topic Hi , You need to request in Network Security

internet access issue asa5505 security plus

informaticien9 — Tue, 12 Mar 2019 04:40:26 GMT

Hi All,

I'm new in configuration Cisco firewall.and I can't get internet access on the inside LAN.

Architecture :

Router ISP (local IP : 192.168.1.1 / IP fixe : 81.xx.xx.xx)--->ASA5505 Security plus--->VLAN1 (inside : 10.10.10.1 / VLAN 2 Outside : I puted IP fixe of ISP router :81.xx.xx.xx)

so I have created two VLAN : VLAN 1--->inside and VLAN 2 (outside)

when I use DHCP on the outside interface , I can get internet on the computer connected to ETH0/1 but when I use IP fixe : 81.xx.xx.xx , I can't get the internet .

PS : I put ISP DNS on the ASA ( 62.251.229.237 62.251.229.223 )

my client computer has automatically : IP Address : 10.10.10.10 netmask : 255.255.255.0 Gateway : 10.10.10.1 (ASA) ,DNS1:62.251.229.237 DNS2 :62).251.229.223

I can't ping from the computer connected to ETH 0/1 : IP fixe (81.xx.xx.xx) ,8.8.8.8 (google) and I can't browse the internet

hereafter my configuration if you can please take a look at this and help me to solve this issue , thanks in advance:

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 81.xx.xx.xx 255.0.0.0
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 62.251.229.237 62.251.229.223
dhcpd auto_config outside
!
dhcpd address 10.10.10.10-10.10.10.20 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username mysuername password mypassword encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:76bb15d8918d0e91f499c0ae2754eea8
: end
no asdm history enable

Hi ,Check your sub-net mask

SANTHOSHKUMAR SARAVANAN — Mon, 25 Aug 2014 13:44:27 GMT

Hi ,

Check your sub-net mask for outside VLAN/outside sub-net , it cant be 255.0.0.0

ip address 81.xx.xx.xx 255.0.0.0

HTH

Sandy

Hi Sandy,First of all ,

informaticien9 — Mon, 25 Aug 2014 13:52:37 GMT

Hi Sandy,

First of all , thanks for your hepl appreciated,

For information , I got automatically this sub-net from the my ISP router , please see the attached file and let me know please what can i edit

thanks again

Best Regards,

Hi , Where you are

SANTHOSHKUMAR SARAVANAN — Mon, 25 Aug 2014 14:13:34 GMT

Hi ,

Where you are configuring PPOE on router ?? or your ASA . How is your internet router is connected to service provider ??

Can you share me your internet router config .when you connect laptop directly to your internet router what is the ip address getting assigned to the laptop/ you assign IP address statically to your laptop ??

HTH

Sandy

Hi Sandy, PPPOE is configured

informaticien9 — Mon, 25 Aug 2014 14:24:42 GMT

Hi Sandy,

PPPOE is configured automatically on the internet router when I purshased a fixed IP address (81.xxx.xxx.17) as shown on my last file sent.when I connect my laptop directly to my internet router , the IP address is assigned automatically by DHCP of the internet router : Address ip :192.168.1.10 netmask : 255.255.255.0 ,Gatway : 192.168.1.1 (IP of my internet router) , DNS: 192.168.1.1 WINS : 192.168.1.1

thanks

Hi , You cant Purchase single

SANTHOSHKUMAR SARAVANAN — Mon, 25 Aug 2014 14:51:32 GMT

Hi ,

You cant Purchase single public IP address from your Internet service provider , it must be block IP address like x.x.x.x/30 or x.x.x.x/29

Once you gain block of IP address , you need to assign one IP address on your router LAN interface and another IP address for your connected host ( in our scenario its ASA ) . Both should be on same LAN segment , Default route for your connected host must be IP address assigned on to router LAN interface.

On your topology , router LAN interface IP address is assigned with 192.168.1.1 subnet and it release IP address for connected host from same subnet , But you have connected your ASA to same interface and have you configured Public IP address (81.xx.xx.xx 255.0.0.0) where there wont be any network connectivity . Presently from your connectvity from your ASA you cant ping to router LAN interface .

Let me if you need any support

HTH

Sandy

Hi Sandy,Thanks for your

informaticien9 — Mon, 25 Aug 2014 15:05:12 GMT

Hi Sandy,

Thanks for your explanation , I appreciate it very much.

However I don't know unfortunatly how to solve my issue if you can help more please

For information when I use dhcp on ETH 0/0 , I can access well to internet on my inside hosts :

ciscoasa(configif)#interface vlan 2
ciscoasa(configif)#nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(configif)#ip address dhcp

Why I want to use the single public IP address ? because I'll need it to setup up VPN remote access .

so I should find the solution to use a single public IP Address on outside interface (eth0/0) on ASA5505.

I think my router is configured with bridge mode

LAN bridge: 192.168.1.1 - 255.255.255.0

WAN Bridge : 81.xx.xx.17 255.0.0.0 - Gatway 41.140.0.1( I see it"s dynamic gatway,and it change)

can you please tell me what can i do to access internet on inside LAN using IP public on outside interface ?

Thanks again for your time and support

Hi , You need to request

SANTHOSHKUMAR SARAVANAN — Mon, 25 Aug 2014 15:54:04 GMT

Hi ,

You need to request additional IP address from your service provider , or if your WAN IP address of your router is going to constant /permanent for your connection . You can do static NAT for ASA outside IP address on port 443 (SSL VPN ) / ISAKMP (IPSEC VPN)and you can configure for Remote access VPN on your ASA

HTH

Sandy

Kindly rate for helpful post