10-07-2010 08:45 PM - edited 03-11-2019 11:52 AM
Any help would be great......I have made several changes but can't seem to connect to the internet......
I am very new to the cisco and asa world....
Thanks for the help.
Here is my config file...
: Saved
:
ASA Version 8.0(5)
!
hostname asa
enable password m encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (inside) 101 interface
global (outside) 1 111.111.111.11
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 101 0.0.0.0 0.0.0.0
nat (outside) 101 0.0.0.0 0.0.0.0 outside
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.254 management
!
dhcpd address 192.168.10.2-192.168.10.30 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username asa password v encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6f11e3619456492d465bbbec26ff930d
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
10-12-2010 04:50 PM
Great to hear you are enjoying your weekend
The default gateway for the ASA is incorrect.
It seems incorrect that your outside interface ip address is 111.111.111.11 (with a /30 mask, 111.111.111.11 would be a broadcast address). Can you please double check with your ISP the actual ip address? Unless you are masking the ip address for privacy.
The following default gateway configured is incorrect:
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
192.168.10.1 is your ASA inside interface. By configuring default gateway towards the ASA inside interface, the traffic will not go out to the Internet.
You would need to remove the above, and configure the next hop ip address towards your ISP (would be in the same subnet as your ASA outside interface given by your ISP). Please check with your ISP what should be the ASA default gateway, then configure the following:
route outside 0.0.0.0 0.0.0.0
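Added example, not part of the original posts: a small Python check for the default-route mistakes discussed in this thread (next hop set to one of the ASA's own interface addresses, next hop outside the egress subnet, interface address that is the network or broadcast address of its subnet). The function names and the sample config are constructed for illustration; the sample reuses the interface and route lines from the first config above.

```python
import ipaddress
import re

# Constructed sample: interface and route lines from the first config in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address dhcp setroute
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
"""
IP = r"(\d+\.\d+\.\d+\.\d+)"

def parse_interfaces(config):
    """Map nameif -> configured address (dhcp lines carry none and are skipped)."""
    interfaces, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        else:
            m = re.match(rf"ip address {IP} {IP}", line)
            if m and name:
                interfaces[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return interfaces

def check_default_routes(config):
    """Return findings for each static default route in an ASA config."""
    interfaces = parse_interfaces(config)
    findings = []
    for m in re.finditer(rf"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 {IP}", config, re.M):
        egress, hop = m.group(1), ipaddress.ip_address(m.group(2))
        for name, iface in interfaces.items():
            if hop == iface.ip:
                findings.append(f"next hop {hop} is the ASA's own '{name}' address")
        own = interfaces.get(egress)
        if own is None or own.network.prefixlen >= 31:
            continue  # DHCP-learned or point-to-point (PPPoE /32): no subnet to test
        net = own.network
        if own.ip in (net.network_address, net.broadcast_address):
            findings.append(f"'{egress}' address {own.ip} is not a usable host in {net}")
        if hop not in net:
            findings.append(f"next hop {hop} is not in the '{egress}' subnet {net}")
    return findings

if __name__ == "__main__":
    for finding in check_default_routes(SAMPLE_CONFIG):
        print(finding)
```

Masked addresses such as xxx.xxx.xxx.2 are not parsed, so the check has to be run against the unmasked config.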
10-12-2010 08:29 PM
Yes I did mask my ISP given static ip for privacy reason.....so the 111.111.111.11 is fake ip......
They have given me 2 static ip addresses.....for privacy purposes I will use
111.111.111.11 and 222.222.222.22.....
So are you saying my outside interface should read
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252
Then my route will read the following.....
route outside 0.0.0.0 0.0.0.0 111.111.111.11 1
According to my ISP my default gateway is my First Static IP so using the fake static IPs from above my default gateway would be 111.111.111.11.....
10-13-2010 07:41 AM
.
10-13-2010 07:43 AM
Hi ,
Consider the below:
111.111.111.12 ------> ip address of the Gateway (i.e ISP router ip address,) and
111.111.111.11 --------> ip address that needs to be assigned to the ASA,
Internal network-------(inside)ASA(outside)-------------------------(111.111.111.12 )ISP Router----------INTERNET
(111.111.111.11)
If the above is the setup, you need the following configuration:
interface Ethernet0/0
nameif outside
security-level 0
ip address 111.111.111.11 255.255.255.252
route outside 0.0.0.0 0.0.0.0 111.111.111.12 1
Let me know if this works,
Cheers,
Rudresh V
10-13-2010 08:01 AM
Do I need to configure my outside interface to accept or handle a PPPoE connection.....since that is what my current ISP provided modem/router does?
If so I would assume I need to bridge my ISP provided router.....then add the static ip and my PPPoE configurations to my outside interface....
I believe I do have those configurations.......I changed it to that way last night.......
However I still can't connect.....
Here is my config file...... I obviously have hidden my static ips.....but I have 2 one is xxx.xxx.xxx.13 and the other is xxx.xxx.xxx.14
: Saved
:
ASA Version 8.0(5)
!
hostname x
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.14 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
pager lines 24
logging enable
logging buffered alerts
logging asdm informational
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.2-192.168.10.30 inside
dhcpd enable inside
!
dhcpd address 192.168.1.6-192.168.1.47 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password vx8BkOWfWwvYuBKw encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:411b6627479dcd14b847fdf03cf5b90f
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
10-13-2010 11:38 AM
Hey,
Well, if your ISP modem is set to the bridged mode and PPPoE is being employed, then you need to configure the ASA as a PPPoE client. You can refer to the following for that:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml
I also understand that you've been assigned a set of static ip's from the ISP. You will need to get in touch with the ISP and they should be able to direct you on how to configure the modem to always assign a static ip and gateway (from the static ip set you've been assigned) to your ASA using the PPPoE itself (it usually has something to do with the username assigned by your ISP to you).
Hope this helps!
10-13-2010 08:01 PM
I think I (we) are getting closer!
I have bridged my modem.......set my ASA to a PPPoE configuration.
However my laptop shows it has an Internet connection but I can't load any page.....Google.com, our company website or anything else??
I simply get this page cannot be displayed. Almost as if all internet surfing is blocked.....
Thanks!
just for clarification.....xxx.xxx.xxx.1 is my first static ip and xxx.xxx.xxx.2 is my second static ip.... But I question if the second should be used there......since ultimately I will want to use it for my server when I do vpn connections....
Here is my current config......
: Saved
:
ASA Version 8.0(5)
!
hostname g
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group cl
ip address xxx.xxx.xxx.1 255.255.255.255 pppoe
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
pager lines 24
logging enable
logging buffered alerts
logging asdm informational
logging debug-trace
mtu outside 1492
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
global (inside) 1 192.168.10.2-192.168.10.30 netmask 255.0.0.0
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group cl request dialout pppoe
vpdn group cl localname learning361
vpdn group cl ppp authentication pap
vpdn username xxxxxxxxx password ********* store-local
dhcpd address 192.168.10.2-192.168.10.30 inside
dhcpd enable inside
!
dhcpd address 192.168.1.6-192.168.1.47 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password vx8BkOWfWwvYuBKw encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:56d7d6089af44b50dd585452a16c5e11
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
10-14-2010 01:40 PM
Hello,
Can you clarify what xxx.xxx.xxx.2 is? You mentioned that xxx.xxx.xxx.2 is a static IP assigned to you by your ISP. However, I see this line in the config:
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.2 1
The route command should contain the IP address of your default gateway (i.e. the next hop you'll hit when you browse out to the Internet), not an IP address assigned to you. If you're not sure what this should be, check with your ISP and they should be able to tell you. Once you have that, remove that route command and re-enter it using the correct IP.
Hope that helps.
-Mike
10-14-2010 06:21 PM
Could you post the output of
sh ip
sh route
ping x.x.x.2
ping 4.2.2.2
where x.x.x.2 is the GW that you have configured.
enable logging and post the logs if the pings fail.
conf t
logging on
logging buffered 7
exit
sh logg | i 4.2.2.2
-KS
10-17-2010 09:48 PM
kusankar wrote:
Could you post the output of
sh ip
sh route
ping x.x.x.2
ping 4.2.2.2
where x.x.x.2 is the GW that you have configured.
enable logging and post the logs if the pings fail.
conf t
logging on
logging buffered 7
exit
sh logg | i 4.2.2.2
-KS
xxx.xxx.xxx.1 is my static IP....
Here is the results from
sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 outside xxx.xxx.xxx.1 255.255.255.255 manual
Ethernet0/1 inside 192.168.10.1 255.255.255.0 manual
Management0/0 management 192.168.1.5 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 outside xxx.xxxxxx.1 255.255.255.255 manual
Ethernet0/1 inside 192.168.10.1 255.255.255.0 manual
Management0/0 management 192.168.1.5 255.255.255.0 CONFIG
show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is xxx.xxx.xxx.1 to network 0.0.0.0
C 192.168.10.0 255.255.255.0 is directly connected, inside
C 192.168.1.0 255.255.255.0 is directly connected, management
S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.1, outside
ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
10-18-2010 07:51 PM
So I am getting an Unidentified network from the computers I am not connecting to my asa......so between that and not being able to connect to the Internet I am very confused......any help is greatly appreciated.
THANK YOU ALL!!
10-18-2010 08:00 PM
Hey Toddy,
Mike here, in the show route, you can see a default route on which you see 0.0.0.0 0.0.0.0 via x.x.x.x, can you please try to ping that x.x.x.x IP and see if you get replies?
Cheers
Mike
10-18-2010 08:26 PM
Hello Mike -
The xxx.xxx.xxx.1 is my static ip. According to my ISP the first static ip given to me is my default gateway.
That said, I have my ASA set to establish a PPPoE connection and obtain an IP address using PPPoE. And the ASA does all this....If I go to my ASDM and monitor my PPPoE Client, my outside interface shows my first static ip.
You asked to ping that x.x.x. IP. If you are suggesting I do so from another pc that is connected to my inside network I cannot do that. For whatever reason, on any pc I connect to my inside network I receive an unidentified network and an IP address conflict....
Thanks for your help
10-18-2010 08:33 PM
Hello Toddy,
I see, but you cannot have your outside interface IP address as a default gateway, your ISP should assign you a default gateway. Do me a favor, I think I know how we can check this..... Go ahead and connect the PC to the modem, get the IP address and stuff and check with the ipconfig on the command prompt (if windows) if linux ifconfig and check what is the default gateway that you get, also check if you are able to ping 4.2.2.2.
Will be waiting for the reply.
Cheers.
Mike
10-18-2010 09:02 PM
Interesting stuff Mike.......I only input the Static IP as my default Gateway since 2 different ISP support staff told me that the First Static IP they gave me was also my default gateway........
I took my modem out of bridge mode......hooked my pc up to my modem was able to connect to the internet.....but this completely removes my asa from the equation.....SO
cmd gives me....
ipv4 address........192.168.1.47
subnet mask........255.255.255.0
default gateway.....192.168.1.1
ping 4.2.2.2 gives me.....
reply from 4.2.2.2: bytes=32 time=33ms TTL=56
reply from 4.2.2.2: bytes=32 time=33ms TTL=56
reply from 4.2.2.2: bytes=32 time=33ms TTL=56
reply from 4.2.2.2: bytes=32 time=33ms TTL=56
Ping statistics for 4.2.2.2:
Packets: sent = 4 Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-sconds:
Minimum = 32ms, Maximum = 33ms, Average = 32ms
Thanks