Nat with asa 5505 9.1x comcast dhcp

Roman Bessonov
Level 1

Here is my config, I don't know what is wrong.

Well, it's in this line, but do I have to type in an IP even if Comcast is giving me a DHCP address?

route outside 0.0.0.0 0.0.0.0 any 1

=============================

hostname asa1
domain-name mydomain.com
enable password rwt5UQJihEq2/Qae encrypted
names
!
interface Vlan1
 description to inside VLAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description to outside interface (DHCP Cablemodem)
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 description physical connection to Comcast Cablemodem
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd rwt5UQJihEq2/Qae encrypted
banner motd
banner motd +-------------------------------------------------------------------+
banner motd |                                                                   |
banner motd |               *** Unauthorized Use or Access Prohibited ***       |
banner motd |                                                                   |
banner motd |                  For Authorized Official Use Only                 |
banner motd |          You must have explicit permission to access or           |
banner motd |          configure this device. All activities performed          |
banner motd |          on this device may be logged, and violations of          |
banner motd |        this policy may result in disciplinary action, and         |
banner motd |          may be reported to law enforcement authorities.          |
banner motd |                                                                   |
banner motd |           There is no right to privacy on this device.            |
banner motd |                                                                   |
banner motd +-------------------------------------------------------------------+
banner motd
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
 name-server 75.75.75.75
object network obj_any
 subnet 0.0.0.0 0.0.0.0
access-list outside_in extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 any 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh scopy enable
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
!
dhcpd dns 4.2.2.2 75.75.75.75
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain mydomain.com
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
username admin password J5nTOEDhPTdyBWnI encrypted privilege 15
prompt hostname context
: end

4 Replies

Maykol Rojas
Cisco Employee

Roman,

If your ISP is giving you a default gateway as well (the most common scenario when using DHCP), then you don't need the route command; the `dhcp setroute` that you have on the interface should take care of that.

That being said, remove the line (if it is there), grab the show ip and the show route to see if you are getting a route.

Mike Rojas
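A small config lint, added here as an example (not from the thread, and not Cisco's own tooling), that checks an ASA config for the problem Mike describes: a static default route on an interface that already has `ip address dhcp setroute`, which makes the static route redundant, plus a gateway that is not an IP address. It also reports the `http`/`ssh 0.0.0.0 0.0.0.0 outside` lines from the posted config, since those allow management connections from any source on the Internet-facing interface. The config excerpt embedded below is a constructed subset of the posted one.

```python
import re
from ipaddress import ip_address

# Constructed excerpt of the posted ASA 5505 config: only the interface,
# route and management-access lines, everything else omitted.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
route outside 0.0.0.0 0.0.0.0 any 1
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

def parse_interfaces(config):
    """Map each nameif to True if that interface gets its address and default route via DHCP."""
    dhcp_setroute, nameif = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new interface block, nameif not seen yet
        elif nameif is None and line.strip().startswith("nameif "):
            nameif = line.split()[1]
            dhcp_setroute[nameif] = False
        elif nameif and line.strip() == "ip address dhcp setroute":
            dhcp_setroute[nameif] = True
    return dhcp_setroute

def lint(config):
    """Return findings as (kind, message) tuples; kinds: conflict, error, exposure."""
    findings, dhcp_ifaces = [], parse_interfaces(config)
    for line in config.splitlines():
        m = re.match(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            ifname, gw = m.groups()
            if dhcp_ifaces.get(ifname):        # static default route duplicates DHCP setroute
                findings.append(("conflict", f"static default route on '{ifname}' duplicates 'ip address dhcp setroute'; remove it"))
            try:
                ip_address(gw)                 # gateway must be an address, e.g. 'any' is not
            except ValueError:
                findings.append(("error", f"default route gateway '{gw}' is not an IP address"))
        m = re.match(r"(http|ssh) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:                                  # management reachable from any source address
            findings.append(("exposure", f"{m.group(1)} management open to any source on '{m.group(2)}'"))
    return findings

if __name__ == "__main__":
    for kind, msg in lint(SAMPLE_CONFIG):
        print(f"[{kind}] {msg}")
```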

Mike

Thanks.

I tried that; at first it didn't go. Turned out there was an issue with my modem registering. It's all fixed now. But I also upgraded the ASA iso image and that worked with no issues.

As of right now it's all working.

Really quickly though, how hard/easy would it be to set up VPN using a dynamic address from one ASA to mine?

Roman Bessonov
Level 1

This might be a dumb question, but do I need to have a domain name?

If you are generating certificate signing requests for 3rd-party certificates or using ssh, you probably need a domain name. You don't need a domain name just to filter traffic, and you can change the domain name without affecting the ACLs and access-groups.

-- Jim Leinweber, WI State Lab of Hygiene
