09-09-2011 01:36 AM - edited 03-11-2019 02:22 PM
I just tried to configure my ASA but unable to ping. My setup is as follows:
Cable Modem (DHCP from IPS)---> ASA (192.168.1.1)--->Belking Router (192.168.5.1)--->Switch (192.168.5.14)--->
Can you please look through my config and tell me what I did wrong?
Thanks,
ASA Version 8.2(3)
!
hostname WoodHomeASA-1
domain-name lv.cox.net
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
banner login ** W A R N I N G **
banner login Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login to the fullest extent of the law.
banner login ** W A R N I N G **
boot system disk0:/asa823-k8.bin
boot config disk0:/asa823.bin
ftp mode passive
dns server-group DefaultDNS
domain-name lv.cox.net
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND extended permit tcp any any eq www
pager lines 24
logging console notifications
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-633.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 192.168.1.0 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
enable outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect dns prsent_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:658d8baf4bb5df65563b0cc499a9f287
: end
09-09-2011 01:47 AM
Where are you trying to ping to and from?
Please also add the following:
policy-map global_policy
class inspection_default
inspect icmp
09-09-2011 01:48 AM
Trying to ping the router, I didn't have internet connection when I tried after loading the config.
09-09-2011 01:54 AM
Trying to ping the router from the ASA? or ping the router from your host inside? What ip address of the router are you trying to ping?
I don't see a 192.168.1.x ip address assign to the router, and the "route inside" command on the ASA should be pointing to the router interface in 192.168.1.x subnet.
How many routed interface does your router have? are they all routed port or some are switch ports on the router?
09-09-2011 02:00 AM
Trying to ping from the ASA to the router. The routers IP addess is 192.168.5.1, and 4 switches built in. I don't believe I can modify the router much. I have the router connected to port 1 on the ASA.
09-09-2011 02:05 AM
ok, didn't know that the router has switched ports.
In that case, you would need to configure the router with ip address of 192.168.1.x, instead of 192.168.5.1.
you can remove from the ASA:
no route inside 192.168.5.0 255.255.255.0 192.168.1.1
All other hosts internally should also be in 192.168.1.x subnet.
"clear arp" on the ASA after making the changes. You should be able to ping after that.
09-09-2011 02:24 AM
I can ping, but no internet access. My cable modem is plugged into port 0/0 and the router in plugged into 0/1.
Router !P: 192.168.5.1 ASA IP 192.168.5.99
Current running Config:
ASA Version 8.2(3)
!
hostname WoodHomeASA-1
domain-name lv.cox.net
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.99 255.255.255.0
!
interface Vlan2
nameif outside
security-level 100
ip address dhcp setroute
!
banner login ** W A R N I N G **
banner login Unauthorized access prohibited. All access is
banner login monitored, and trespassers shall be prosecuted
banner login to the fullest extent of the law.
banner login ** W A R N I N G **
banner login
ftp mode passive
dns server-group DefaultDNS
domain-name lv.cox.net
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.5.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:79d729f48498a703ba44115626b86882
: end
09-09-2011 02:33 AM
Are you getting an ip address on the ASA outside interface connected to the cable modem?
Can you ping the internet from the ASA? Try to ping 4.2.2.2 and see if you get any reply.
09-09-2011 02:35 AM
I get a no route to host error.
09-09-2011 02:38 AM
And also, the outside interface should have security-level of 0, not 100.
Can you check if the outside interface is getting an ip address?
"show int" will show you if the outside interface gets any ip address.
Also, "show route" on the ASA.
09-09-2011 02:45 AM
Ethernet Port 0/0 where the internet is plugged into says IP Address Unassinged, and the same for Port 0/1. This is what the vlan's are set as. 0/0 is Vlan2 and 0/0 is Vlan1
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.99 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
09-09-2011 02:55 AM
if there is no ip address assigned on ethernet0/0 which is your outside interface, you wont' have any internet connectivity.
Is your cable modem assigning ip address to the ASA eth0/0 interface?
Try the following re-enable the dhcp setroute command on ASA vlan 2:
interface Vlan2
no ip address dhcp setroute
ip address dhcp setroute
Try to reload the cable modem too and see if you are getting any ip address.
09-09-2011 03:07 AM
getting an ip address, but still says no route to host.
09-09-2011 03:43 AM
Hi,
which gear says that the ASA or router? have you got a default route on router pointing to ASA ?
how is the routing table on ASA? sh route will tell you if you've got a default route
Regards.
Alain.
09-09-2011 10:48 AM
I try to ping from the ASA to the internet, but nothing. I can ping the inside address just fine. I can't configure the router much since it is a belkin, and the "show route" on the ASA is:
192.168.1.0 255.255.255.0 is directly connected, inside
I just seems that the ASA doesn't see the internet when it is connected. Is there some config that I messed up or over looked?
Again here is the running config:
ASA Version 8.2(3)
!
hostname WoodHomeASA-1
domain-name lv.cox.net
enable password DQucN59Njn0OjpJL encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.99 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
dns server-group DefaultDNS
domain-name lv.cox.net
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c7d6b178cee5317035ba8b6dc2af1c2d
: end
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: