Re: Modem Bridge Mode but couldn't get online

andyferguson1977 · ‎10-03-2018

Guys

Please help.

When home last night was was excited to connect my Cisco ASA 5510. I put my comcast modem in bridge mode, connect my ASA, interface0/0 - connected to cable modem and interface 0/1 connect to my switch.

I just couldn't go online. Please help.

Configuration below. What am I doing wrong?

hostname CL-ASA-FW
domain-name obs.local
enable password 5YXTz585pEJVixTrde encrypted
passwd 2KFQnbNIdI.2KdxYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.198.1.45 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.46 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name strategiclynk.local
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 192.168.1.94-12012
host 192.168.1.94
object network RDP-DrewPC
host 192.168.1.94
object service RDP-Service-Custom
service tcp destination eq 12012
access-list outside_access_in extended permit object RDP-Service-Custom any object RDP-DrewPC
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any echo outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static RDP-DrewPC interface service any RDP-Service-Custom
!
object network obj_any
nat (inside,outside) dynamic interface
object network 192.168.1.94-12012
nat (inside,outside) static interface
object network RDP-DrewPC
nat (inside,outside) static interface service tcp 12012 12012
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=CL-ASA-FW
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 79bbb25b
308201fb 30820164 a0030201 02020479 bbb25b30 0d06092a 864886f7 0d010105
05003042 31123010 06035504 03130943 4c2d4153 412d4657 312c302a 06092a86
4886f70d 01090216 1d434c2d 4153412d 46572e73 74726174 65676963 6c796e6b
2e6c6f63 616c301e 170d3138 31303032 31373135 34305a17 0d323830 39323931
37313534 305a3042 31123010 06035504 03130943 4c2d4153 412d4657 312c302a
06092a86 4886f70d 01090216 1d434c2d 4153412d 46572e73 74726174 65676963
6c796e6b 2e6c6f63 616c3081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 818100e3 f9b02552 79da8ba2 d458c649 419bd200 473cf577 862b786d
3ef20506 3c0dc05f df0e285c 8333ac59 e0494190 d8d300da 1b104102 808e6f0c
dcf0ecb4 b92bb516 03882305 8d3dc890 1c0b0ee9 f8a597fe ec43a354 845bb666
26cd6a3a 658591ff c3e3bf7b c20c1d4d 934850b7 77257b29 a3c3bfa4 4cd02e23
2f3c7a25 d5d0e502 03010001 300d0609 2a864886 f70d0101 05050003 8181000e
fafe821d 080cfd79 96dc5f6a 3f80f569 42e68cfd ff950c7b 45caf35a f4ded579
12ee5725 fd362406 348f4542 83957b25 cd95aca1 2281fd98 380ab705 be242010
747bf721 45522a44 a1409f29 a1d310dd bc4fbfc3 742f8aa4 54023c1e 9535ee8b
6fe6872c e51fe90c 934a9d22 d0a711a6 667440a8 fd49bb25 e3f998b7 86e0c2
quit
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username strategiclynk password o.JsKSZ8AvKIe7Gf encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:49ddd01bdc53f9f1a7dc190ee7e3e618

Marvin Rhoads · ‎10-03-2018

Checking on the basics - did you get an IP address assigned to the ASA from your ISP modem? Is the ASA able to reach the Internet (e.g., ping 8.8.8.8)?

For general operations you might want to add:

policy-map global_policy
class inspection_default
inspect icmp

..so that you can ping outbound.

andyferguson1977 · ‎10-03-2018

Awesome, thanks for the tip. I will add it for sure.

How can I check to see if the ASA got an ip from the ISP Modem

Marvin Rhoads · ‎10-03-2018

"show ip address" will output the current addresses.

Also check that you got a default route "show route".

With both of those verify the ASA can reach the Internet. If it can't your hosts behind it certainly won't.

andyferguson1977 · ‎10-03-2018

When I do show route, I'm getting

Gateway of last resort is not set

C 192.168.1.0 255.255.255.0 is directly connected, management
C 192.198.1.0 255.255.255.0 is directly connected, inside
CL-ASA-FW(config)# Gateway of last resort is not set

How would I configure the default route

Thanks

Marvin Rhoads · ‎10-03-2018

So it looks like DHCP is not passing you a route on the outside. You can hack it by manually adding a default route using the ISP router as the gateway.

Did you at least get an IP address from it?

andyferguson1977 · ‎10-03-2018

checking now

andyferguson1977 · ‎10-03-2018

remember that my IP from the ISP is dynamic

Does that make a difference

Marvin Rhoads · ‎10-03-2018

Yes, it's dynamic - that's why it's a bit of a hack because if it changes the routing potentially gets broken. The upstream gateway usually isn't what changes though - only the address given out to you.

andyferguson1977 · ‎10-03-2018

I am not getting an IP address

andyferguson1977 · ‎10-04-2018

So I was going to remove the setroute command so I entered

IP Address dhcp (Without the setroute) and got the error message below

interface ethernet0/0
CL-ASA-FW(config-if)# nameif outside
CL-ASA-FW(config-if)# securit
CL-ASA-FW(config-if)# security-level 0
CL-ASA-FW(config-if)# ip address dhcp
WARNING: All traffic destined to the IP address of the outside interface is being redirected.
WARNING: Users may not be able to access any service enabled on the outside interface.