01-10-2011 09:05 AM - edited 03-11-2019 12:33 PM
I have a new 5505 connected to a SF300 Cisco switch and to my SBS 2008 internal server. My server and my PC are configured statically and they were both able to access the internet without issue. When I tried to connect other PCs (same config, W7pro) they would sometimes connect but mostly not connect. Worked with Dell to review server config and all looks okay now but the issue was still occurring. It was recommended that we pull the ASA and install another router for testing.
This was done (cheap router) and all is working fine now. I need to troubleshoot the problem and get it back into place. I suspect the config (ACL or lack thereof) but don't understand why it matters since DHCP is from SBS and turned off on the ASA.
Thanks
01-10-2011 09:16 AM
Hi Jim,
It's hard to say what the problem is without seeing the ASA config, but in general you'll need a few basic items:
1. Interface config:
interface Ethernet0/0
switchport access vlan 10
no shut
interface Ethernet0/1
switchport access vlan 20
no shut
!
interface Vlan10
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
2. NAT config:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
There are 2 other general requirements that you would need: permissions (i.e. access lists) and routes. However, the above config will allow all outbound access by default, and a default gateway should be set by your ISP's DHCP server.
With this basic config, you should be able to get out to the Internet through the ASA. For other issues, we would need to see a sanitized copy of the config and know what the source and destination hosts are.
Hope that helps.
-Mike
01-10-2011 09:35 AM
01-10-2011 09:37 AM
Hi,
Would you please add the following line?
global (outside) 1 interface
Let us know.
Mike
01-10-2011 09:57 AM
Should I replace "global (outside) 1 x.x.x.x-y.y.y.y netmask 255.255.255.248" with that command or in addition to?
01-10-2011 10:03 AM
Hello Jim
Yes, but the problem is that the ASA does not do gratuitous ARP for the NAT addresses; I just want to rule out that this may be a layer 2 problem. Please remove that global command that you have, put in that line, and check if you have internet from the rest of the machines on the inside.
Cheers
Mike
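The following Python script is an added example, not part of the thread and not Cisco code: it pairs `nat` and `global` statements by NAT ID in a pre-8.3 ASA config, notes a `global` that uses an address pool rather than `interface` (the change suggested above), and lists where HTTP/ASDM management access is permitted. The sample config, its 203.0.113.x pool, and the function name `audit` are constructed for illustration; only IPv4 `http` lines are parsed.

```python
import re

# Constructed sample in pre-8.3 ASA syntax; 203.0.113.x is a documentation range.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif outside
interface Vlan20
 nameif inside
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.2-203.0.113.6 netmask 255.255.255.248
http server enable
http 192.168.100.0 255.255.255.0 inside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
HTTP_RE = re.compile(r"^http (\d\S*) (\S+) (\S+)$")  # http <net> <mask> <ifc>

def audit(config: str) -> dict:
    """Pair nat/global statements by NAT ID and list HTTP (ASDM) access rules."""
    nats, globals_, http_access = {}, {}, []
    http_enabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.setdefault(m.group(2), []).append(m.group(1))
        elif m := GLOBAL_RE.match(line):
            kind = "interface-pat" if m.group(3) == "interface" else "pool"
            globals_.setdefault(m.group(2), []).append((m.group(1), kind))
        elif line == "http server enable":
            http_enabled = True
        elif m := HTTP_RE.match(line):
            http_access.append((m.group(3), m.group(1), m.group(2)))
    findings = []
    for nat_id in sorted(nats):
        if nat_id == "0":
            continue  # nat 0 is identity/exemption and needs no global
        if nat_id not in globals_:
            findings.append(f"nat id {nat_id}: no matching global statement")
        for ifc, kind in globals_.get(nat_id, []):
            if kind == "pool":
                findings.append(f"nat id {nat_id}: global ({ifc}) uses an address pool rather than interface PAT")
    for nat_id in sorted(set(globals_) - set(nats)):
        findings.append(f"global id {nat_id}: no matching nat statement")
    return {"nat_findings": findings, "http_enabled": http_enabled, "http_access": http_access}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```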
01-10-2011 10:39 AM
Thanks, will do when able to take net down. Just noticed that my config has http enabled. I'm only doing SBS with email and no web serving. Should I turn it off or is it harmless? Do I need ACLs?
Thanks
01-10-2011 10:41 AM
Hi Jim,
HTTP server is for traffic to the box (to open ASDM); it should not affect any services going across the FW.
Cheers
Mike
01-11-2011 10:23 AM
So just to reiterate, the config looks okay to you and just the one change you recommended should be needed to get it connecting to the desktops?
I will be testing in a while and just want to verify.
Thanks
01-11-2011 07:37 PM
OK, let me know the results!!
Cheers
Mike
01-12-2011 08:58 AM
Swapped the ASA 5505 back in and the issue is resolved. All PCs connect to the internet. Thanks for your help!!