kubaff (Member, join:2007-06-14, kenya)

[Config] ASA5505 setup

The ASAs are a real pain when it comes to setup. It seems quite easy, but as far as getting the traffic out, it really acts up!!

I'm connecting an ASA5505-SEC-BUN-K9 to a 2801 router (straight cable from port 0 on the ASA to the 2801's FE0/0). I can connect to the ASA from my laptop but can't get the traffic out. Am I missing something? I can get traffic to the internet when I plug the router directly into a switch.

Configs below:

ASA5505

ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 41.X.X.173 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list ACCESS-INTERNET extended permit ip 192.168.0.0 255.255.0.0 any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
route outside 0.0.0.0 0.0.0.0 41.X.X.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:90911587d02812bd3c51658f4a133116
: end

cisco2801

2801-out-of-box#sh run
Building configuration...

Current configuration : 7255 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2801-out-of-box
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-11.T.bin
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip domain name mfios.com
ip name-server 196.x.x.x
ip name-server 196.x.x.x
!
multilink bundle-name authenticated
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 41.x.x.169 255.255.255.248 secondary
ip address 192.168.0.1 255.255.255.0
ip access-group netbios in
ip access-group netbios out
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
ip address 41.x.x.42 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface FastEthernet0/1/4
!
interface FastEthernet0/1/5
!
interface FastEthernet0/1/6
!
interface FastEthernet0/1/7
!
interface FastEthernet0/1/8
!
interface Serial0/2/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/2/1
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
no ip address
!
ip default-gateway 192.168.4.245
ip route 0.0.0.0 0.0.0.0 41.x.x.41
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 102 interface FastEthernet0/1 overload
!
ip access-list extended netbios
deny tcp any any eq 135
deny tcp any any eq 137
deny udp any any eq netbios-ss
deny tcp any any eq 139
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 135
deny tcp any any eq 136
deny udp any any eq 136
deny udp any any eq netbios-ns
deny tcp any any eq 138
deny udp any any eq netbios-dgm
permit ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
snmp-server community public RO
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 102 in
privilege level 15
password cisco
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
kubaff (Member)

I've permitted ICMP and TCP traffic and still no success.

access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any

global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
access-group INBOUND in interface outside
kubaff (Member)

I can now ping from the ASA to the internet but not from the laptop! Any thoughts? I feel like I'm almost there.
elnino (Member, join:2006-08-27, Akron, OH)

First, change your ASA nat line to this instead:

nat (inside) 1 192.168.1.0 255.255.255.0

It will make things less confusing. Second, set your DHCP scope on the ASA to include DNS servers.

dhcpd dns x.x.x.x y.y.y.y interface inside (replace with your DNS server, like 4.2.2.2 or others)

Release and renew your IP and see if that helps.

kubaff (Member)

I can ping out to the internet but can't load pages in the browser. I've double-checked my ACL but I don't see any missing line configs.

Current config:

:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 196.x.x.x
name-server 196.x.x.x
domain-name default.domain.invalid
access-list ACCESS-INTERNET extended permit ip 192.168.0.0 255.255.0.0 any
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any
access-list INBOUND extended permit 23 any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8bb42d7031bfedec2c15b88483a607c0
: end
ciscoasa#
elnino (Member, join:2006-08-27, Akron, OH)

said by kubaff:

I can ping out to the internet but can't load pages in the browser. I've double-checked my ACL but I don't see any missing line configs.

Looks like we posted at about the same time. Try adding the couple of lines I posted before to see if that works. Also, you don't need the INBOUND access-list.
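As an added example (not code from the thread or from either poster): a small Python linter that checks an ASA config text for the three points raised in elnino's two replies, namely a NAT statement keyed on an ACL instead of a plain subnet, a DHCP scope with no dhcpd dns line, and an INBOUND list applied on the outside interface. The sample config is constructed from the relevant lines of the first ASA config above, before the suggested changes were applied.

```python
import re

# Constructed sample: the lines that matter from the thread's first ASA 7.2(4)
# config, before elnino's suggested changes were applied.
SAMPLE_ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list ACCESS-INTERNET extended permit ip 192.168.0.0 255.255.0.0 any
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any
global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
access-group INBOUND in interface outside
dhcpd address 192.168.1.2-192.168.1.254 inside
"""


def lint_asa_config(config):
    """Return a list of findings for the three issues discussed in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # 1. Policy NAT keyed on an ACL. The thread's advice is a plain subnet
    #    ('nat (inside) 1 192.168.1.0 255.255.255.0'), which is easier to reason about.
    for ln in lines:
        m = re.match(r"nat \((\S+)\) \d+ access-list (\S+)", ln)
        if m:
            findings.append("nat (%s) keys on ACL %s; use a plain subnet instead" % m.groups())

    # 2. A DHCP scope handed out with no resolver: pings work, browser names do not.
    has_scope = any(ln.startswith("dhcpd address") for ln in lines)
    has_dns = any(ln.startswith("dhcpd dns") for ln in lines)
    if has_scope and not has_dns:
        findings.append("dhcpd scope has no 'dhcpd dns' line; clients get no DNS server")

    # 3. An ACL applied inbound on outside that permits ip/tcp any->any. The
    #    stateful engine already admits return traffic, so this list is not needed
    #    for outbound browsing and only widens what outside may initiate.
    for ln in lines:
        m = re.match(r"access-group (\S+) in interface outside", ln)
        if not m:
            continue
        acl = m.group(1)
        pat = re.compile(r"access-list %s extended permit (ip|tcp) any any" % re.escape(acl))
        for entry in lines:
            hit = pat.match(entry)
            if hit:
                findings.append("ACL %s on outside permits %s any any inbound" % (acl, hit.group(1)))
    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_ASA_CONFIG):
        print("-", finding)
```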
kubaff (Member)

Thanks Elnino. I'm offsite but I shall try and advise.
kubaff (Member)

We have lift off!

Thanks Elnino. I'm going to toss out the ASA startup guide!!