
ASA 5505 unable to Ping

woodjl1650
Level 1

I just tried to configure my ASA but am unable to ping. My setup is as follows:

Cable Modem (DHCP from ISP)---> ASA (192.168.1.1)--->Belkin Router (192.168.5.1)--->Switch (192.168.5.14)--->

Can you please look through my config and tell me what I did wrong?

Thanks,

ASA Version 8.2(3)

!

hostname WoodHomeASA-1

domain-name lv.cox.net

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

banner login                ** W A R N I N G **

banner login Unauthorized access prohibited. All access is

banner login monitored, and trespassers shall be prosecuted

banner login to the fullest extent of the law.

banner login                ** W A R N I N G **

boot system disk0:/asa823-k8.bin

boot config disk0:/asa823.bin

ftp mode passive

dns server-group DefaultDNS

domain-name lv.cox.net

object-group icmp-type ICMP-INBOUND

description Permit necessary inbound ICMP traffic

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND

access-list INBOUND extended permit tcp any any eq www

pager lines 24

logging console notifications

logging buffered warnings

logging asdm notifications

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

asdm image disk0:/asdm-633.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group INBOUND in interface outside

route inside 192.168.5.0 255.255.255.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:00:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 192.168.1.0 255.255.255.255 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd dns 8.8.8.8 8.8.4.4 interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1

webvpn

enable outside

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect dns prsent_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:658d8baf4bb5df65563b0cc499a9f287

: end


Jennifer Halim
Cisco Employee

Where are you trying to ping to and from?

Please also add the following:

policy-map global_policy

      class inspection_default

           inspect icmp

Trying to ping the router, I didn't have internet connection when I tried after loading the config.

Trying to ping the router from the ASA? or ping the router from your host inside? What ip address of the router are you trying to ping?

I don't see a 192.168.1.x ip address assigned to the router, and the "route inside" command on the ASA should be pointing to the router interface in 192.168.1.x subnet.

How many routed interfaces does your router have? Are they all routed ports, or are some switch ports on the router?

Trying to ping from the ASA to the router.  The router's IP address is 192.168.5.1, and 4 switches built in.  I don't believe I can modify the router much.  I have the router connected to port 1 on the ASA.

ok, didn't know that the router has switched ports.

In that case, you would need to configure the router with ip address of 192.168.1.x, instead of 192.168.5.1.

you can remove from the ASA:

no route inside 192.168.5.0 255.255.255.0 192.168.1.1

All other hosts internally should also be in 192.168.1.x subnet.

"clear arp" on the ASA after making the changes. You should be able to ping after that.

I can ping, but no internet access.  My cable modem is plugged into port 0/0 and the router is plugged into 0/1.

Router IP: 192.168.5.1  ASA IP 192.168.5.99

Current running Config:

ASA Version 8.2(3)

!

hostname WoodHomeASA-1

domain-name lv.cox.net

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.99 255.255.255.0

!

interface Vlan2

nameif outside

security-level 100

ip address dhcp setroute

!

banner login                ** W A R N I N G **

banner login Unauthorized access prohibited. All access is

banner login monitored, and trespassers shall be prosecuted

banner login to the fullest extent of the law.

banner login                ** W A R N I N G **

banner login

ftp mode passive

dns server-group DefaultDNS

domain-name lv.cox.net

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.5.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.5.0 255.255.255.255 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:79d729f48498a703ba44115626b86882

: end

Are you getting an ip address on the ASA outside interface connected to the cable modem?

Can you ping the internet from the ASA? Try to ping 4.2.2.2 and see if you get any reply.

I get a no route to host error.

And also, the outside interface should have security-level of 0, not 100.

Can you check if the outside interface is getting an ip address?

"show int" will show you if the outside interface gets any ip address.

Also, "show route" on the ASA.

Ethernet Port 0/0 where the internet is plugged into says IP Address Unassigned, and the same for Port 0/1.  This is what the VLANs are set as.  0/0 is Vlan2 and 0/0 is Vlan1

interface Vlan1

nameif inside

security-level 100

ip address 192.168.5.99 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

If there is no ip address assigned on ethernet0/0 which is your outside interface, you won't have any internet connectivity.

Is your cable modem assigning ip address to the ASA eth0/0 interface?

Try the following to re-enable the dhcp setroute command on ASA vlan 2:

interface Vlan2

     no ip address dhcp setroute

     ip address dhcp setroute

Try to reload the cable modem too and see if you are getting any ip address.

getting an ip address, but still says no route to host.

Hi,

Which gear says that, the ASA or the router? Have you got a default route on the router pointing to the ASA?

How is the routing table on the ASA? sh route will tell you if you've got a default route.

Regards.

Alain.

Don't forget to rate helpful posts.

I try to ping from the ASA to the internet, but nothing.  I can ping the inside address just fine.  I can't configure the router much since it is a belkin, and the "show route" on the ASA is:

192.168.1.0 255.255.255.0 is directly connected, inside

It just seems that the ASA doesn't see the internet when it is connected.  Is there some config that I messed up or overlooked?

Again here is the running config:

ASA Version 8.2(3)

!

hostname WoodHomeASA-1

domain-name lv.cox.net

enable password DQucN59Njn0OjpJL encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.99 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

dns server-group DefaultDNS

domain-name lv.cox.net

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.1.0 255.255.255.255 inside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:c7d6b178cee5317035ba8b6dc2af1c2d

: end
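
The three settings the replies in this thread single out (the outside security-level, the next hop of the "route inside" statement, and the missing "inspect icmp") can be checked mechanically before a config is loaded. The Python script below is an added example, not code from any poster or from Cisco; `audit` and `SAMPLE` are hypothetical names, and the sample is constructed from lines of the configs posted above.

```python
import ipaddress

# Constructed sample: the inside address and static route from the first config
# in the thread, with the outside security-level 100 from the second one.
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 100
 ip address dhcp setroute
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
class inspection_default
 inspect ftp
"""

def audit(config):
    """Return findings for the three settings the replies ask to be changed."""
    ifaces, routes, inspects, cur = {}, [], set(), {}
    for raw in config.splitlines():
        w = raw.split()  # indentation is ignored; forum pastes often lose it
        if w[:1] == ["interface"]:
            cur = {"level": None, "net": None}
        elif w[:1] == ["nameif"]:
            ifaces[w[1]] = cur  # later sub-commands update this same dict
        elif w[:1] == ["security-level"]:
            cur["level"] = int(w[1])
        elif w[:2] == ["ip", "address"] and len(w) >= 4 and w[2][0].isdigit():
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")  # skips "dhcp"
        elif w[:1] == ["route"]:
            routes.append((w[1], f"{w[2]} {w[3]}", ipaddress.ip_address(w[4])))
        elif w[:1] == ["inspect"]:
            inspects.add(w[1])
    findings = []
    own = {i["net"].ip for i in ifaces.values() if i["net"]}
    out = ifaces.get("outside")
    if out and out["level"] != 0:
        findings.append(f"outside security-level is {out['level']}, expected 0")
    for ifname, dst, gw in routes:
        net = ifaces.get(ifname, {}).get("net")
        if gw in own:
            findings.append(f"route {dst} via {gw}: next hop is the ASA itself")
        elif net and gw not in net.network:
            findings.append(f"route {dst} via {gw}: next hop is off the {ifname} subnet")
    if "icmp" not in inspects:
        findings.append("no 'inspect icmp' in the policy-map")
    return findings
```
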
