05-01-2013 04:37 PM - edited 03-11-2019 06:37 PM
Hi folks,
I'm NOT a network guy but I'm trying to support a friend. They just switched to TWC Business Class from Megapath. They have a Cisco 5505 ASA and are trying to configure it to work with the new TimeWarner cable modem. But we can't get PCs behind the firewall out to the Internet.
We think it should be a pretty simple config. They have the ASA connected directly to the modem. The modem is running DHCP, and we've configured the ASA to get its address via DHCP. We have a Windows server behind the firewall; it can't get out the Internet either. It's set up to be a DHCP server and is giving IP addresses to the PCs on the network.
Laptops connected via wifi to a wireless router attached to the modem are able to connect to the internet, thus we know the modem is up and running fine.
Can anyone help us out? Here's our running config:
ASA Version 8.4(1)
!
hostname ciscoasa
domain-name opanslab.com
enable password yYME2neTGgA0S1./ encrypted
passwd yYME2neTGgA0S1./ encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.236.137.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name opanslab.com
object network obj-10.236.137.0
subnet 10.236.137.0 255.255.255.0
object network obj-10.236.137.192
subnet 10.236.137.192 255.255.255.224
object network obj-10.236.137.2
host 10.236.137.2
object network obj-10.236.137.2-01
host 10.236.137.2
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.236.136.0
subnet 10.236.136.0 255.255.255.0
object network NETWORK_OBJ_10.236.136.48_28
subnet 10.236.136.48 255.255.255.240
access-list outside_access_in_1 extended permit tcp any object obj-10.236.137.2 eq 3389
access-list outside_access_in_1 extended permit tcp any object obj-10.236.137.2 eq ssh
access-list Opans_splitTunnelAcl standard permit 10.236.137.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.236.137.0 255.255.255.0 10.236.137.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.236.137.192 255.255.255.224
access-list AnyConnect_Client_Local_Print extended deny ip any any inactive
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm warnings
logging host inside 10.236.137.2
mtu inside 1500
mtu outside 1500
ip local pool OpansIPPool 10.236.137.200-10.236.137.215 mask 255.255.255.0
ip local pool OpansIPNew 10.236.137.216-10.236.137.230 mask 255.255.255.0
ip local pool OpansIpad 10.236.136.50-10.236.136.60 mask 255.255.255.0
ip audit name Test info action
ip audit interface inside Test
ip audit interface outside Test
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
nat (inside,any) source static obj-10.236.137.0 obj-10.236.137.0 destination static obj-10.236.137.192 obj-10.236.137.192 unidirectional
nat (inside,any) source static any any destination static obj-10.236.137.192 obj-10.236.137.192 unidirectional
nat (inside,outside) source static obj-10.236.136.0 obj-10.236.136.0 destination static obj-10.236.137.0 obj-10.236.137.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.236.136.48_28 NETWORK_OBJ_10.236.136.48_28
!
object network obj-10.236.137.2
nat (inside,outside) static interface service tcp ssh ssh
object network obj-10.236.137.2-01
nat (inside,outside) static interface service tcp 3389 3389
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 2:00:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 1:00:00 absolute uauth 1:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.236.137.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map outside_dyn_map 40 set pfs
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ssl.opanslab.com
keypair opanslab
no client-types
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.236.137.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 10.236.137.110-10.236.137.141 inside
dhcpd dns 10.236.137.2 interface inside
dhcpd wins 10.236.137.2 interface inside
dhcpd domain opanslab.local interface inside
dhcpd update dns both interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/sslclient-win-1.1.0.154.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2006-k9.pkg 2
anyconnect profiles Ipad_client_profile disk0:/Ipad_client_profile.xml
anyconnect profiles MAC disk0:/mac.xml
anyconnect profiles Win disk0:/win.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy GroupPolicy_Ipad internal
group-policy GroupPolicy_Ipad attributes
wins-server value 10.236.137.2
dns-server value 10.236.137.2
vpn-tunnel-protocol ikev2 ssl-client
default-domain value opanslab.com
webvpn
anyconnect profiles value Ipad_client_profile type user
group-policy Opans internal
group-policy Opans attributes
dns-server value 10.236.137.2
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Opans_splitTunnelAcl
default-domain value opanslab.local
webvpn
anyconnect profiles value MAC type user
group-policy OpAnsLab internal
group-policy OpAnsLab attributes
dns-server value 10.236.137.2
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
default-domain value opanslab.local
address-pools value OpansIpad
webvpn
anyconnect profiles value Win type user
username admin password c/I.r7cjBnQ65yWL encrypted privilege 15
username tbeaudreau password DUoNIbAhsEayVoJc encrypted privilege 0
username dbronson password Gzc9SohPM6gYmFRA encrypted privilege 0
username dbronson attributes
vpn-group-policy Opans
vpn-idle-timeout none
username klewis password cvUbGbbdJPQxo5mN encrypted privilege 0
username klewis attributes
vpn-group-policy Opans
username ipaduser password baU8Nyvo.DFWvKXq encrypted
username ipaduser attributes
vpn-group-policy GroupPolicy_Ipad
tunnel-group Opans type remote-access
tunnel-group Opans general-attributes
address-pool OpansIPNew
default-group-policy Opans
tunnel-group Opans ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group OpAnsLab type remote-access
tunnel-group OpAnsLab general-attributes
address-pool OpansIPNew
default-group-policy OpAnsLab
tunnel-group OpAnsLab ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group Ipad type remote-access
tunnel-group Ipad general-attributes
address-pool OpansIpad
default-group-policy GroupPolicy_Ipad
tunnel-group Ipad webvpn-attributes
group-alias Ipad enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8be0c6f446165c092ee220b6d5d3f9df
: end
Thanks in advance...
05-01-2013 04:50 PM
Hi,
Was there any difference in the old and new ISP?
Is the ASA now getting a private IP address from the modem? And the actual modem holds the public IP address?
If I had to guess, the old ISP connection setup used static "outside" interface configuration instead of DHCP?
Or have you configured the below Default Route just now for the new setup?
interface Vlan2
nameif outside
security-level 0
ip address dhcp
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
You can actually change the "outside" interface configuration to this
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
The "setroute" parameter allows the ASA to automatically get the default route from the DHCP server.
Can you ping some public IP addresses directly from the ASA command line?
For user ICMP traffic I would suggest adding the following command
fixup protocol icmp
- Jouni
05-02-2013 07:05 AM
Jouni,
Thanks for the response.
The old ISP gave us a static address, while the new one (TWC) is doing DHCP. We also lost the configuration we had with the old ISP due to a server room crash that took down the ASA. They hadn't saved the old configuration so we're essentially starting from scratch.
I think the ASA is getting a public address from the cable modem. The address displayed in the ASDM interface was the one the ISP saw on their end as having been given to us.
We're generally using the ASDM interface to configure the ASA and I'm pretty sure I know how to change that parameter from there. If I needed to change the "setroute" parameter from the command line, how would I do that?
I tried pinging a couple of public IP addresses from the command line last night and couldn't.
I'll try adding that ICMP traffic change.
Thanks again for all your assistance!
05-02-2013 09:21 AM
Hi,
Before you change anything, I would like it if you could take the output of the command "show ip address" from the ASA CLI and share it with us here so we can see what IP address the ISP is giving. I am just wondering if it's giving a publicly routable IP address or a private IP address.
If you wanted to add the "setroute" parameter then you could simply go to the interface configuration mode and add the command like this:
interface Vlan2
ip address dhcp setroute
It will replace the old configuration there. Though after this we might have to disconnect the Vlan2 cable so that the ASA requests the IP address with DHCP again.
Even if it receives another default route now directly from the modem, you still might have to remove the statically configured default route.
But as I said, first it would be good to see what the current IP address of the ASA is with the command "show ip address" and share the output with us here.
- Jouni
05-02-2013 09:42 AM
Now it's saying that the outside address is unassigned:
System IP Addresses:
Interface  Name     IP address     Subnet mask     Method
Vlan1      inside   10.236.137.1   255.255.255.0   CONFIG
Vlan2      outside  unassigned     unassigned      DHCP
Current IP Addresses:
Interface  Name     IP address     Subnet mask     Method
Vlan1      inside   10.236.137.1   255.255.255.0   CONFIG
Vlan2      outside  unassigned     unassigned      DHCP
I think my friend changed a setting on the ASA since last night, as I KNOW we had an IP address then.
05-02-2013 10:13 AM
Hi,
It seems it's still configured for DHCP though; it just doesn't have an IP address from the DHCP server (the modem, I guess?).
You can naturally check the output of command "show interface Vlan2" and check if it's in "up" or "down" state. Wondering if a cable is disconnected or something.
Naturally we would first need to get the "outside" interface IP address with DHCP, or know what IP address to configure on the interface statically, to have a chance to get this working.
Personally I fear that the actual modem might hold the public IP address of your leased line which would naturally make it hard to host any services behind the ASA. (As NAT would have to be done on the modem also)
But first things first, we would need to get the IP address to the "outside" interface first.
- Jouni
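Added example, not from the thread or from Cisco: a small Python check that reads the two things Jouni asks about, the static default route in the posted running config and the "show ip address" output, and reports why a static route to 192.168.1.1 cannot carry traffic when the outside interface is DHCP-addressed (unassigned address, next hop outside the connected subnet, or no "setroute"). The sample inputs are constructed from the lines in the thread; nothing queries the ASA itself.

```python
import ipaddress
import re
# Constructed samples in the form the thread shows: the relevant running-config
# lines, and the "show ip address" output after the outside address was lost.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address dhcp
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
"""
SAMPLE_SHOW_IP = """\
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan1 inside 10.236.137.1 255.255.255.0 CONFIG
Vlan2 outside unassigned unassigned DHCP
"""

def parse_config(config):
    """Return ({nameif: next hop} for static default routes, nameifs on DHCP without setroute)."""
    routes, no_setroute, nameif = {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("nameif "):
            nameif = line.split()[1]            # nameif precedes "ip address" in the block
        elif line.startswith("ip address dhcp") and "setroute" not in line:
            no_setroute.add(nameif)
        elif m := re.match(r"route\s+(\S+)\s+0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)", line):
            routes[m[1]] = m[2]
    return routes, no_setroute

def parse_show_ip(output):
    """Map nameif -> (ip, mask) from the 'Current IP Addresses' section."""
    addrs, section = {}, False
    for line in output.splitlines():
        section = section or line.startswith("Current IP Addresses")
        cols = line.split()                     # Interface Name IP Mask Method
        if section and len(cols) == 5:          # the header line has more tokens
            addrs[cols[1]] = (cols[2], cols[3])
    return addrs

def check_default_route(config, show_ip):
    """Return findings explaining why the static default route cannot carry traffic."""
    (routes, no_setroute), addrs, findings = parse_config(config), parse_show_ip(show_ip), []
    for nameif, hop in routes.items():
        ip, mask = addrs.get(nameif, ("unassigned", "unassigned"))
        if ip == "unassigned":
            findings.append(f"{nameif}: no address, next hop {hop} unreachable")
        elif ipaddress.ip_address(hop) not in ipaddress.ip_network(f"{ip}/{mask}", strict=False):
            findings.append(f"{nameif}: next hop {hop} not in connected subnet {ip}/{mask}")
        if nameif in no_setroute:
            findings.append(f"{nameif}: static default route on a DHCP interface; use 'ip address dhcp setroute' and drop the static route")
    return findings
```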