ASA 5510 config help

Narmi2000 (Level 1)

My ASA5510 is connected to a Time Capsule (Apple router). Its configuration is as follows:

Ethernet0/0: interface Outside, security level 0. It is configured to get its IP address from DHCP (it gets an IP address from the Time Capsule).

Ethernet0/1: interface Inside, security level 100. IP address is 192.168.10.1 255.255.255.0. The DHCP server is enabled on interface Inside (192.168.10.2-192.168.10.254). I did that so my computer could get its IP address from the ASA instead of the Time Capsule. Auto-configuration from interface Outside is also enabled.

PAT is enabled (using the IP address on the Outside interface).

This is the basic info from setup wizard. There is no other additional configuration.

The ASA is wired into the Time Capsule on Ethernet0/0 and my PC is connected to Ethernet0/1 of the ASA. My PC gets an IP address (192.168.10.2) from the ASA but is not able to connect to the internet. When I run the Windows troubleshooting wizard the message I get is "Windows cannot communicate with the device/resource (Primary DNS Server)".

Can anybody tell me what I am doing wrong? I believe I am missing some crucial config setting on the ASA but can't figure it out.

Any kind of help will be highly appreciated.

Regards,

ImranN

9 Replies

Jon Marshall (Hall of Fame)

In your DHCP config, are you handing out a valid DNS server?

If it is a DNS server problem, can you try connecting to a website using an IP address rather than a URL?

Jon

Thanks for your help Jon.

I have enabled the DHCP server on interface Inside with the pool (192.168.10.2-192.168.10.254) so my PC could get an IP address from there, and it does. I have also enabled auto-configuration from interface Outside (this setting is part of the setup wizard). It means the DHCP server should automatically configure DNS, WINS and domain name.

According to the IPv4 settings:

My PC's IP address is 192.168.10.2 (from interface Inside, which is configured as DHCP)

Default gateway is 192.168.10.1 (IP address of interface Inside)

DHCP server is 192.168.10.1 (IP address of interface Inside, where the DHCP server is enabled)

DNS server is 192.168.1.1 (internal IP address of the router, i.e. the Time Capsule)

I can't use an IP address to connect to a web site because my PC is not connecting to the internet (in Network and Sharing Center I have a red X on internet). In other words, I don't have internet connectivity. It probably means packets are not allowed to leave the ASA, probably because of some misconfiguration. The error I get is "Your computer appears to be correctly configured but the device or resource (DNS Server) is not responding".

By the way, the IP subnet on interface Inside is 192.168.10.0 and the IP address the ASA gets from the router is from the 192.168.1.0 subnet. On the other hand, the management interface has the IP address 192.168.1.1. Does it make any difference?

Any other suggestion?

Regards,

ImraN

Can you post the config of the ASA?

Jon

Here are the configuration details of the ASA5510. I have attached screenshots.

Moreover, I have run a ping test from my PC. My PC is connected to interface Inside and interface Outside is connected to the Time Capsule router.

I can ping the interface I am connected to but can't ping the other interface (Outside). It means somehow the two interfaces are not communicating.

Regards,

ImraN

Hi,

"I can ping the interface I am connected to but can't ping the other interface (Outside)."

That's normal; you can't ping the outside interface from inside on the ASA.

In your ACL screenshot you have an implicit deny all inbound on outside, but if you want to ping from inside to the router on outside then you must put an explicit rule stating you accept ICMP echo-replies inbound on this interface, or enable ICMP inspection.

I can only give you a CLI config, but you can paste it in ASDM:

The most secure way for me is to inspect ICMP, so here it is:

policy-map global_policy
 class inspection_default
  inspect icmp

This way you can ping your router's IP address from a PC on inside.

What does a ping to the router's WAN address give?

If you connect a PC directly to the router, does it work, and do you then have connectivity with the internet? Is a ping to 8.8.8.8 successful from the PC?

Could you post a show run from the ASA?

Regards.

Alain.

Don't forget to rate helpful posts.
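The behaviour Alain describes (an echo-request leaves by default, but the echo-reply coming back in on the outside interface is dropped unless the ASA tracks the request with `inspect icmp`, or an ACL punches a hole for echo-replies) as a small model. This is an added illustration for the thread, not Cisco code: the `AsaModel` class, the packet fields and the addresses (the PC 192.168.10.2, the router 172.16.1.1 and a stranger at 203.0.113.9) are constructed, and NAT is ignored.

```python
"""Why a ping from inside needs `inspect icmp` (or an inbound ACL hole).

Added illustration for this thread, not Cisco code. It models the ASA
behaviour described in the reply above: an echo-request from inside
(security 100) to outside (security 0) passes by default, but the
echo-reply arrives on the outside interface, where everything not matched
by a tracked connection is denied. `inspect icmp` records the outbound
request so only the matching reply (same id and sequence) is let back in;
an ACL permitting echo-replies inbound lets *any* reply in, solicited or
not. NAT is ignored; addresses and packet fields are constructed.
"""
from dataclasses import dataclass, field

ECHO_REQUEST = 8
ECHO_REPLY = 0


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int
    seq: int


@dataclass
class AsaModel:
    inspect_icmp: bool                          # `inspect icmp` in global_policy
    acl_permits_echo_reply: bool = False        # insecure alternative: ACL hole inbound on outside
    pending: set = field(default_factory=set)   # replies we expect, keyed on the request

    def inside_to_outside(self, pkt: IcmpPacket) -> bool:
        """High-to-low security traffic passes by default; inspection also tracks it."""
        if self.inspect_icmp and pkt.icmp_type == ECHO_REQUEST:
            # the reply we expect has src/dst swapped and the same id/seq
            self.pending.add((pkt.dst, pkt.src, pkt.ident, pkt.seq))
        return True

    def outside_to_inside(self, pkt: IcmpPacket) -> str:
        """Return 'permit:state', 'permit:acl' or 'drop' for an inbound ICMP packet."""
        key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
        if pkt.icmp_type == ECHO_REPLY and key in self.pending:
            self.pending.discard(key)       # one reply per request, as a stateful engine would
            return "permit:state"
        if pkt.icmp_type == ECHO_REPLY and self.acl_permits_echo_reply:
            return "permit:acl"             # unsolicited replies get in as well
        return "drop"                       # implicit deny inbound on the outside interface


def ping_router(inspect_icmp: bool, acl_hole: bool = False) -> tuple:
    """PC 192.168.10.2 pings router 172.16.1.1; the reply is replayed; a stranger sends one too."""
    fw = AsaModel(inspect_icmp, acl_hole)
    fw.inside_to_outside(IcmpPacket("192.168.10.2", "172.16.1.1", ECHO_REQUEST, 0x1234, 1))
    solicited = fw.outside_to_inside(IcmpPacket("172.16.1.1", "192.168.10.2", ECHO_REPLY, 0x1234, 1))
    replay = fw.outside_to_inside(IcmpPacket("172.16.1.1", "192.168.10.2", ECHO_REPLY, 0x1234, 1))
    stranger = fw.outside_to_inside(IcmpPacket("203.0.113.9", "192.168.10.2", ECHO_REPLY, 0x4242, 1))
    return solicited, replay, stranger


if __name__ == "__main__":
    print("no inspection  :", ping_router(False))
    print("inspect icmp   :", ping_router(True))
    print("ACL echo-reply :", ping_router(False, acl_hole=True))
```

The three runs show the difference in one line each: with nothing configured the PC's ping gets no answer; with `inspect icmp` only the one solicited reply gets in and both the replayed copy and the stranger's packet are dropped; with the ACL hole all three get in, which is why the inspection route is the one to keep.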

Thank you so much for helping me out, Alain.

Here is the show running-config output on my ASA5510:

JASA> en
Password:
JASA# show run
: Saved
:
ASA Version 8.2(5)
!
hostname JASA
enable password y2YjIyt7RRXU24 encrypted
passwd 2KFQnbNI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif JOutside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif JInside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list JOutside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu JOutside 1500
mtu JInside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
nat (JInside) 0 0.0.0.0 0.0.0.0 norandomseq
access-group JOutside_access_in in interface JOutside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config JOutside
dhcpd update dns
!
dhcpd address 192.168.10.2-192.168.10.254 JInside
dhcpd auto_config JOutside interface JInside
dhcpd enable JInside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0504ad33009162ea950248812eba1ffc
: end
JASA#

I changed the network on the router. Now it's using the 172.16.0.0 network instead of 192.168.1.0. After doing that, in ASDM interface Outside now also shows the IP address it gets from the router, where it was not showing any IP address before (see screenshot). Anyway, nothing else has been changed.

My PC is connected to interface Outside with an Ethernet cable and interface Inside is connected to the router. The LAN config of my NIC is:

IP address: 192.168.10.2

Default gateway: 192.168.10.1

DHCP server: 192.168.10.1

DNS server: 172.16.1.1 (internal IP address of the router)

I can't ping the Outside interface of the ASA: host is unreachable. Traffic from a high-security interface to a low-security interface is allowed by default. If this is correct then I must have an internet connection. Even though two different networks are set up on the inside and outside interfaces, should the ASA not do NAT by default?

I have an internet connection while directly connected to my router.

Regards,

ImraN

Hi,

"My PC is connected to interface Outside with an Ethernet cable and interface Inside is connected to the router. The LAN config of my NIC is:

IP address: 192.168.10.2

Default gateway: 192.168.10.1

DHCP server: 192.168.10.1

DNS server: 172.16.1.1 (internal IP address of the router)"

1) The PC should be connected to interface INSIDE and the router to interface OUTSIDE, and it is, as you have received a DHCP address, so point 1 is OK.

2) So to ping your router interface on OUTSIDE, or any address on OUTSIDE, you must either:

- inspect ICMP as I explained above, and that's the most secure way, or

- create an ACL permitting ICMP echo-replies from any to your PC and apply it inbound on interface OUTSIDE.

This is OK, but the way you do it is very insecure.

3) Verify you have a default route on the ASA for OUTSIDE pointing to 172.16.1.1 ---> show route

   If it is not the case then create one: route outside 0 0 172.16.1.1

4) The router needs a route to the 192.168.10.0/24 network (not needed, see point 6).

5) As I said in a previous post, you can't ping the ASA outside interface from inside, so don't worry about this.

6) Whether your ASA should be doing NAT or not depends on whether nat-control is enabled or not ---> show run nat-control

    If it is enabled then NAT is mandatory for inside-to-outside communication to work. If that is the case then point 4 is not mandatory anymore.

7) From 6, you must be doing NAT, and this is where there is a problem in your config:

do this:

- no nat (JInside) 0 0.0.0.0 0.0.0.0
- nat(inside) 1 0 0
- global(outside) 1 interface JOutside

As I said above concerning the ACL: when you've verified all is OK, remove it and inspect ICMP instead.

Let us know.

Regards.

Alain.

Don't forget to rate helpful posts.

Thank you Alain for all your help.

I have tried the config you provided, but for some reason the CLI does not accept

- global(outside) 1 interface JOutside

So after many fruitless tries, I set the firewall to factory default, connected it directly to the internet connection and configured it. It did work. I will look into the other configuration some other time, just for my own knowledge. I still greatly appreciate all your help.

Hi,

Happy to know it is working now.

But I gave you a wrong command; it should have been:

- nat (JInside) 1 0 0
- global (JOutside) 1 interface

Regards.

Alain.

Don't forget to rate helpful posts.
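What the NAT lines in the posted `show run` and in Alain's corrected commands actually do to an outbound packet, as an added worked example for this thread (not Cisco software). It parses the pre-8.3 `nat-control`, `nat (...)` and `global (...)` statements plus the wide-open outside ACL from a config snippet and reports whether a packet from an inside host leaves and with which source address: the posted `nat (JInside) 0 0.0.0.0 0.0.0.0` is identity NAT, so the packet leaves with its private 192.168.10.x source untouched and the router has to know a route back (Alain's point 4), whereas `nat (JInside) 1 0 0` with `global (JOutside) 1 interface` PATs it to the outside address. The two config snippets are constructed from the thread and the DHCP-assigned outside address 172.16.1.20 is an assumption.

```python
"""Work out what the pre-8.3 NAT lines in the thread do for an inside host.

Added example for this thread, not Cisco software. It parses `nat-control`,
`nat (...)`, `global (...)` and a `permit ip any any` ACL from a `show run`
snippet and reports, for a packet from an inside host to the Internet,
whether it leaves and with which source address:
  - `nat (if) 0 0.0.0.0 0.0.0.0` is identity NAT: the packet leaves with its
    private source untouched, so the upstream router needs a route back to
    192.168.10.0/24 (Alain's point 4);
  - `nat (if) 1 0 0` plus `global (outif) 1 interface` is PAT to the outside
    interface address (Alain's corrected commands).
The configs below are constructed from the thread; the DHCP-assigned outside
address 172.16.1.20 is an assumption.
"""
import ipaddress
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")
OPEN_ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any any$")

# Constructed from the posted config: nat-control on, identity NAT, open outside ACL.
ORIGINAL_CFG = """
nat-control
nat (JInside) 0 0.0.0.0 0.0.0.0 norandomseq
access-list JOutside_access_in extended permit ip any any
access-group JOutside_access_in in interface JOutside
"""

# Constructed from Alain's corrected commands.
FIXED_CFG = """
nat-control
nat (JInside) 1 0 0
global (JOutside) 1 interface
"""


def _addr(tok: str) -> str:
    return "0.0.0.0" if tok == "0" else tok     # the ASA accepts `0 0` as shorthand


def parse_nat_policy(cfg: str) -> dict:
    """Collect nat-control, nat/global rules and any permit-ip-any-any ACL names."""
    pol = {"nat_control": False, "nat": [], "global": {}, "open_acls": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "nat-control":
            pol["nat_control"] = True
        elif m := NAT_RE.match(line):
            ifc, nat_id, ip, mask = m.groups()
            net = ipaddress.ip_network(f"{_addr(ip)}/{_addr(mask)}", strict=False)
            pol["nat"].append((ifc, int(nat_id), net))
        elif m := GLOBAL_RE.match(line):
            ifc, nat_id, target = m.groups()
            pol["global"][(ifc, int(nat_id))] = target
        elif m := OPEN_ACL_RE.match(line):
            pol["open_acls"].append(m.group(1))     # an ACL that lets everything in
    return pol


def egress(pol: dict, inside_if: str, outside_if: str, src: str, outside_ip: str) -> dict:
    """Decide whether a packet from `src` on `inside_if` leaves via `outside_if`, and as what."""
    src_ip = ipaddress.ip_address(src)
    for ifc, nat_id, net in pol["nat"]:
        if ifc != inside_if or src_ip not in net:
            continue
        if nat_id == 0:                 # identity NAT: passes nat-control, no translation
            return {"action": "forward", "src": src,
                    "note": "identity NAT: upstream router needs a route to the inside subnet"}
        target = pol["global"].get((outside_if, nat_id))
        if target is None:              # nat id without a global pool on the exit interface
            return {"action": "drop", "src": None,
                    "note": f"nat id {nat_id} has no global on {outside_if}"}
        return {"action": "forward",
                "src": outside_ip if target == "interface" else target,
                "note": "PAT to the outside interface address"}
    if pol["nat_control"]:              # nat-control: no matching rule means the packet is dropped
        return {"action": "drop", "src": None, "note": "nat-control: no nat rule matches"}
    return {"action": "forward", "src": src, "note": "no nat-control: sent untranslated"}


if __name__ == "__main__":
    for name, cfg in (("posted", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        pol = parse_nat_policy(cfg)
        print(name, egress(pol, "JInside", "JOutside", "192.168.10.2", "172.16.1.20"),
              "open ACLs:", pol["open_acls"])
```

Run as is, the posted config forwards the packet with source 192.168.10.2, which the Time Capsule cannot route back, and flags `JOutside_access_in` as a permit-ip-any-any ACL applied inbound on the outside interface; the fixed config forwards it as 172.16.1.20 and has no open ACL.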