Cisco ASA 8.2, can't access internet

systemaxtech (Level 1)

Hi All,

Hope someone can help me.

I have spent the last two days trying to resolve this problem but had no luck.

When I configure the ASA5520 from scratch everything works fine, I can access the internet and surf without a problem. The problem is when I save the config and reload the ASA, then I'm not able to access the internet.

The ASA is connected directly to a Business Grade Wireless broadband via PPPoE. I have an outside network and an inside network.

I have pasted the config below; have I done something wrong?

ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password Jv79779910k1fr encrypted
passwd 2K86079IdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 description CIS_Internet
 nameif outside
 security-level 0
 pppoe client vpdn group Cis
 ip address pppoe
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Internal_Local
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 210.55.XX.XX 1
route inside 10.1.1.0 255.255.255.0 10.10.10.1 1
route inside 172.16.20.0 255.255.255.0 10.10.10.1 1
route inside 172.16.30.0 255.255.255.0 10.10.10.1 1
route inside 192.168.1.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.0 255.255.255.252 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Cis request dialout pppoe
vpdn group Cis localname system@cixxxxx.com.au
vpdn group Cis ppp authentication chap
vpdn username system@cixxxxx.com.au password *****
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 anyconnect-essentials
username SystemUser password Khkx/sd/vu encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:992c963510d5f2724a1a2d
: end
ciscoasa#

2 Accepted Solutions (both by Jouni Forss, reproduced in the replies below)

12 Replies

Jouni Forss (VIP Alumni)

Hi,

The configuration seems minimal and seems correct to me.

I am not really familiar with PPPoE since I have never even configured it on an ASA firewall.

One thing you could check when you reboot the firewall is whether the "outside" interface gets an IP address. I am also wondering if you actually have to remove the statically configured default route from your ASA and actually have this configuration under the "outside" interface:

ip address pppoe setroute

The "setroute" which you are missing should let your ASA get the default route automatically from the remote end.

So I guess you could try to remove the configured static default route and change the "outside" interface configuration in the above way. Naturally, do this at the site to avoid cutting off the management connection to the ASA.

- Jouni

Hi Jouni,

Thanks mate, you're a lifesaver. The command ip address pppoe setroute did the job and all is okay. Thank you so much for your help.

I had set a default route to the outside interface. I don't understand why that would not have worked, since the setroute command and the default route do the same job.

Can I trouble you with one more problem?

I want to open SMTP ports for the Exchange server and Remote Desktop. The problem I am having is that when I set the command

object network Exchange_Server

host 192.168.50.1

I end up getting the following error:

INFO: a host name must start and end with a letter or digit.

I don't know if this is the right command.

Can you direct me to the right way to open up port 25 to the Exchange server?

Thanks,

Hi,

If your ASA is acquiring its public IP address dynamically, it's better to let the ASA handle installing the default route for itself instead of configuring one statically.

With regard to your Static PAT (Port Forward) problem:

You are trying to configure the NAT with the format that is used in 8.3 (or above) software levels. Your software is 8.2, so you would need to use the old format.

To do Static PAT for SMTP and RDP you can do:

static (inside,outside) tcp interface 3389 192.168.50.1 3389 netmask 255.255.255.255

static (inside,outside) tcp interface 25 192.168.50.1 25 netmask 255.255.255.255

Can you check if the local/real IP address is correct? I can't see a route on the ASA for any network that would hold the IP address 192.168.50.1.

Naturally, in addition to the above Static PAT configuration you will need interface ACL rules to allow the traffic from external networks.

Hope this helps

- Jouni

Jouni,

I just added the route recently after I posted the above. That's why you can't see it.

Do I apply the ACL to the outside interface or the inside interface?

Thanks,

Hi,

If you want to connect to the internal servers from the public network, then you would have to add rules to the "outside" interface ACL to allow the traffic.

access-list OUTSIDE-IN remark Allow SMTP

access-list OUTSIDE-IN permit tcp any interface outside eq smtp

access-list OUTSIDE-IN remark Allow RDP

access-list OUTSIDE-IN permit tcp any interface outside eq 3389

access-group OUTSIDE-IN in interface outside

I am not sure where you want to allow RDP connections from. I am not sure if it's a good idea to allow connections from any source address to it. If you don't know from which public IP addresses connections can be allowed, then you could consider configuring VPN Client connections on the ASA and using RDP through the VPN, so you don't need to allow those connections straight from the public network.

- Jouni

Jouni,

Not able to receive email. I am able to send but not receive.

Can you please look at the config below and see if I have missed anything?

ASA Version 8.2(5)
!
hostname ciscoasa
enable password Jv1hg0k1fr encrypted
passwd 2KFQnbNYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group Cirrus_Internet
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object-group network Exchange_Server
access-list OUTSIDE-IN remark Allow SMTP
access-list OUTSIDE-IN extended permit tcp any interface outside eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.205 smtp netmask 255.255.255.255
access-group OUTSIDE-IN in interface outside
route inside 10.1.1.0 255.255.255.0 10.10.10.1 1
route inside 172.16.20.0 255.255.255.0 10.10.10.1 1
route inside 172.16.30.0 255.255.255.0 10.10.10.1 1
route inside 192.168.1.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Telstra_Internet request dialout pppoe
vpdn group Telstra_Internet localname systemXXXX@telstra.com.au
vpdn group Cirrus_Internet ppp authentication chap
vpdn username systemXXXX@telstra.com.au password *****
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXXXX password Khkx/sd/vu encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c68da9839bcbaa7205a4d7babdcc6eae
: end
ciscoasa(config)#

Hi,

Does the ACL have any hitcounts of your attempts?

You can confirm the configurations with the "packet-tracer" command:

packet-tracer input outside tcp 1.1.1.1 12345 <outside-interface-ip> 25

This output should tell you if SMTP goes through.

You could also monitor the ASA logs through ASDM and see if anything gets blocked.

If you can't see anything, then sometimes it might help to remove the "inspect esmtp" from the configuration:

policy-map global_policy

class inspection_default

no inspect esmtp

- Jouni

Hi

It says:

translate_hits = 0, untranslate_hits = 9

Does that seem right or not?

Hi,

That seems to be the NAT counters. It seems that either you have generated those hitcounts with "packet-tracer" or there are actual connections coming to your server.

I would monitor the logs through ASDM next.

If some connections are coming to the firewall that are blocked then those should be easy to spot.

You should also look for the log messages with "Teardown" and copy/paste them here (replace any public IP)

- Jouni
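As an added example (not part of Jouni's reply or anything from Cisco), the following Python does the log review he describes over constructed ASA syslog lines laid out like the 106023 (denied by access-group) and 302014 (TCP connection teardown) messages: it separates hits the interface ACL blocked from connections that were allowed and then torn down, and maps the teardown reason onto the likely cause. The addresses, connection ids and verdict wording are constructed for the example.

```python
"""Triage ASA syslog lines for a published (static PAT) service.

Added example, not from the thread or from Cisco. SAMPLE_LOG is constructed
in the layout of the real 106023 (ACL deny) and 302014 (TCP teardown)
messages; addresses are documentation ranges, not real hosts.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.23/51234 dst inside:192.168.1.205/3389 by access-group "OUTSIDE-IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.23/51235 (198.51.100.23/51235) to inside:192.168.1.205/25 (203.0.113.10/25)
%ASA-6-302014: Teardown TCP connection 4711 for outside:198.51.100.23/51235 to inside:192.168.1.205/25 duration 0:00:00 bytes 0 TCP Reset-I
%ASA-6-302014: Teardown TCP connection 4712 for outside:198.51.100.24/40000 to inside:192.168.1.205/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 4713 for outside:198.51.100.25/40001 to inside:192.168.1.205/25 duration 0:00:05 bytes 1830 TCP FINs
"""

# "<nameif>:<ip>/<port>" pairs; lazy quantifiers stop at the ':' and '/' separators.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (\w+) src (\S+?):(\S+?)/(\d+) dst (\S+?):(\S+?)/(\d+) by access-group "([^"]+)"'
)
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (\d+) for (\S+?):(\S+?)/(\d+) to (\S+?):(\S+?)/(\d+)"
    r" duration (\S+) bytes (\d+) (.+)$"
)


def classify_teardown(reason: str, nbytes: int) -> str:
    """Map the teardown reason onto the likely cause, as seen from the firewall."""
    if "Reset-I" in reason:          # the inside host answered with RST
        return "reset by inside host: nothing listening on that port"
    if "SYN Timeout" in reason:      # SYN forwarded, no SYN-ACK ever came back
        return "no SYN-ACK from inside host: check the server's route back via the ASA"
    if "Reset-O" in reason:
        return "reset by outside peer"
    return "completed" if nbytes > 0 else "closed without data"


def triage(lines: List[str]) -> Dict[str, object]:
    """Split log lines into ACL denies and connection teardowns with a verdict each."""
    denied: List[dict] = []
    teardowns: List[dict] = []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            denied.append({"proto": m[1], "src": f"{m[3]}:{m[4]}", "dst": f"{m[6]}:{m[7]}", "acl": m[8]})
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            reason, nbytes = m[10].strip(), int(m[9])
            teardowns.append({"conn": int(m[1]), "src": f"{m[3]}:{m[4]}", "dst": f"{m[6]}:{m[7]}",
                              "bytes": nbytes, "reason": reason,
                              "verdict": classify_teardown(reason, nbytes)})
    return {"denied": denied, "teardowns": teardowns,
            "verdicts": Counter(t["verdict"] for t in teardowns)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for d in result["denied"]:
        print(f"DENY  {d['src']} -> {d['dst']} by ACL {d['acl']}")
    for t in result["teardowns"]:
        print(f"CONN  {t['src']} -> {t['dst']} {t['bytes']}B {t['reason']}: {t['verdict']}")
```

A deny entry means the ACL is the problem; a teardown with zero bytes means the ACL and NAT let the SYN through and the server side (listener or return route) is what to look at next.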

Hi Jouni,

You are an absolute legend, I am receiving emails.

I might be pushing it, but I need help on two more things.

I want to be able to manage the ASA from a remote location. Do I just add the remote IP address in the management access? Do I have to also create an ACL for it as well?

Can you let me know what command to input to allow management by ASDM from a remote IP address? It will be a static IP address.

Thanks for your help, you've been the best to deal with.

Hi,

The configurations you have below have enabled ASDM management through the "inside" interface and the networks mentioned in them:

http server enable

http 10.10.10.0 255.255.255.252 inside

http 192.168.1.0 255.255.255.0 inside

If you wanted to allow a single source IP address to manage the ASA through "outside" you would simply add:

http <remote-ip> 255.255.255.255 outside

You won't need to configure any ACLs. The above command is all that's needed.

Seems you have not allowed any connections to the CLI interface of the ASA (other than Console connection locally).

If you wanted to allow SSH, for example, you could add:

ssh version 2

ssh <remote-ip> 255.255.255.255 outside

Hope this helps

Please do remember to mark a reply as a correct answer if it has answered your question and/or rate helpful answers.

Feel free to ask more if needed though

- Jouni

Actually,

For the SSH you might need to generate keys unless already present:

crypto key generate rsa modulus 1024

You can view the current keys (if present) with:

show crypto key mypubkey rsa

- Jouni
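Jouni's advice across this thread (setroute instead of a static default route on a PPPoE interface, a static PAT needing both an outside ACL entry and an inside route for the real address, not exposing RDP to any source, and limiting outside management to a single host) can be turned into a config lint. The Python below is an added example, not code from the thread or from Cisco: the sample config is constructed from the posted ones with documentation addresses (203.0.113.x, 198.51.100.x) standing in for the masked public IPs, and the check list is my own reading of the thread, so treat the findings as hints rather than an exhaustive review.

```python
"""Lint an ASA 8.2-style config for the pitfalls raised in this thread.

Added example, not code from the thread or from Cisco. SAMPLE_CONFIG is
constructed from the posted configs; 203.0.113.x / 198.51.100.x are
documentation addresses standing in for the poster's masked public IPs.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group Cis
 ip address pppoe
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
access-list OUTSIDE-IN remark Allow SMTP
access-list OUTSIDE-IN extended permit tcp any interface outside eq smtp
access-list OUTSIDE-IN extended permit tcp any interface outside eq 3389
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.205 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.50.1 3389 netmask 255.255.255.255
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.1.0 255.255.255.0 10.10.10.1 1
http server enable
http 10.10.10.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 198.51.100.7 255.255.255.255 outside
"""

PORT_NAMES = {"smtp": 25, "ssh": 22, "telnet": 23, "www": 80, "https": 443}


def port_number(token: str) -> int:
    """ASA prints well-known ports by name; normalise to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_config(text: str) -> Dict[str, list]:
    """Extract only the statement types the checks below need."""
    cfg: Dict[str, list] = {"interfaces": [], "acl": [], "statics": [], "routes": [], "mgmt": []}
    ifc = None                                  # interface block currently being read
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            ifc = None                          # any top-level line ends the interface block
        tok = line.split()
        if tok[0] == "interface":
            ifc = {"nameif": None, "ip": None, "pppoe": False, "setroute": False}
            cfg["interfaces"].append(ifc)
        elif line.startswith(" ") and ifc is not None:
            if tok[0] == "nameif":
                ifc["nameif"] = tok[1]
            elif tok[:2] == ["ip", "address"] and tok[2] == "pppoe":
                ifc["pppoe"], ifc["setroute"] = True, "setroute" in tok
            elif tok[:2] == ["ip", "address"]:
                ifc["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "access-list":           # 8.2 form: permit <proto> <src> interface <nameif> eq <port>
            m = re.match(r"access-list (\S+) (?:extended )?permit (\S+) (.+?) interface (\S+) eq (\S+)$", line)
            if m:
                cfg["acl"].append({"name": m[1], "proto": m[2], "src": m[3], "ifc": m[4], "port": port_number(m[5])})
        elif tok[0] == "static":                # 8.2 static PAT on the interface address
            m = re.match(r"static \((\S+),(\S+)\) (\S+) interface (\S+) (\S+) (\S+) netmask", line)
            if m:
                cfg["statics"].append({"mapped_ifc": m[2], "proto": m[3], "mapped_port": port_number(m[4]),
                                       "real_ip": ipaddress.ip_address(m[5])})
        elif tok[0] == "route":
            cfg["routes"].append({"ifc": tok[1], "net": ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)})
        elif tok[0] in ("http", "ssh", "telnet") and len(tok) == 4:   # "<svc> <addr> <mask> <nameif>"
            cfg["mgmt"].append({"svc": tok[0], "net": ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False),
                                "ifc": tok[3]})
    return cfg


def audit(cfg: Dict[str, list]) -> List[str]:
    """Return one finding per issue; an empty list means none of the checks fired."""
    findings: List[str] = []
    has_static_default = any(r["net"].prefixlen == 0 for r in cfg["routes"])
    # Networks reachable behind non-outside interfaces: connected plus routed.
    internal = [i["ip"].network for i in cfg["interfaces"] if i["ip"] is not None and i["nameif"] != "outside"]
    internal += [r["net"] for r in cfg["routes"] if r["ifc"] != "outside"]

    for i in cfg["interfaces"]:
        if i["pppoe"] and not i["setroute"] and has_static_default:
            findings.append(f"{i['nameif']}: 'ip address pppoe' lacks setroute while a static default route exists; "
                            "use 'ip address pppoe setroute' and remove the static route")
    for s in cfg["statics"]:
        if not any(a["ifc"] == s["mapped_ifc"] and a["proto"] == s["proto"] and a["port"] == s["mapped_port"]
                   for a in cfg["acl"]):
            findings.append(f"static PAT {s['proto']}/{s['mapped_port']}: no matching permit in the {s['mapped_ifc']} ACL")
        if not any(s["real_ip"] in net for net in internal):
            findings.append(f"static PAT real address {s['real_ip']}: no inside route or connected network covers it")
    for a in cfg["acl"]:
        if a["src"] == "any" and a["port"] == 3389:
            findings.append(f"{a['name']}: RDP (3389) permitted from any source; restrict the source or publish it over VPN")
    for m in cfg["mgmt"]:
        if m["ifc"] == "outside" and m["net"].prefixlen < 32:
            findings.append(f"{m['svc']} management on outside open to {m['net']}; allow a single /32 host only")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports four findings (missing setroute beside a static default, no inside route for 192.168.50.1, RDP open to any, HTTP management open to 0.0.0.0/0); the same text with those four items corrected comes back clean.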
