ASA 5510 inside hosts cannot connect

I have an ASA 5510 behind a Comcast wireless router.  I have set the inside/outside interfaces and the ASA can ping public IPs.

However, hosts connected to the inside interfaces do not receive any network info.  On Windows 7 it just shows Unidentified Network with a 169 IP.  Here is the config:

:
: Serial Number: JMX1545X1MX
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)12
!
hostname asa02
enable password 4Y6ASR0TCCECSH9N encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 96.80.155.123 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.7.4 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.2.1.15 255.255.255.0
!
boot system disk0:/asa917-12-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any4
access-list outside_access_in extended deny ip any any4
access-list inside_access_in extended permit ip 10.1.7.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 96.80.155.126 1
route management 10.1.6.0 255.255.255.0 10.2.1.1 1
route inside 10.1.7.0 255.255.255.0 10.1.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.6.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.1.6.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username xuser1 password xM1bBQxnDa5n/peu encrypted
username xuser2 password Hk6boxoanQfAYCe0 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:864b9f92cb29fda1123161d7da3e5487
: end

Can anyone help?


4 Replies

Rahul Govindan
VIP Alumni

Where are your hosts supposed to get their ip addresses from? Do you have a DHCP server on the inside network? I do not see a DHCP server config on the ASA, so the ASA is not configured to hand out ip addresses. Example of configuring DHCP server on the ASA is given here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/basic_dhcp.html#pgfId-1251531

Second, your ASA is not configured to NAT the traffic going to the internet. Configure this if you want them to be able to talk to hosts on the internet. An example is here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/111842-asa-dynamic-pat-00.html

The wireless router is responsible for DHCP.

I've added a PAT rule for inside to outside, but it doesn't seem to help.  Hosts connected to the firewall don't receive network info from the wireless router.

The wireless router can usually only hand out ip addresses to devices connected to it (i.e., the ASA). For devices behind the ASA, you need the ASA or another internal DHCP server that responds back to DHCP discover requests. This requires the device to be in the same broadcast domain.

Alternatively, you can forward DHCP requests received on the ASA inside interface to the Wireless router using DHCP relay functionality. You would have to make sure that the DHCP pool is 10.1.7.0. Steps on configuring DHCP relay can be seen below:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116265-configure-product-00.html
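The relay approach from this answer, combined with the dynamic PAT recommended in the earlier reply, as an added example configuration for the posted ASA (not taken from the thread). It assumes the Comcast router answers DHCP at 96.80.155.126, the outside default gateway in the posted config, with its pool changed to 10.1.7.0/24; the object name inside-net is made up.

```cisco
! --- DHCP relay: forward inside DISCOVER/REQUEST to the upstream router ---
! Assumption: the Comcast router's DHCP service is reachable at the outside
! default gateway from the posted config. The relay server must sit on a
! different interface than the one relay is enabled on.
dhcprelay server 96.80.155.126 outside
dhcprelay enable inside
! Rewrite the default-gateway option in relayed OFFERs to the ASA inside
! address (10.1.7.4), so clients route through the firewall, not around it.
dhcprelay setroute inside
! Seconds to wait for the upstream server before giving up on a request.
dhcprelay timeout 90
! Note: the ASA cannot run "dhcpd" and "dhcprelay" at the same time; since
! relay is used here, leave the ASA's own DHCP server unconfigured.
!
! --- Dynamic PAT: the posted config has no NAT, so inside hosts could not
! --- reach the Internet even after obtaining an address.
object network inside-net
 subnet 10.1.7.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Checks after applying (read-only show commands) ---
! show dhcprelay state        : relay enabled on inside, server on outside
! show dhcprelay statistics   : DISCOVER/OFFER counters should increment
!                               when a client renews (ipconfig /renew)
! show nat                    : confirms the inside-net translation is hit
! show xlate                  : live PAT entries for 10.1.7.x -> 96.80.155.123
```

If the counters in `show dhcprelay statistics` show requests relayed but no offers returned, the upstream router is not serving the 10.1.7.0/24 pool that this answer says it must.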

You're right, I set up the ASA to forward DHCP and it's working now.  Thanks!
