jody_j_houghton asked:
How to configure basic settings on Cisco ASA 5510

I have an ASA 5510 that I've acquired for my home lab. I have Comcast residential-grade Internet, so I do not have a static IP block. How do I configure the router as my primary firewall? The modem is in passthrough mode, but that only means the ports are all forwarded and not the public IP address, not that I would stick the dynamic IP on my router anyway. I've set the router back to factory defaults so I don't have a config to post. PLEASE HELP! I have PuTTY and ASDM access to the device as well. Thanks for your time in advance!

Also, I would like eth0/1 to be my dhcp server as well with whatever subnet works, it's a small lab with only about 15 devices on it.
arnold:
You would configure the interface to which you are connecting the Comcast router as the outside interface using DHCP. You would then power off the Comcast router for 10 minutes, then bring it up, and the public/Internet IP will be assigned on the ASA outside interface.
Using ASDM should be straight forward.
The port you connect the comcast router to should be labeled as outside/external with DHCP IP.
You then setup the internal/LAN with private IP space that you connect to an internal switch.
http://www.dslreports.com/faq/14231
jody_j_houghton (asker):
Thanks for the reply Arnold, however I was hoping for something a little more specific. Here's my config; can someone please tell me what's wrong?

asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password wkgmxot9C..o9mxY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.0.0.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 management
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 172.0.0.2-172.0.0.253 inside
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
Cryptochecksum:4fd9aef86428cf31f94aa986207f7d17
: end

172.0.0.0 addresses are not suitable for LAN IPs, as this is public IP space.
172.16.0.0-172.31.255.255 is the private IP block.

You are missing route outside 0.0.0.0 0.0.0.0 e0/0

http://www.ccie.net/blogs/asa-basic-configuration
http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html
Has references on configuring using the command line tool or the ASDM tool.

Not sure why you are using global 10 and nat inside 10
Sorry, yeah you're totally right.  I'm clearly new-ish at this.  Basically I'm just trying to use my 5510 for home use.  Comcast residential modem with no static.  I've gone through the setup wizard 50 times, and followed a TON of setup forums and I just can't get it to work.  The comcast modem gives out a 10.0.0.2\24 (?) on the inside interface, if it's not too much to ask, how would I configure this router from scratch....  I'm clearly not going in the right direction with my ip schema...
Here's my new config:  Please advise!

asdm image disk0:/asdm-508.bin
no asdm history enable
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password wkgmxot9C..o9mxY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.3 255.255.255.128
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.15.10-192.168.15.200 inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
Cryptochecksum:029a874b85a1b889efae490f266babfa
: end
You should not alter the outside interface to set an IP.
Your outside interface configuration was correct as it was being assigned by DHCP.


Which method are you using to configure your ASA?

You should only set an external IP when you know what it is.
Looking back, the IP address DHCP setroute
The problem is that it is not clear what issues you had.
The comcast adapter locks in and caches the MAC address of the first system that connects to it. If you switch what connects to the device, you have to power off the comcast device to clear the cached data.

The link provides you a clear example. Your difference is that you do not have a static IP on the outside interface.  

After changing the outside interface to IP address DHCP setroute
And removing the IP route 0.0.0.0 0.0.0.0 10.0.0.3
Post the "show IP route" output
This will display the routing table.
Often there are ACL rules one would use in the nat (inside) to define which networks are natted. Not sure why you are using nat (inside) 10.
https://www.experts-exchange.com/questions/26873909/ASA5520-Cannot-ping-from-inside-to-dmz.html

Provides an example of defining access-lists and access-groups to allow traffic.
Thank you Arnold, I'm aware that the Comcast gateway needs to be restarted each time a new device is plugged in to gain Internet access. Also, thank you for the link, I'll have a look. It should be noted that I had an L3 networking guy do the last config, and he said something about there maybe being an issue with the OS version, I think it's version 7. Also, even with this new config, I cannot ping either interface on the ASA from an internal host, but I can ping everything from the ASA interfaces. Here's my "show IP route" output.

**************
ciscoasa(config-if)# show IP route
                             ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-if)# ERROR: % Invalid input detected at '^' marker.

**************

ciscoasa(config-if)# sho ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                10.0.0.3        255.255.255.128 DHCP
Ethernet0/1              inside                 192.168.15.1    255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method
Ethernet0/0              outside                10.0.0.3        255.255.255.128 DHCP
Ethernet0/1              inside                 192.168.15.1    255.255.255.0   manual

******************
Are you supposed to get a private IP from comcast?
I.e. your Comcast device is setup in routed versus bridged mode.

can you post show ip route (for the routing table that gets set)

To allow the ASA to respond to pings, you need to add  inspect ICMP to the global policy_map

version 7 is old, if you have Cisco account access rights, you could update to 8.x
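As an added example from the editor (not code from this thread, from arnold, or from Cisco), here is a small Python linter that checks an ASA 7.x-style config for the points raised in the replies above: an inside address outside RFC 1918 space, a missing default route when the outside interface is not using `dhcp setroute`, nat/global ids that do not pair up, and a missing `inspect icmp` in the global policy-map. It also flags a `global` pool that overlaps a directly connected subnet; that check is the editor's addition and is not a point raised in the thread. The sample configs are constructed, abridged versions of the ones posted in this thread plus an editor's minimal working version; the interface and pool values come from the thread, and nothing else is assumed about the asker's network.

```python
"""Lint an ASA 7.x-style config for the mistakes discussed in this thread.

Added example by the editor, not code from the thread or from Cisco. The
sample configs are constructed, abridged versions of the ones posted above;
the pool-overlap check is the editor's addition, not a point raised above."""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_config(text):
    """Collect interfaces, default routes, global/nat entries and inspected protocols."""
    cfg = {"ifaces": [], "default_routes": [], "globals": [], "nats": [], "inspects": set()}
    cur = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        indented = line.startswith(" ")
        if not indented:
            cur = None  # an unindented line ends any interface stanza
        if tok[0] == "interface":
            cur = {"name": None, "ip": None, "dhcp_setroute": False}
            cfg["ifaces"].append(cur)
        elif indented and cur is not None and tok[0] == "nameif":
            cur["name"] = tok[1]
        elif indented and cur is not None and tok[:2] == ["ip", "address"]:
            if tok[2] == "dhcp":
                cur["dhcp_setroute"] = "setroute" in tok
            else:
                cur["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif indented and tok[0] == "inspect":
            cfg["inspects"].add(tok[1])
        elif tok[0] == "route" and tok[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg["default_routes"].append(tok[1])
        elif tok[0] == "global":
            m = re.match(r"global \((\S+)\) (\d+) (\S+)", line)
            cfg["globals"].append((m.group(1), m.group(2), m.group(3)))
        elif tok[0] == "nat":
            m = re.match(r"nat \((\S+)\) (\d+) ", line)
            cfg["nats"].append((m.group(1), m.group(2)))
    return cfg


def lint(text):
    """Return human-readable problems; an empty list means the config passes."""
    cfg = parse_config(text)
    by_name = {i["name"]: i for i in cfg["ifaces"] if i["name"]}
    inside, outside = by_name.get("inside"), by_name.get("outside")
    problems = []
    if inside and inside["ip"] and not any(inside["ip"].ip in n for n in RFC1918):
        problems.append(f"inside address {inside['ip'].ip} is not RFC 1918 space")
    if not cfg["default_routes"] and not (outside and outside["dhcp_setroute"]):
        problems.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <gateway>' "
                        "or use 'ip address dhcp setroute' on outside")
    for nid in sorted({n[1] for n in cfg["nats"]} ^ {g[1] for g in cfg["globals"]}):
        problems.append(f"nat/global id {nid} has no matching partner")
    for ifname, _, target in cfg["globals"]:
        if target == "interface":
            continue  # PAT to the interface's own address is always reachable upstream
        lo, _, hi = target.partition("-")
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
        for i in cfg["ifaces"]:
            if i["ip"] and (lo_ip in i["ip"].network or hi_ip in i["ip"].network):
                problems.append(f"global ({ifname}) pool {target} overlaps the {i['name']} subnet "
                                f"{i['ip'].network}: upstream cannot route replies back via {ifname}")
    if "icmp" not in cfg["inspects"]:
        problems.append("no 'inspect icmp': pings from inside get no reply unless an ACL "
                        "on outside permits icmp echo-reply")
    return problems


def asa(inside_ip, nat_lines, extra=""):
    """Build a constructed config: outside on DHCP with setroute, inside static."""
    return ("interface Ethernet0/0\n nameif outside\n ip address dhcp setroute\n"
            f"interface Ethernet0/1\n nameif inside\n ip address {inside_ip} 255.255.255.0\n"
            + nat_lines + extra)


# Constructed, abridged from the first config posted above.
FIRST_POST = asa("172.0.0.1", "global (outside) 10 interface\nnat (inside) 10 0.0.0.0 0.0.0.0\n")
# Constructed, abridged from the last config posted above (pool taken from the inside subnet).
LAST_POST = asa("192.168.15.1", "global (outside) 1 192.168.15.10-192.168.15.200\n"
                "global (outside) 1 interface\nnat (inside) 1 0.0.0.0 0.0.0.0\n")
# Editor's minimal working config for this setup (not posted in the thread).
MINIMAL = asa("192.168.15.1", "global (outside) 1 interface\nnat (inside) 1 0.0.0.0 0.0.0.0\n",
              "policy-map global_policy\n class inspection_default\n  inspect icmp\n")

if __name__ == "__main__":
    for label, cfg in (("first post", FIRST_POST), ("last post", LAST_POST), ("minimal", MINIMAL)):
        print(label, lint(cfg) or ["OK"])
```

Paste a `show running-config` into a file and call `lint()` on its contents; the parser only looks at the lines the checks need, so the rest of the config is ignored. The `inspect icmp` warning is deliberately conservative: the ACL the asker later added on the outside interface (`permit icmp any any echo-reply`) is the other valid way to get ping replies through.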
Yeah, these routers can't be put in bridged mode I guess, I even called Comcast. I think all that bridged mode does on this router is open all ports. I planned on just running No-IP to keep track of the public IP address. Unfortunately I don't have a Cisco account, otherwise I'd love to flash it. I even looked for a download somewhere online and I couldn't find one, including torrents. Here's my show route.

ciscoasa(config)# show route

S    0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
C    10.0.0.0 255.255.255.128 is directly connected, outside
C    192.168.15.0 255.255.255.0 is directly connected, inside
Thought you might wanna see this too:

ciscoasa(config)# ping 8.8.8.8
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 30/36/40 ms
ciscoasa(config)# ping 10.0.0.1
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ciscoasa(config)# ping 10.0.0.3
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping 192.168.15.1
Sending 5, 100-byte ICMP Echos to 192.168.15.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)# ping 192.168.15.11
Sending 5, 100-byte ICMP Echos to 192.168.15.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ciscoasa(config)#
From the host I can ping 192.168.15.1 and also 10.0.0.1, but I can't ping 10.0.0.3 or 8.8.8.8, obviously.
ASKER CERTIFIED SOLUTION
arnold

This solution is only available to members.
Weird, so nslookup is showing the IP's of those sites:

C:\Users\jody>nslookup
Default Server:  google-public-dns-
Address:  8.8.8.8

> 8.8.8.8
Server:  google-public-dns-a.google
Address:  8.8.8.8

Name:    google-public-dns-a.google
Address:  8.8.8.8

I also tried to add:

access-list 102 permit tcp any any established - This one failed.
access-list 102 permit tcp any any eq telnet
access-list 102 permit icmp any any
!

Here's my new config: still no internet from internal host though.

ciscoasa(config)# sho config
: Saved
: Written by enable_15 at 11:26:03.033 UTC Sat Nov 17 2012
!
ASA Version 7.0(8)
!
hostname ciscoasa
enable password wkgmxot9C..o9mxY encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
access-list 101 extended permit icmp any any echo-reply
access-list 102 extended permit tcp any any eq telnet
access-list 102 extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 192.168.15.10-192.168.15.200
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.15.10-192.168.15.200 inside
dhcpd dns 8.8.8.8
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
Cryptochecksum:0e201a656cf21378f9bd6b1e30419b47
ciscoasa(config)#


https://www.experts-exchange.com
Server:  google-public-dns-a.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    lb-cms.l3.redsrci.com
Address:  64.156.132.150
Aliases:  https://www.experts-exchange.com
Oh, also I am only using PuTTY, not the GUI; I can if needed though.
Also, I take back the nslookup working.  It must have been cached, but after I restarted the host, I can no longer get a valid response through nslookup.
Turns out the config was correct, there's something going on with the ISP or the firmware.... Thanks for your help!