JoesCat asked:
ASA 5505 no internet access

This question has been asked before, and I've applied some of the solutions presented as solved, but none of them have worked for me.
New ASA 5505 running ASA 8.2(5).  Nothing I've tried (the config wizard, configuring manually, and loading some configs found here) has made any difference in allowing inside hosts access to the outside internet.  I never see any byte count on the outside interface.  I've not been able to ping anything on the outside, neither from the ASDM ping option nor from hosts on the inside.

The initial config desire is to use our new ISP's static IP address and have the 5505 provide DHCP to the inside hosts. No DMZ is needed. The ISP is new, and not a lot of testing of the service has taken place.  I did connect up a WD MyNet N750 in router mode, using the ISP's internet and gateway addresses, with success for the inside hosts.  The same cables and addresses are being used for the 5505.

Ultimately, this 5505 is intended to establish a site-to-site vpn with another 5505 at a customer's location.  Their techs will be on the phone guiding that vpn setup.  Ideally then, I envision using the first internet address from our block for the vpn, and use the next one for general internet access.  I mention it here only as an ideal, but first it would be great if I could at least get internet access to begin with!

I have a 2nd device on order, to hopefully verify that my device is defective.

I've downloaded and lightly modified a configuration found here, as below:

: Saved
:
ASA Version 8.2(5)
!
hostname gsibsi-fw01
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.27.nnn.74 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_inside_in extended permit ip 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0
access-group acl_inside_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.27.nnn.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 8.8.8.8
dhcpd domain bsi.lan.gsiinc.com
!
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
no asdm history enable
Don Johnston:

Have you tried the packet tracer to see where the traffic is getting dropped?

Not sure why you've got "nat (outside)" commands. I would remove those two statements.

Also the "access-group acl_inside_in in interface inside" and associated ACL aren't helping so delete those as well.
First thing I would suggest is to do the following tests.

1.

ping 96.27.nnn.73
At the very least you should be able to ping your upstream router. If this fails, it might be a physical cabling issue. Try using different cabling if necessary (Cat5 or Cat5e).
If you can ping the next-hop router, try doing a "traceroute 8.8.8.8" and see if you are able to reach it.

2.

ping 192.168.1.x
Try and ping an internal IP, preferably if you have a directly connected device that is on the same subnet as 192.168.1.x

3.

Looking at your NAT config
It looks like you are using software version older than 8.3
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 0.0.0.0 0.0.0.0


Lines 3-5 are not necessary. If you wish to NAT 192.168.1.0/24 to the outside interface, Lines 1-2 are all you need.

4.

Checking your ACL
access-list acl_inside_in extended permit ip 192.168.1.0 255.255.255.0 any
!
access-group acl_inside_in in interface inside


Line 1 is permitting all IP traffic from 192.168.1.0/24 to any (internet) but it does not permit ICMP. Add the following "access-list acl_inside_in extended permit icmp 192.168.1.0 255.255.255.0 any"
Allowing ICMP going out (inside-to-outside) is one part, you'll need to allow the ICMP/echo-reply incoming to your outside as well.
access-list acl_outside_in extended permit icmp any host 96.27.1.74 echo-reply
!
access-group acl_outside_in in interface outside


For now those are a few things you could check. Hope this helps!
JoesCat (asker):

I made the above changes.  Still no joy, I cannot access the internet in any fashion.

Yes, this device shipped with ASA version 8.2(5).  Why it ships so old I don't know.  I'm currently trying to update the IOS, as nothing else has allowed any use.

I verified again, using an Ethernet straight-thru cable, that I can swap this unit out with my trusty old WD MyNet N750, immediately link up and browse the internet (plugged in, wireless is disabled).  So cabling has been tested, as has the internet connection itself.  The docs indicate a straight-thru cable is needed for the 5505 as well; although the two packages come with pictorials showing the cables are included, they are not.

I recall reading there's a fundamental change in the way NAT packets are handled beyond version 8.2 - is the above running config FOR above 8.2?

I did try the packet tracer; though I'm not sure of the details of that utility, it did report that the packet was dropped due to an ACL.  I didn't save the result, having moved on to confirm cabling etc.  I'll get back to that after trying to update the ASA version . . .

Thanks for all help, this has been going on too long, and the delays are showing.
I'm running 8.2(5) on my ASA at home as well as on a number of other ASA's for clients. There was a change with the commands in later releases that I just don't want to deal with.  Many people have stuck with 8.2 for that reason.  Your config is correct for 8.2.

Please post the current config and we'll see if we can identify the issue.
JoesCat (asker):

Thanks for that, I did not proceed to changing the ASA version then, it remains at 8.2(5).  Here's the current running config.

I've played with the packet tracer; this tool is new to me (I grew up using PIX 6.x, with its very old "PDM").
Source: 192.168.1.5 (my PC's current dhcp address), destination: 8.8.8.8, ICMP, echo, code 8, ID 0: Failed with "flow denied by a rule".
Same source and destination, UDP, source port "domain", destination port "domain" and "53": both pass.
Same again, UDP, S: echo, D: echo: pass.
I think I'm using the tool incorrectly, as I also get "pass" for destination addresses 8.8.10.5, 10.0.0.1, 96.27.nnn.72 (which isn't a valid ip address in my outside subnet).

I still do not have any internet access from my PC, nslookup, ping to known good hosts (i.e. 8.8.8.8), web browsing of course.
Sorry to be such a burden!  This should be the simplest of configurations (apart from a DHCP derived outside address).  I just don't see what's missing!

: Saved
:
ASA Version 8.2(5)
!
hostname gsibsi-fw01
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.27.nnn.74 255.255.255.248
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list acl_inside_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list acl_outside_in extended permit icmp any host 96.27.nnn.74 echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.27.nnn.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 8.8.8.8
dhcpd domain bsi.lan.gsiinc.com
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
no asdm history enable
You're missing the "access-group acl_inside_in  in interface outside" statement.
JoesCat (asker):

I found an example of using the packet tracer, here is the result.
I'm certainly no expert (as you can see), but it appears that everything is in place to work correctly?  I'm mystified why it isn't then, since the same ISP connection works using another simple router.

Result of the command: "packet-tracer input inside icmp 192.168.1.10 8 0 208.67.222.222"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (96.27.nnn.74 [Interface PAT])
    translate_hits = 543, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.1.10/0 to 96.27.nnn.74/19485 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (96.27.nnn.74 [Interface PAT])
    translate_hits = 543, untranslate_hits = 0
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1630, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
JoesCat (asker):

Thank you so much for your persistence.  I added the overlooked statement:

: Saved
:
ASA Version 8.2(5)
!
hostname gsibsi-fw01
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.27.nnn.74 255.255.255.248
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list acl_inside_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list acl_outside_in extended permit icmp any host 96.27.nnn.74 echo-reply
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_inside_in in interface outside
route outside 0.0.0.0 0.0.0.0 96.27.nnn.73 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 8.8.8.8
dhcpd domain bsi.lan.gsiinc.com
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxx
: end
no asdm history enable
and does it work?
JoesCat (asker):

Nope, sorry.  I sure would have been much more celebratory if it did!  It's just as dead as ever.

Is it time to start blaming the ISP (Wide Open West)?  I've not used them before, so I have no experience with them.  It's just strange that a fairly low-end wifi router can be connected easily and work w/o issue.

Or am I still missing something fundamental in my 5505 configuration?
I think you still got the ACL config a bit off; here is what you posted.
access-list acl_inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list acl_inside_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list acl_outside_in extended permit icmp any host 96.27.nnn.74 echo-reply
!
access-group acl_inside_in in interface outside


line 5 should be "access-group acl_outside_in in interface outside"
and then you should add another "access-group" for the inside interface "access-group acl_inside_in in interface inside"

At the very least you should be able to ping the next-hop (96.27.nnn.73) from the ASA itself. If not, even though cables were changed, you might want to check the "show interface". You should see this as up/up and check the duplex and speed if it is negotiated properly (full-duplex, 100Mbps).
ciscoasa# show int eth0/1
Interface Ethernet0/1 "outside", is up, line protocol is up
  Hardware is linaeth, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)


If you see it at up/up with correct speed and duplex yet still you can ping the next-hop (96.27.nnn.73) from the ASA itself, use other ports on the ASA for your outside.
If all the above is done, and still a no go, try connecting a PC directly to the ASA outside interface and see if you can ping that.
That's all for now I could suggest to test, hopefully you'll find success eventually.
I can say with almost 100% certainty that this is not your ISP. Like I said before, I've got half a dozen of these at various customer sites working fine.

I think part of the problem is there's some things in your config that aren't needed and that's making it hard to find the problem.  I always like to start with the bare minimum, verify functionality, then add things testing after each change. The more lines in the config, the harder it is to find a problem.

access-list acl_inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list acl_inside_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list acl_outside_in extended permit icmp any host 96.27.nnn.74 echo-reply



The first two lines are completely unnecessary. They shouldn't be causing a problem, but if they aren't doing anything, let's get rid of them.

Your ACL should only have one line (in this case, the last one). Personally, I would use:

access-list acl_outside_in extended permit icmp any interface outside echo-reply



So make that change, test it.  If it doesn't work, run it through the packet tracer and see what it says.  Then let us know what happens.

And when you post the config, please use the "Code" feature (at the top of the post window). That makes it a lot easier to see.
JoesCat (asker):

Thanks guys, I'll try your suggestions and post back (tomorrow).  

ffleisma, I recall you suggesting this early on; I tried then, and recently tried again, to ping the outside gateway address (from a connected PC and from the ASA itself), no go. It's another example that no traffic ever seems to make it to the outside interface.
Yesterday, after thinking things through overnight, one of the first things I tried was adding physical port two to the outside vlan and plugging into that; it made no difference.
"If all the above is done, and still a no go, try connecting a PC directly to the ASA outside interface and see if you can ping that."
For brevity, you mean the PC connected to the outside interface is set to the ISP's gateway address and subnet mask, and pinging it from the ASA?  I'll try that also.
I'm using the ASDM for configuration (and using the CLI from there for most things), it shows the appropriate interfaces as up/up in the GUI (and not when the cable is disconnected).

Don, after trying the config wizard (which sets up as a DHCP client on the outside interface, and doesn't set up a default route I believe), and that didn't work, I reset to factory and tried a manual config, setting only what I hoped were the needed settings: the outside IP address and subnet mask, the gateway address, and the network objects for the inside and outside network (inside is already there in that situation I think), with the outside network as 96.27.nnn.72 with mask 255.255.255.248.  What I've read is there would already be implied access control that allows all traffic from a higher security level to a lower one, and denies traffic from lower to higher security.  So I thought that would work.  Nothing.  I concluded I do not know what I'm doing without help then!
My code sample to begin this thread was one I copied from another thread which appeared similar to my problem, and was the resulting successful setup (I of course changed the outside interface to match my provider's), everything else I thought would match up to what I'm looking to do for a basic, initial setup.  I hope that helps portray my history with this device.
Any extra fluff in my config is just a carry-over. I'm still working from the standpoint that this device has never successfully accessed the internet in any fashion.
I agree, I need to load the simplest setup that will work at all to start.  There's nothing in my config I'm dedicated to, I would throw it all away for a simple setup - a static outside ip, dhcp on the inside, no dmz, no ACL's needed really.  I'm not very experienced at setting these up from scratch, a working start would allow continuing change by change to a working setup, rather than the other way around.

Anyone know of a good, simple initial setup I can change slightly and load in? I thought I'd done that several times, but was quickly dismayed when it wouldn't work at all accessing the internet.

Again, thanks!  I realize this (should be!) a simple setup hence may be tedious and boring, but I've yet to understand why my initial goes at this haven't gotten me anywhere.
This isolates if it is a bad port on the device.
Use other ports on the ASA as the outside.
Connect a PC to the ASA outside interface and pretend that is the next-hop router.
If you like to start from a clean slate, just do a "write erase" then a reboot.

What is odd though, when you connect a PC directly at the ISP, were you able to ping the ISP router?

When you connect the "WD MyNet N750 in router mode", does it have a static IP or gets IP via DHCP?
JoesCat (asker):

Yes, I've tried using another port to the outside.  A couple of days ago, I reassigned port 2 to the outside vlan, plugged in there, with the same failed results.  I also received a 2nd new 5505, loaded the configuration(s) I've been testing, and got the same results (plugged into the default port 0, assigned to the outside vlan).  That should have ruled out a bad port.

"write erase" in the CLI produced an error . . . I've been using the File.... Reset to factory.  It does clear my configuration as far as I can tell.

The N750 was set to the static IP from our ISP.  There is no DHCP provided by them.

It finally dawned on me overnight . . . the N750 works perfectly, the 5505 never does.  Soooo, I placed the N750 in between the ISP and the 5505.  It's in router mode, set to static ip of the ISP's ip, gateway and subnet mask connected to the same port 0 outside interface.  It's running DHCP for the inside.  This is the exact configuration that worked for several PC's to successfully access the internet already.
The 5505 reset to factory defaults operates exactly this way also, providing DHCP from the outside, and to the inside.

Presto!  It works, just like the PCs have worked.  What a huge discovery.  So now I can prove the ports on the ASA work, it can route and pass traffic and all that fun stuff.  But why would I possibly need to use an alternative router between the 5505 and my ISP?  Using the same cables (all straight-thru ethernet).  Even more so, the N750 is a gigabit switch, and links as such.  I'm pushing the cables harder than the 5505 would with its 100 Mb/s capability.

I'd really like to solve that!  I don't want to need an intermediate low-end router in between, especially going forward trying to set up a site-to-site VPN with another 5505.  Having this other router in the mix might needlessly complicate the setup.

Currently running code (unmodified from the factory reset).  What perplexes me is there is no "default route" statement, only the "setroute" option in the outside DHCP configuration:

: Saved
:
ASA Version 8.2(5) 
!
hostname ciscoasa
enable password xxxxxxxxxxxxxx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
no asdm history enable


ASKER CERTIFIED SOLUTION by Nico Eisma (members-only; not shown here)
Just another out-of-the-box thought: might I suggest using VLAN1 as the outside. Sometimes other devices have issues working with Cisco devices. The native VLAN (commonly the default VLAN1) is untagged when using 802.1q; I'm thinking that the ISP router is sending untagged packets while the ASA receiving interface is expecting VLAN2, hence there is a VLAN mismatch between the devices and they cannot communicate with one another.
interface Ethernet0/0
 switchport access vlan 1
!
no interface Vlan1
no interface Vlan2
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 96.27.nnn.74 255.255.255.248
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0


Just make sure that you adjust the security-level to 0 for the outside and 100 for the inside.

I'm not sure if the ASA will accept the "no interface Vlan" command since I don't have a 5505 to test. In the case that you could not, just go to the interface vlan configuration and do changes there. Here's what I did on packet-tracer.
ciscoasa#confi t
ciscoasa(config)#interface vlan2
ciscoasa(config-if)#no nameif
WARNING: DHCPD bindings cleared on interface 'outside', address pool removed
ciscoasa(config-if)#no security-level
ciscoasa(config-if)#no ip address
WARNING: DHCPD bindings cleared on interface '', address pool removed
ciscoasa(config-if)#
ciscoasa(config-if)#interface vlan1
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no ip address
WARNING: DHCPD bindings cleared on interface 'outside', address pool removed
ciscoasa(config-if)#ip address 1.1.1.1 255.255.255.248
ciscoasa(config-if)#
ciscoasa(config-if)#interface vlan2
ciscoasa(config-if)#nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)#ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)#



This might be a long-shot, but it is worth trying to explore if you are running out of options.
JoesCat (asker):

I did some testing over the weekend . . . I took a 5505 home and connected to my Comcast internet.  Set for factory defaults, the most important of which is DHCP on the ISP's side, it connected right up and getting to the internet was no problem.
Then I tried to manually configure the outside interface, instead of using DHCP.  I never got it to talk to the internet.  Packet Tracer got almost all the way through, then was denied by a rule.  I don't know which rule.

I surmise I don't know what I'm doing!  Using two different ISP's, I've only gotten internet access when using DHCP.  

So what are the exact differences between DHCP and a static IP address I should focus on configuring?  I suspect it's a route statement.  DHCP uses the parameter "setroute", which creates the needed route entry .

I think I've ruled out the physical ports . . . it works with either a router in between the 5505 and the ISP's router, and at home works immediately connected to the ISP's router (aka cable modem).  I hear what you're saying ffleisma about swapping around vlans.  I'll try that if I simply cannot get a basic configuration installed that uses a static ip address.

Does anyone have a simple, minimal configuration that works with a static ip address for the outside that I can load to test?  The only thing I'd need to change is the outside ip address in a couple of places for my testing.

Thanks in advance!
The difference with home DSL internet is that these are usually via DHCP. The service provider will just not hand out public IP addresses to every household, since public IP addresses are conserved. Hence you won't be able to use a static IP address at home, since your provider did not provide you with a public IP in the first place.

The "setroute" is used on a DHCP configuration since you don't know which public IP will be assigned by the ISP. What it does is that, when you acquire a public IP, the firewall installs a static default route pointing out to that ISP router/modem.

Stripping it down to the very minimum configuration, you'll just have to focus on a few things:

1. Interface configuration

2. Static default route
At this point, you should be able to reach the internet from the ASA.

3. NAT configuration
At this point, you should be able to reach the internet.

4. ACL configuration
You can leave this at the minimum, but it will require addition of an access-group and an outside_access_in ACL for the outside interface if you wish to test ICMP.
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.27.nnn.74 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 96.27.nnn.73 1
!
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!


This is already the bare minimum configuration you'll need.
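To check a pasted 8.2-style config against the points that came up in this thread (an ACL applied with access-group to the wrong interface, an ACL defined but never applied, nat (outside) lines with no purpose, a static outside address without a default route, DHCP without setroute), here is an added Python linter. It is not part of the thread or of any Cisco tool; the rules it encodes are only the ones discussed above, and the sample config it runs on is constructed from the asker's posted lines.

```python
import re

# Constructed sample: the interface, ACL, NAT and route lines from the asker's
# posted 8.2(5) config above (addresses sanitized as in the thread).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.27.nnn.74 255.255.255.248
!
access-list acl_inside_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list acl_outside_in extended permit icmp any host 96.27.nnn.74 echo-reply
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (outside) 1 192.168.1.0 255.255.255.0
access-group acl_inside_in in interface outside
route outside 0.0.0.0 0.0.0.0 96.27.nnn.73 1
"""

# ACL naming styles seen in the thread: acl_<if>_in and <if>_access_in.
ACL_NAME = re.compile(r"^(?:acl_)?([A-Za-z0-9]+)(?:_access)?_in$")


def parse_config(text):
    """Pull out the interfaces, ACLs, access-groups, NAT and default route."""
    cfg = {"interfaces": {}, "acls": set(), "access_groups": [],
           "global": set(), "nat": [], "default_route": False}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):            # sub-command of the current block
            if current is not None:
                words = line.split()
                if words[0] == "nameif":
                    cfg["interfaces"][current]["nameif"] = words[1]
                elif words[:2] == ["ip", "address"]:
                    cfg["interfaces"][current]["ip"] = " ".join(words[2:])
            continue
        current = None
        words = line.split()
        if words[0] == "interface":
            current = words[1]
            cfg["interfaces"].setdefault(current, {})
        elif words[0] == "access-list":
            cfg["acls"].add(words[1])
        elif words[0] == "access-group":   # access-group <acl> in interface <nameif>
            cfg["access_groups"].append((words[1], words[-1]))
        elif words[0] == "global":         # global (<if>) <id> interface
            cfg["global"].add(words[2])
        elif words[0] == "nat":            # nat (<if>) <id> <net> <mask>
            cfg["nat"].append((words[1].strip("()"), words[2]))
        elif words[0] == "route" and words[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg["default_route"] = True
    return cfg


def lint(text):
    """Return the findings for one config; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings = []
    names = {i["nameif"]: i for i in cfg["interfaces"].values() if "nameif" in i}
    outside = names.get("outside")
    # 1. Reachability from the ASA itself: an outside address plus a default route.
    if outside is None or "ip" not in outside:
        findings.append("no interface named 'outside' with an IP address")
    elif outside["ip"].startswith("dhcp"):
        if "setroute" not in outside["ip"]:
            findings.append("outside uses DHCP without 'setroute', so no default route is learned")
    elif not cfg["default_route"]:
        findings.append("static outside address but no 'route outside 0.0.0.0 0.0.0.0 <next-hop>'")
    # 2. NAT: inside hosts need nat (inside) paired with a global of the same id.
    if not any(ifname == "inside" for ifname, _ in cfg["nat"]):
        findings.append("no 'nat (inside) ...' statement, inside hosts are never translated")
    for ifname, nat_id in cfg["nat"]:
        if ifname == "outside":
            findings.append("'nat (outside) %s' is not needed for inside-to-outside PAT" % nat_id)
        if nat_id not in cfg["global"]:
            findings.append("'nat (%s) %s' has no 'global (outside) %s'" % (ifname, nat_id, nat_id))
    # 3. ACLs: every access-group must name a defined ACL and sit on the interface
    #    its name says; a defined ACL that is never applied does nothing.
    applied = set()
    for acl, ifname in cfg["access_groups"]:
        applied.add(acl)
        if acl not in cfg["acls"]:
            findings.append("access-group references undefined ACL '%s'" % acl)
        m = ACL_NAME.match(acl)
        if m and m.group(1) != ifname:
            findings.append("ACL '%s' is applied to '%s' but is named for '%s'"
                            % (acl, ifname, m.group(1)))
    for acl in sorted(cfg["acls"] - applied):
        findings.append("ACL '%s' is defined but never applied with access-group" % acl)
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("finding:", finding)
```

On the sample above it reports the three problems the thread worked through one reply at a time: the stray nat (outside), acl_inside_in bound to the outside interface, and acl_outside_in never applied.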
JoesCat (asker):

Yeah, you would think!  But no, I loaded that config (the only two changes were the third octet to my actual outside IP address, in the two places that matter . . . the outside IP address and the default gateway address), plus I added DNS servers to the inside DHCP so clients had somewhere to look up websites.  That's all.  Back to the familiar no internet access.  I stopped there this time, instead of pulling what little hair I have left for another few hours.

I'm in the process of opening a case with Cisco TAC. . . This is just getting silly.
JoesCat (asker):

Here's the final result:
ISP is Wide Open West (aka Wow!), 30 Mbps fiber into the building; they present a fsp ethernet port as our interface.  There IS an incompatibility with the ASA 5505.  Other devices I've tried (specifically, 1 Gbps devices such as my WD N750 WiFi router/switch and a Dell-branded gigabit switch) work fine; if one is used between the 5505 and the ISP, things are great.

With the 5505 connected directly, it shows link and data as up, nothing is reported wrong, it simply will not run any traffic on the outside interface.
I had WoW! engineers on the phone, had them manually set to 100mbps / full duplex, I manually set the 5505 in kind . . . and it sorta worked, but was horrible - ping times were long and speed was horrible testing at www.speedtest.net.  The ISP could not explain why the anomaly is there.  They offered trying to replace their premise equipment with a different model, I declined as I've got to move forward instead of continuing to try things.  So we won't know that result.