11-29-2013 01:49 PM - edited 03-11-2019 08:11 PM
Hello,
I've tried so many config methods that I'm now confused on the issue.
I have a DSL modem from Virgin Media, and if I plug my laptop into it, it gives me a public IP and I can get on the internet, so it is doing some sort of DHCP. Now I have connected the outside of the firewall to this port and configured the ASA as best as I can, but I can't get on the internet from the inside. Can you think of any reason why it isn't working?
ASA Version 9.1(3)
!
hostname ciscoasa
enable password RHohe4nol/SZU8wm encrypted
names
!
interface Ethernet0/0
switchport access vlan 99
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 10
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan10
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan99
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-network
subnet 0.0.0.0 0.0.0.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-network
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.0.10-192.168.0.254 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password /duR4QE encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Thanks
11-30-2013 06:10 AM
I checked the interim release notes and I did not see any bugs related to 9.1.3 DHCP, suggestions to follow:
http://www.cisco.com/web/software/280775065/107119/ASA-913-Interim-Release-Notes.html
On the interface VLAN 99 we will set a virtual MAC address:
Enable
Config t
interface Vlan99
mac-address 001C.2314.14DA
Some ISPs might filter by vendor, as they only wish for you to connect a PC, not a router/firewall or whatever device that will provide access to more than one PC.
Then, if this does not work, upgrade to the latest 9.1.3 interim release if you can.
If nothing works, just get me debugs and captures:
debug dhcpc detail
debug dhcpc event
debug dhcpc error
I think that you could set the capture like this:
capture dhcp interface outside match udp any any eq 67 match udp any any 68
If it does not work then just add the command like this and it will combine it:
capture dhcp interface outside match udp any any eq 67
capture dhcp interface outside match udp any any eq 68
Download the captures:
https://192.168.0.1/capture/dhcp/pcap
Let me know how it goes.
Value our effort and rate the assistance!
12-02-2013 11:02 AM
Hi,
ASDM and the CLI command "show run route" don't show anything, as you have not manually configured any routes.
The actual route shown in the routing table active now on the ASA is the default route installed automatically/dynamically by DHCP, as the ASA received the information from the DHCP server (ISP) because you defined the "setroute" parameter in the interface configuration.
When you are using DHCP you naturally can't set the default route statically yourself, as you won't know what public IP address, and from what subnet, you will receive from the ISP. So a statically set/configured default route might be wrong and point to a gateway IP address that is not from the same subnet you received an IP address from.
- Jouni
11-29-2013 01:57 PM
Hi,
Check the following command to see if you have gotten an IP address
show ip add
At least I think that should show it.
Then check if you have gotten the default route
show route
Double check that you have actually connected port Ethernet0/0 to the modem, since it's the only port attached to the external VLAN 99.
If you are testing with ICMP add these configurations
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
If you have not found any problem so far then check the actual host
Check that it has gotten the information needed with DHCP from the ASA
Check on its command prompt that it can resolve a name to an IP address with the DNS server used (4.2.2.2)
- Jouni
11-29-2013 02:20 PM
Hi,
Here is what I have, not looking good:
show ip add
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 inside 192.168.0.1 255.255.255.0 manual
Vlan99 outside unassigned unassigned DHCP
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 inside 192.168.0.1 255.255.255.0 manual
Vlan99 outside unassigned unassigned DHCP
Seems I don't have a route. I've used ASAs before on 8.2.x and I can set the route to the outside interface; what should I add on 9.1.3?
The host is getting DHCP and I can get on the ASDM, and I have just configured SSH and that is OK. It just seems it could be a route issue, or the fact that the outside isn't getting an IP.
Thanks
11-29-2013 09:13 PM
OK, connect the PC and get an "ipconfig /all" from cmd to see the IP that you get.
After you get that output we can decide if we need to run a debug to see what is happening.
Value our effort and rate the assistance!
11-30-2013 04:00 AM
Hi,
This is what I get:
Physical Address. . . . . . . . . : 00-1C-23-14-14-DA
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 77.96.205.189(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . :30 November 2013 11:55:09
Lease Expires . . . . . . . . . . : 06 December 2013 19:41:27
Default Gateway . . . . . . . . . :77.96.205.1
DHCP Server . . . . . . . . . . . : 62.253.131.201
DNS Servers . . . . . . . . . . . : 194.168.4.100
194.168.8.100
I have to set the Virgin Media DSL router to modem mode and connect to the outside (Eth 0) of the ASA. On the Laptop if I type 192.168.100.1 I can get to the Virgin Media DSL router to manage it.
I didn't put any IP in, it is all DHCP.
Thanks
11-30-2013 04:59 AM
The outside interface is set as DHCP, as the ISP router should assign it an IP like it does when the laptop is plugged in, but I don't think it does. Also there is no route, but what should I set the default route to? On my old PIX 515 I used route 0.0.0.0 0.0.0.0 outside, but on this ASA (9.1.3) I can't set a default route to the outside interface or use the outside IP of the ASA, as it is DHCP.
Packet trace
ciscoasa# packet-tracer input inside icmp 192.168.0.10 8 8 4.2.2.2
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
Thanks
11-30-2013 06:09 AM
Hi,
I don't see why the ASA would not get an IP address from your ISP also.
In some recent 8.4 series software versions there were problems related to using the ASA as a DHCP client.
So if you have a chance I would try and boot the ASA with a slightly older software version and see if that has any effect.
You won't have a route if your ASA has not even gotten an IP address from the ISP. It seems to me that the ISP router is probably configured as bridged, as you get a public IP address.
- Jouni
12-01-2013 04:47 AM
Config t
interface Vlan99
mac-address 001C.2314.14DA
Wow, it seems that worked!
Why though, please explain?
Why do I not need a default route?
Thanks
12-01-2013 07:54 PM
I think I explained it on my previous post.
Without a default route you cannot route to unknown networks, meaning nothing other than your known networks, which are your directly connected routes.
Value our effort and rate the assistance!
12-02-2013 02:20 AM
Thing is I don't have a default route and it all works, is something dynamic happening?
Why did the mac address method work?
Thanks
12-02-2013 02:27 AM
Hi,
You have this configuration under the external interface
ip address dhcp setroute
This means that your external interface will get the IP address from the ISP through DHCP, and the "setroute" parameter means that the ASA will get the default route automatically from the ISP. So you won't need to configure a default route, nor should you configure one when you are getting it from the ISP.
It seems that you have configured your laptop's MAC address on the external interface of the ASA as well.
I guess there might have been a problem with the fact that you had switched your firewall and laptop in the ISP router/modem and since your laptop worked just fine your ASAs external interface was configured with the same MAC address so that it would work also.
Typically I would think this might be an ARP related issue if you have switched 2 different devices (with different MAC address naturally) in the ISP Router/Modem but I am not sure if this is the case when you are using DHCP on your device but I guess it might be possible.
I have not run into a situation myself where the ISP would control what manufacturer device (determined from the MAC address) a customer would be able to use.
- Jouni
12-02-2013 09:23 AM
Are you running a "show run route" or "show route" to view if you have a route or not?
Value our effort and rate the assistance!
12-02-2013 10:56 AM
As you can see I didn't add a default route, but it has added one, I was looking on the ASDM and the routing section is empty.
ciscoasa# sh run route
ciscoasa#
ciscoasa# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 91.227.255.1 to network 0.0.0.0
C 91.227.255.0 255.255.255.0 is directly connected, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 92.237.255.1, outside
ciscoasa#
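As an added example that is not part of the thread (not the poster's or Cisco's code), here is a small Python checker that reads "show ip address" and "show route" output and tells apart the two states seen in this thread: a DHCP client on the outside interface with no lease, where setroute cannot install anything, versus a DHCP-learned default route (code d*) that "show run route" will never list. The function names are my own, and the sample outputs are constructed from the posts above with consistent placeholder addresses.

```python
import re
# Constructed sample after the thread's "show route": "d*" is the default that setroute installed.
SHOW_ROUTE = """\
Codes: C - connected, S - static, * - candidate default
Gateway of last resort is 92.237.255.1 to network 0.0.0.0
C    92.237.255.0 255.255.255.0 is directly connected, outside
C    192.168.0.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 92.237.255.1, outside
"""
# Constructed "show ip address" for the failing state: outside is a DHCP client with no lease.
SHOW_IP_NO_LEASE = """\
Interface   Name      IP address    Subnet mask    Method
Vlan10      inside    192.168.0.1   255.255.255.0  manual
Vlan99      outside   unassigned    unassigned     DHCP
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_RE = re.compile(
    rf"^(?P<code>[A-Za-z]\*?)\s+(?P<net>{IP})\s+(?P<mask>{IP})\s+"
    rf"(?:\[\d+/\d+\]\s+via\s+(?P<via>{IP}),\s+(?P<iface>\S+)"
    rf"|is directly connected,\s+(?P<ciface>\S+))", re.M)
SOURCES = {"C": "connected", "S": "static", "d": "dhcp"}

def parse_routes(show_route):
    """Routing-table entries as dicts; a trailing '*' marks a candidate default."""
    routes = []
    for m in ROUTE_RE.finditer(show_route):
        code = m["code"].rstrip("*")
        routes.append({"source": SOURCES.get(code, code), "network": m["net"],
                       "mask": m["mask"], "via": m["via"],
                       "iface": m["iface"] or m["ciface"]})
    return routes

def default_route(routes):
    return next((r for r in routes if r["network"] == r["mask"] == "0.0.0.0"), None)

def dhcp_interfaces_without_lease(show_ip):
    """Interface names whose Method is DHCP but whose address is still unassigned."""
    rows = (line.split() for line in show_ip.splitlines())
    return [f[1] for f in rows if len(f) == 5 and f[4] == "DHCP" and f[2] == "unassigned"]

def diagnose(show_ip, show_route):
    """Verdict that separates 'no lease yet' from 'default route learned via DHCP'."""
    missing = dhcp_interfaces_without_lease(show_ip)
    if missing:
        return f"no DHCP lease on {', '.join(missing)}; setroute cannot install a default route"
    dr = default_route(parse_routes(show_route))
    if dr is None:
        return "lease present but no default route; check that the DHCP interface uses setroute"
    return f"default route via {dr['via']} on {dr['iface']} learned from {dr['source']}"
```

Feed it the real command output captured from the ASA; a route with source "static" alongside a DHCP lease is the misconfiguration Jouni warns about, since the static gateway may not belong to the leased subnet.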