10-29-2013 09:18 PM - edited 03-11-2019 07:57 PM
Hi All,
Hope someone can help me.
I have spent the last two days trying to resolve this problem but had no luck.
When I configure the ASA5520 from scratch everything works fine, I can access the internet and surf without a problem. The problem is when I save the config and reload the ASA, then I'm not able to access the internet.
The ASA is connected directly to a Business Grade Wireless broadband via PPPoE, I have an outside network and an inside network.
I have pasted the config below, have I done something wrong....?
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password Jv79779910k1fr encrypted
passwd 2K86079IdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
description CIS_Internet
nameif outside
security-level 0
pppoe client vpdn group Cis
ip address pppoe
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description Internal_Local
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.252
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 210.55.XX.XX 1
route inside 10.1.1.0 255.255.255.0 10.10.10.1 1
route inside 172.16.20.0 255.255.255.0 10.10.10.1 1
route inside 172.16.30.0 255.255.255.0 10.10.10.1 1
route inside 192.168.1.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.0 255.255.255.252 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Cis request dialout pppoe
vpdn group Cis localname system@cixxxxx.com.au
vpdn group Cis ppp authentication chap
vpdn username system@cixxxxx.com.au password *****
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
anyconnect-essentials
username SystemUser password Khkx/sd/vu encrypted privilege 15
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:992c963510d5f2724a1a2d
: end
ciscoasa#
10-30-2013 12:39 AM
Hi,
The configuration seems minimal and seems correct to me.
I am not really familiar with PPPoE since I have never even configured it on an ASA firewall.
One thing you could check when you reboot the firewall is if the "outside" interface gets an IP address. I am also wondering if you actually have to remove the statically configured Default Route from your ASA and actually have this configuration under the "outside" interface
ip address pppoe setroute
The "setroute" which you are missing should let your ASA get the default route automatically from the remote end.
So I guess you could try to remove the configured static default route and change the "outside" interface configuration in the above way. Naturally do this at the site to avoid cutting off the management connection to the ASA.
- Jouni
10-31-2013 01:19 AM
Hi,
If your ASA is acquiring its public IP address dynamically, it's better to let the ASA handle installing the default route for itself instead of configuring one statically.
With regards to your Static PAT (Port Forward) problem
You are trying to configure the NAT with the format that is used in 8.3 (or above) software levels. Your software is 8.2 so you would need to use the old format.
To do Static PAT for SMTP and RDP you can do
static (inside,outside) tcp interface 3389 192.168.50.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.50.1 25 netmask 255.255.255.255
Can you check if the local/real IP address is correct? I can't see a route on the ASA for any network that would hold the IP address 192.168.50.1
Naturally in addition to the above Static PAT configuration you will need interface ACL rules to allow the traffic from external networks
Hope this helps
- Jouni
10-31-2013 12:04 AM
Hi Jouni,
Thanks mate, you're a life saver, the command ip address pppoe setroute did the job and all is okay, thank you so much for your help.
I had set a default route to the outside interface, I don't understand why that would not have worked since the setroute command and the default route do the same job.
Can I trouble you with one more problem,
I want to open smtp ports for exchange server and remote desktop, the problem I am having is when I set the command
object network Exchange_Server
host 192.168.50.1
I end up getting the following error
INFO: a host name must start and end with a letter or digit.
I don't know if this is the right command.
Can you direct me to the right way to open up port 25 to the exchange server?
Thanks,
10-31-2013 01:25 AM
Jouni,
I just added the route recently after I posted the above, that's why you can't see it.
Do I apply the ACL to the outside interface or the inside interface?
Thanks,
10-31-2013 01:29 AM
Hi,
If you want to connect to the internal servers from the public network then you would have to add rules to the "outside" interface ACL to allow the traffic.
access-list OUTSIDE-IN remark Allow SMTP
access-list OUTSIDE-IN permit tcp any interface outside eq smtp
access-list OUTSIDE-IN remark Allow RDP
access-list OUTSIDE-IN permit tcp host <trusted-public-ip> interface outside eq 3389
access-group OUTSIDE-IN in interface outside
I am not sure where you want to allow RDP connections from. I am not sure if it's a good idea to allow connections from any source address to it. If you don't know from which public IP addresses connections can be allowed from then you could consider configuring VPN Client connections on the ASA and using the RDP through the VPN so you don't need to allow those connections straight from the public network.
- Jouni
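The three things the thread has checked by hand so far (a static default route on a PPPoE interface that lacks "setroute", a static PAT whose real IP the ASA has no route for, and an outside ACL that opens RDP to any source) can be checked offline against a saved "show run". The script below is an added example, not code from this thread or from Cisco; the config it parses is constructed to mirror the shapes posted above (8.2-style "static"/"nat"/"global" syntax, unindented dump), and the addresses 203.0.113.1 and 192.168.50.1 are sample values.

```python
"""Offline audit of an ASA 8.2-style running-config for the issues raised in this thread.
Added example: parses a config dump and flags
  1. a static default route on an interface configured 'ip address pppoe' without 'setroute'
  2. a static PAT whose real (inside) IP is not covered by a connected network or a 'route' entry
  3. an interface ACL that permits TCP/3389 (RDP) from 'any'
"""
import ipaddress
import re

# Constructed sample config (not the poster's); same shapes as the 8.2 dumps in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group Cis
 ip address pppoe
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.252
!
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 25 192.168.50.1 25 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.205 3389 netmask 255.255.255.255
access-list OUTSIDE-IN permit tcp any interface outside eq smtp
access-list OUTSIDE-IN permit tcp any interface outside eq 3389
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.1.0 255.255.255.0 10.10.10.2 1
"""

# 8.2 static PAT: static (real_ifc,mapped_ifc) tcp interface <mapped-port> <real-ip> <real-port> netmask ...
_STATIC_RE = re.compile(
    r"^static \((?P<real_if>\w+),(?P<mapped_if>\w+)\) (?:tcp|udp) interface \S+ "
    r"(?P<real_ip>\d+\.\d+\.\d+\.\d+) \S+ netmask"
)
_ROUTE_RE = re.compile(r"^route (?P<ifname>\S+) (?P<net>\S+) (?P<mask>\S+) (?P<gw>\S+)")
_ACL_RDP_RE = re.compile(r"^access-list (?P<name>\S+) (?:extended )?permit tcp any .*\beq (?:3389|rdp)$")


def parse_interfaces(config):
    """Return {nameif: {pppoe, setroute, network}} for every named interface block."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()  # dumps pasted into forums usually lose their indentation
        if line.startswith("interface "):
            current = {"nameif": None, "pppoe": False, "setroute": False, "network": None}
        elif line == "!":
            if current and current["nameif"]:
                interfaces[current["nameif"]] = current
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                current["nameif"] = line.split()[1]
            elif line.startswith("ip address pppoe"):
                current["pppoe"] = True
                current["setroute"] = line.endswith("setroute")
            elif line.startswith("ip address "):
                _, _, addr, mask = line.split()[:4]
                current["network"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if current and current["nameif"]:
        interfaces[current["nameif"]] = current
    return interfaces


def audit(config):
    """Return a list of (finding-code, detail) tuples; empty list means nothing flagged."""
    findings = []
    interfaces = parse_interfaces(config)
    lines = [l.strip() for l in config.splitlines()]
    # Networks the ASA can reach: connected interface subnets plus non-default static routes.
    reachable = [i["network"] for i in interfaces.values() if i["network"]]
    for line in lines:
        m = _ROUTE_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        if net.prefixlen == 0:
            iface = interfaces.get(m["ifname"])
            if iface and iface["pppoe"] and not iface["setroute"]:
                findings.append(("DEFAULT-ROUTE-WITHOUT-SETROUTE", m["ifname"]))
        else:
            reachable.append(net)
    for line in lines:
        m = _STATIC_RE.match(line)
        if m and not any(ipaddress.ip_address(m["real_ip"]) in n for n in reachable):
            findings.append(("PAT-REAL-IP-UNROUTED", m["real_ip"]))
        m = _ACL_RDP_RE.match(line)
        if m:
            findings.append(("RDP-FROM-ANY", m["name"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

Run it against a saved "show run" instead of SAMPLE_CONFIG to get the same three checks; the first finding corresponds to the setroute advice above, the second to the "I can't see a route for 192.168.50.1" remark, and the third to the caution about opening RDP to any source.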
10-31-2013 01:59 AM
Jouni
I am not able to receive email, I am able to send but not receive.
Can you please look at the config below and see if I have missed anything?
ASA Version 8.2(5)
!
hostname ciscoasa
enable password Jv1hg0k1fr encrypted
passwd 2KFQnbNYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group Cirrus_Internet
ip address pppoe setroute
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa825-k8.bin
ftp mode passive
object-group network Exchange_Server
access-list OUTSIDE-IN remark Allow SMTP
access-list OUTSIDE-IN extended permit tcp any interface outside eq smtp
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.205 smtp netmask 255.255.255.255
access-group OUTSIDE-IN in interface outside
route inside 10.1.1.0 255.255.255.0 10.10.10.1 1
route inside 172.16.20.0 255.255.255.0 10.10.10.1 1
route inside 172.16.30.0 255.255.255.0 10.10.10.1 1
route inside 192.168.1.0 255.255.255.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.10.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group Telstra_Internet request dialout pppoe
vpdn group Telstra_Internet localname systemXXXX@telstra.com.au
vpdn group Cirrus_Internet ppp authentication chap
vpdn username systemXXXX@telstra.com.au password *****
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXXXX password Khkx/sd/vu encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c68da9839bcbaa7205a4d7babdcc6eae
: end
ciscoasa(config)#
10-31-2013 02:04 AM
Hi,
Does the ACL have any hitcounts of your attempts?
You can confirm the configurations with the "packet-tracer" command
packet-tracer input outside tcp 1.1.1.1 12345 <asa-public-ip> 25
This output should tell you if SMTP goes through
You could also monitor the ASA logs through ASDM and see if anything gets blocked
If you cant see anything then sometimes it might help removing the "inspect esmtp" from the configuration
policy-map global_policy
class inspection_default
no inspect esmtp
- Jouni
10-31-2013 02:32 AM
Hi
It says
translate_hits = 0, untranslate_hits = 9
does that seem right or not?
10-31-2013 02:42 AM
Hi,
That seems to be the NAT counters. It seems that either you have generated those hitcounts with "packet-tracer" or there are actual connections coming to your server.
I would monitor the logs through ASDM next.
If some connections are coming to the firewall that are blocked then those should be easy to spot.
You should also look for the log messages with "Teardown" and copy/paste them here (replace any public IP)
- Jouni
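The advice above is to read the ASDM log for blocked connections and for "Teardown" messages. The script below is an added example (not from this thread, Cisco or ASDM) that applies that triage to exported syslog text: a 106023 "Deny ... by access-group" line means the outside ACL dropped the attempt, while a 302014 "Teardown" with "bytes 0" and a "SYN Timeout" reason means the ASA let the SYN through but the server behind the static PAT never answered, which points at the real IP, inside routing or the server itself rather than the ACL. The log lines are constructed in the real ASA message formats, with documentation addresses in place of public IPs.

```python
"""Added example: sort ASA syslog lines about inbound connections to one port into
'denied by ACL', 'accepted but no reply from server' and 'completed', the way the
thread suggests reading the ASDM log. Sample lines are constructed; 203.0.113.x and
198.51.100.x are documentation addresses standing in for public IPs."""
import re

SAMPLE_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:192.168.1.205/25 by access-group "OUTSIDE-IN" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.7/51235 (203.0.113.7/51235) to inside:192.168.1.205/25 (198.51.100.10/25)
%ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.7/51235 to inside:192.168.1.205/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 1235 for outside:198.51.100.44/40000 (198.51.100.44/40000) to inside:192.168.1.205/25 (198.51.100.10/25)
%ASA-6-302014: Teardown TCP connection 1235 for outside:198.51.100.44/40000 to inside:192.168.1.205/25 duration 0:00:02 bytes 1842 TCP FINs
"""

# %ASA-4-106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
# %ASA-6-302014: Teardown TCP connection <id> for <ifc>:<ip>/<port> to <ifc>:<ip>/<port> duration <t> bytes <n> [<reason>]
TEARDOWN_RE = re.compile(
    r'%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)'
    r'(?: (?P<reason>.+))?$'
)


def triage_inbound(log_text, dst_port=25):
    """Group log lines for connections to dst_port by what the ASA saw happen to them."""
    result = {"denied": [], "no_reply": [], "completed": []}
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and int(m["dport"]) == dst_port:
            result["denied"].append((m["src"], m["acl"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m and int(m["dport"]) == dst_port:
            entry = (m["src"], m["reason"] or "")
            # Zero bytes over the life of the connection: nothing ever came back from the server.
            if int(m["bytes"]) == 0:
                result["no_reply"].append(entry)
            else:
                result["completed"].append(entry)
    return result


def explain(result):
    """Turn the grouped counts into the next thing to check."""
    notes = []
    if result["denied"]:
        notes.append("ACL is dropping inbound attempts: check the outside access-list and access-group.")
    if result["no_reply"]:
        notes.append("ASA accepted the SYN but the server never answered: check the static PAT real IP, "
                     "the inside route to it, and that the server is listening.")
    if result["completed"] and not (result["denied"] or result["no_reply"]):
        notes.append("Connections complete end to end: the firewall is not the problem.")
    return notes


if __name__ == "__main__":
    summary = triage_inbound(SAMPLE_LOG, 25)
    for key, entries in summary.items():
        print(f"{key}: {entries}")
    for note in explain(summary):
        print("->", note)
```

Paste the ASDM log export (or "show logging" output) into SAMPLE_LOG's place and change dst_port for RDP; on the sample data one source is blocked by the ACL and another reaches the ASA but gets no answer from the mail server, which is exactly the distinction the post above asks the reader to make.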
10-31-2013 03:18 AM
Hi Jouni,
You are an absolute legend, I am receiving emails.
I might be pushing it but need help on two more things,
I want to be able to manage the ASA from a remote location, do I just add the remote IP address in the management access? Do I have to also create an ACL for it as well?
Can you let me know what command to input to allow management by ASDM from a remote IP address? It will be a static IP address.
Thanks for your help, you've been the best to deal with.
10-31-2013 03:50 AM
Hi,
The configurations below that you have enable ASDM management through the "inside" interface and its mentioned networks
http server enable
http 10.10.10.0 255.255.255.252 inside
http 192.168.1.0 255.255.255.0 inside
If you wanted to allow a single source IP address to manage the ASA through "outside" you would simply add
http <remote-static-ip> 255.255.255.255 outside
You won't need to configure any ACLs. The above command is all that's needed.
Seems you have not allowed any connections to the CLI interface of the ASA (other than Console connection locally)
If you wanted to allow SSH for example you could add
ssh version 2
ssh <remote-static-ip> 255.255.255.255 outside
Hope this helps
Please do remember to mark a reply as a correct answer if it has answered your question and/or rate helpful answers.
Feel free to ask more if needed though
- Jouni
10-31-2013 04:30 AM
Actually,
For the SSH you might need to generate keys unless already present
crypto key generate rsa modulus 1024
You can view the current keys (if present) with
show crypto key mypubkey rsa
- Jouni