ASA Version 8.2(5)

Hello guys,

I can't get internet working with my actual configuration. Could you please help?

Below you can see the actual config and created routes.

show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.xxx.xxx.122 255.255.255.252
!
ftp mode passive
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 193.xxx.xxx.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0d8c9f4ffdcadbd6f39a772ba201d7ff
: end

show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 193.xxx.xxx.121 to network 0.0.0.0

C    193.xxx.xxx.120 255.255.255.252 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 193.xxx.xxx.121, outside

Any ideas?

7 Replies

Jouni Forss
VIP Alumni

Hi,

Issue the following command to determine if the ASA can use ARP to determine the MAC address of the next hop (default gateway):

show arp

If there is information in the ARP table related to the gateway IP address then that should be fine.

Route seems fine and NAT configurations seem fine.

What are you testing with? ICMP/PING? If so then please add the following

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

Seems to me that you have not configured DNS either on your DHCP configuration.

Either add your ISP DNS servers or some public DNS servers:

dhcpd dns 8.8.8.8

Hope this helps

- Jouni

Hello, thank you for your reply.

Please see enclosed the updated config with the updated DNS settings, and the show arp result.

There is no information regarding the ISP gateway in ARP.

ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 193.xxx.xxx.121 ISPGateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.xxx.xxx.122 255.255.255.252
!
ftp mode passive
access-list inside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit ip interface inside interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISPGateway 1
route outside 193.xxx.xxx.120 255.255.255.252 ISPGateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 193.226.128.1 193.226.128.129 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 60 interface inside
dhcpd enable inside
!
dhcpd dns 193.226.128.1 193.226.128.129 interface outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:03054d0cdf53a469fc15cea47e2131ee
: end

ciscoasa# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is ISPGateway to network 0.0.0.0

C    193.xxx.xxx.120 255.255.255.252 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via ISPGateway, outside

ciscoasa# show arp
        inside 192.168.1.5 001e.ec22.dbb2 27
ciscoasa#

Jouni Forss
VIP Alumni

Hi,

If there is no ARP shown on the external interface then there is clearly something wrong with the connection towards the ISP.

First you should naturally check that your end is fine, that is, that the physical port to which you connect the ISP device is up.

You should probably contact the ISP to both have them check the connection and also to confirm that your configuration for your ASA's external interface is correct.

- Jouni

ISP configs are definitely good because they work fine on a Linksys router.

Interfaces are up and switchport access is assigned to the respective VLANs, as you can see below:

show int ip br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      193.xxx.xxx.122 YES CONFIG up                    up
Virtual0                   127.0.0.1       YES unset  up                    up

interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 193.xxx.xxx.122 255.255.255.252

Jouni Forss
VIP Alumni

Hi,

Are you sure there is no error in the public IP address of the ASA external interface?

If not, then I guess we should consider the possibility that there is a problem with ARP?

I guess you could always try checking the MAC address that the Linksys device has on its external interface and configure this MAC address on the external Vlan interface of the ASA.

I guess if you can't get it through the actual GUI / CLI of the Linksys device then you could simply add a host to the external port with the link network configuration and check the ARP on your host to determine the MAC address visible from the Linksys device.

interface Vlan2
 mac-address aaaa.bbbb.cccc

This would mean that there would be no change towards the ISP with regards to the ARP.

ARP is sometimes a problem when you replace a device with another while the IP addresses used are the same and the other routers in the network don't get the IP/MAC pair in their ARP table.

I am not sure what else could be the problem since there are not many things required in your configuration for the ASA to see the gateway in ARP.

  • Vlan interface configured with nameif/ip address
  • Physical port assigned to the correct Vlan
  • Physical port connected to the external connection
  • Generate traffic to the gateway address in the connected network of the external interface

- Jouni

I connected the ASA behind a router and configured it with DHCP outside -> works perfectly. Changed the configuration to fixed IP and connected it directly to the ISP cable -> not working. The ISP says it's not storing MAC addresses (which I actually checked by configuring and connecting 2 different routers -> works fine). I even changed the firmware on the ASA (upgraded and downgraded it)... no connection.

Thank you anyway for your help, I'll update the thread in case I come up with a solution.

Best regards,

Ionut

Ok,

I really can't see problems with the interface and NAT configurations on the ASA that you posted earlier.

What I am now wondering is what the purpose of this "route" command is:

route outside 193.xxx.xxx.120 255.255.255.252 ISPGateway 1

Is it a route for the same network as the connected network on your external interface?

Even though your routing table naturally shows the connected network, this "route" command still doesn't make sense.

So you are saying that you have connected 2 different devices with the same static public subnet configured on the external interface and it has worked without a problem? If so I can't really say what's happening with the ASA.

- Jouni
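The checks Jouni walks through in this thread (is the default gateway inside the outside interface's connected subnet, does `show arp` list the gateway, and why is there a static route for the already-connected /30) can be run mechanically against a pasted config. The script below is an added example, not code from the thread; it parses a constructed config modelled on the poster's second one, with the masked "xxx" octets replaced by 0 so the addresses parse, and reports each of those findings.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's second config; the masked
# "xxx" octets are replaced with 0 so the addresses parse.
CONFIG = """\
name 193.0.0.121 ISPGateway
interface Vlan2
 nameif outside
 ip address 193.0.0.122 255.255.255.252
route outside 0.0.0.0 0.0.0.0 ISPGateway 1
route outside 193.0.0.120 255.255.255.252 ISPGateway 1
"""
# Constructed 'show arp' output: only the inside host, as in the thread.
SHOW_ARP = "        inside 192.168.1.5 001e.ec22.dbb2 27\n"

ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})", re.M)

def parse_config(text):
    """Return ({nameif: IPv4Interface}, [(iface, net, mask, next_hop_ip)])."""
    names, ifaces, routes, nameif = {}, {}, [], None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"name (\S+) (\S+)$", s):
            names[m[2]] = m[1]                       # 'names' alias -> IP
        elif m := re.match(r"nameif (\S+)$", s):
            nameif = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", s):
            ifaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+) \d+$", s):
            routes.append((m[1], m[2], m[3], names.get(m[4], m[4])))
    return ifaces, routes

def check_outside(ifaces, routes, arp_text):
    """Reproduce the checks from the thread; return a list of findings."""
    findings, outside, gw = [], ifaces["outside"], None
    for _iface, net, mask, nh in routes:
        nh_ip = ipaddress.ip_address(nh)
        prefix = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if net == "0.0.0.0":
            gw = nh_ip
            if nh_ip not in outside.network:         # Jouni's IP-typo question
                findings.append(f"gateway {nh} not in outside subnet {outside.network}")
        elif prefix == outside.network:              # the puzzling extra route
            findings.append(f"static route {prefix} duplicates the connected outside network")
    arp_ips = {m[2] for m in ARP_RE.finditer(arp_text)}  # 'show arp' must list the gateway
    if gw is not None and str(gw) not in arp_ips:
        findings.append(f"no ARP entry for gateway {gw}: next hop is unreachable at layer 2")
    return findings
```

Against the constructed sample it reports the redundant /30 route and the missing gateway ARP entry, and stays silent on the gateway address itself, which is what the thread arrived at as well.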
