
Internet connectivity via ASA 5505

devinshire
Level 1

Hi Guys

I recently bought an ASA on eBay; the plan was to try and learn how to configure them and get more familiar with Cisco's ASA hardware etc.

I want it to do the routing for my home network. The way things are set up at the moment is pretty standard. I have an ADSL modem which is also a router, which was provided by my ISP (Orange).

The first thing I did was change the router to be in "modem only" mode, which seems to have worked. I then got the ASA to use PPPoE by following this guide http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/pppoe.html  I assume that worked, as it is authenticating with the ISP and I'm getting a public IP address assigned to the outside interface. The default gateway is being set by the "ip address pppoe set route" command, which I have verified with the "show route" command. The problem I'm having is that even though I'm getting a public IP, I can't ping anything from the ASA. I've pinged 8.8.8.8 and 4.4.4.2 using the outside interface as the source but I'm not getting any response. I have tried changing the MTU a few times to different amounts on the outside interface with no luck.

Any help would be greatly appreciated.

Eli

10 Replies

By default ICMP is not statefully inspected. But it's only one command to change that. You should have the following config and the marked line has to be added:

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp          ! <---- here you tell the ASA to inspect ICMP pings
!
service-policy global_policy global

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
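
An offline check for the point made in the reply above, added here as an example and not part of the original thread: it reads saved `show running-config` text and reports whether the policy-map applied by `service-policy ... global` contains a bare `inspect icmp` under one of its classes. The names `SAMPLE`, `parse_policy` and `icmp_inspected_globally` are hypothetical, and the sample config is constructed.

```python
# Constructed sample (not the poster's config): global policy without ICMP inspection.
SAMPLE = """\
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect tftp
!
service-policy global_policy global
"""

def parse_policy(config):
    """Return ({policy_map: {class: [inspect args]}}, globally applied map name)."""
    maps, global_name = {}, None
    cur_map = cur_class = None
    for raw in config.splitlines():
        # Drop pasted trailing remarks such as "! <---- here ..."
        words = raw.split("!", 1)[0].split()
        if not words:
            if raw.strip().startswith("!"):
                cur_map = cur_class = None  # "!" separator closes the block
            continue
        if words[0] == "policy-map":
            # "policy-map type inspect ..." holds protocol parameters, not classes
            cur_map = words[1] if len(words) == 2 else None
            cur_class = None
            if cur_map:
                maps.setdefault(cur_map, {})
        elif words[0] == "class" and cur_map and len(words) == 2:
            cur_class = words[1]
            maps[cur_map].setdefault(cur_class, [])
        elif words[0] == "inspect" and cur_class:
            maps[cur_map][cur_class].append(" ".join(words[1:]))
        elif words[0] == "service-policy":
            cur_map = cur_class = None
            if len(words) == 3 and words[2] == "global":
                global_name = words[1]
    return maps, global_name

def icmp_inspected_globally(config):
    """True only if the globally applied policy-map has a bare 'inspect icmp'."""
    maps, global_name = parse_policy(config)
    return any("icmp" in args for args in maps.get(global_name, {}).values())
```

The parser keys on command keywords rather than indentation, so it also accepts configs pasted with flattened indentation or blank lines between commands, as in this thread.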

Hi Karsten thanks so much for taking the time to reply. Unfortunately that didn't fix the problem.

I probably wasn't clear enough in my first post; what I meant was even though I am getting a public IP address I'm not getting any kind of Internet connectivity at all. I made the changes you suggested but my pings are still getting four question marks. I think this might be a bit deeper than adding the inspect icmp to my config but I can't quite figure out what is wrong. I'll post up my config, which will hopefully shed some light on the situation. I haven't added any NAT statements yet but that shouldn't make a difference if I'm pinging from the ASA.

: Saved
:
ASA Version 8.4(4)1
!
no command-alias exec s
command-alias exec s show int ip brief
hostname ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description OUTSIDE INTERFACE
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
description INSIDE INTERFACE
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 60
vpdn group ISP request dialout pppoe
vpdn group ISP localname ******.******.co.uk@fs
vpdn group ISP ppp authentication chap
vpdn username ******.*******.co.uk@fs password ***** store-local
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
username ***** password xojiSuOUYof076h9 encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c2131948f160376e4e4a83bcbde23d9f
: end

What is the output of the following commands:

show int ip brief
show route


Hi Bro

In your Cisco ASA FW, just key in "icmp permit any outside" under the global mode (config t), and let me know if you can ping public IP addresses from the Cisco ASA FW console. If this doesn't work, replace your Cisco ASA with a workstation (configure PPPoE as well) and let me know if the workstation's DOS prompt can ping public IP addresses.

By the way, can you also remove the speed/duplex parameters for now stated under your "interface Ethernet0/0"?

Warm regards,
Ramraj Sivagnanam Sivajanam

Hey guys, sorry it has taken me so long to respond, I've been really busy with work. I got round to trying what you requested.

Setting up my laptop with a PPPoE connection directly to the modem did the same thing as with the ASA, as in I got a public IP but I couldn't access the internet or ping anything.

I tried the icmp permit any outside command and I still can't ping anything on the internet. Also I noticed I can ping my public IP from the ASA but not from my laptop when it is connected directly to the ASA, not sure why that is.

I'm starting to think more and more that this is a problem with either my modem or my ISP.

The output of the commands is:

ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 213.1.112.4 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 213.1.112.4, outside

ASA# show interface ip brief

Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Ethernet0/4                unassigned      YES unset  administratively down down
Ethernet0/5                unassigned      YES unset  administratively down down
Ethernet0/6                unassigned      YES unset  administratively down down
Ethernet0/7                unassigned      YES unset  administratively down down
Internal-Data0/0           unassigned      YES unset  up                    up
Internal-Data0/1           unassigned      YES unset  up                    up
Vlan1                      192.168.1.1     YES CONFIG up                    up
Vlan2                      2*.2*.1*2.**     YES CONFIG up                    up
Virtual0                   127.0.0.1       YES unset  up                    up

Hello,

1- You cannot ping a distant interface on an ASA (that means that if you have a PC on the inside interface you CAN ping the inside interface but you CANNOT ping the outside interface; this is just a security measure).

2- From the ASA can you ping 2*.2*.1*2.**?

3- If you do a show arp do you see an entry for the modem?

4- Please reload the modem and let me know what happens after you try it one more time.

Regards,

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

Thanks for clearing up why I couldn't ping from my PC to the outside interface. I am able to ping my public IP from the ASA.

I can't do the show arp and reload the modem just now because people are using the internet and I'm going out, but I will be able to do it tomorrow and post back.

Thanks

Eli

Hello,

What do you mean by "I can't do the show arp"? Why can't you do that on the ASA? It will let us know if the ASA has an entry for the modem MAC address.

Also I don't understand this: "I am able to ping my public IP from the ASA."

Do you mean you can ping the IP address assigned on your interface (ASA) or you can ping your default gateway (the modem)? I need you to ping the modem's IP.

Please let me know the results that I will be more than glad to help

Julio

Rate all the helpful posts


Hi Julio

What I mean is that I'm going out soon and people are using the internet; if I have to put the router into modem mode and connect the ASA, the internet goes down for everyone. I can't do it until tomorrow evening, hence not being able to run the show arp command right now...

When I say "I am able to ping my public IP from the ASA" I mean I can ping 2*.2*.1*2.** from the ASA successfully. Also the modem's IP address is just a static LAN address for managing it; it's passing the public IP address from my ISP on to my ASA. If you mean can I ping my default gateway, which is 213.1.112.4 (the DG from my ISP), then no, I can't.

I hope that clears up what I'm saying.

Thanks

Hello,

Well, that is the problem: there is not even layer 3 communication between your ASA and the modem, and the problem might go to layer 2 (no ARP entries on the ASA).

So reload the modem and try to ping the default gateway (ISP).

I'll wait for your answer tomorrow.

Regards,

Julio
