LOGTECHSERV
asked on
New ASA 5510 Setup LAN's can not get to Internet
I have two ISPs and 2 LANs into an ASA5510 and I cannot get to the internet via my LANs; see config below.
Goal for now is to have Staff on one isp and Guest on the other isp
Please Help Thanks!
Result of the command: "show running-config"
: Saved
:
: Serial Number: XXXXXXXXXXXX
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 9.1(6)
!
X
!
interface Ethernet0/0
nameif Staff-ISP-Interface
security-level 50
ip address dhcp setroute
!
interface Ethernet0/1
nameif Staff-Network-Interface
security-level 50
ip address x.x.x.x 255.255.255.0
!
interface Ethernet0/2
nameif Guest-ISP-Interface
security-level 16
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/3
no nameif
no security-level
no ip address
!
interface Ethernet0/3.16
vlan 16
nameif Guest-Network-Interface
security-level 16
ip address x.x.x.x 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address x.x.x.x 255.255.255.0
!
boot system disk0:/asa916-k8.bin
ftp mode passive
dns domain-lookup Staff-ISP-Interface
dns domain-lookup Staff-Network-Interface
dns domain-lookup Guest-ISP-Interface
dns domain-lookup Guest-Network-Interface
dns server-group DefaultDNS
name-server x.x.x.x
name-server x.x.x.x
object network Guest_Network
subnet x.x.x.x 255.255.255.0
object network Guest-NAT
host x.x.x.x
object network Staff-Nat
host x.x.x.x
object network Staff_Network
subnet x.x.x.x 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Staff-ISP-Interface 1500
mtu Staff-Network-Interface 1500
mtu Guest-ISP-Interface 1500
mtu Guest-Network-Interface 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-742.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route Staff-ISP-Interface 0.0.0.0 0.0.0.0 x.x.x.x 1
route Guest-ISP-Interface 0.0.0.0 0.0.0.0 x.x.x.x 16
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http x.x.x.x 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface Staff-ISP-Interface
dhcpd address x.x.x.x-x.x.x.x management
dhcpd enable management
!
dhcpd address x.x.x.x-x.x.x.x Staff-Network-Interface
dhcpd dns x.x.x.x x.x.x.x interface Staff-Network-Interface
dhcpd option 3 ip x.x.x.x interface Staff-Network-Interface
dhcpd enable Staff-Network-Interface
!
dhcpd address x.x.x.x-x.x.x.x Guest-Network-Interface
dhcpd dns x.x.x.x x.x.x.x interface Guest-Network-Interface
dhcpd lease 1800 interface Guest-Network-Interface
dhcpd option 3 ip x.x.x.x interface Guest-Network-Interface
dhcpd enable Guest-Network-Interface
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
ASKER
Added that still not working... Maybe an Access rule?
ASKER
What about for the guest network?
ASKER
Still no internet on the LAN's... Could it be access rules?
ASKER
Let me know if you want an updated Running Config
Thanks for your help!!!!!!!!
>>Could it be access rules?
I don't see any access-group commands so no.
show run access-group
will tell you; if it returns nothing then you have no applied ACLs.
I'm assuming the ASA can ping each of the ISP router IP addresses, and can also ping 8.8.8.8. Until you sort that, nothing will get internet access.
Assuming all that works show me the result of a
show nat
and
show run nat
Pete
ASKER
It did work!!!!! I had unplugged the ISP patch cable yesterday after I left for the day and forgot to plug it back in.
THANK YOU!!!! I had added tried the NAT before but never changed the Security level....
:)
(config)# object network my-inside-net
(config-network-object)# subnet x.x.x.x 255.255.255.0
(config-network-object)# nat (inside,outside) dynamic interface
The same as on other asked question :)
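Added example, not part of the original thread: a Python check over ASA running-config text for the two conditions this thread ends on, a LAN and its ISP interface sharing a security level (denied unless `same-security-traffic permit inter-interface` is set) and a missing `nat (lan,isp)` rule. The function names, sample addresses and the level-0 fix are assumptions; the posted answers are not visible on the page.

```python
import re

def parse_asa(config):
    """Return ({nameif: security-level}, {(real_if, mapped_if)}, permit flag)."""
    levels, nat_pairs, name = {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
        elif m := re.match(r"nat \(([^,]+),([^)]+)\)", line):
            nat_pairs.add((m.group(1), m.group(2)))
    return levels, nat_pairs, "same-security-traffic permit inter-interface" in config

def audit(config, flows):
    """flows: (lan_nameif, isp_nameif) pairs that should reach the internet."""
    levels, nat_pairs, permit = parse_asa(config)
    findings = []
    for lan, isp in flows:
        if levels.get(lan) == levels.get(isp) and not permit:
            findings.append(f"{lan} -> {isp}: equal security-level {levels.get(lan)}")
        if not {(lan, isp), ("any", isp)} & nat_pairs:
            findings.append(f"{lan} -> {isp}: no nat ({lan},{isp}) rule")
    return findings

# Constructed sample mirroring the posted interface layout (not the real config).
BROKEN = """\
interface Ethernet0/0
 nameif Staff-ISP-Interface
 security-level 50
interface Ethernet0/1
 nameif Staff-Network-Interface
 security-level 50
interface Ethernet0/2
 nameif Guest-ISP-Interface
 security-level 16
interface Ethernet0/3.16
 nameif Guest-Network-Interface
 security-level 16
"""
# Assumed fix (constructed): ISP sides at level 0, one dynamic PAT rule per LAN.
FIXED = re.sub(r"(ISP-Interface\n security-level) \d+", r"\1 0", BROKEN) + """\
object network Staff_Network
 nat (Staff-Network-Interface,Staff-ISP-Interface) dynamic interface
object network Guest_Network
 nat (Guest-Network-Interface,Guest-ISP-Interface) dynamic interface
"""
FLOWS = [(f"{n}-Network-Interface", f"{n}-ISP-Interface") for n in ("Staff", "Guest")]
```

`audit(BROKEN, FLOWS)` returns four findings (equal level and missing NAT for each LAN); `audit(FIXED, FLOWS)` returns an empty list.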