RLComputing

Cisco ASA 5505 - No internet access

Hi Experts,

I have a brand new Cisco ASA 5505 router. I am trying to set it up; however, I cannot get internet access. I also cannot ping the default gateway.

I believe the problem is, I cannot assign vlan1 to any interfaces.

For example, my static IP is 72.0.0.130 and default gateway is 72.0.0.1. I've removed VPN information as well.

ASA Version 8.2(1)
!
hostname ciscoasa
enable password  encrypted
passwd  encrypted
names

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.0.0.130 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.237.161.12
 name-server 71.250.0.12
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network obj_any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.25.10-192.168.25.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 72.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart

ASKER CERTIFIED SOLUTION
Ken Boone

VLAN 1 is assigned by default.  Unless you have a different VLAN assigned, the interface is in VLAN 1.

Your config generally looks good; NAT, ACL, interfaces, etc.  First question -- is Eth 0/0 "up"?  When you do a "show interface Eth0/0", what does it say?  Second question -- Do you know for sure the ISP gateway is reachable?  If you attach a PC to the line with the proper IP address, are you able to ping the gateway?  
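
Added example, not part of the thread: a small Python check over a trimmed copy of the posted configuration that reports each switch port's effective VLAN (ports with no `switchport access vlan` line stay in VLAN 1) and flags a `permit ip any any` ACL bound inbound on the lowest-security interface, a rule worth tightening once connectivity works. The function name `audit` and the sample text are constructed for illustration.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in the question.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
access-list outside_access_in extended permit ip any any
access-group outside_access_in in interface outside
"""

def audit(config):
    """Return (switch port -> VLAN, findings) for an ASA 5505 style config."""
    ports, levels, open_acls, findings = {}, {}, set(), []
    current = nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current, nameif = m.group(1), None
            if current.startswith("Ethernet"):
                ports[current] = 1  # no explicit assignment means VLAN 1
        elif (m := re.match(r"switchport access vlan (\d+)$", line)) and current in ports:
            ports[current] = int(m.group(1))
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"security-level (\d+)$", line):
            levels[nameif] = int(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip any any$", line):
            open_acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            acl, iface = m.groups()
            # Flag an any/any permit applied inbound on the least-trusted interface.
            if acl in open_acls and iface in levels and levels[iface] == min(levels.values()):
                findings.append(f"{acl}: permit ip any any inbound on {iface}")
    return ports, findings

if __name__ == "__main__":
    ports, findings = audit(SAMPLE_CONFIG)
    print(ports)
    print(findings)
```
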
RLComputing

ASKER

Still no luck..

Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address e05f.b9e7.268f, MTU not set
        IP address unassigned
        1140 packets input, 84574 bytes, 0 no buffer
        Received 32 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        873 switch ingress policy drops
        1142 packets output, 84721 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops
ciscoasa(config)# exit

PING TEST TO GATEWAY:

ciscoasa# ping 72.00.00.1 [used real gateway]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.88.81.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#

If you plug a PC up, does it work? If not, call the provider.

Yes, I can connect to the ISP no problem. I currently have the router they gave me in place (ISP is Verizon FIOS and router is Actiontec).

So do you plug your PC into the router and set your PC on the 72.x address? Or do you plug in and get a dynamic internal type address?

Yes, that is correct. I can plug directly into the Verizon FIOS box and give myself the 72.0.0.130 address and get on the internet.

It also works if I have the Verizon Actiontec router set up and I plug into that (get an internal IP from DHCP server as well).


OK, so if you plug into the Verizon FIOS box and statically configure, you are good. Did you by chance reboot the FIOS box before you plugged the ASA in? It may hang on to the MAC address of the first device that was plugged in to it. Try rebooting the FIOS box, then connect the ASA to it.

Try that. If that doesn't work, call Verizon. They may have to reset something on their end. You might even have to reset their box. I would call first though. For now, reboot it with nothing connected and then plug the ASA in and see what happens.

I will call Verizon; however, in the setup we are trying to achieve I don't want the Actiontec router involved at all.

Agreed. I have run into numerous occasions with different providers where you just have to call and they end up having to reset something when you change devices from the PC you are testing with to the firewall. So hopefully a quick phone call will get you going.

Well, Verizon won't help much. They just verified the static IPs and gateway were up. Since the connection works with their Actiontec router, that is all they cared about.

So here is the deal:
#1)  The FIOS box must not be using PPPoE or the PC wouldn't connect.
#2)  Xover cable shouldn't be needed as the Ethernet is up/up.
#3)  With the config you have, you should be able to ping their device, assuming you can do it with the PC.

So this means that either something is hung on their side (i.e. a MAC address) or something needs to be reset on their end. I would get them back on the phone and force the issue. They need to watch and see if they are receiving any packets when you try to ping from the ASA. You need to get to a level 2 person.

Perfect answer and resolved issues.