ASA5520 config assistance

saidfrh18
Level 1

Hi, 1) The following config on an ASA5520 doesn't work - unable to provide Internet access for inside hosts. 2) How to upgrade the version to 7.2, see sh flash. Kindly advise.

Topology: Comcast/Xfinity>cable modem>0 int Asa5520>1 int> dumb switch.

Thanks in advance.


ciscoasa> en
Password: *******
ciscoasa# sh flash
Initializing disk0: cache, please wait....Done.
-#- --length-- -----date/time------ path
  6 5474304    Jan 01 2003 00:04:50 asa706-k8.bin
  7 5823980    Jul 07 2007 00:16:32 asdm506.bin
 10 8312832    Jul 20 2007 06:53:16 asa722-k8.bin
 11 5623108    Jul 20 2007 06:59:44 asdm-522.bin

230121472 bytes available (25305088 bytes used)

ciscoasa# sh run
: Saved
:
ASA Version 7.0(6)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password zN4MekdmaxjRpJL9 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd zN4MekdmaxjRpJL9 encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username said password XYjSJ3a.RNYXN3xw encrypted
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.20.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.20.3-192.168.20.18 inside
dhcpd dns 1.1.1.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd auto_config outside
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:fd2906823d92bc8cb385c3ecff36a641
: end
ciscoasa#

 

21 Replies

You’re not getting an address or route via DHCP. Until you resolve that, traffic will not flow. 

A wireless router was connected to the Motorola cable modem. This Asa5505 was connected to a port in one of the four switch ports of the wireless router. A static IP address was assigned to g0/0 of the ASA. G0/1 was assigned to a different subnet. A host connected to the g0/1 network could only access Yahoo.com, Gmail and Hotmail, very slowly, and could get to any other Internet site. The IP phone would provide a dial tone, yet phone numbers couldn't dial out - silent.

Let's see once again:

 - show route

 - show run nat

 - show run access-group

 

 

ciscoasa# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 192.168.20.1 to network 0.0.0.0

C 192.168.20.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.20.1, inside
ciscoasa# sh run nat
ciscoasa# sh run access-?

access-group access-list
ciscoasa# sh run access-group
ciscoasa#


As I already noted, you are not getting an address or route assigned via DHCP. That's one problem that must be resolved and is not on the ASA.

 

Furthermore, the output you provided shows you did not enter the NAT commands I suggested earlier.

Marvin, the Surfboard cable modem that connects to the ISP is a bridge. The Ethernet port receives an IP [non-static] from the ISP. The Linksys WiFi router is connected to the Surfboard modem's Ethernet port and is configured to receive an IP address. I wonder why neither the 5520 nor a laptop connected to the Surfboard's Ethernet port receives a dynamic IP address. The laptop receives a 169.x.x.x IP.

Regards.

Then we are good here; ask your ISP for some DHCP tshoot so that on either the laptop or the ASA you receive "the right IP".
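
Three faults are visible in the output posted in this thread: an empty `show run nat`, a default route on `inside` whose next hop is the ASA's own inside address, and an `http` management network that matches no interface subnet. The Python sketch below checks for them mechanically. It is an added example, not part of the thread and not Cisco code; the `audit` function and the finding names are hypothetical, and the NAT check assumes the pre-8.3 `nat`/`global` syntax.

```python
import ipaddress
import re

# Lines excerpted from the running-config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address dhcp setroute
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
route inside 0.0.0.0 0.0.0.0 192.168.20.1 1
http 192.168.2.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
"""

def audit(config):
    """Return sorted finding codes (hypothetical names) for an ASA 7.x config."""
    ifaces, name, findings = {}, None, set()
    lines = [l.strip() for l in config.splitlines()]
    for line in lines:
        if line.startswith("interface "):
            name = None                      # new interface block
        elif m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r"ip address (\d\S+) (\d\S+)", line):
            ifaces[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    for line in lines:
        if m := re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\d\S+)", line):
            ifname, hop = m.group(1), ipaddress.ip_address(m.group(2))
            # A next hop equal to the firewall's own address forwards nowhere.
            if ifname in ifaces and ifaces[ifname].ip == hop:
                findings.add("default-route-points-at-self")
        elif m := re.match(r"(http|ssh|telnet) (\d\S+) (\d\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            iface = ifaces.get(m.group(4))
            # Heuristic: may be intentional if that network is routed via the interface.
            if iface and not net.overlaps(iface.network):
                findings.add(f"{m.group(1)}-acl-off-subnet")
    # Pre-8.3 dynamic PAT needs both a nat (...) and a global (...) statement.
    if not (any(re.match(r"nat \(", l) for l in lines)
            and any(re.match(r"global \(", l) for l in lines)):
        findings.add("no-nat-global-pair")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
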