meelnah
asked on
Can someone help me figure out why this base config for an ASA 5505 won't work?
Hello,
We will preface this by stating that I am a total Cisco noob. I know that there are reams of documentation out there, but unfortunately I don't have the time at this point to go through it all, so I am hoping someone can give me some assistance.
I need to install a new ASA 5505 in an office that currently has NO firewall protection. It has a cable modem with a static IP address assignment (we actually have a block of 8).
I went through the initial startup and configuration wizard with the ASA, and couldn't get it to pass traffic through to the internet... well, that may NOT be true (I am a noob in the worst way), but at any rate I cannot get a pc attached to the inside vlan to resolve a web page.
To try to troubleshoot, I took the patch cable connecting the cable modem to the ASA's port 0 (outside vlan) and attached it directly to my pc. I then configured the nic on the pc with the static assigned IP, subnet, and gateway information provided by my cable ISP... the pc worked perfectly, and I was able to resolve web pages.
However, no matter what I try, I can't seem to make the ASA ping out, much less allow a machine on its inside network to access the internet.
I have attached the configuration... can someone please take a look and tell me if you can spot the error?
Thanks,
Scott show-20running-config-20asdm-san.txt
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
YMMV? Sorry... it's really late here!
I just rebooted the cable modem, and after it came back up, rebooted the ASA. No change to my problem though.
I will keep your advice on the cable modem in mind though... thanks!
ASKER
removed the dhcpd auto_config outside line with no change...
As for the IP address settings, I checked them again and they seem in order. I know that they worked when inputted directly into the pc earlier this evening. I will re-verify them with the ISP tomorrow to be sure.
A silly question, but there isn't some sort of registration process that needs to be done on the ASA before you configure it, is there? I am just using the base license, no anyconnect or security plus licenses or anything like that...
SOLUTION
YMMV = Your Mileage May Vary
ASKER CERTIFIED SOLUTION
ASKER
ikalmar,
thanks for weighing in... I disabled DHCP on the inside interface (didn't post the updated running config, but just removed the dhcp auto_config outside line), and set manual DNS entries in the defaultDNS server-group.
enrniebeek,
From a pc attached to VLAN 1, I can ping the inside interface (192.168.1.250). However, I cannot ping the outside interface... but I don't know if I should be able to ping my external interface from inside the ASA.
I cannot ping the dns servers at this point.
Scott
That's correct, you can only ping the interface facing you.
So did you try to do a ping from the ASA to the internet?
Also try to connect to the ASDM to have a look at the logs when you try to connect to the internet.
ASKER
yes, I tried pinging the dns servers on the internet, with no success. Also tried pinging a website, but the ASA is unable to resolve the host name (which also points to it not being able to pass traffic).
I am unfamiliar with the ASA product.. I will certainly check the logs. Can you give me some direction there?
ASKER
I found where to enable logging, and turned it on. I then did a ping test to 4.2.2.2 and saved the log file (logging level was set to debug... is this correct?).
I then cleared the logs and tried to open internet explorer and go to google.com. I attached the resulting logs from that as well.
I don't see anything 'negative' in the logs though... or am I reading them wrong? 7883PingLogDebugLevel
ASKER
and here are the results from trying to access google...
forgot to mention, both tests were run from a pc attached to the inside interface of the ASA. 7883WebRequestLogDebugLevel
Hm, nothing strange there in the first log. In the second I can only see your connection to the firewall, nothing going to google.
Let's try it step by step. From the ASA, can you ping the cable modem?
ASKER
the modem itself doesn't have an address, but we have a gateway assignment for our block of IP addresses. Ping requests to this gateway fail.
As for the second log, I am guessing we are only seeing connections to the firewall because I tried to navigate to google.com... the ASA is currently set as my DNS server, so it should have tried to resolve google.com... would that be in the log?
Ok......................
Afaik the ASA cannot be used as a DNS server. So if you get your connectivity right, you'll need to set your client to a different dns server.
ASKER
thanks for the info... what is the DNS server group that is defined in the config then? who is it resolving addresses for?
thanks!
which should be removed, I don't see an obvious problem. If removing that line and rebooting the cablemodem doesn't get you online, can you be sure your XXXXX config parameters are correct?