Help with my Cisco ASA 5505 config

DOUGLAS DRURY
Level 1

I've been trying to configure a Cisco ASA 5505 for my home network but I'm not having much joy with it. I've looked at countless guides and tutorials and followed the ASA setup wizard in ASDM. Could someone look at my config and shed some light on where I'm going wrong? Note: the Cisco 1841 is running sub-interfaces for my VLANs.



Below is a sample of how my network connects up

192.168.1.1(Billion router)===192.168.1.2(ASA)192.168.2.1===(Cisco 1841)192.168.2.2  192.168.10.1 192.168.20.1 192.168.30.1

ASA 5505 Config

Bayswater# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname Bayswater
domain-name drury.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 192.168.1.1
domain-name drury.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.2.0 255.255.255.0 echo inside
icmp permit 192.168.10.0 255.255.255.0 echo inside
icmp permit 192.168.20.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
router rip
network 192.168.1.0
network 192.168.2.0
version 1
no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.129 inside
!
username douglas password dFakwzrndCTRqh2t encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a015caed88c20798d3e2b610454a019
: end
Bayswater#

ASA 5505 RIP Routes

Bayswater# sh route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
R    192.168.30.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
R    212.69.47.0 255.255.255.0 [120/1] via 192.168.1.1, 0:00:25, outside
R    192.168.10.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
R    192.168.20.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Bayswater#

Cisco 1841 config

Piccadilly_Circus#sh run
Building configuration...
Current configuration : 4754 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Piccadilly_Circus
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.2.2
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.20.2
ip dhcp excluded-address 192.168.10.4
!
ip dhcp pool vlan-10
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.2.1
!
ip dhcp pool vlan-20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.2.1
!
!
ip domain name vlan.gatway
ip host LG-NAS 192.168.10.4
ip name-server 192.168.2.1
ip name-server 8.8.8.8
ip name-server 212.69.36.3
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-979462596
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-979462596
revocation-check none
rsakeypair TP-self-signed-979462596
!
!
crypto pki certificate chain TP-self-signed-979462596
certificate self-signed 01
        quit
!
!
username douglas privilege 15 secret 5 $1$j8nS$kQ8Bvdlpg8naq8zCS.tCp/
archive
log config
  hidekeys
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-sip-inspect
match protocol sip
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1
description vlan 1$FW_OUTSIDE$
encapsulation dot1Q 1 native
ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/1.10
description vlan 10$FW_INSIDE$
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1.20
description vlan 20$FW_INSIDE$
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/1.30
description vlan 30$ETH-LAN$
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
!
router rip
network 192.168.2.0
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip http server
ip http secure-server
!
snmp-server community PacketTrap RW
!
!
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0
password cisco
login
line vty 1 4
login
line vty 5 9
login
!
scheduler allocate 20000 1000
end

4 Replies

lcambron
Level 3

Douglas,

From your PC can you ping the ASA 192.168.2.1 ?

from the ASA can you ping the gateway 192.168.1.1 ?

from the ASA can you ping 4.2.2.2

We need to know if the problem is between the PCs and the ASA or the ASA and the internet.

Regards,

Felipe.

Hi Felipe

My PC is on subnet 192.168.10.0 and cannot ping 192.168.2.1.

On the ASA I cannot ping 192.168.2.1, and pings to 4.2.2.2 also fail.

However, I connected my laptop to subnet 192.168.2.0 and pings to 192.168.2.1 were successful, but pings to 4.2.2.2 or 8.8.8.8 fail.

Thanks

Douglas

Douglas,

In that case seems like there are many issues.

One thing I noticed on the router is:

interface FastEthernet0/1.1

description vlan 1$FW_OUTSIDE$

interface FastEthernet0/1.10

description vlan 10$FW_INSIDE$

You can't have the same physical port for inside and outside.

Meaning this port can't be connected to the ASA and the PC or switch at the same time.

Try to find out how far the PC can go: whether it can ping the router, and whether the router can ping the ASA.

Then on the ASA you have:

nat (inside) 1 0.0.0.0 0.0.0.0

But there is no global command, you need to add:

global (outside) 1 interface

You should be able to ping 192.168.1.1 from the ASA,

make sure Ethernet0/0 is up.

Regards,

Felipe.
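As an added illustration of the nat/global pairing Felipe points out (example code written for this page, not from the thread or from Cisco), a small Python check over the relevant lines of the ASA 7.2 config above: it reports nat-ids that have no matching global statement and then appends the suggested PAT line. The config excerpt is copied from the post; the helper names are my own.

```python
import re
from typing import List, Tuple

# Relevant lines copied from the ASA 5505 config in the post (pre-8.3 NAT syntax).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
interface Vlan2
 nameif outside
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""

# "nat (<ifname>) <nat-id> ..." and "global (<ifname>) <nat-id> ..."
NAT_RE = re.compile(r"^\s*nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^\s*global \((\S+)\) (\d+) ")


def nat_ids_without_global(config: str) -> List[Tuple[str, int]]:
    """Return (interface, nat-id) pairs whose nat statement has no global.

    In ASA 7.x/8.2 dynamic NAT, 'nat (inside) N ...' only translates traffic
    when some 'global (<egress-if>) N ...' with the same nat-id exists.
    nat-id 0 is NAT exemption/identity and needs no global, so it is skipped.
    """
    nat_ids: List[Tuple[str, int]] = []
    global_ids = set()
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            nat_ids.append((m.group(1), int(m.group(2))))
            continue
        m = GLOBAL_RE.match(line)
        if m:
            global_ids.add(int(m.group(2)))
    return [(ifc, nid) for ifc, nid in nat_ids if nid != 0 and nid not in global_ids]


def add_pat_global(config: str, egress_if: str, nat_id: int) -> str:
    """Append the interface-PAT global line Felipe suggested for nat-id."""
    return config.rstrip("\n") + f"\nglobal ({egress_if}) {nat_id} interface\n"


if __name__ == "__main__":
    print("nat statements without a global:", nat_ids_without_global(ASA_CONFIG))
    fixed = add_pat_global(ASA_CONFIG, "outside", 1)
    print("after adding global (outside) 1 interface:", nat_ids_without_global(fixed))
```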

I can see the confusion. The router (1841) was originally the firewall, but that feature was later disabled by me and I guess the tags or descriptions of the ports are still there. Just to confirm, the router is no longer a firewall and its only function is to route between the VLANs.

Thanks for the suggestions, I'll add the global commands for NAT as soon as I get some free time.

Thanks

Douglas
