Help with configuration needed! Cisco 3825 + ASA5505 pipe broken.

ZaktheMan (Level 1)

Hi,

I bought a Cisco ASA 5505 firewall for my new home / office. I have practically no profound expertise with firewalls and especially none with ASA programming. I know basic terms and mechanics, but more sophisticated solutions are out of my knowledge. My goal is to create a network with the following topology:

[Image: Topology.gif]

When I first opened the ASDM screen I was freaked out by the amount of selections to be made. I tried programming with telnet and that was an even more mystical experience. I cannot even figure out where I should start from! I am afraid that even though I am very good with computers, it will take a very long time to understand all this, not to mention configuring the device.

At the moment the situation is as follows:

- The Cisco 3825 and Cisco ASA 5505 do not work together. I cannot get to the internet. They both work separately but not together as a pipe to the internet.

- With only the 3825 connected, internet is working OK. Connecting the 5505, the pipe is broken. I can't figure out what is blocking the traffic.

- At the moment the 5505 is set to factory default and it still cannot get to the internet.

- The 3825 has DHCP, NAT and SPI firewall ON. It does not matter whether NAT/DHCP is on or off on the 3825 or the 5505.

- The 5505 has the outside line/link up and its IP configured by DHCP, but still no internet traffic.

- No VPN tunnels built (never built one and don't know how to do it). Need some help with that.

- 5505 has no extra routes / rules / profiles / policies etc. activated. All is at default/auto status.

So, included is a drawing of my problem and desired topology with explanations. Anyone willing to help me configure my firewall well and get the network working? I would really appreciate it. I think that this should not be a difficult task if one knows what to do. I am kinda lost with this.

7 Replies

cadet alain (VIP Alumni)

Hi,

First, let's configure the ASA for the Green group to have internet access.

- Is your Cisco 3825 the DHCP server for these clients?

If so, you must configure DHCP relay on the ASA for the clients to receive their IP addresses and parameters from the router:

dhcprelay server
dhcprelay enable inside
dhcprelay setroute inside

- You must also change your NAT settings on the 3825 to NAT the inside IP addresses.

- You must set a default static route on the ASA: route outside 0.0.0.0 0.0.0.0

- You must enable ICMP inspection on the ASA:

policy-map global_policy
 class inspection_default
  inspect icmp

Tell us if it solves this first part.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Thank you for your advice, but the problem still remains. Here are ASDM pictures of the screens related to your commands:

Everything seems as expected. I had to switch off the 5505 DHCP server to get the job done without errors. But still no traffic through the pipe. Any other ideas?

EDIT: OK, it seems that I did not do the phase "you must also change your NAT settings on the 3825 to NAT the inside IP addresses". How am I going to do that when there is no tab to change NAT behaviour? The only tab that even comes close is port filtering/forwarding/triggering. There is a pic of the main screen at

http://screenshots.portforward.com/Cisco/DPC3825/LAN_Setup.htm.

-Zak

Hi,

In the DHCP relay config you configured an address on the inside subnet as the DHCP server, BUT you must specify the address of your router, which is on the outside and so in another subnet.

Can you provide output from:

- show run dhcp
- show route
- show int ip brief

I also saw your outside interface is a DHCP client; you should configure this IP statically and then also have a route on the router for the inside subnet so it can offer a DHCP config to the relay.

Verify also that your machines are getting the correct DHCP config (ipconfig /all), then ping 8.8.8.8 from a client and post the output.

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

No changes done from my previous message. Here are the outputs you requested:

show route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

C    192.168.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside

show int ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.0.2     YES CONFIG up                    up
Vlan2                      unassigned      YES DHCP   up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

show run (DHCP part)

dhcpd address 192.168.0.30-192.168.0.50 inside
dhcprelay server 192.168.0.1 outside
dhcprelay enable inside
dhcprelay setroute inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

Because of the changes so far (5505 DHCP off / 3825 DHCP blocked) I have to set the network addresses manually on the computers. I tried to ping from 3 computers. Every ping was fine to the 5505 (192.168.0.2) and to each other, but no ping to the 3825 (192.168.0.1). The firewall blocks the pings.

The whole "green group" is working fine, and internet is working fine, if I take the 5505 out of the pipe.

I really appreciate your efforts in helping me, Alain.

-Zak

Hi Zak,

show route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

C    192.168.0.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside     <-- It must be the address of the router

The 192.168.0.0/24 network is directly connected on the inside, so the static route must be via another subnet (the subnet of the router link connected to the ASA outside).

show run (DHCP part)

dhcpd address 192.168.0.30-192.168.0.50 inside
dhcprelay server 192.168.0.1 outside     <-- It must be the address of the router

You still have the DHCP server on the ASA and a relay, which can't work at the same time. Why not use the Cisco router as the DHCP server for the inside machines and leave the relay part on the ASA?

show int ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.0.2     YES CONFIG up                    up
Vlan2                      unassigned      YES DHCP   up                    up

Configure the outside address as static on the same subnet as the router.

Can you post the config of the 3825 too?

Regards.

Alain

Don't forget to rate helpful posts.
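The three mistakes Alain calls out in the post above (a default route whose next hop sits on the inside subnet, a dhcprelay server address on the inside subnet, and a dhcpd pool left active on the same interface as the relay) are all visible in a few lines of the running-config, so they can be checked mechanically before a change is pushed. The script below is an added example, not code from this thread or from Cisco; it reads a handful of ASA config lines and reports those conditions plus the DHCP-addressed outside interface. The two sample configs are constructed from the addresses posted in the thread, and the `parse_asa` / `check_asa` function names and finding codes are the author's own.

```python
# Added example (not from the thread): flag the ASA misconfigurations discussed above.
# Only the lines the checks need are parsed: interface/nameif/ip address, route,
# dhcprelay server/enable, and dhcpd address/enable. Everything else is ignored.
import ipaddress


def parse_asa(text):
    """Collect interfaces (by nameif), routes, and DHCP server/relay lines from an ASA config."""
    ifaces = {}           # nameif -> {"network": IPv4Network or None, "dhcp": bool}
    routes = []           # (egress nameif, destination network, next hop)
    relay_servers = []    # (server address, nameif the server is reached through)
    relay_ifaces = set()  # interfaces with "dhcprelay enable"
    dhcpd_ifaces = set()  # interfaces with a dhcpd pool or "dhcpd enable"
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        tok = line.split()
        if line.startswith("interface "):
            current = {"network": None, "dhcp": False}
        elif line.startswith(" ") and current is not None:
            if tok[0] == "nameif":
                ifaces[tok[1]] = current
            elif tok[:2] == ["ip", "address"]:
                if tok[2] == "dhcp":
                    current["dhcp"] = True
                else:  # "ip address A.B.C.D M.M.M.M" -> the interface's subnet
                    current["network"] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}").network
        else:
            current = None  # an unindented line ends the interface block
            if tok[0] == "route":
                routes.append((tok[1],
                               ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False),
                               ipaddress.IPv4Address(tok[4])))
            elif tok[:2] == ["dhcprelay", "server"]:
                relay_servers.append((ipaddress.IPv4Address(tok[2]), tok[3]))
            elif tok[:2] == ["dhcprelay", "enable"]:
                relay_ifaces.add(tok[2])
            elif tok[0] == "dhcpd" and tok[1] in ("address", "enable"):
                dhcpd_ifaces.add(tok[-1])
    return ifaces, routes, relay_servers, relay_ifaces, dhcpd_ifaces


def check_asa(text):
    """Return finding codes; an empty list means none of the thread's mistakes were found."""
    ifaces, routes, relay_servers, relay_ifaces, dhcpd_ifaces = parse_asa(text)
    findings = []

    def owner_of(addr, exclude):
        # Interface (other than `exclude`) whose subnet contains addr, if any.
        for name, data in ifaces.items():
            if name != exclude and data["network"] and addr in data["network"]:
                return name
        return None

    outside = ifaces.get("outside")
    if outside and outside["dhcp"]:
        findings.append("outside-interface-uses-dhcp")
    for egress, dest, next_hop in routes:
        if dest.prefixlen != 0:
            continue  # only the default route is checked here
        other = owner_of(next_hop, egress)
        if other:
            findings.append(f"default-route-next-hop-on-{other}-subnet")
        egress_net = ifaces.get(egress, {}).get("network")
        if egress_net and next_hop not in egress_net:
            findings.append("default-route-next-hop-not-on-egress-subnet")
    for server, behind in relay_servers:
        other = owner_of(server, behind)
        if other:
            findings.append(f"dhcprelay-server-on-{other}-subnet")
    for name in sorted(relay_ifaces & dhcpd_ifaces):
        findings.append(f"dhcpd-and-dhcprelay-both-on-{name}")
    return findings


# Constructed from the thread: the state Alain commented on.
BROKEN = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
dhcpd address 192.168.0.30-192.168.0.50 inside
dhcprelay server 192.168.0.1 outside
dhcprelay enable inside
"""

# Constructed from the thread: inside moved to 192.168.1.0/24, outside static on the router's subnet, no dhcpd.
FIXED = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 192.168.0.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
dhcprelay server 192.168.0.1 outside
dhcprelay enable inside
"""

if __name__ == "__main__":
    print("broken:", check_asa(BROKEN))
    print("fixed: ", check_asa(FIXED))
```

The checker treats a `dhcpd address` pool as "server still configured" even without `dhcpd enable`, matching Alain's reading of the posted config; and it looks only at the default route, since that is the one whose next hop was placed on the wrong side of the ASA.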

Hi,

I managed to mess up with ASDM and jam the 5505. I had to use the CLI to reset it to factory and - the block was blown out of the pipe and it started to draw without any configuration or setup. Just like that. But the 5505 still cannot relay the 3825's DHCP, and the system works only when the 5505 DHCP is on or when the client computers' network settings are done manually.

I went through the procedures above and the system is not working automatically. Here is the same data in the non-working state. What is missing here now, when the system cannot relay data from the router 3825?

show route

Gateway of last resort is 192.168.0.1 to network 0.0.0.0

C    192.168.0.0 255.255.255.0 is directly connected, outside
C    192.168.1.0 255.255.255.0 is directly connected, inside
d*   0.0.0.0 0.0.0.0 [1/0] via 192.168.0.1, outside

show run (DHCP part)

dhcp-client client-id interface outside
dhcpd address 192.168.1.30-192.168.1.51 inside
dhcprelay server 192.168.0.1 outside
dhcprelay enable inside
dhcprelay timeout 60

show int ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      192.168.0.10    YES DHCP   up                    up
Virtual0                   127.0.0.1       YES unset  up                    up
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  down                  down
Ethernet0/3                unassigned      YES unset  down                  down
Ethernet0/4                unassigned      YES unset  down                  down
Ethernet0/5                unassigned      YES unset  down                  down
Ethernet0/6                unassigned      YES unset  down                  down
Ethernet0/7                unassigned      YES unset  down                  down

But the main issue is that it is working now. Excellent. Now, do you dare to help me with original topology?

-Zak

Hi,

What do you want to do now?

Post the config of all devices and tell us what you want to achieve.

Regards.

Alain.

Don't forget to rate helpful posts.