ASA 5510

I have an ASA 5510, ASA version 7.0.8 and ASDM 5.2. I am not familiar with the CLI and am using the ASDM.

I have connected the ASA 5510 as follows:

DSL Modem/Router(DHCP Server : 192.168.10.x)------->ASA 5510 Ethernet 0/0(DHCP configured, security level 0, subnet 255.255.255.0)        

Ethernet 0/1 (Static IP 192.168.15.1,security level 100, subnet 255.255.255.0) and Management Port (DHCP Server : 192.168.1.x, security level 100, subnet 255.255.255.0)--------->Switch--------->PC

In the above scenario, using the ASDM Ping I can ping 4.2.2.2, 192.168.15.1, 192.168.10.3 (Ethernet 0/0) but can not ping any using the command prompt. When connected using Ethernet 0/1 my computer shows limited connectivity and can not connect to the ASA. Please can you explain how Ethernet 0/1 should be configured to establish connectivity with the ASA and then to have internet access. I tried to enable the DHCP server to provide an IP to the computer on Ethernet 0/1 but the ASDM gives an error: Ethernet 0/1 is a client and can not be a server.

After this I need to create a VPN between the ASA and a 3G router over IPSEC.   

Kureli Sankar
Cisco Employee

Prashant,

Oh boy! A lot on your plate - all with ASDM?

Hmm...

inside hosts--(192.168.1.x)-inside-(E0/1)ASA(E0/0)-outside-192.168.10.x---DSL modem--Internet

5 steps to configuring a firewall to provide internet access - VPN is a completely different issue. Let us not combine that with this.

1. configure inside interface

2. configure outside interface

3. configure nat/global

4. configure default route on the ASA

5. configure dhcp on the ASA

Why don't you just copy and paste these via CLI on the ASA.

(1)

conf t

int E0/1

ip address 192.168.1.1 255.255.255.0

nameif inside

sec 100

no shut

exit

(2)

int E0/0

ip add dhcp setroute

nameif outside

sec 0

no shut

exit

(3)

nat (inside) 1 192.168.10.0 255.255.255.0

global (outside) 1 int

(4)

route outside 0 0 192.168.10.x  (replace x with the last octet of the router IP address)

(5)

dhcpd dns 4.2.2.2 (you can replace 4.2.2.2 with your ISP-provided DNS server IP address)

dhcpd add 192.168.1.10-192.168.1.250 inside

dhcpd enable inside

That should do it. You should get an IP address from the ASA for the inside computers. They should be able to reach the internet.

Now, if you need ASDM help you should refer to this link: http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/user.html

-KS

Hello

Thank you for your response.

But I continue to have the same problem.

(1)

conf t

int E0/1

ip address 192.168.1.1 255.255.255.0

After this it reports an error that the E0/1 can not overlap with IP address and subnet of Management Port so I configured E0/1 to 192.168.12.1, subnet 255.255.255.0.

After this I completed the commands as you mentioned.

However when I connect my computer to the ASA (E0/1) via switch I can only ping 192.168.12.1 but can not ping 192.168.10.3 (E0/0) and 192.168.10.1 (DSL modem/router).

Any suggestions please.

Hi Prashant,

Where is the 192.168.12.1 IP address configured? Is that the inside interface IP address?

You wouldn't be able to ping the 192.168.10.3 IP address, considering it is the outside interface IP address and you are pinging from the inside.

Please provide us the NAT configuration on the ASA and also paste the output of show xlate command on the ASA here for us to understand the issue better.

Also provide us the output of show route.

Cheers.

Avinash.

Hi Avinash

Yes 192.168.12.1 is the inside IP address.

The NAT configuration is as per the commands below:

nat (inside) 1 192.168.10.0 255.255.255.0

global (outside) 1 int

route outside 0 0 192.168.10.1

Result of the command in ASDM CLI: "show xlate"

0 in use, 0 most used

Result of the command in ASDM CLI: "show route"

S    0.0.0.0 0.0.0.0 [1/0] via 192.168.10.1, outside

C    192.168.1.0 255.255.255.0 is directly connected, management

C    192.168.10.0 255.255.255.0 is directly connected, outside

Regards

Prashant

Hi Prashant,


My guess was right.

The NAT statement is wrong.

Please add the following commands and

no nat (inside) 1 192.168.10.0 255.255.255.0

nat (inside) 1 0 0

Also, I guess the inside interface is shut down because I don't see a connected route for the inside interface.

Please check that as well and let me know how it goes.

Cheers,


Avinash.
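
The two faults diagnosed in the reply above (a `nat` source network that does not match the inside subnet, and no connected route for the inside interface) can be checked mechanically. The following is an added example, not part of the original posts: the input is constructed from the values quoted in the thread, laid out in running-config style, and the overlap test is a heuristic that assumes the hosts to be translated sit directly on the interface's own subnet.

```python
import ipaddress
import re
# Constructed input: running-config style lines and "show route" rows
# assembled from the values quoted in the thread.
CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.12.1 255.255.255.0
nat (inside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
"""
SHOW_ROUTE = """\
S    0.0.0.0 0.0.0.0 [1/0] via 192.168.10.1, outside
C    192.168.1.0 255.255.255.0 is directly connected, management
C    192.168.10.0 255.255.255.0 is directly connected, outside
"""

def net(addr, mask):
    """Build a network from ASA address/mask fields; a bare 0 means 0.0.0.0."""
    addr, mask = ("0.0.0.0" if f == "0" else f for f in (addr, mask))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def interfaces(config):
    """Map nameif -> subnet for interfaces that have a static address."""
    found = {}
    for stanza in re.split(r"(?m)^(?=interface )", config):
        name = re.search(r"(?m)^ nameif (\S+)", stanza)
        ip = re.search(r"(?m)^ ip address (\d\S*) (\d\S*)", stanza)
        if name and ip:  # DHCP-addressed interfaces are skipped
            found[name.group(1)] = net(*ip.groups())
    return found

def audit(config, show_route):
    """Return one finding per fault of the kind diagnosed in the thread."""
    ifs = interfaces(config)
    connected = set(re.findall(r"(?m)^C\s.*directly connected, (\S+)", show_route))
    findings = []
    for ifname, addr, mask in re.findall(
            r"(?m)^nat \((\S+)\) \d+ (\d[\d.]*) (\d[\d.]*)", config):
        if ifname in ifs and not net(addr, mask).overlaps(ifs[ifname]):
            findings.append(f"nat ({ifname}) source {net(addr, mask)} "
                            f"does not cover {ifname} subnet {ifs[ifname]}")
    for ifname in ifs:
        if ifname not in connected:
            findings.append(f"no connected route for {ifname}: interface down?")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONFIG, SHOW_ROUTE)))
```

With the `nat` line replaced by `nat (inside) 1 0 0` and a connected route present for `inside`, `audit` returns an empty list.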

Hi Avinash

Thanks a lot you got it working.

Now I am to my next step of configuring a VPN. I will keep you updated.

Hello

I was next trying to configure IPSEC VPN between ASA 5510 and a 3G router using the VPN wizard in ASDM.

However, I am not able to configure it.

1. Is it possible to put a DDNS address in Peer IP address because the 3G router has dynamic IP.

2. Please can you assist in configuration.

Regards

Prashant

Hi Prashant,

I think you opened a discussion in VPN section.

Let us continue there.


Cheers,


Avinash.
