06-02-2018 04:11 PM - edited 02-21-2020 07:50 AM
Hi, 1) The following config on an ASA5520 doesn't work - unable to provide Internet access for inside hosts. 2) How do I upgrade the version to 7.2? See sh flash. Kindly advise.
Topology: Comcast/Xfinity>cable modem>0 int Asa5520>1 int> dumb switch.
Thanks in advance.
ciscoasa> en
Password: *******
ciscoasa# sh flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
6 5474304 Jan 01 2003 00:04:50 asa706-k8.bin
7 5823980 Jul 07 2007 00:16:32 asdm506.bin
10 8312832 Jul 20 2007 06:53:16 asa722-k8.bin
11 5623108 Jul 20 2007 06:59:44 asdm-522.bin
230121472 bytes available (25305088 bytes used)
ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password zN4MekdmaxjRpJL9 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd zN4MekdmaxjRpJL9 encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username said password XYjSJ3a.RNYXN3xw encrypted
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.3-192.168.20.18 inside
dhcpd dns 1.1.1.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config outside
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:fd2906823d92bc8cb385c3ecff36a641
: end
ciscoasa#
06-02-2018 07:17 PM
There's no NAT configuration. You need that to change the 192.168.20.0/24 hosts' addresses to a public IP (e.g. the outside interface address you get via DHCP).
nat (inside) 1 0 0
global (outside) 1 interface
To change the image to boot 7.2(2) instead of 7.0(6) you would add a boot variable line.
boot system disk0:/asa722-k8.bin
06-02-2018 09:13 PM
06-02-2018 09:24 PM
06-02-2018 09:40 PM
Are the inside hosts all in the 192.168.20.0/24 subnet?
Try running packet-tracer on the ASA to check the logic. Something like:
packet-tracer input inside tcp 192.168.20.100 1025 8.8.8.8 80
That will simulate a client PC trying to access an external web site.
06-02-2018 10:03 PM
06-02-2018 10:16 PM
06-03-2018 06:45 AM - edited 06-04-2018 07:32 AM
The packet-tracer highlights at least one issue that will cause it to fail. You've set the default route to point to the inside:
route inside 0.0.0.0 0.0.0.0 192.168.20.1
You should remove that line and thus allow the gi0/0 configuration to install the default route, as it will with the following command you already have:
ip address dhcp setroute
(corrected reply - 06-04-2018)
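Added example, not part of any reply in this thread: a small Python check for the two problems the replies above identify in the posted configuration (no nat/global pair for the inside network, and a default route whose gateway is the firewall's own inside address). It assumes the 7.x-style nat/global syntax used in the thread; lint_asa, the finding codes and the SAMPLE text are names constructed for this illustration.

```python
import re

# Constructed sample: the interface and route lines from the configuration posted above.
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
"""

DEFAULT = ("0.0.0.0", "0.0.0.0")

def lint_asa(cfg):
    """Return (code, detail) findings for a 7.x-style (pre-8.3 NAT) config."""
    ifaces = {}                              # nameif -> (security level, address)
    for blk in re.split(r"(?m)^(?=interface )", cfg):
        blk = blk.split("\n!")[0]            # "!" closes the interface block
        n = re.search(r"(?m)^\s*nameif (\S+)", blk)
        lv = re.search(r"(?m)^\s*security-level (\d+)", blk)
        ip = re.search(r"(?m)^\s*ip address (\S+)", blk)
        if n and lv:
            ifaces[n[1]] = (int(lv[1]), ip[1] if ip else None)
    own = {addr for _, addr in ifaces.values()}
    out = [("DEFAULT_ROUTE_SELF", f"{ifn} -> {gw}")
           for ifn, dst, mask, gw in re.findall(r"(?m)^route (\S+) (\S+) (\S+) (\S+)", cfg)
           if (dst, mask) == DEFAULT and gw in own]
    nat = re.findall(r"(?m)^nat \((\S+)\) (\d+)", cfg)
    glob = set(re.findall(r"(?m)^global \(\S+\) (\d+)", cfg))
    egress = min((lv for lv, _ in ifaces.values()), default=None)
    for name, (lv, _) in ifaces.items():
        if lv == egress:
            continue                         # lowest security level: the egress side
        ids = {i for ifn, i in nat if ifn == name and i != "0"}  # nat 0 = exemption
        if not ids:
            out.append(("NO_NAT", name))
        elif not ids & glob:
            out.append(("NAT_NO_GLOBAL", name))
    return out

if __name__ == "__main__":
    print(lint_asa(SAMPLE))
```

Run against the full `sh run` output before and after applying the suggested changes; an empty list means neither condition is present.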
06-03-2018 06:46 AM - edited 06-04-2018 07:31 AM
<duplicate reply>
06-03-2018 09:40 AM
06-03-2018 10:19 AM
06-04-2018 07:29 AM - edited 06-04-2018 07:33 AM
Note I corrected my earlier reply. Please try that updated guidance.
If it still doesn't work, please re-run the packet-tracer and share the output.
06-04-2018 06:20 PM
06-04-2018 06:49 PM
Is your outside interface up and has it received an address (along with a default gateway) via DHCP?
06-04-2018 08:15 PM