Solved

Cisco ASA 5505 outside interface is down

Posted on 2011-10-24
Last Modified: 2012-05-12
Hi Experts,

I'm setting up my own test (Cisco) ASA 5505 firewall. I needed to set it up from scratch (software was installed) with the console. Later I used the ASDM application. All the Ethernet interfaces were assigned to the 'inside' interface after basic setup. So I created an 'outside' interface (DHCP client) for port 0/0 and enabled it.

I have the 1200+ page handbook, followed instructions provided there and as far as I can tell things should be working. But no matter what I try, the status of the outside interface is "Interface is down". I'm sure I misconfigured it somewhere, but where exactly would that be?

Any suggestions?
0
Question by:Mac2010
13 Comments
 
LVL 33

Expert Comment

by:MikeKane
ID: 37019563
What is the interface connected to? Is that live? What is shown at a "SHOW INTERFACE OUTSIDE"?
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37019602
Interface is connected to an ADSL router, behind NAT. The ADSL router is live and has DHCP server running. The cable connecting the two is fine, I checked that.

This is the output of the "SHOW INTERFACE OUTSIDE" command:

Interface Vlan2 "outside", is down, line protocol is down
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 001d.7071.2376, MTU 1500
        IP address unassigned
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec


0
 
LVL 33

Expert Comment

by:MikeKane
ID: 37020413
Can I see the sanitized firewall config?
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37020583
Can you be a little bit more specific? I'm not really an expert with the ASA...
What command should I use for that?
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 400 total points
ID: 37021291
Easiest way is a SHOW RUN and then paste in the commands
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37022643
Here it is; I hope it is complete since I needed to copy/paste it in parts from Mac OS X Terminal app.
Thanks for your quick replies!

ASA Version 8.2(1) 
!
hostname centrum
domain-name bbhq.nl
enable password kCxoqBVXImd4z4Px encrypted
passwd U9oM3UN2mc5OaHUS encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.8.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
 shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name bbhq.nl
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.17.8.0 255.255.255.0 inside
http 172.17.8.251 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.17.8.100-172.17.8.131 inside
dhcpd dns 172.17.8.1 194.109.6.66 interface inside
dhcpd lease 86400 interface inside
dhcpd domain bbhq.nl interface inside
dhcpd update dns interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:f59d043bd8fa4212f5b804514b8e993c
: end


0
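Sanitizing a show run before it is posted, as an added example that is not part of the thread: the paste above still carries the enable/passwd hashes, the domain name and the Cryptochecksum. This Python sketch redacts those fields and leaves the interface lines needed for troubleshooting untouched; the rule list and the sample values are constructed for illustration.

```python
import re

# Constructed sample in ASA "show run" syntax; every value is made up.
SAMPLE = """\
hostname fw-example
domain-name example.test
enable password AAAAAAAAAAAAAAAA encrypted
passwd BBBBBBBBBBBBBBBB encrypted
username admin password CCCCCCCCCCCCCCCC encrypted privilege 15
interface Ethernet0/0
 switchport access vlan 2
 shutdown
dns server-group DefaultDNS
 domain-name example.test
dhcpd domain example.test interface inside
Cryptochecksum:0123456789abcdef0123456789abcdef
"""

# (pattern, replacement): group 1 is the keyword kept, the value after it goes.
RULES = [
    (r"^(enable password )\S+", r"\1<removed>"),
    (r"^(passwd )\S+", r"\1<removed>"),
    (r"^(username \S+ password )\S+", r"\1<removed>"),
    (r"^(hostname )\S+", r"\1<removed>"),
    (r"^(\s*domain-name |dhcpd domain )\S+", r"\1<removed>"),
    (r"^(Cryptochecksum:)\S+", r"\1<removed>"),
]

def sanitize(config):
    """Redact credentials and site identifiers line by line."""
    out = []
    for line in config.splitlines():
        for pattern, repl in RULES:
            line = re.sub(pattern, repl, line)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(sanitize(SAMPLE), end="")
```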
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37023880
If I might break in on this (sorry Mike :)
Try:
interface Ethernet0/0
No shutdown
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37023885
Oh, and don't forget to save:
Wr mem
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37024127
Thanks Ernie,

I tried the command (and a few variations) but get this Error message:

ERROR: % Invalid input detected at '^' marker.
0
 
LVL 8

Author Comment

by:Mac2010
ID: 37024143
A few more thoughts:

Could this problem be caused by a dysfunctional port? Although I get the same error message when I type: interface Ethernet0/1 or interface Ethernet0/2
0
 
LVL 35

Accepted Solution

by:Ernie Beek
Ernie Beek earned 1600 total points
ID: 37024326
I was more thinking of forgetting a few commands like enable and conf t.

So it should be:
Enable
Conf t
interface Ethernet0/0
No shutdown
0
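Why Vlan2 showed "is down, line protocol is down" in this thread, as an added example (not code from the thread or from Cisco): a Python check that reads a show run dump and reports every named VLAN interface whose switch ports are all shut down. The sample config is constructed, and treating a port with no "switchport access vlan" line as a VLAN 1 member is an assumption.

```python
import re

# Constructed sample: interface section of an ASA 5505 "show run".
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
!
interface Vlan2
 nameif outside
!
interface Ethernet0/0
 switchport access vlan 2
 shutdown
!
interface Ethernet0/1
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from a show run dump."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return blocks

def vlans_without_active_port(config):
    """Map each named VLAN that has no enabled switch port to its ports."""
    blocks = parse_interfaces(config)
    members = {}  # VLAN id -> [(port name, is_shutdown)]
    for name, cmds in blocks.items():
        if name.startswith("Ethernet"):
            # Assumption: no "switchport access vlan" line means VLAN 1.
            vlan = next((int(c.split()[-1]) for c in cmds
                         if c.startswith("switchport access vlan ")), 1)
            members.setdefault(vlan, []).append((name, "shutdown" in cmds))
    findings = {}
    for name, cmds in blocks.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        nameif = next((c.split()[1] for c in cmds if c.startswith("nameif ")), None)
        if m and nameif:
            ports = members.get(int(m.group(1)), [])
            if all(shut for _, shut in ports):
                findings[nameif] = [port for port, _ in ports]
    return findings
```

On the sample, vlans_without_active_port(SAMPLE_CONFIG) reports outside with Ethernet0/0, the same port the accepted answer re-enables.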
 
LVL 8

Author Closing Comment

by:Mac2010
ID: 37024865
Thanks Ernie! The interface works fine now, although it would be interesting to know why it was down while the ASDM app says it is enabled (in the Device Setup pane)...

Learned a few new things with the ASA now. I give Mike some credit too if you don't mind. I like that show run command.

Cheers
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37024957
No problem, we're not only here for the points (though the T-shirts are nice ;).
You might want to think about upgrading the ASDM and OS, there are some bugs here and there like you mentioned.
Thx for the points.
0
