Roman Bessonov

Nat with asa 5505 9.1x comcast dhcp

Here is my config, I don't know what is wrong.

Well, it's in this line, but do I have to type in an IP even if Comcast is giving me a DHCP address?

route outside any 1


hostname asa1
enable password rwt5UQJihEq2/Qae encrypted
interface Vlan1
 description to inside VLAN
 nameif inside
 security-level 100
 ip address
interface Vlan2
 description to outside interface (DHCP Cablemodem)
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/0
 description physical connection to Comcast Cablemodem
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd rwt5UQJihEq2/Qae encrypted
banner motd
banner motd +-------------------------------------------------------------------+
banner motd |                                                                   |
banner motd |               *** Unauthorized Use or Access Prohibited ***       |
banner motd |                                                                   |
banner motd |                  For Authorized Official Use Only                 |
banner motd |          You must have explicit permission to access or           |
banner motd |          configure this device. All activities performed          |
banner motd |          on this device may be logged, and violations of          |
banner motd |        this policy may result in disciplinary action, and         |
banner motd |          may be reported to law enforcement authorities.          |
banner motd |                                                                   |
banner motd |           There is no right to privacy on this device.            |
banner motd |                                                                   |
banner motd +-------------------------------------------------------------------+
banner motd
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
object network obj_any
access-list outside_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside any 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http inside
http outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh inside
ssh outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
username admin password J5nTOEDhPTdyBWnI encrypted privilege 15
prompt hostname context
: end

Maykol Rojas
Cisco Employee


If your ISP is giving you a default gateway as well (the most common scenario when using DHCP), then you don't need the route command; the dhcp setroute that you have on the interface should take care of that.

That being said, remove the line (if it is there), then grab the show ip and the show route output to see if you are getting a route.

Mike Rojas



I tried that. At first it didn't go; it turned out there was an issue with my modem registering. It's all fixed now, but I also upgraded the ASA image, and that worked with no issues.

As of right now it's all working.

Really quickly though, how hard/easy would it be to set up a VPN using a dynamic address from one ASA to mine?

Roman Bessonov

This might be a dumb question, but do I need to have a domain name?

If you are generating certificate signing requests for 3rd-party certificates or using SSH, you probably need a domain name. You don't need a domain name just to filter traffic, and you can change the domain name without affecting the ACLs and access-groups.

-- Jim Leinweber, WI State Lab of Hygiene
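As an added example (not part of the thread, and not Cisco's or the posters' code), the Python script below turns both answers above into checks that run over an ASA running-config: it flags a static default route on an interface that already has ip address dhcp setroute (Mike's point), flags ssh/http management access permitted on the security-level 0 interface (the posted config has both "ssh outside" and "http outside"), and flags ssh enabled with no domain-name (Jim's point, since the RSA host key is generated from hostname plus domain-name). The config it runs on is a constructed excerpt modelled on the posted one, using documentation-range addresses; it is not the poster's real config.

```python
"""Audit a Cisco ASA running-config for the problems discussed in this thread.

Added example, not code from the thread or from Cisco. SAMPLE_CONFIG is a
constructed excerpt with documentation-range addresses, not a real config.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# 'show running-config' indents interface sub-commands by one space; the
# parser relies on that (the forum post lost the indentation).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh version 2
"""


@dataclass
class Interface:
    nameif: str = ""
    security_level: Optional[int] = None
    dhcp_setroute: bool = False


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Map each nameif to its security level and whether it uses DHCP setroute."""
    ifaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith("interface "):
            current = Interface()
        elif line.startswith(" ") and current is not None:
            words = line.split()
            if words[0] == "nameif":
                current.nameif = words[1]
                ifaces[words[1]] = current
            elif words[0] == "security-level":
                current.security_level = int(words[1])
            elif words[:3] == ["ip", "address", "dhcp"]:
                current.dhcp_setroute = "setroute" in words
        else:
            current = None  # any other top-level line ends the interface block
    return ifaces


def is_static_default_route(words: List[str], ifaces: Dict[str, Interface]) -> bool:
    # 'route <nameif> 0.0.0.0 0.0.0.0 <gw> [metric]' (ASA also accepts '0 0')
    # on an interface whose default route already comes from DHCP setroute.
    return (len(words) >= 5 and words[0] == "route" and words[2] in ("0.0.0.0", "0")
            and words[1] in ifaces and ifaces[words[1]].dhcp_setroute)


def lint(config: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    ifaces = parse_interfaces(config)
    findings: List[str] = []
    saw_ssh = saw_domain = False
    for line in config.splitlines():
        words = line.split()
        if not words or line.startswith(" "):
            continue
        # 1. A static default route duplicates the one DHCP installs and goes
        #    stale when the ISP hands out a different gateway.
        if is_static_default_route(words, ifaces):
            findings.append(f"static default route on '{words[1]}' duplicates "
                            f"'ip address dhcp setroute': remove '{line.strip()}'")
        # 2. 'ssh|http <source> <mask> <nameif>' on the security-level 0
        #    interface exposes the management plane to the Internet.
        if words[0] in ("ssh", "http") and len(words) == 4 and words[3] in ifaces:
            saw_ssh = saw_ssh or words[0] == "ssh"
            if ifaces[words[3]].security_level == 0:
                findings.append(f"{words[0]} management access allowed on '{words[3]}' "
                                f"(security-level 0) from {words[1]} {words[2]}")
        saw_domain = saw_domain or words[0] == "domain-name"
    # 3. 'crypto key generate rsa' needs hostname + domain-name for the host key.
    if saw_ssh and not saw_domain:
        findings.append("ssh access configured but no 'domain-name' set "
                        "(needed to generate the RSA host key)")
    return findings


def drop_static_default_routes(config: str) -> str:
    """Apply the fix from the thread: delete the conflicting static default route."""
    ifaces = parse_interfaces(config)
    kept = [l for l in config.splitlines() if not is_static_default_route(l.split(), ifaces)]
    return "\n".join(kept) + "\n"
```

Running lint(SAMPLE_CONFIG) reports four findings (the static route, http and ssh on outside, and the missing domain-name); after drop_static_default_routes() the route finding goes away and the three management-plane findings remain, which is the part of the posted config worth fixing next.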
