05-14-2012 09:00 AM - edited 03-11-2019 04:06 PM
I've been trying to get an ASA 5505 configured correctly to let a laptop on one of the ports successfully browse the web. Afterwards, I'll set up AnyConnect, but that's another story. I previously had a thread where I had lots of help, but unfortunately the end results were still not successful. I decided to redo my config from scratch and have all my information compiled in hopes of getting more help with a simpler post.
Hopefully this is not an overwhelming amount of information. I'm just trying to figure out what I have set wrong. Thanks in advance for any help. It's greatly appreciated.
Background:
IT has provided me with a port with the following information
Static IP address: 99.66.167.69
Default Gateway: 99.66.167.70
Subnet Mask: 255.255.255.248
Primary DNS: A.A.A.A
Secondary DNS: B.B.B.B
I have ethernet going from the above port to the eth0/0 port of the ASA and then another ethernet going from eth0/1 to the laptop. I have the console connection going to a desktop server that is connected to a completely different network (only available machine with console port).
Configuration of ASA:
ciscoasa# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 99.66.167.69 255.255.255.248
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 99.66.167.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
Current Interface Settings
ciscoasa# show int ip br
Interface          IP-Address      OK?  Method  Status                 Protocol
Ethernet0/0        unassigned      YES  unset   up                     up
Ethernet0/1        unassigned      YES  unset   up                     up
Ethernet0/2        unassigned      YES  unset   down                   down
Ethernet0/3        unassigned      YES  unset   down                   down
Ethernet0/4        unassigned      YES  unset   down                   down
Ethernet0/5        unassigned      YES  unset   down                   down
Ethernet0/6        unassigned      YES  unset   administratively down  down
Ethernet0/7        unassigned      YES  unset   administratively down  down
Internal-Data0/0   unassigned      YES  unset   up                     up
Internal-Data0/1   unassigned      YES  unset   up                     up
Vlan1              192.168.1.1     YES  manual  up                     up
Vlan2              99.66.167.69    YES  manual  up                     up
Virtual0           127.0.0.1       YES  unset   up                     up
Laptop Settings:
C:\Users\user>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection 12:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Local Area Connection* 28:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Local Area Connection* 17:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::41ae:ea9e:1bab:71e7%19
Default Gateway . . . . . . . . . :
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::5095:d5d4:ce1d:8514%11
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{D6E5C2D0-8D75-4795-A613-944AF2C74691}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{4FF04642-E278-4F02-AA4C-20FF49FF3400}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ping Results
C:\Users\user>ping 4.2.2.2
Pinging 4.2.2.2 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 4.2.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\user>ping 99.67.167.70
Pinging 99.67.167.70 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 99.67.167.70:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\user>ping 99.67.167.69
Pinging 99.67.167.69 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Ping statistics for 99.67.167.69:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\Users\user>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=255
Reply from 192.168.1.1: bytes=32 time=9ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 2ms
05-14-2012 10:16 AM
Hello Joffroi,
Please add the following:
interface Ethernet0/1
switchport access vlan 1
Also get into vlan 1 and change the mac address
Interface vlan 1
mac-address x.x.x.x (just change the last number)
Then try to ping from the host 4.2.2.2.
05-14-2012 10:44 AM
jcarvaja,
I tried typing switchport access vlan 1 for E0/1 and it doesn't seem to show results after I show run:
ciscoasa# config t
ciscoasa(config)# interface eth0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# end
ciscoasa# show run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
Also, what MAC address value am I supposed to assign to vlan 1?
05-14-2012 10:45 AM
Hello,
Just assign a different one, it does not matter.
Regards,
Julio
05-14-2012 11:12 AM
I changed it to just aaaa.aaaa.aaaa. and then tried to ping 4.2.2.2 from my laptop (192.168.1.3) and still got PING: transmit failed. General failure.
ciscoasa# show inter vlan1
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address aaaa.aaaa.aaaa, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
3396 packets input, 284027 bytes
21 packets output, 1100 bytes
2892 packets dropped
1 minute input rate 1 pkts/sec, 128 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 1 pkts/sec
5 minute input rate 1 pkts/sec, 121 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 1 pkts/sec
Thanks
05-14-2012 11:36 AM
Hello,
Can you check on the switch arp table if he is able to recognize that MAC address.
Regards,
05-14-2012 12:04 PM
I'm not seeing the changed aaaa.aaaa.aaaa....
ciscoasa(config)# inter vlan 1
ciscoasa(config-if)# mac-ad
ciscoasa(config-if)# mac-address aaaa.aaaa.aaaa
ciscoasa(config-if)# end
ciscoasa# show arp
inside 192.168.1.3 f0de.f157.7e00 2565
outside 99.66.167.66 3ce5.a614.e06b 1671
outside 99.66.167.70 0024.c9cf.2c50 11818
05-14-2012 12:12 PM
Your laptop is configured with a 16-bit subnet mask. This needs to be changed to match the 24-bit subnet mask that is on the ASA in order for the two to communicate properly. Everything is set up correctly. If you need to, just set a static IP on your laptop using any address in the 192.168.1.3-254 range, specify the subnet mask as 255.255.255.0 and the default gateway as 192.168.1.1. If you need to specify the DNS servers that your IT dept gave you then go ahead. If you can ping but cannot pull pages, try using 8.8.8.8 or 8.8.4.4 as DNS servers to see if this resolves your issue.
Kind Regards,
Kevin
**Please rate helpful posts and remember to mark the question as answered once your issue is resolved.
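Added example, not part of the original posts: a small Python check that reads the laptop's ipconfig fields and the ASA inside-interface line from the first post and reports the mask mismatch and the missing default gateway described above. The function names and the trimmed sample strings are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the outputs posted in this thread.
IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""
ASA_INSIDE = "ip address 192.168.1.1 255.255.255.0"


def parse_ipconfig(text):
    """Return (IPv4Interface, gateway or None) for one adapter block."""
    def field(label):
        m = re.search(re.escape(label) + r"[ .]*:[ \t]*(\d+(?:\.\d+){3})", text)
        return m.group(1) if m else None
    host = ipaddress.ip_interface(f"{field('IPv4 Address')}/{field('Subnet Mask')}")
    gw = field("Default Gateway")
    return host, (ipaddress.ip_address(gw) if gw else None)


def parse_asa(line):
    """Parse an ASA 'ip address <addr> <mask>' interface line."""
    addr, mask = line.split()[2:4]
    return ipaddress.ip_interface(f"{addr}/{mask}")


def diagnose(host, gateway, asa, target):
    """List what is wrong with the host settings and how it would reach target."""
    findings = []
    if host.network != asa.network:
        findings.append(f"mask mismatch: host {host.network} vs ASA {asa.network}")
    dst = ipaddress.ip_address(target)
    if dst in host.network:
        findings.append(f"{dst}: on-link, host ARPs for it directly")
    elif gateway is None:
        findings.append(f"{dst}: off-link and no default gateway, no route")
    elif gateway != asa.ip:
        findings.append(f"{dst}: gateway {gateway} is not the ASA ({asa.ip})")
    else:
        findings.append(f"{dst}: off-link, forwarded to {gateway}")
    return findings


if __name__ == "__main__":
    host, gw = parse_ipconfig(IPCONFIG)
    for line in diagnose(host, gw, parse_asa(ASA_INSIDE), "4.2.2.2"):
        print(line)
```

With the posted settings, 192.168.1.1 is on-link and 4.2.2.2 has no route, which is the same split the ping results in the first post show.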
05-14-2012 12:47 PM
I followed the instructions you applied and was able to connect to the internet using the DNS address IT provided me! But, I have noticed that the connection is not steady (I was able to load about 2 pages). I was typing how everything was working when I glanced over at my laptop and saw it lost connection again with no changes made.
Any idea?
Edit
It seems that my computer now sees having internet (but nothing functions) for about 10 seconds when I have the vlan1 interface mac-address set at aaaa.aaaa.aaaa and I plug in the ethernet.
If I have vlan 1 with no mac-address... it never gives me any sign that it was working. Do I need to have a "dummy" address associated with the vlan?
05-14-2012 12:52 PM
By 'lost connection' what do you mean?
-Do you mean that the network adapter simply says "disconnected" like there is nothing plugged in?
-Do you mean that you have a "!" next to the adapter that says "limited connectivity" underneath it?
-Do you mean that you can no longer ping the outside world?
-Or you CAN ping but you just cannot pull pages anymore?
Thanks,
Kevin
05-14-2012 01:01 PM
It's still connected, but I'm getting the "No Network access" in the General properties now. All my pings respond with a Request Timed Out.
Thanks
05-14-2012 01:22 PM
Hmmm "no network access" usually means that you have no default gateway configured.
do 'ipconfig /all' again and paste the results please.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-14-2012 01:41 PM
Default gateway appears to be correct. I went ahead and just put the DNS's you suggested for the print out
C:\Users\user>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : user
Primary Dns Suffix . . . . . . . : removed
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : huawei.com
Ethernet adapter Local Area Connection* 28:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Nortel VPN Adapter
Physical Address. . . . . . . . . : 00-FF-D6-E5-C2-D0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection* 17:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Nortel IPSECSHM Adapter
Physical Address. . . . . . . . . : 44-45-53-54-42-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::41ae:ea9e:1bab:71e7%19(Preferred)
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 574899539
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-10-63-AE-F0-DE-F1-48-06-EC
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6200 AGN
Physical Address. . . . . . . . . : 18-3D-A2-3E-81-84
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82577LM Gigabit Network Connection
Physical Address. . . . . . . . . : F0-DE-F1-57-7E-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5095:d5d4:ce1d:8514%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 250666737
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-10-63-AE-F0-DE-F1-48-06-EC
DNS Servers . . . . . . . . . . . : 8.8.8.8
8.8.4.4
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft 6to4 Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{D6E5C2D0-8D75-4795-A613-944AF2C74691}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{14DF9E78-3A5B-4384-BCE7-F47362E18C14}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #8
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{4FF04642-E278-4F02-AA4C-20FF49FF3400}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #9
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\user>
05-14-2012 01:56 PM
Even a ping to 192.168.1.1 fails? Try resetting the adapter... from control panel right-click on the "Local Area Connection" adapter. Choose "disable". Choose "enable". Try pinging the gateway again.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-14-2012 02:23 PM
I reset everything and still same results. I can ping 192.168.1.1 successfully, but that seems to be about it.
Side question: does having my vlan1 mac-address changed to anything generic (aaaa.aaaa.aaaa) matter?