Solved

ASA 5505 down will not nat or get outside

Posted on 2014-01-15
Last Modified: 2014-04-25
I reconfigured my ASA 5505 and now it will not give out NAT addresses, and I can't even get out to the internet when I use a static IP on my desktop. This is a small business box and the whole network is down.

I need some serious help, please.

Dan
0
Question by:dloj
21 Comments
 

Expert Comment

by:BrandNull
What version of firmware is installed on this box?
0
 

Author Comment

by:dloj
6.4.5
0
 

Author Comment

by:dloj
8.2(5)
0
 
LVL 28

Expert Comment

by:Jan Springer
sh run

and exclude any usernames, passwords or keys.

Put an "X" as the first octet of any public IP.
0
 

Author Comment

by:dloj
Thanks for the replies. I fell ill soon after I posted this. I will go get my box tomorrow morning and put in my config. I pulled the box off the network and I really want to get it back. Aside from your help, what is the best place to gather information about the ASA 5505?
0
 

Author Comment

by:dloj
Hi Everyone,
Thanks for the site; it has helped and confused me more. :)

I inherited an ASA 5505 in this new position I have, and I found firewall.cx and followed the setup process for Basic ASA 5505 configuration, and it did not work. I could not access the outside (internet); that was a few months ago, see above.

I got back to it the other day and still couldn't connect to the internet until I started playing around with outside and inside. When I set the computer I am using to access the console as DHCP I get out, but the IP address of the computer is using my main network IP naming scheme rather than the ASA box naming scheme.

So I am confused. I am attaching my running-config. Any help would be appreciated.
If someone could look at my running-config and give me a push in the right direction, that would be great.
FILE ATTACHMENT:
Dan-running-config.txt
0
 
LVL 28

Expert Comment

by:Jan Springer
What do you mean by "naming scheme"?

Do you want your inside clients to get a dhcp address?

If you statically IP an inside host, does it get a translation ("show xlate")?
0
 

Author Comment

by:dloj
Thanks for the reply.

I want the inside clients to get dhcp addresses from the ASA box as I believe is shown in the running-config I attached.  

And that could be my issue: it is not configured correctly.

When I show xlate I get:
0 in use, 0 most used

I think I should have said ip addressing scheme.
0
 
LVL 28

Expert Comment

by:Jan Springer
The nat id shouldn't matter as long as they match, but for the heck of it, I'd like to see the results with the inside and outside nat id changed from '10' to '1'.

I'd also like to see the results of:

packet-tracer input inside udp 192.168.17.24 5000 8.8.8.8 53 detailed
0
 

Author Comment

by:dloj
Thanks for the reply. Do I need to set up the whole command to change the id from 10 to 1?
I will be able to get this tomorrow.

Thanks again.
0
 

Author Comment

by:dloj
I finally was able to get back to it and I started over.
I am including my show ru and your request for packet-tracer.

I am going from the Basic ASA 5505 instructions from firewall.cx and a book by Don Crawley, The Accidental Administrator: Cisco ASA Security Appliance.

I have never been able to get out to the internet just by following either directions but once I started hacking around I could.
packet-tracer.txt
Dan-running-config-4-3.txt
0
 
LVL 28

Expert Comment

by:Jan Springer
Here is the problem => Drop-reason: (interface-down) Interface is down

Did you "no shut" the inside interface (to include any of the port interfaces that you are using on the inside vlan)?

Did you verify your cabling?

We need the inside interface to be up/up.
0
 

Author Comment

by:dloj
So I opened all the ethernet ?/? ports with no shutdown, then my system behind the ASA retrieved an IP from the Outside router and I was able to get out to the outside network and the internet.

So I enabled dhcpd and I received an address from my ASA box but cannot get out of the ASA box.

I even had dhcpd auto_config outside interface inside, but when a box on my outside network rebooted it received the 18.x address, so I deleted that.

I am attaching my new running-config and my new packet-tracer, which is much improved.

Thanks for hanging in there with me.
4-4-14-show-ru.txt
4-4-14-packet-tracer.txt
0
 
LVL 28

Expert Comment

by:Jan Springer
I don't see this statement:

global (outside) 1 interface
0
 

Author Comment

by:dloj
It is not allowing me to input that statement. I should have told you yesterday. It is saying that invalid input directed at '^' marker. And ^ is under the o in outside.
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
config t
global ?
global ( ?

show what?
0
 

Author Comment

by:dloj
current available interface:
inside Name of interface Vlan1

let me look at that
0
 

Author Comment

by:dloj
I got it. For some reason I lost my outside vlan 2 configuration or forgot to put it in. It was late Friday, so much for being tired. :)

I re-added this:

interface vlan 2
ip address dhcp setroute
nameif outside
global (outside) 1 interface

and it seems to be working fine.

And this is how we learn in IT.
Thanks for everything.  I am sure you will hear more from me.
0
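
The checks this thread works through (ports not shut down, a nameif on the outside VLAN, and a global statement whose id matches the nat id), as an added example that is not part of the original thread: a small Python linter run over a constructed ASA 8.2-style config. The function name `lint_asa82_pat` and both sample configs are assumptions made for illustration.

```python
import re

# Constructed ASA 8.2-style sample (not the poster's attachment): Vlan2 has no
# nameif, a port is shut down, and the global statement is missing.
SAMPLE_BROKEN = """\
interface Vlan1
 nameif inside
 ip address 192.168.17.1 255.255.255.0
interface Vlan2
 ip address dhcp setroute
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 shutdown
nat (inside) 1 0.0.0.0 0.0.0.0
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace(" shutdown\n", "").replace(
    " ip address dhcp", " nameif outside\n ip address dhcp"
) + "global (outside) 1 interface\n"

def lint_asa82_pat(config):
    """Hypothetical helper: list config gaps that stop inside hosts being translated."""
    findings, nameif, nat, glob, cur = [], {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = line.split()[1]
            nameif[cur] = None
        elif raw.startswith(" ") and cur:
            if line.startswith("nameif "):
                nameif[cur] = line.split()[1]
            elif line == "shutdown":
                findings.append(f"{cur}: administratively shut down")
        else:
            cur = None
            m = re.match(r"(nat|global) \(([^)]+)\) (\d+) ", line)
            if m:
                table = nat if m.group(1) == "nat" else glob
                table.setdefault(int(m.group(3)), set()).add(m.group(2))
    for iface, name in nameif.items():
        if iface.lower().startswith("vlan") and name is None:
            findings.append(f"{iface}: no nameif, cannot be used in nat/global")
    for pool in sorted(nat):
        if pool != 0 and pool not in glob:  # id 0 is NAT exemption, needs no global
            findings.append(f"nat id {pool}: no global statement with the same id")
    return findings

if __name__ == "__main__":
    print(lint_asa82_pat(SAMPLE_BROKEN), lint_asa82_pat(SAMPLE_FIXED))
```

A shut-down port that is deliberately unused will also be listed; the finding is a prompt to confirm the port is not one of those carrying the inside or outside VLAN.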
 

Author Comment

by:dloj
Hi,
I had everything working fine behind one router, then I went to an ATT Uverse modem/router and it is not allowing me to get out. Still getting DHCP from the Uverse Router and the Router sees the ASA box, but not allowing me out.
I am attaching my running config.

If someone could look at it and let me know why I might not be able to get out I would appreciate it.

Thanks.
4-21-14-show-ru.txt
0
 
LVL 28

Expert Comment

by:Jan Springer
Did you re-add this:

interface vlan 2
ip address dhcp setroute
0
 

Author Comment

by:dloj
Thanks _jesper_, I didn't think I had to. I just unplugged and plugged in behind another router. But I will add it and let you know.

Thanks
0
