08-10-2012 10:57 AM - edited 03-11-2019 04:40 PM
Hi Guys
I recently bought an ASA on eBay; the plan was to try and learn how to configure them and get more familiar with Cisco's ASA hardware etc.
I want it to do the routing for my home network. The way things are set up at the moment is pretty standard. I have an ADSL modem which is also a router, which was provided by my ISP (Orange).
The first thing I did was change the router to "modem only" mode, which seems to have worked. I then got the ASA to use PPPoE by following this guide http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/pppoe.html I assume that worked, as it is authenticating with the ISP and I'm getting a public IP address assigned to the outside interface. The default gateway is being set by the "ip address pppoe setroute" command, which I have verified with the "show route" command. The problem I'm having is that even though I'm getting a public IP, I can't ping anything from the ASA. I've pinged 8.8.8.8 and 4.4.4.2 using the outside interface as the source but I'm not getting any response. I have tried changing the MTU on the outside interface to a few different values with no luck.
Any help would be greatly appreciated.
Eli
08-10-2012 12:16 PM
By default ICMP is not statefully inspected. But it's only one command to change that. You should have the following config, and the marked line has to be added:
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp ! <---- here you tell the ASA to inspect ICMP pings
!
service-policy global_policy global
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
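As an added illustration (editor's example, not part of Karsten's reply or anything else in the thread), here are the two separate ICMP controls on an ASA, in the 8.4 syntax the thread uses. `inspect icmp` in the global policy governs ICMP passing through the firewall (an inside host pinging the internet) and lets the echo reply back in without an ACL. The `icmp` interface command governs ICMP addressed to the ASA's own interfaces, and when no `icmp` rules exist at all the ASA already accepts every ICMP type on every interface. Neither control touches pings the ASA sources itself with `ping outside 8.8.8.8`, so a failing ASA-sourced ping points at the PPPoE session, the modem or the ISP rather than at either of these. The interface names are the ones in the posted config; the 192.168.1.0/24 inside subnet and the object name INSIDE-NET are assumptions for the example.

```cisco
! --- Through-the-box ICMP: add ICMP inspection to the default global policy ---
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
!
! --- To-the-box ICMP on the outside interface ---
! Permissive form suggested later in the thread. With no icmp rules configured
! the ASA already accepts all ICMP aimed at its interfaces, so by itself this
! line changes nothing; once any icmp rule exists, unmatched ICMP is denied.
icmp permit any outside
!
! Least-privilege form: accept only what the ASA's own pings and traceroutes
! need back, and refuse echo requests from the internet to the interface itself.
! Rules are evaluated first-match; the trailing deny is the implicit default
! written out explicitly.
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp deny any outside
!
! --- Inside hosts still need a translation to reach the internet (8.3+ object
! NAT). Not needed for pings sourced by the ASA itself, which is why the missing
! NAT does not explain the symptom in the thread. Object name is an assumption.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

Apply the `icmp permit` lines before the `icmp deny`; the first entry you add switches the interface from "accept everything" to "accept only what is listed", so adding the deny first would cut off the replies to your own tests.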
08-11-2012 03:27 PM
Hi Karsten, thanks so much for taking the time to reply. Unfortunately that didn't fix the problem.
I probably wasn't clear enough in my first post. What I meant was that even though I am getting a public IP address, I'm not getting any kind of Internet connectivity at all. I made the changes you suggested but my pings are still getting four question marks. I think this might be a bit deeper than adding inspect icmp to my config, but I can't quite figure out what is wrong. I'll post up my config, which will hopefully shed some light on the situation. I haven't added any NAT statements yet, but that shouldn't make a difference if I'm pinging from the ASA.
: Saved
:
ASA Version 8.4(4)1
!
no command-alias exec s
command-alias exec s show int ip brief
hostname ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description OUTSIDE INTERFACE
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
description INSIDE INTERFACE
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 60
vpdn group ISP request dialout pppoe
vpdn group ISP localname ******.******.co.uk@fs
vpdn group ISP ppp authentication chap
vpdn username ******.*******.co.uk@fs password ***** store-local
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username ***** password xojiSuOUYof076h9 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c2131948f160376e4e4a83bcbde23d9f
: end
08-13-2012 02:26 AM
what is the output of the following commands:
show int ip brief
show route
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-11-2012 07:27 PM
Hi Bro
In your Cisco ASA FW, just key in "icmp permit any outside" in global configuration mode (config t), and let me know if you can ping public IP addresses from the Cisco ASA FW console. If this doesn't work, replace your Cisco ASA with a workstation (configure PPPoE as well) and let me know if the workstation's DOS prompt can ping public IP addresses.
By the way, can you also remove the speed/duplex parameters for now under your "interface Ethernet0/0"?
08-24-2012 08:09 AM
Hey guys, sorry it has taken me so long to respond; I've been really busy with work. I got round to trying what you requested.
Setting up my laptop with a PPPoE connection directly to the modem did the same thing as with the ASA, in that I got a public IP but I couldn't access the internet or ping anything.
I tried the icmp permit any outside command and I still can't ping anything on the internet. Also, I noticed I can ping my public IP from the ASA but not from my laptop when it is connected directly to the ASA; not sure why that is.
I'm starting to think more and more that this is a problem with either my modem or my ISP.
The output of the commands are
ASA# show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 213.1.112.4 to network 0.0.0.0
C 192.168.1.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 213.1.112.4, outside
ASA# show interface ip brief
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 unassigned YES unset up up
Ethernet0/1 unassigned YES unset up up
Ethernet0/2 unassigned YES unset administratively down down
Ethernet0/3 unassigned YES unset administratively down down
Ethernet0/4 unassigned YES unset administratively down down
Ethernet0/5 unassigned YES unset administratively down down
Ethernet0/6 unassigned YES unset administratively down down
Ethernet0/7 unassigned YES unset administratively down down
Internal-Data0/0 unassigned YES unset up up
Internal-Data0/1 unassigned YES unset up up
Vlan1 192.168.1.1 YES CONFIG up up
Vlan2 2*.2*.1*2.** YES CONFIG up up
Virtual0 127.0.0.1 YES unset up up
08-24-2012 09:46 AM
Hello,
1- You cannot ping a distant interface on an ASA (that means that if you have a PC on the inside interface you CAN ping the inside interface but you CANNOT ping the outside interface; this is just a security measure).
2- From the ASA can you ping 2*.2*.1*2.**
3- If you do a show arp do you see an entry for the Modem?
4-Please reload the modem and let me know what happens after you try it one more time
Regards,
Remember to rate all the helpful posts
Julio
08-24-2012 10:44 AM
Hi Julio
Thanks for clearing up why I couldn't ping from my PC to the outside interface. I am able to ping my public IP from the ASA.
I can't do the show arp and reload the modem just now because people are using the internet and I'm going out, but I will be able to do it tomorrow and post back.
Thanks
Eli
08-24-2012 10:50 AM
Hello,
What do you mean by "I can't do the show arp"? Why can't you do that on the ASA? It will let us know if the ASA has an entry for the modem's MAC address.
Also, I don't understand this: "I am able to ping my public IP from the ASA."
Do you mean you can ping the IP address assigned to your interface (ASA), or that you can ping your default gateway (the modem)? I need you to ping the modem's IP.
Please let me know the results that I will be more than glad to help
Julio
Rate all the helpful posts
08-24-2012 11:18 AM
Hi Julio
What I mean is that I'm going out soon and people are using the internet; if I have to put the router into modem mode and connect the ASA, the internet goes down for everyone. I can't do it until tomorrow evening, hence not being able to run the show arp command right now...
When I say "I am able to ping my public IP from the ASA" I mean I can ping 2*.2*.1*2.** from the ASA successfully. Also, the modem's IP address is just a static LAN address for managing it; it's passing the public IP address from my ISP on to my ASA. If you mean can I ping my default gateway, which is 213.1.112.4 (the DG from my ISP), then no, I can't.
I hope that clears up what I'm saying.
Thanks
08-24-2012 11:26 AM
Hello,
Well, that is the problem: there is not even layer 3 communication between your ASA and the modem, and the problem might go down to layer 2 (no ARP entries on the ASA).
So reload the modem and try to ping the default gateway (ISP).
I'll wait for your answer tomorrow.
Regards,
Julio
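The checks Julio asks for, written out as an added troubleshooting session (editor's example, not from the thread or from Cisco's documentation). It uses the next-hop address from Eli's `show route` output and the interface names from his config; the inside host 192.168.1.10 and the capture name CAPOUT are made up for the example. Each step says what to look for rather than quoting output, since the thread captured none.

```cisco
! 1. Is the PPPoE session actually established, and did IPCP hand over an address?
!    Look for an established session with the remote MAC of the access concentrator
!    and a negotiated address on Vlan2.
show vpdn session pppoe state
show vpdn pppinterface
show ip address outside pppoe
!
!    The access concentrator's MAC is learned during PPPoE discovery (PADO/PADS),
!    not by ARP, so the ISP gateway 213.1.112.4 is not expected in the ARP table;
!    ARP on the outside VLAN only matters for the modem's own management address.
show arp
!
! 2. Layer 3 toward the ISP: the next hop first, then a public address.
ping outside 213.1.112.4
ping outside 8.8.8.8
!
! 3. See what actually leaves and returns on the outside interface while pinging.
!    Requests with no replies means the loss is upstream of the ASA, which is
!    consistent with the laptop-on-the-modem test giving the same result.
capture CAPOUT interface outside match icmp any any
ping outside 8.8.8.8
show capture CAPOUT
no capture CAPOUT
!
! 4. For an inside host (192.168.1.10 is assumed), walk the ASA's own decision
!    path: ACL, NAT and inspection verdicts, without sending real traffic.
packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8 detailed
!
! 5. If the session itself is flapping, watch discovery and PPP negotiation;
!    switch debugging off again when done.
debug pppoe event
debug pppoe error
undebug all
!
! 6. PPPoE adds 8 bytes of header, so 1500 on the outside interface leaves
!    full-size frames oversized. 1492 is the value Cisco's PPPoE guide uses.
configure terminal
 mtu outside 1492
end
```

Two caveats from the posted configuration, independent of the connectivity problem: the `enable password` and `passwd` lines carry 2KFQnbNIdI.2KYOU, which is the ASA's well-known hash of an empty password, so set a real enable password before the box fronts anything; and the `ssh 192.168.1.0 255.255.255.0 inside` line is already the right shape (management only from the inside subnet), so keep it that way rather than opening SSH or ASDM on the outside while testing.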