  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 510

Cisco 5505 behind 2811 router

Hello everyone,

I am having a small issue. I have set up an ASA 5505 that is sitting behind my 2811 router. I am not able to ping the outside ISP IP address; I am not sure if my config is correct.

I will upload both configs, router and firewall.

Asked by: wmilton
1 Solution
 
wmilton (Author) commented:
ASA Version 8.3(1)
!

names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.128.1.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.127.1.2 255.255.0.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list 101 extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 172.127.1.1 1
route outside 172.128.1.0 255.255.255.0 172.127.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.128.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:e026f137f00393f4c40f486befe78644
pacinoASA#

wmilton (Author) commented:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Dallas
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog

!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description outside
 ip address 75.XXX.240.XX 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.127.1.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface IDS-Sensor1/0
 no ip address
 shutdown
 hold-queue 60 out
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.XXX.240.XX
ip route 172.128.1.0 255.255.255.0 172.127.1.2
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

Ironmannen commented:
Hello
Instead of using an access list for permitting ICMP, I would use inspection for ICMP:

class-map inspection_default
policy-map global_policy
 class inspection_default
  inspect icmp

Ironmannen commented:
Hello
You also have a subnet mask mismatch:

interface Vlan2
 nameif outside
 security-level 0
 ip address 172.127.1.2 255.255.0.0

interface FastEthernet0/1
 ip address 172.127.1.1 255.255.255.252

Ironmannen commented:
Hello again
This rule states that the 172.128.1.0 (inside) network is available on the firewall's outside:
route outside 172.128.1.0 255.255.255.0 172.127.1.1 1
Remove the rule by issuing:
no route outside 172.128.1.0 255.255.255.0 172.127.1.1 1

wmilton (Author) commented:
@Ironmannen:

I did see that I have a mismatched IP; I will fix that right away.

wmilton (Author) commented:
Ok, I am uploading a new config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.128.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.127.1.2 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list 101 extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
l
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 75.XX.240.42 1
route outside 172.128.1.0 255.255.255.0 172.127.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.128.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
Cryptochecksum:9841bbaf3ce204ffa2f299f6045406c3
pacinoASA# ping 75.XX.240.41 ISP
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 75.XX.240.41, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
pacinoASA# ping 75.XX.240.42
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 75.XXX.240.42, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pacinoASA# ping 172.127.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.127.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pacinoASA# ping 172.127.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.127.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pacinoASA# ping 172.128.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.128.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pacinoASA# ping 75.XX.240.42
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 75.xx.240.42, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
pacinoASA# ping 75.XX.240.41 ISP IP w
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 75.139.240.41, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I can ping everything but the ISP IP; that is my issue.

wmilton (Author) commented:
I can ping everything but the ISP.

Ironmannen commented:
Ok, you are missing some NAT configuration on the router:

interface fa 0/0
ip nat outside

interface fa 0/1
ip nat inside

The ping is going out un-NATed and has no route back from your ISP; correct it with the above code on the router.

lrmoore commented:
Good eye, Ironmannen - Welcome to EE!
The information above should get you going.

On the ASA, you still need to remove a route statement:

route outside 0.0.0.0 0.0.0.0 75.XX.240.42 1
route outside 172.128.1.0 255.255.255.0 172.127.1.1 1 <== REMOVE this



wmilton (Author) commented:
Still having some problems. I erased the old config and started over; I guess I have created a new set of issues. I can't ping the F0/1 of the router, 172.127.1.1. I always thought that anything directly connected you could ping without putting in a route for it.

I also cannot ping the ISP IP 75.xxx.xxx.41, but I can ping F0/0, 75.xxx.xxx.42, which is connected to the ISP modem.

PacinoAS# ping 172.128.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.128.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PacinoAS# ping 172.127.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.127.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
PacinoAS# ping 172.127.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.127.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PacinoAS# ping 75.xxx.xxx.42
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 75.xx.xxx.42, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
PacinoAS# ping 75.xxx.xxx.41
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 75.xxx.xxx.41, timeout is 2 seconds:
???

wmilton (Author) commented:
ASA Version 8.3(1)
!
hostname PacinoAS
enable password Xa40Nt0afIZZLC2N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.128.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.127.1.2 255.255.255.252
!
interface Vlan3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
object network internal_lan
 subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit udp any any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 75.xxx.xxx.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:fd620efe02cf966f2a1478915a2b8b1b

Ironmannen commented:
Hello
Can you post your new router config?

wmilton (Author) commented:
Router config:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Dallas
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog


!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description outside
 ip address 75.xxx.xxx.42 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.127.1.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface IDS-Sensor1/0
 no ip address
 shutdown
 hold-queue 60 out
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.xxx.xx.41 ISP
ip route 172.128.1.0 255.255.255.0 172.127.1.2
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

Ironmannen commented:
Hello
I can see one error in your config:

interface FastEthernet0/1
 ip address 172.127.1.1 255.255.255.252
 ip nat outside

should be
ip nat inside
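A small config lint, added here as an example (not code from any post in this thread), that flags the three faults the replies above identified: the mask mismatch on the ASA-to-router link, the stray ASA route that sends the inside LAN out the outside interface, and a router with `ip nat inside source` but no `ip nat inside` interface. The config excerpts are constructed from the addresses posted in the thread; the ISP /29, masked in the posts, is replaced by a TEST-NET-2 placeholder.

```python
import ipaddress
import re
# Constructed excerpts modelled on this thread's posted configs; the masked ISP /29 is TEST-NET-2 here.
ROUTER_CFG = """\
interface FastEthernet0/0
 ip address 198.51.100.42 255.255.255.248
 ip nat outside
interface FastEthernet0/1
 ip address 172.127.1.1 255.255.255.252
 ip nat outside
ip nat inside source list 101 interface FastEthernet0/0 overload"""
ASA_CFG = """\
interface Vlan1
 nameif inside
 ip address 172.128.1.1 255.255.0.0
interface Vlan2
 nameif outside
 ip address 172.127.1.2 255.255.0.0
route outside 0.0.0.0 0.0.0.0 172.127.1.1 1
route outside 172.128.1.0 255.255.255.0 172.127.1.1 1"""

def parse_interfaces(cfg):
    """Interface name -> {'net': IPv4Interface or None, 'nameif': ASA nameif or the name}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces[m[1]] = {"net": None, "nameif": m[1]}
        elif cur and (m := re.match(r" ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif cur and (m := re.match(r" nameif (\S+)", line)):
            cur["nameif"] = m[1]
    return ifaces

def link_mismatches(a, b):
    """Both ends of a link must share one prefix; here 172.127.1.1/30 faces 172.127.1.2/16."""
    return [(str(x["net"]), str(y["net"])) for x in a.values() for y in b.values()
            if x["net"] and y["net"] and x["net"].network != y["net"].network
            and (x["net"].ip in y["net"].network or y["net"].ip in x["net"].network)]

def routes_over_connected(asa_cfg, asa_ifaces):
    """Static routes whose prefix lies inside a network connected on a different nameif."""
    return [(m[0], i["nameif"]) for m in re.finditer(r"^route (\S+) (\S+) (\S+).*", asa_cfg, re.M)
            for i in asa_ifaces.values() if i["net"] and i["nameif"] != m[1]
            and ipaddress.IPv4Network(f"{m[2]}/{m[3]}").subnet_of(i["net"].network)]

def nat_role_gaps(router_cfg):
    """With 'ip nat inside source' configured, one inside and one outside NAT role are needed."""
    roles = set(re.findall(r"^ ip nat (inside|outside)", router_cfg, re.M))
    needed = ("inside", "outside") if re.search(r"^ip nat inside source", router_cfg, re.M) else ()
    return [r for r in needed if r not in roles]
```

Running the three checks against the fixed configs posted later in the thread (matching /30 masks, the stray route removed, Fa0/1 marked `ip nat inside`) returns empty lists from all of them.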
 
wmilton (Author) commented:
I have fixed the ip nat issue. I will check on the ASA and see if I can ping all interfaces.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Dallas
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$29jT$EWqhFCv6gBC41tfNCDaGv/
enable password zingenuity
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description outside
 ip address 75.xxx.xxx.42 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.127.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface IDS-Sensor1/0
 no ip address
 shutdown
 hold-queue 60 out
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.xxx.xxx.41
ip route 172.128.1.0 255.255.255.0 172.127.1.2
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

wmilton (Author) commented:
Thanks, the issue is fixed. I am able to connect a computer to the switch and get to the internet.