08-04-2011 02:36 AM - edited 03-11-2019 02:07 PM
Can anyone help me with setting up an ASA 5505 to be used as a firewall between a BT internet router (BTnet service) and a Cisco 3560 LAN switch? BT have presented me with a Cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 GigabitEthernet ports on the back of the router. Port Gi0/0 is connected to the BT NTE and the status light is flashing green. Int Gi0/1 is connected into port int e0/1 of the ASA, but I am unable to get any connection.
Attached is the config.
08-04-2011 03:50 AM
Andrew
To connect a router to an ASA you will need to use a crossover cable, or put a switch in between and use straight-through cables.
Jon
08-04-2011 04:03 AM
Thanks, John. BT had the interface Gi0/1 port in no shutdown mode. The connection actually works with or without a crossover cable.
08-04-2011 04:11 AM
Andrew
Thanks for letting me know. Actually I was being a bit stupid (not an uncommon occurrence), as the ASA 5505 has a built-in Ethernet switch, so you wouldn't have needed a crossover at all.
Jon
08-04-2011 06:08 AM
I still cannot get it to work though. I can ping the gateway of int vl235, 10.123.106.254, but nothing else.
I have also removed the route
'route inside 0.0.0.0 0.0.0.0 10.123.111.78 1'
08-04-2011 06:15 AM
Andrew
How are you testing - with ping?
Have you tried connecting to a website?
If you want to test with ping then temporarily add this to your config:
access-list out_in permit icmp any any
access-group out_in in interface outside
and retest.
Also be aware that you cannot ping the outside interface IP of the ASA from the inside; it is a security feature. But you should obviously be able to ping devices outside the ASA.
Jon
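As an added illustration of the ping test Jon describes (this is not configuration from the thread or from the original poster's attached config): the first fragment is the temporary test ACL, which opens the outside interface to all ICMP from anywhere and should be removed once the test is done; the second is the stateful alternative, enabling ICMP inspection in the default global policy so echo replies to inside hosts are allowed back through without any inbound ACL. Interface names (outside, inside) are assumed to match the ASA config in the thread; the ACL name out_in is Jon's.

```cisco
! --- Temporary test only: permits ALL inbound ICMP on the outside interface.
! --- Remove both lines after testing.
access-list out_in extended permit icmp any any
access-group out_in in interface outside

! --- Preferred, stateful alternative: inspect ICMP so that replies to
! --- pings originated from the inside are matched to their requests and
! --- allowed back in, while unsolicited ICMP from outside is still dropped.
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global

! --- Clean-up once the test ACL is no longer needed.
no access-group out_in in interface outside
no access-list out_in extended permit icmp any any

! --- Verify from the ASA itself that the next hop answers.
ping outside 10.123.111.78
```

With `inspect icmp` in place an inside host can `ping 8.8.8.8` (or any reachable outside address) through the ASA without the outside interface accepting arbitrary ICMP, which is the state you want to leave the firewall in after troubleshooting.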
08-04-2011 06:22 AM
No, I can't pick up an IP address from the switch connected to port e0/2 on VLAN 325.
I want the ASA to give out DHCP addresses also.
08-04-2011 06:31 AM
Andrew
The DHCP config on your firewall is fine. Are you sure the switch port the client is connected to is in the same VLAN, and that the connection from the switch to the ASA is also in the right VLAN?
Apologies for basic questions but your config looks fine to me.
Jon
08-04-2011 06:44 AM
Port e0/2 of the ASA is plugged into port fa0/1 and my laptop is plugged into Fa0/2.
interface FastEthernet0/1
switchport access vlan 325
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 325
switchport mode access
!
interface FastEthernet0/3
switchport access vlan 325
switchport mode access
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan325
ip address 10.123.106.251 255.255.255.128
 ip helper-address 10.123.106.254
no ip route-cache
!
!
08-04-2011 06:53 AM
Can you run these debug commands on the ASA and try again:
debug dhcpd event
debug dhcpd packet
Jon
08-04-2011 07:04 AM
Jon,
I don't get any output from these debug commands.
08-04-2011 07:17 AM
Okay. Are you sure VLAN 325 exists on the switch in the VLAN database?
If so, can you try this on the ASA:
access-list dhcp-acl permit udp any any range 67 68
capture dhcp-cap access-list dhcp-acl interface inside
and then see if you see any packets from the capture.
Jon
08-04-2011 07:33 AM
VLAN 325 is definitely in the VLAN database. I still get no output.
I also got this:
FSCOGLA5505-0001-1# sh dhcpd state
Context Not Configured for DHCP
Interface outside, Not Configured for DHCP
Interface inside, Not Configured for DHCP
Interface Management, Not Configured for DHCP
FSCOGLA5505-0001-1#
08-04-2011 07:36 AM
Okay, I very rarely suggest this, but can you save the config on the ASA, reboot and retest? It may simply be that the ASA 5505 has got itself into a state.
Jon
08-04-2011 07:41 AM
I have just added the 'dhcpd enable inside' command and I have now picked up an IP address.
I will reboot and test and let you know.
Thanks
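The "Not Configured for DHCP" lines in the `show dhcpd state` output above are exactly what an ASA prints when the pool is defined but the server has never been enabled on the interface, which is why `dhcpd enable inside` fixed it. As an added, complete example (not the original poster's attached config, and not Jon's wording), here is a minimal ASA 5505 DHCP server configuration for the inside VLAN in this thread, followed by the checks that tell you whether DHCP is actually being served. The inside address 10.123.106.254/25 and VLAN 325 are taken from the thread; the pool range, lease time and DNS server are assumptions chosen to avoid the switch SVI at .251 and the ASA at .254.

```cisco
! --- Inside interface: VLAN 325 on the 5505's built-in switch.
interface Ethernet0/2
 switchport access vlan 325
 no shutdown
!
interface Vlan325
 nameif inside
 security-level 100
 ip address 10.123.106.254 255.255.255.128
!
! --- DHCP server. The pool must lie inside the interface subnet
! --- (10.123.106.128/25 here); the interface IP is handed out as the
! --- default router automatically. Range and lease are assumed values.
dhcpd address 10.123.106.129-10.123.106.250 inside
dhcpd dns 10.123.106.254
dhcpd lease 3600
!
! --- This line is the one that was missing in the thread. Without it the
! --- pool exists but the server is not running on the interface.
dhcpd enable inside

! --- Verification. "Interface inside, Configured for DHCP SERVER" is the
! --- state you want; "Not Configured for DHCP" means enable is absent.
show dhcpd state
show dhcpd binding
show dhcpd statistics

! --- If a client still gets nothing, prove whether DISCOVERs even arrive:
access-list dhcp-acl extended permit udp any any range 67 68
capture dhcp-cap access-list dhcp-acl interface inside
show capture dhcp-cap
no capture dhcp-cap
```

Two caveats a practitioner would check in this particular topology: the client's access port, the switch-to-ASA link and the ASA's Ethernet0/2 must all be in VLAN 325, so the broadcast DISCOVER reaches the ASA at layer 2; and because the ASA sits on the same segment as the client, the `ip helper-address` on the switch SVI is unnecessary for this VLAN (a helper is only needed to relay DHCP to a server on a different subnet).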