10-18-2011 09:17 AM - edited 03-11-2019 02:39 PM
My ASA5510 is connected to a Time Capsule (Apple router). Its configuration is as follows:
Ethernet0/0 interface Outside with security level 0. It is configured to get its IP address from DHCP. (It gets its IP address from the Time Capsule.)
Ethernet0/1 interface Inside with security level 100. IP address is 192.168.10.1 255.255.255.0. DHCP server is enabled on interface Inside (192.168.10.2-192.168.10.254). I did that so my computer could get its IP address from the ASA instead of the Time Capsule. Also auto-configuration is enabled on interface Outside.
PAT is enabled (use the IP address on the Outside interface).
This is the basic info from the setup wizard. There is no other additional configuration.
The ASA is wired into the Time Capsule on Ethernet0/0 and my PC is connected to Ethernet0/1 of the ASA. My PC gets an IP address (192.168.10.2) from the ASA but is not able to connect to the internet. When I run the Windows TS wizard the message I get is "Windows can not communicate with the device/resource (Primary DNS Server)".
Can anybody tell me what I am doing wrong? I believe I am missing some crucial config setting on the ASA but can't figure it out.
Any kind of help will be highly appreciated.
Regards,
ImranN
10-18-2011 09:59 AM
In your DHCP config are you handing out a valid DNS server?
If it is a DNS server problem, then can you try connecting to a website using an IP address rather than a URL?
Jon
10-18-2011 11:39 AM
Thanks for your help Jon.
I have enabled the DHCP server on interface Inside with the pool (192.168.10.2-192.168.10.254) so my PC could get an IP address from there, and it does. Also I have enabled auto-configuration from interface Outside (this setting is part of the setup wizard). It means the DHCP server should automatically configure DNS, WINS and domain name.
According to the IPv4 settings:
My PC's IP address is 192.168.10.2 (getting it from interface Inside, which is configured as DHCP)
Default gateway is 192.168.10.1 (IP address of interface Inside)
DHCP server is 192.168.10.1 (IP address of interface Inside, where the DHCP server is enabled)
DNS server is 192.168.1.1 (internal IP address of the router, i.e. the Time Capsule)
I can't use an IP address to connect to a web site because my PC is not connecting to the internet. (In Network and Sharing Center I have a red X on internet.) In other words I don't have internet connectivity. It probably means packets are not allowed to leave the ASA. That is probably because of some misconfiguration. The error I get is (Your computer appears to be correctly configured but the device or resource (DNS Server) is not responding).
Btw, the IP subnet on interface Inside is 192.168.10.0 and the IP address the ASA gets from the router is from the subnet 192.168.1.0. On the other hand the management interface has an IP address of 192.168.1.1. Does it make any difference?
Any other suggestion?
Regards,
ImraN
10-18-2011 02:35 PM
Can you post the config of the ASA?
Jon
10-19-2011 07:12 AM
Here is the configuration detail of the ASA5510. I have attached screenshots.
Moreover I have run a ping test from my PC. My PC is connected to interface Inside and interface Outside is connected to the Time Capsule router.
I can ping the interface I am connected to but can't ping the other interface (Outside). It means somehow both interfaces are not communicating.
Regards,
ImraN
10-19-2011 08:29 AM
Hi,
I can ping to the interface I am connected to but can't ping the other interface (Outside).
That's normal, you can't ping the outside interface from inside on the ASA.
In your ACL screenshot you have implicit deny all inbound on outside, but if you want to ping from inside to the router on outside then you must put an explicit rule stating you accept ICMP echo-replies on this interface inbound, or enable ICMP inspection.
I can only give you a CLI config but you can paste it in ASDM:
The most secure way for me is to inspect ICMP, so here it is:
policy-map global_policy
 class inspection_default
  inspect icmp
This way you can ping your router IP address from a PC on inside.
What does a ping to the router WAN address give?
If you connect a PC directly on the router, does it work, and then have you got connectivity with the internet? Is ping 8.8.8.8 successful from the PC?
Could you post a show run from the ASA.
Regards.
Alain.
10-20-2011 03:05 PM
Thank you so much for helping me out Alain.
Here is the show running-config command output on my ASA5510
JASA> en
Password:
JASA# show run
: Saved
:
ASA Version 8.2(5)
!
hostname JASA
enable password y2YjIyt7RRXU24 encrypted
passwd 2KFQnbNI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif JOutside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif JInside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list JOutside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu JOutside 1500
mtu JInside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
nat (JInside) 0 0.0.0.0 0.0.0.0 norandomseq
access-group JOutside_access_in in interface JOutside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config JOutside
dhcpd update dns
!
dhcpd address 192.168.10.2-192.168.10.254 JInside
dhcpd auto_config JOutside interface JInside
dhcpd enable JInside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0504ad33009162ea950248812eba1ffc
: end
JASA#
I changed the network on the router. Now it's using the 172.16.0.0 network instead of 192.168.1.0. After doing that, in ASDM interface Outside now also shows the IP address it's getting from the router, where it was not showing any IP address before (see screenshot). Anyway, nothing else has been changed.
My PC is connected to interface Outside with an Ethernet cable and interface Inside is connected to the router. LAN config of my NIC is:
IP address: 192.168.10.2
Default gateway: 192.168.10.1
DHCP server: 192.168.10.1
DNS server: 172.16.1.1 (internal IP address of the router)
I can't ping the Outside interface of the ASA. Host is unreachable. The traffic from the high security interface to the low security interface is allowed by default. If this is correct then I must have an internet connection. Even though two different networks are set up on the inside and outside interfaces, should the ASA by default not do NAT?
I have internet connected while directly connected to my router.
Regards,
ImraN
10-21-2011 02:08 AM
Hi,
My PC is connected to interface Outside with an Ethernet cable and interface Inside is connected to the router. LAN config of my NIC is:
IP address: 192.168.10.2
Default gateway: 192.168.10.1
DHCP server: 192.168.10.1
DNS server: 172.16.1.1 (internal IP address of the router)
1) PC should be connected to interface INSIDE and router to interface OUTSIDE, and it is, as you have received a DHCP address, so point 1 is ok
2) so to ping your router interface on OUTSIDE or any address on OUTSIDE you must either:
- inspect ICMP as I explained above, and that's the most secure way
- create an ACL permitting ICMP echo-replies from any to your PC and apply it inbound on interface OUTSIDE
this is ok but the way you do it is very insecure.
3) verify you have a default route on the ASA for OUTSIDE pointing to 172.16.1.1 ---> show route
if it is not the case then create one: route outside 0 0 172.16.1.1
4) the router needs a route to the 192.168.10.0/24 network, no need to from 6 output
5) As I said in the previous post, you can't ping the ASA outside interface from inside, so don't worry about this.
6) whether your ASA should be doing NAT or not depends on whether nat-control is enabled or not ---> show run nat-control
if it is enabled then it is mandatory to do NAT for inside to outside communication to work. If that is the case then point 4 is not mandatory anymore.
7) from 6 you must be doing NAT, and this is where there is a problem in your config:
do this:
- no nat (JInside) 0 0.0.0.0 0.0.0.0
- nat(inside) 1 0 0
- global(outside) 1 interface JOutside
As I said above concerning the ACL, when you've verified all is ok then remove it and inspect icmp instead
Let us know.
Regards.
Alain.
11-08-2011 06:38 AM
Thank you Alain for all your help.
I have tried the config you provided but for some reason the CLI does not accept
-global(outside) 1 interface JOutside
So after many fruitless tries, I set the firewall to factory default, connected it directly to the internet connection and configured it. It did work. I will look into other configuration some other time just for my own knowledge. I still greatly appreciate all your help.
11-08-2011 12:59 PM
Hi,
Happy to know it is working now.
But I gave you a wrong command; it should have been
-nat(Jinside) 1 0 0
-global(Joutside) 1 interface
Regards.
Alain.
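Pulling together Alain's 10-19, 10-21 and 11-08 posts, here is the complete set of commands as one added example; it is not from the original thread. It uses the interface names JInside/JOutside, the nat-control setting, the `permit ip any any` inbound ACL and the 172.16.1.1 router address that appear in ImranN's show run, and it assumes the router is still the ASA's DHCP-learned default gateway. The packet-tracer and show commands at the end are an added verification step that the thread does not mention.

```cisco
! Added example (not from the thread): fixing the posted ASA 8.2(5) config.
configure terminal
!
! 1. nat-control is enabled, so inside->outside traffic MUST match a nat/global pair.
!    "nat (JInside) 0 ..." is identity NAT: packets leave with their 192.168.10.x
!    source untouched and the Time Capsule has no route back to that subnet.
!    Replace it with dynamic PAT to the DHCP-assigned JOutside address.
no nat (JInside) 0 0.0.0.0 0.0.0.0 norandomseq
nat (JInside) 1 0.0.0.0 0.0.0.0
global (JOutside) 1 interface
!
! 2. Inspect ICMP so echo-replies from the router or the internet are matched to
!    the outbound echo and allowed back in without an inbound permit on JOutside.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 3. Remove the blanket "permit ip any any" applied inbound on the outside
!    interface; with PAT and inspection, return traffic is handled by state.
no access-group JOutside_access_in in interface JOutside
no access-list JOutside_access_in extended permit ip any any
end
!
! 4. Verify. The default route should come from "ip address dhcp setroute" on
!    JOutside; only add a static one if "show route" has no 0.0.0.0/0 entry.
show run nat-control
show route
! route JOutside 0.0.0.0 0.0.0.0 172.16.1.1   <- only if no default route is shown
show nat
!
! 5. Simulate a ping from the PC (192.168.10.2) to 8.8.8.8 through the box.
!    Every phase should print ALLOW and the final "Action:" line should read "allow";
!    a DROP in the NAT phase means step 1 did not take effect.
packet-tracer input JInside icmp 192.168.10.2 8 0 8.8.8.8
show xlate
write memory
```

Steps 1-3 are configuration-mode commands and can be pasted into the ASDM command-line tool as Alain suggested; step 4 and 5 are exec-mode checks. After the change, `show xlate` should list a PAT entry for 192.168.10.2 whenever the PC has an open connection, which is the quickest way to confirm that traffic is actually being translated rather than leaving with its private source address.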