Cisco ASA 5505 outside interface is down

Hi Experts,

I'm setting up my own test (Cisco) ASA 5505 firewall. I needed to set it up from scratch (software was installed) with the console. Later I used the ASDM application. All the Ethernet interfaces were assigned to the 'inside' interface after basic setup. So I created an 'outside' interface (DHCP client) for port 0/0 and enabled it.

I have the 1200+ page handbook, followed instructions provided there and as far as I can tell things should be working. But no matter what I try, the status of the outside interface is "Interface is down". I'm sure I misconfigured it somewhere, but where exactly would that be?

Any suggestions?
Asked by Mac2010
 
Ernie Beek Commented:
I was more thinking of forgetting a few commands like enable and conf t.

So it should be:
Enable
Conf t
interface Ethernet0/0
No shutdown
 
MikeKane Commented:
What is the interface connected to? Is that live? What is shown at a "SHOW INTERFACE OUTSIDE"?
 
Mac2010 (Author) Commented:
Interface is connected to an ADSL router, behind NAT. The ADSL router is live and has DHCP server running. The cable connecting the two is fine, I checked that.

This is the output of the "SHOW INTERFACE OUTSIDE" command:

Interface Vlan2 "outside", is down, line protocol is down
  Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
        MAC address 001d.7071.2376, MTU 1500
        IP address unassigned
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec

 
MikeKane Commented:
Can I see the sanitized firewall config?
 
Mac2010 (Author) Commented:
Can you be a little bit more specific? I'm not really an expert with the ASA...
What command should I use for that?
 
MikeKane Commented:
Easiest way is a SHOW RUN and then paste in the commands
 
Mac2010 (Author) Commented:
Here it is; I hope it is complete since I needed to copy/paste it in parts from Mac OS X Terminal app.
Thanks for your quick replies!

ASA Version 8.2(1) 
!
hostname centrum
domain-name bbhq.nl
enable password kCxoqBVXImd4z4Px encrypted
passwd U9oM3UN2mc5OaHUS encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.8.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
 shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name bbhq.nl
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.17.8.0 255.255.255.0 inside
http 172.17.8.251 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.17.8.100-172.17.8.131 inside
dhcpd dns 172.17.8.1 194.109.6.66 interface inside
dhcpd lease 86400 interface inside
dhcpd domain bbhq.nl interface inside
dhcpd update dns interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:f59d043bd8fa4212f5b804514b8e993c
: end

 
Ernie Beek Commented:
If I might break in on this (sorry Mike :)
Try:
interface Ethernet0/0
No shutdown
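
The diagnosis above, as an added example that is not part of the original posts: on the ASA 5505 a named VLAN interface such as "outside" stays down while the only switch port assigned to it is shut down. The function names are hypothetical, the sample config is constructed, and the script assumes access ports only (trunk ports are ignored).

```python
import re

# Constructed excerpt, modelled on the "show run" output posted in this thread.
SAMPLE = """\
interface Vlan1
 nameif inside
!
interface Vlan2
 nameif outside
!
interface Ethernet0/0
 switchport access vlan 2
 shutdown
!
interface Ethernet0/1
"""

def parse_interfaces(config):
    """Map each interface name to the sub-commands in its block."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return blocks

def vlans_without_active_port(config):
    """Return {nameif: VLAN interface} for VLANs with no enabled access port."""
    blocks = parse_interfaces(config)
    active = set()  # VLAN ids with at least one switch port not shut down
    for name, cmds in blocks.items():
        if not name.startswith("Ethernet") or "shutdown" in cmds:
            continue
        access = re.search(r"^switchport access vlan (\d+)$", "\n".join(cmds), re.M)
        # Assumption: a port with no "switchport access vlan" line is in VLAN 1.
        active.add(int(access.group(1)) if access else 1)
    dead = {}
    for name, cmds in blocks.items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        nameif = [c.split()[1] for c in cmds if c.startswith("nameif ")]
        if svi and nameif and int(svi.group(1)) not in active:
            dead[nameif[0]] = name
    return dead

print(vlans_without_active_port(SAMPLE))  # {'outside': 'Vlan2'}
```
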
 
Ernie Beek Commented:
Oh, and don't forget to save:
Wr mem
 
Mac2010 (Author) Commented:
Thanks Ernie,

I tried the command (and a few variations) but get this Error message:

ERROR: % Invalid input detected at '^' marker.
 
Mac2010 (Author) Commented:
A few more thoughts:

Could this problem be caused by a dysfunctional port? Although I get the same error message when I type: interface Ethernet0/1 or interface Ethernet0/2
 
Mac2010 (Author) Commented:
Thanks Ernie! The interface works fine now, although it would be interesting to know why it was down and the ASDM app tells it is enabled (in the Device Setup pane)...

Learned a few new things with the ASA now. I give Mike some credit too if you don't mind. I like that show run command.

Cheers
 
Ernie Beek Commented:
No problem, we're not only here for the points (though the T-shirts are nice ;).
You might want to think about upgrading the ASDM and OS, there are some bugs here and there like you mentioned.
Thx for the points.
Question has a verified solution.