RLComputing
asked on
Cisco ASA 5505 - No internet access
Hi Experts,
I have a brand new Cisco ASA 5505 router. I am trying to setup it up, however I can not get internet access. I also cannot ping the default gateway.
I believe the problem is, I cannot assign vlan1 to any interfaces.
For examples, my static ip is 72.0.0.130 and default gateway is 72.0.0.1. I've removed VPN information as well.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.0.0.130 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.237.161.12
name-server 71.250.0.12
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network obj_any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.25.10-192.168.25.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
I have a brand new Cisco ASA 5505 router. I am trying to setup it up, however I can not get internet access. I also cannot ping the default gateway.
I believe the problem is, I cannot assign vlan1 to any interfaces.
For examples, my static ip is 72.0.0.130 and default gateway is 72.0.0.1. I've removed VPN information as well.
ASA Version 8.2(1)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 72.0.0.130 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.237.161.12
name-server 71.250.0.12
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network obj_any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.25.10-192.168.25.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Still no luck..
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address e05f.b9e7.268f, MTU not set
IP address unassigned
1140 packets input, 84574 bytes, 0 no buffer
Received 32 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
873 switch ingress policy drops
1142 packets output, 84721 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
ciscoasa(config)# exit
PING TEST TO GATEWAY:
ciscoasa# ping 72.00.00.1 [used real gateway]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.88.81.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address e05f.b9e7.268f, MTU not set
IP address unassigned
1140 packets input, 84574 bytes, 0 no buffer
Received 32 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
873 switch ingress policy drops
1142 packets output, 84721 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
ciscoasa(config)# exit
PING TEST TO GATEWAY:
ciscoasa# ping 72.00.00.1 [used real gateway]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.88.81.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
If you plug a PC up does it work? If not call the provider.
ASKER
yes, I can connect to the ISP no problem. I currently have the router they gave me in place (ISP is verizon FIOS and router is Actiontec)
So do you plug your PC into the router and set your PC on the 72.x address? Or do you plug in and get a dynamic internal type address?
ASKER
Yes that is correct, I can plug directly into the verizon fios box and give myself the 72.0.0.130 address and get on the internet.
It also works if I have the verizon actiontec router setup and I plug into that (get an internal IP from DHCP server as well)
It also works if I have the verizon actiontec router setup and I plug into that (get an internal IP from DHCP server as well)
ok so if you plug into the verizon fios box and statically configure you are good. Did you by chance reboot the fios box before you plug the ASA in? It may hang on to the MAC address of the first device that was plugged in to it. Try rebooting the fios box then connect the ASA to it.
Try that .. if that doesn't work call verizon. they may have to reset something on their end. You might even have to reset their box. I would call first though. for now reboot it with nothing connected and then plug the asa in and see what happens.
Try that .. if that doesn't work call verizon. they may have to reset something on their end. You might even have to reset their box. I would call first though. for now reboot it with nothing connected and then plug the asa in and see what happens.
ASKER
I will call Verizon however, the setup we are trying to achieve I dont want the actiontec router involved at all.
Agreed. I have run into numerous occasions with different providers where you just have to call and they end up having to reset something when you change devices from the PC you are testing with to the firewall. so hopefully a quick phone cal will get you going.
ASKER
Well verizon wont help much. They just verified the static ips and gateway where up. Since the connection works with their actiontec router that is all they cared about.
So here is the deal:
#1) The fios box must not be using PPPoE or the Pc wouldn't connect.
#2) Xover cable shouldn't be needed as the ethernet is up/up
#3) With the config you have you should be able to ping their device assuming you can do it with the PC.
So this means that either something is hung on their side (i.e. a mac address) or something needs to be reset on their end. I would get them back on the phone and force the issue. They need to watch and see if they are receiving any packets when you try to ping from the ASA. You need to get to a level 2 person.
#1) The fios box must not be using PPPoE or the Pc wouldn't connect.
#2) Xover cable shouldn't be needed as the ethernet is up/up
#3) With the config you have you should be able to ping their device assuming you can do it with the PC.
So this means that either something is hung on their side (i.e. a mac address) or something needs to be reset on their end. I would get them back on the phone and force the issue. They need to watch and see if they are receiving any packets when you try to ping from the ASA. You need to get to a level 2 person.
ASKER
perfect answer and resolved issues.
Your config generally looks good; NAT, ACL, interfaces, etc. First question -- is Eth 0/0 "up"? When you do a "show interface Eth0/0", what does it say? Second question -- Do you know for sure the ISP gateway is reachable? If you attach a PC to the line with the proper IP address, are you able to ping the gateway?