[Config] ASA5505 setup

The ASAs are a real pain when it comes to setup. It seems quite easy, but as far as getting the traffic out, it really acts up!!
I'm connecting an ASA5505-SEC-BUN-K9 to a 2801 router (straight cable from port 0 on the ASA to FE0/0 on the 2801). I can connect to the ASA from my laptop but can't get the traffic out. Am I missing something? I can get traffic to the internet when I plug the router directly into a switch.
Configs below.

ASA5505
ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 41.X.X.173 255.255.255.248
!
interface Vlan3
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list ACCESS-INTERNET extended permit ip 192.168.0.0 255.255.0.0 any log
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
route outside 0.0.0.0 0.0.0.0 41.X.X.169 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:90911587d02812bd3c51658f4a133116
: end
cisco2801
2801-out-of-box#sh run
Building configuration...

Current configuration : 7255 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2801-out-of-box
!
boot-start-marker
boot system flash c2801-advipservicesk9-mz.124-11.T.bin
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
ip domain name mfios.com
ip name-server 196.x.x.x
ip name-server 196.x.x.x
!
multilink bundle-name authenticated
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 41.x.x.169 255.255.255.248 secondary
 ip address 192.168.0.1 255.255.255.0
 ip access-group netbios in
 ip access-group netbios out
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 41.x.x.42 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface FastEthernet0/1/4
!
interface FastEthernet0/1/5
!
interface FastEthernet0/1/6
!
interface FastEthernet0/1/7
!
interface FastEthernet0/1/8
!
interface Serial0/2/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/2/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Vlan1
 no ip address
!
ip default-gateway 192.168.4.245
ip route 0.0.0.0 0.0.0.0 41.x.x.41
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 102 interface FastEthernet0/1 overload
!
ip access-list extended netbios
 deny tcp any any eq 135
 deny tcp any any eq 137
 deny udp any any eq netbios-ss
 deny tcp any any eq 139
 deny tcp any any eq 445
 deny udp any any eq 445
 deny udp any any eq 135
 deny tcp any any eq 136
 deny udp any any eq 136
 deny udp any any eq netbios-ns
 deny tcp any any eq 138
 deny udp any any eq netbios-dgm
 permit ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
snmp-server community public RO
!
control-plane
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 102 in
 privilege level 15
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
I've permitted ICMP and TCP traffic and still no success.

access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any
global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
access-group INBOUND in interface outside
I can now ping from the ASA to the internet but not from the laptop! Any thoughts? I feel like I'm almost there.
elnino join:2006-08-27 Akron, OH

First, change your ASA nat line to this instead:

nat (inside) 1 192.168.1.0 255.255.255.0

It will make things less confusing. Second, set your DHCP scope on the ASA to include DNS servers.

dhcpd dns x.x.x.x y.y.y.y interface inside

(replace with your DNS server, like 4.2.2.2 or others)

Release and renew your IP and see if that helps.
I can ping out to the internet but can't load pages in the browser. I've double checked my ACL but I don't see any missing line configs.

Current config:

: ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
!
interface Vlan3
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 196.x.x.x
 name-server 196.x.x.x
 domain-name default.domain.invalid
access-list ACCESS-INTERNET extended permit ip 192.168.0.0 255.255.0.0 any
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any
access-list INBOUND extended permit 23 any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.100.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.254 inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8bb42d7031bfedec2c15b88483a607c0
: end
ciscoasa#
elnino join:2006-08-27 Akron, OH

said by kubaff: "I can ping out to the internet but can't load pages in the browser. I've double checked my ACL but I don't see any missing line configs."

Looks like we posted at about the same time. Try adding the couple of lines I posted before to see if that works. Also, you don't need the INBOUND access-list.
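As an added illustration (not code from the thread or either poster), a small Python lint that checks a pasted ASA 7.2 config for the three points elnino raises across both replies: the nat statement keyed on an ACL, the INBOUND access-group on the outside interface, and a dhcpd scope that hands out no DNS servers. The sample is a constructed excerpt modelled on kubaff's first posted config; the function and pattern names are my own.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA 7.2(4) config posted above; not the full output.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list ACCESS-INTERNET extended permit ip 192.168.0.0 255.255.0.0 any
access-list INBOUND extended permit icmp any any
access-list INBOUND extended permit tcp any any
global (outside) 1 interface
nat (inside) 1 access-list ACCESS-INTERNET
access-group INBOUND in interface outside
dhcpd address 192.168.1.2-192.168.1.254 inside
"""

ACL_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) (.*)")
NAT_RE = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface outside")
INSIDE_RE = re.compile(r"nameif inside\n(?: .*\n)*? ip address (\S+) (\S+)")

def lint_asa(config):
    """Return the findings discussed in this thread as a list of strings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # ACL entries grouped by name: (action, protocol, rest of line).
    acls = {}
    for m in filter(None, map(ACL_RE.match, lines)):
        acls.setdefault(m[1], []).append(m.groups()[1:])
    # Inside subnet, from the 'ip address' line under 'nameif inside'.
    m = INSIDE_RE.search(config)
    net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False) if m else None
    inside_net = f"{net.network_address} {net.netmask}" if net else "<inside-net> <mask>"
    findings = []
    for l in lines:
        # 1. Policy NAT keyed on an ACL; the thread's first fix is a plain subnet.
        if m := NAT_RE.match(l):
            findings.append(f"nat ({m[1]}) {m[2]} uses ACL {m[3]}; "
                            f"use 'nat ({m[1]}) {m[2]} {inside_net}' instead")
        # 2. Inbound ACL on outside permitting any->any; not needed to browse out.
        if m := GROUP_RE.match(l):
            for action, proto, rest in acls.get(m[1], []):
                if action == "permit" and rest == "any any":
                    findings.append(f"ACL {m[1]} permits {proto} any any inbound "
                                    "on outside; remove it")
    # 3. DHCP scope handing out no DNS: ping by IP works but browsing does not.
    if any(l.startswith("dhcpd address") for l in lines) and \
            not any(l.startswith("dhcpd dns") for l in lines):
        findings.append("dhcpd scope sets no 'dhcpd dns ... interface inside'")
    return findings
```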
Thanks Elnino. I'm offsite, but I shall try and advise.
We have lift off!
Thanks Elnino. I'm going to toss out the ASA startup guide!!