ASA5520 config assistance

saidfrh18
Level 1

Hi, 1) The following config on an ASA5520 doesn't work: unable to provide Internet access for inside hosts. 2) How to upgrade the version to 7.2? See sh flash. Kindly advise.

Topology: Comcast/Xfinity > cable modem > int 0 ASA5520 int 1 > dumb switch.

Thanks in advance.

ciscoasa> en
Password: *******
ciscoasa# sh flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 5474304    Jan 01 2003 00:04:50 asa706-k8.bin
  7 5823980    Jul 07 2007 00:16:32 asdm506.bin
 10 8312832    Jul 20 2007 06:53:16 asa722-k8.bin
 11 5623108    Jul 20 2007 06:59:44 asdm-522.bin

230121472 bytes available (25305088 bytes used)

ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password zN4MekdmaxjRpJL9 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd zN4MekdmaxjRpJL9 encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username said password XYjSJ3a.RNYXN3xw encrypted
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.3-192.168.20.18 inside
dhcpd dns 1.1.1.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config outside
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:fd2906823d92bc8cb385c3ecff36a641
: end
ciscoasa#

Marvin Rhoads
Hall of Fame

There's no NAT configuration. You need that to change the 192.168.20.0/24 hosts' addresses to a public IP (e.g. the outside interface address you get via DHCP).

nat (inside) 1 0 0 
global (outside) 1 interface

To change the image to boot 7.2(2) instead of 7.0(6) you would add a boot variable line.

boot system disk0:/asa722-k8.bin

Marvin Rhoads, thanks for the answer. Currently a Motorola Surfboard cable connects to the ISP and the Ethernet interface on the Surfboard generates a private IP address that connects to the home WiFi. I want to replace the home WiFi with the ASA5520. Regards. The home WiFi is configured to receive an IP address from the Surfboard. Thanks for the command to update the IOS.

Marvin, the current config is not working: hosts on the inside of the firewall can't access the Internet. Any suggestions other than NAT? The IOS version was updated; thanks again.

Are the inside hosts all in the 192.168.20.0/24 subnet?

Try running packet-tracer on the ASA to check the logic. Something like:

packet-tracer input inside tcp 192.168.20.100 1025 8.8.8.8 80

That will simulate a client PC trying to access an external web site.

Marvin, the following is the output of the packet-tracer command.

ciscoasa> en
Password: *******
ciscoasa# packet-tracer input inside tcp 192.168.20.100 1025 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ciscoasa#

Marvin, the inside hosts are in the 192.168.20.0/24 subnet.

Regards.

The packet-tracer highlights at least one issue that will cause it to fail. You've set the default route to point to the inside:

route inside 0.0.0.0 0.0.0.0 192.168.20.1 

You should remove that line; this allows the gi0/0 configuration to install the default route, as it will with the following command you already have:

ip address dhcp setroute

 (corrected reply - 06-04-2018)
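An added configuration-audit script (written for this thread, not a Cisco tool and not the poster's or Marvin's code) that encodes the two checks Marvin's replies make against the posted running-config: the missing pre-8.3 nat/global pair, and the static default route pointing out the inside interface at the ASA's own address. The sample config strings are constructed from the lines quoted in the thread.

```python
import re
# Constructed sample: the lines of the poster's ASA 7.0(6) running-config that the checks use.
BROKEN_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
!
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
"""

# Same config with both fixes from the replies applied: static default route gone, nat/global added.
FIXED_CONFIG = (BROKEN_CONFIG.replace("route inside 0.0.0.0 0.0.0.0 192.168.20.1 1\n", "")
                + "nat (inside) 1 0 0\nglobal (outside) 1 interface\n")

def parse_interfaces(config):
    """Map each nameif to its physical interface and the arguments of its 'ip address' line."""
    named, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = {"iface": line.split()[1], "ip": ""}
        elif cur is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] == "nameif":
                named[parts[1]] = cur
            elif parts[:2] == ["ip", "address"]:
                cur["ip"] = " ".join(parts[2:])
        else:
            cur = None  # '!' or a global statement ends the interface block
    return named

def audit(config):
    """Return one finding per problem the thread identified: missing NAT, wrong default route."""
    findings = []
    ifaces = parse_interfaces(config)
    # Pre-8.3 NAT: inside hosts need a 'nat (inside)' rule paired with a 'global (outside)' pool.
    if not (re.search(r"^nat \(inside\) \d+", config, re.M)
            and re.search(r"^global \(outside\) \d+", config, re.M)):
        findings.append("no NAT: add 'nat (inside) 1 0 0' and 'global (outside) 1 interface'")
    # A static default route out a non-outside interface, or with the ASA's own address as next
    # hop, conflicts with the default route that 'ip address dhcp setroute' on outside would install.
    for m in re.finditer(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M):
        name, nexthop = m.groups()
        own_ip = ifaces.get(name, {}).get("ip", "").split(" ")[0]
        if name != "outside" or nexthop == own_ip:
            findings.append(f"default route via '{name}' next hop {nexthop}: remove it so "
                            "'ip address dhcp setroute' on outside installs the default route")
    return findings
```

Running audit() over the broken config reports both problems; over the fixed config it reports none.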

On g0/0, no ip address dhcp setroute. Hosts on 0/1 can't access the Internet.

ciscoasa(config)# int g0/0
ciscoasa(config-if)# no ip address dhcp setroute

Kindly advise.


Hosts unable to access the Internet.

interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0

Note I corrected my earlier reply. Please try that updated guidance.

If it still doesn't work, please re-run the packet-tracer and share the output.

Removed: route inside 0 0 192.168.20.1

ciscoasa# packet-tracer input inside tcp 192.168.20.100 1025 8.8.8.8 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Is your outside interface up and has it received an address (along with a default gateway) via DHCP?

ciscoasa> en
Password: *******
ciscoasa# sh int g0/0
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
MAC address 001b.d46e.33aa, MTU 1500
IP address unassigned
8 packets input, 512 bytes, 0 no buffer
Received 8 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
32 packets output, 19008 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (2/0) software (0/0)
output queue (curr/max blocks): hardware (0/1) software (0/0)
Traffic Statistics for "outside":
8 packets input, 368 bytes
32 packets output, 18432 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 1 bytes/sec
1 minute output rate 0 pkts/sec, 96 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa# sh int g1/0
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa# sh int g0/1
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
MAC address 001b.d46e.33ab, MTU 1500
IP address 192.168.20.1, subnet mask 255.255.255.0
299 packets input, 19700 bytes, 0 no buffer
Received 299 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
0 late collisions, 0 deferred
input queue (curr/max blocks): hardware (8/0) software (0/0)
output queue (curr/max blocks): hardware (0/0) software (0/0)
Traffic Statistics for "inside":
290 packets input, 13904 bytes
0 packets output, 0 bytes
2 packets dropped
1 minute input rate 1 pkts/sec, 55 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa#