09-05-2012 12:58 PM - edited 03-11-2019 04:50 PM
I've been trying to configure a Cisco ASA 5505 for my home network but I'm not having much joy with it. I've looked at countless guides and tutorials and followed the ASA setup wizard in ASDM. Could someone look at my config and shed some light on where I'm going wrong? Note: the Cisco 1841 is running sub-interfaces for my VLANs.
Below is a sample of how my network connects up
192.168.1.1(Billion router)===192.168.1.2(ASA)192.168.2.1===(Cisco 1841)192.168.2.2 192.168.10.1 192.168.20.1 192.168.30.1
ASA 5505 Config
Bayswater# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname Bayswater
domain-name drury.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 192.168.1.1
domain-name drury.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.2.0 255.255.255.0 echo inside
icmp permit 192.168.10.0 255.255.255.0 echo inside
icmp permit 192.168.20.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
router rip
network 192.168.1.0
network 192.168.2.0
version 1
no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.129 inside
!
username douglas password dFakwzrndCTRqh2t encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a015caed88c20798d3e2b610454a019
: end
Bayswater#
ASA 5505 RIP Routes
Bayswater# sh route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0
R 192.168.30.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
R 212.69.47.0 255.255.255.0 [120/1] via 192.168.1.1, 0:00:25, outside
R 192.168.10.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
C 127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
R 192.168.20.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
C 192.168.1.0 255.255.255.0 is directly connected, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Bayswater#
Cisco 1841 config
Piccadilly_Circus#sh run
Building configuration...
Current configuration : 4754 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Piccadilly_Circus
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.2.2
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.20.2
ip dhcp excluded-address 192.168.10.4
!
ip dhcp pool vlan-10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.2.1
!
ip dhcp pool vlan-20
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
dns-server 192.168.2.1
!
!
ip domain name vlan.gatway
ip host LG-NAS 192.168.10.4
ip name-server 192.168.2.1
ip name-server 8.8.8.8
ip name-server 212.69.36.3
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-979462596
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-979462596
revocation-check none
rsakeypair TP-self-signed-979462596
!
!
crypto pki certificate chain TP-self-signed-979462596
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 39373934 36323539 36301E17 0D313230 33323831 38323435
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3937 39343632
35393630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B68963BD 5C5501C6 1EFAC417 DB24E95D 07D62B6B A1C816B1 4D7EC354 E2211DBF
1D60AFCD 34CC6CAB C3C410D0 6DC72C4E C6B5CB74 BE58E060 211E3441 778A2D31
7A718B4E B04F9B75 C237A515 B7B8874F 258935E4 22176DE3 5FF67512 264125AF
DECBD5F2 820E23F5 8365699D DEC24A63 DAE5A80A 499DD36C 391B4942 32E0C4A1
02030100 01A37D30 7B300F06 03551D13 0101FF04 05300301 01FF3028 0603551D
11042130 1F821D50 69636361 64696C6C 795F4369 72637573 2E766C61 6E2E6761
74776179 301F0603 551D2304 18301680 145DE525 D00567A0 AC8E6F36 C3FC953C
7016B25A DD301D06 03551D0E 04160414 5DE525D0 0567A0AC 8E6F36C3 FC953C70
16B25ADD 300D0609 2A864886 F70D0101 04050003 8181008E D77EC1CB 7A65602A
01E6FBEA 6E41A771 2656EA8A D4B0F105 545C0256 8B052B7B FA3BEAAB 1C6C44B6
C58A9467 61F2891C 599DEC43 1784BC1C D729FC07 B7233166 E2178772 927B8A3F
8C6F3739 BB057BBE 46879F6B 403056AC FE17FCD9 A83C38AC 5647A666 01A5B71D
1528083F 0027C33F 87B350B7 7A845253 F8EB361F 8A8AEA
quit
!
!
username douglas privilege 15 secret 5 $1$j8nS$kQ8Bvdlpg8naq8zCS.tCp/
archive
log config
hidekeys
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-sip-inspect
match protocol sip
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
speed 100
full-duplex
!
interface FastEthernet0/1.1
description vlan 1$FW_OUTSIDE$
encapsulation dot1Q 1 native
ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/1.10
description vlan 10$FW_INSIDE$
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1.20
description vlan 20$FW_INSIDE$
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/1.30
description vlan 30$ETH-LAN$
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
!
router rip
network 192.168.2.0
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip http server
ip http secure-server
!
snmp-server community PacketTrap RW
!
!
!
!
control-plane
!
line con 0
logging synchronous
line aux 0
line vty 0
password cisco
login
line vty 1 4
login
line vty 5 9
login
!
scheduler allocate 20000 1000
end
09-05-2012 03:16 PM
Douglas,
From your PC, can you ping the ASA (192.168.2.1)?
From the ASA, can you ping the gateway (192.168.1.1)?
From the ASA, can you ping 4.2.2.2?
We need to know if the problem is between the PCs and the ASA or the ASA and the internet.
Regards,
Felipe.
09-05-2012 11:59 PM
Hi Felipe
My PC is on subnet 192.168.10.0 and cannot ping 192.168.2.1.
On the ASA I cannot ping 192.168.2.1, and pings to 4.2.2.2 also fail.
However, I connected my laptop to subnet 192.168.2.0 and pings to 192.168.2.1 were successful, but pings to 4.2.2.2 or 8.8.8.8 fail.
Thanks
Douglas
09-06-2012 07:29 AM
Douglas,
In that case it seems like there are many issues.
One thing I noticed on the router is:
interface FastEthernet0/1.1
description vlan 1$FW_OUTSIDE$
interface FastEthernet0/1.10
description vlan 10$FW_INSIDE$
You can't have the same physical port for inside and outside.
Meaning this port can't be connected to the ASA and the PC or switch at the same time.
Try to find how far the PC can go: whether it can ping the router, and whether the router can ping the ASA.
Then on the ASA you have:
nat (inside) 1 0.0.0.0 0.0.0.0
But there is no global command, you need to add:
global (outside) 1 interface
You should be able to ping 192.168.1.1 from the ASA;
make sure Ethernet0/0 is up.
Regards,
Felipe.
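Felipe's nat/global fix in ASA 7.2 syntax, plus two further corrections that follow from the posted ASA config rather than from the thread: `inside_access_in` only permits destinations in 192.168.1.0/24 (and omits VLAN 30 entirely), and an interface ACL ends in an implicit deny, so Internet-bound traffic is dropped before NAT is even consulted; and the `network 192.168.1.0` statement runs RIP v1 on the outside interface, which is why the route table shows an unauthenticated 212.69.47.0 route learned from the Billion router. This is an added example by the editor, not commands posted by Felipe or Douglas; the address 192.168.10.5 in the packet-tracer check is a made-up inside host.

```cisco
! Added example: corrections to the posted ASA 5505 (7.2(4)) config, entered in config mode.
!
! 1. NAT: "nat (inside) 1 0.0.0.0 0.0.0.0" is present but has no global for ID 1.
!    PAT every inside host to the outside interface address (192.168.1.2).
global (outside) 1 interface
!
! 2. Outbound ACL: the posted entries only allow 192.168.1.0/24 as a destination.
!    Permit each inside subnet to any destination, including the missing VLAN 30.
!    (The original three narrower lines may stay; they simply become redundant.)
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list inside_access_in extended permit ip 192.168.30.0 255.255.255.0 any
!
! 3. RIP: the 1841's VLAN routes already arrive on inside; there is no reason to
!    speak RIP v1 (no authentication) with the Billion router on outside, and the
!    static default route already covers everything beyond it.
router rip
 no network 192.168.1.0
!
! Checks: trace a ping from a constructed VLAN 10 host to 8.8.8.8 through ACL,
! route lookup and NAT, then confirm a translation appears.
packet-tracer input inside icmp 192.168.10.5 8 0 8.8.8.8
show xlate
show access-list inside_access_in
```

If packet-tracer reports a drop in the ACCESS-LIST phase the ACL change did not take effect; a drop in the NAT phase means the global is still missing. The `icmp permit` lines and `inspect icmp` already in the config let the echo replies return to the inside hosts.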
09-06-2012 11:25 AM
I can see the confusion. The router (1841) was originally the firewall, but that feature was later disabled by me and I guess the tags or descriptions of the ports are still there. Just to confirm, the router is no longer a firewall and its only function is to route between the VLANs.
Thanks for the suggestions, I'll add the global command for NAT as soon as I get some free time.
Thanks
Douglas
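Since the 1841 now only routes between VLANs, the posted config still carries the CCP zone-firewall class-maps (no policy-map or zone-pair references them) and several management-plane exposures that are visible as-is: a read-write SNMP community `PacketTrap`, `enable password cisco` and vty password `cisco` stored in clear text under `no service password-encryption`, telnet-only vty access, and plain `ip http server`. The following is an added example by the editor, not configuration from the thread, that trims the router to its stated role and closes those openings; `<strong-secret>` is a placeholder to replace, and the existing `username douglas ... secret` line is what `login local` relies on.

```cisco
! Added example: cleanup and management-plane hardening for the posted 1841 config.
!
! Replace the stale $FW_ descriptions with what the sub-interfaces actually do.
interface FastEthernet0/1.1
 description VLAN 1 (native) - uplink to ASA inside 192.168.2.1
interface FastEthernet0/1.10
 description VLAN 10 hosts
interface FastEthernet0/1.20
 description VLAN 20 hosts
interface FastEthernet0/1.30
 description VLAN 30 hosts
!
! Leftover CCP inspection class-maps; nothing in the config references them.
no class-map type inspect match-any ccp-skinny-inspect
no class-map type inspect match-any ccp-cls-insp-traffic
no class-map type inspect match-any ccp-sip-inspect
!
! Management plane: drop the RW SNMP community, stop storing passwords in clear
! text, move enable to a hashed secret, and allow SSH only on the vty lines.
no snmp-server community PacketTrap RW
service password-encryption
enable secret <strong-secret>
no enable password
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
line vty 5 9
 login local
 transport input ssh
no ip http server
!
! Checks
show ip ssh
show running-config | include snmp-server community|enable|transport input
```

`ip http secure-server` is left in place because the self-signed trustpoint in the config exists for it; if CCP is no longer used, it can go too. The RIP process on the 1841 is untouched since the ASA depends on it to learn the VLAN 10/20/30 routes.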