresses dynamically to the local area network. I purchased an ASA to better secure my traffic. When I obtained my new ASA I just plugged my computer into one of the Ethernet ports, then accessed the ASDM locally to configure the device through the startup wizard. Once this was completed, I physically connected the Vlan2 interface (public) to the Comcast cable modem. I then disabled DHCP on the cable modem, to allow my ASA's outside interface to utilize a static public IP address. Unfortunately, this set-up is preventing my inside interface (private) from accessing the internet.

Now, the funny thing is, if I re-enable DHCP on the Comcast cable modem (private IP addresses), then make my public interface on the ASA obtain its IP address via DHCP from the cable modem, everything works fine. Meaning the inside interface (private) can access the internet.


Question
----------

How can I utilize a statically assigned public IP address on my ASA's outside interface to allow my inside private computers to reach the internet?
I have attached the ASDM start-up configuration. Any ideas?


: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.X 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:092065a5757543b8962896d487439cb8
: end
Question by: Stormtwista
Accepted Solution

by: gestradakws

For Vlan2, make sure you set it to "ip address dhcp setroute".

It's missing a route: inside 0.0.0.0 0.0.0.0 inside IP.

Author Comment

by: Stormtwista
Thanks for your response. If I configure Vlan2 for "ip address dhcp setroute", the outside interface will be set to obtain an IP address dynamically. It is for this reason that I have associated a statically assigned public IP with this interface, as illustrated in the following lines:

interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.X 255.255.255.248

Also, for your second comment, "it's missing a route inside 0.0.0.0 0.0.0.0 inside IP", are you referring to configuring the default route as 192.168.1.1 255.255.255.0 173.8.22.142? IP address 173.8.22.142 is my ISP's gateway address.

I have attached the working configuration that I was referring to originally when I stated the following:

"Now, the funny thing is, if I re-enable DHCP on the Comcast cable modem (private IP addresses), then make my public interface on the ASA obtain its IP address via DHCP from the cable modem, everything works fine. Meaning the inside interface (private) can access the internet."

: Saved
:
ASA Version 8.2(2) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:98d75991e7b0fc43a5d871e2a38d63e8
: end
Author Comment

by: Stormtwista
That was it! I added the route 0.0.0.0 0.0.0.0 (default Gateway) and everything worked. Thanks.
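The fix the thread converges on, written out as one complete added example (it is not the original poster's config nor the answerer's). It keeps the static outside address and the PAT lines from the posted config and adds the default route toward the ISP gateway 173.8.22.142 that the question names. The actual outside address is masked on the page; `173.8.22.138` below is a placeholder chosen to sit in the same /29 as the gateway (a 255.255.255.248 mask around 173.8.22.142 gives the block 173.8.22.136/29, usable hosts .137 through .142, so the ASA's address has to be one of .137 to .141; that arithmetic is mine, not the page's). The destination `198.51.100.1` in the packet-tracer check is a documentation address standing in for any Internet host, and the `description` comments are mine.

```cisco
! Outside interface with a static address. Nothing is learned from the
! modem's DHCP any more, so no default gateway is learned either.
! 173.8.22.138 is a placeholder in the gateway's /29; substitute the
! address Comcast assigned.
interface Vlan2
 nameif outside
 security-level 0
 ip address 173.8.22.138 255.255.255.248
!
! The missing piece: a static default route out of the outside interface
! toward the ISP gateway from the question. Without it, inside traffic is
! PATed to the outside address but has no next hop. Metric 1.
route outside 0.0.0.0 0.0.0.0 173.8.22.142 1
!
! PAT from the posted config, unchanged: every inside host is translated
! to the outside interface address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Verification from the CLI after applying the above:
!
! 1. The gateway must answer on the directly connected /29. If this fails,
!    the address, mask or cabling is wrong, not the route.
!      ping outside 173.8.22.142
!
! 2. The default route must be installed and point out "outside".
!      show route | include 0.0.0.0
!    expected: S*   0.0.0.0 0.0.0.0 [1/0] via 173.8.22.142, outside
!
! 3. Simulate an inside host (placeholder 192.168.1.10 from the inside
!    DHCP scope) opening a web connection to the Internet. The ROUTE-LOOKUP
!    phase should name the outside interface and the final action should
!    be "allow"; a "drop" with "no route" here means step 2 did not take.
!      packet-tracer input inside tcp 192.168.1.10 40000 198.51.100.1 80
!
! 4. Confirm a translation was built for the inside host.
!      show xlate
!
! Persist the change.
write memory
```

The reason the DHCP variant worked without any route is `ip address dhcp setroute`: the ASA installs the default route it receives in the modem's DHCP offer. Moving to a static address removes that source, so the route has to be entered by hand; the answerer's suggestion to keep `dhcp setroute` and the author's final `route 0.0.0.0 0.0.0.0` are the two ways to end up with the same default route. One caveat a practitioner would raise on both posted configs: the hashes `8Ry2YjIyt7RRXU24` (enable) and `2KFQnbNIdI.2KYOU` (passwd) are the factory defaults, an empty enable password and "cisco", so set real ones with `enable password` and `passwd` before enabling telnet or SSH. As posted, only ASDM over HTTPS from 192.168.1.0/24 on the inside is permitted, which limits the exposure but does not remove it.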