11-14-2019 11:46 AM - edited 02-21-2020 09:41 AM
Hello there,
The nat (inside) 1 10.1.1.0 255.255.255.0 and global (outside) 1 interface commands are deprecated and I don't know what to do after the IOS upgrade. I don't have access to the internet. My show run is the following. Please help.
ciscoasa(config)# show run
: Saved
:
: Serial Number: JMX1225L1LS
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 9.1(7)32
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
boot config disk0:/startup-1.cfg
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd ping_timeout 750
!
dhcpd address 10.1.1.32-10.1.1.63 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:29045e32ddc109ac154653d1337ec445
: end
11-14-2019 12:14 PM
Try this.
object network INSIDE
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
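The migration this reply performs by hand, written out as an added example (not code from the thread or from Cisco): a small Python converter that maps pre-8.3 `nat`/`global` pairs to network object NAT and reports anything it does not handle. The object naming scheme and the function name are assumptions made for illustration.

```python
import re

NAT_RE = re.compile(r"nat \((\S+)\) (\d+) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) (\S+)$")
IP_RE = re.compile(r"\d+(?:\.\d+){3}$")

def convert_legacy_pat(legacy_config):
    """Map pre-8.3 nat/global pairs to 8.3+ network object NAT.

    Returns (new_commands, skipped). Only dynamic PAT to the interface or
    to a single mapped IP is converted; everything else is reported.
    """
    nats, pools, skipped = [], {}, []
    for line in map(str.strip, legacy_config.splitlines()):
        if m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := GLOBAL_RE.match(line):
            pools.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
        elif line.startswith(("nat (", "global (", "static (")):
            skipped.append(line)  # extra options or static NAT: convert by hand
    commands = []
    for real_if, nat_id, net, mask in nats:
        targets = pools.get(nat_id, [])
        if nat_id == "0" or not targets:  # nat 0 is exemption, not PAT
            skipped.append(f"nat ({real_if}) {nat_id} {net} {mask}")
            continue
        for mapped_if, mapped in targets:
            if mapped != "interface" and not IP_RE.match(mapped):
                skipped.append(f"global ({mapped_if}) {nat_id} {mapped}")
                continue
            # Object name is a constructed convention, not a Cisco default.
            name = f"{real_if}_{net}_to_{mapped_if}"
            addr = f"host {net}" if mask == "255.255.255.255" else f"subnet {net} {mask}"
            commands += [f"object network {name}", f" {addr}",
                         f" nat ({real_if},{mapped_if}) dynamic {mapped}"]
    return commands, skipped

# The two deprecated commands quoted in the question above.
LEGACY = """\
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
"""

if __name__ == "__main__":
    new, skipped = convert_legacy_pat(LEGACY)
    print("\n".join(new))
```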
11-14-2019 12:38 PM
Nope, private network w/o internet access. It shows I am connected on the private LAN. Also I do have ASDM now.
show run follows
ciscoasa(config)# show run
: Saved
:
: Serial Number: JMX1225L1LS
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
:
ASA Version 9.1(7)32
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address dhcp
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.1.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-32-k8.bin
boot config disk0:/startup-1.cfg
ftp mode passive
object network inside
subnet 10.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd ping_timeout 750
!
dhcpd address 10.1.1.32-10.1.1.63 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username whiterabbit password Q./RmFu77Ejvfvpg encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a299bc453b2b0013ecd1f29df5bc2c54
: end
ciscoasa(config)#
11-14-2019 12:41 PM
Do you think it's a DNS issue? I had DNS issues in the past also. Maybe it doesn't resolve names.
11-14-2019 12:44 PM
Your ASA is also acting as DHCP server. Your config is like this:
!
dhcpd address 10.1.1.32-10.1.1.63 inside
dhcpd enable inside
!
Just add this command:
dhcpd dns 8.8.8.8
11-14-2019 12:44 PM
Follows more info, btw the outside is down because I connected directly to my router now.
ciscoasa(config)# show int
Interface Ethernet0/0 "outside", is down, line protocol is down
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex, 100 Mbps
Input flow control is unsupported, output flow control is off
MAC address 0021.554f.35bc, MTU 1500
IP address 192.168.1.5, subnet mask 255.255.255.0
44 packets input, 7708 bytes, 0 no buffer
Received 19 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
7 packets output, 1508 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
2 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/255)
Traffic Statistics for "outside":
42 packets input, 6578 bytes
7 packets output, 1292 bytes
35 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 1 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 0021.554f.35bd, MTU 1500
IP address 10.1.1.2, subnet mask 255.255.255.0
764 packets input, 77561 bytes, 0 no buffer
Received 19 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
701 packets output, 142566 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
16 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/250)
output queue (blocks free curr/low): hardware (255/240)
Traffic Statistics for "inside":
748 packets input, 61663 bytes
701 packets output, 128036 bytes
284 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 18 bytes/sec
5 minute output rate 0 pkts/sec, 78 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/2 "", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Available but not configured via nameif
MAC address 0021.554f.35be, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/255)
Interface Ethernet0/3 "", is administratively down, line protocol is down
Hardware is i82546GB rev03, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is off
Available but not configured via nameif
MAC address 0021.554f.35bf, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/255)
Interface Management0/0 "", is administratively down, line protocol is down
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0021.554f.35c0, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (1/0) software (0/0)
ciscoasa(config)# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
C 10.1.1.0 255.255.255.0 is directly connected, inside
ciscoasa(config)# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 outside 192.168.1.5 255.255.255.0 DHCP
Ethernet0/1 inside 10.1.1.2 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 outside 192.168.1.5 255.255.255.0 DHCP
Ethernet0/1 inside 10.1.1.2 255.255.255.0 CONFIG
11-14-2019 12:49 PM
interface ethx/x
 nameif outside
 ip address dhcp setroute
 no shutdown
11-14-2019 01:21 PM
That's already set up. It doesn't have internet access.
11-14-2019 01:50 PM
Hi,
You are missing the default route. Will you please configure "route outside 0.0.0.0 0.0.0.0 your_router_ip_address" and check if there is any progress.
Best regards,
Antonin
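The checks suggested across this thread (a dynamic NAT rule, a default route via `setroute` or a static `route`, and `dhcpd dns`) can be run against a pasted `show run`. The following is an added example, not code from the thread; the function name and finding labels are assumptions, and the sample is a constructed excerpt of the configuration posted above.

```python
import re

def egress_findings(show_run, inside="inside", outside="outside"):
    """Return which of the thread's connectivity prerequisites are missing."""
    lines = [l.strip() for l in show_run.splitlines()]
    # Group interface sub-commands; "!" ends a block in ASA show run output.
    blocks, current = [], None
    for line in lines:
        if line.startswith("interface "):
            current = []
            blocks.append(current)
        elif line == "!":
            current = None
        elif current is not None:
            current.append(line)
    i, o = re.escape(inside), re.escape(outside)
    # Default route learned from DHCP needs the setroute keyword.
    dhcp_setroute = any(
        f"nameif {outside}" in b and "ip address dhcp setroute" in b for b in blocks)
    static_default = any(
        re.match(rf"route {o} 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines)
    pat_rule = any(
        re.match(rf"nat \({i},{o}\) (?:source )?dynamic ", l) for l in lines)
    dhcpd_on = f"dhcpd enable {inside}" in lines
    dhcpd_dns = any(l.startswith("dhcpd dns ") for l in lines)
    findings = []
    if not pat_rule:
        findings.append("no-dynamic-nat")
    if not (dhcp_setroute or static_default):
        findings.append("no-default-route")
    if dhcpd_on and not dhcpd_dns:
        findings.append("no-dhcpd-dns")
    return findings

# Constructed excerpt of the second show run posted in this thread.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 ip address dhcp
!
interface Ethernet0/1
 nameif inside
 ip address 10.1.1.2 255.255.255.0
!
object network inside
 nat (inside,outside) dynamic interface
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd enable inside
"""

if __name__ == "__main__":
    print(egress_findings(SAMPLE))
```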
11-14-2019 02:02 PM
OK! I will try that, thank you very much, thank you all! Really appreciate it. I also have an SSM-10 module. I managed to reset its password but I don't know how to configure it, even its basics. Also I noticed it says it has no LICENSE. Is that a problem for its function? My ASA 5510 has a Security Plus license but the module has none at all. But it says up up when I show module 1.
11-14-2019 02:10 PM
ASA 5510 is end of life and end of support. The link is https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eol_C51-727283.html
Even the security module is end of life and end of support. Cisco refreshed the ASA series and called them ASA-X, and instead of using the legacy IPS went for Firepower.
Here is the link: https://www.cisco.com/c/en_uk/products/security/asa-firepower-services/index.html
If you are setting up a lab environment, that's fair, but for a production network I would not recommend this, as this is an old series.
11-14-2019 01:33 PM
Since I got rid of the Catalyst switches I have had problems; I use some fake switches. I switched cables and powered off the switches and POOF! I have internet access. Thanks a lot.