Need Help - Configuration of ASA

Good Morning Cisco Forums,

Long time lurker, first time poster. It's been a few years since I've gotten my hands into an ASA, and I recently got one to mess around with in a home lab situation. I've got it (mostly) configured, but I've run into an odd issue. I can ping by IP and name from the ASA itself, but can only ping by IP from clients behind the firewall. Not entirely sure what I am missing. Config below:

ASA Version 8.2(5)
!
hostname 236ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 50
 ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 4.2.2.2
 name-server 8.8.8.8
 name-server 8.8.4.4
 name-server 208.67.220.220
 name-server 208.67.222.222
access-list inside_access_in extended permit ip any any log disable
access-list OUTSIDE-IN extended permit icmp any any
access-list OutsideToInside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 10.1.0.131 255.255.255.255 outside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto-spam removed

quit
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.100-192.168.100.200 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password Rmrc8sBcdjisO3if encrypted privilege 15
!
class-map global-class
 match any
!
!
policy-map global-policy
 class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d5911ab6a5f54d903a5528de38094ab0
Any help would be appreciated. And if possible, I'd appreciate as much hand holding as possible. It's been a long time, and I'm still a little fuzzy, as I've more or less floundered my way this far.

12 Replies

Hi,

You are missing NAT.

object network LAN
  subnet 192.168.100.0 255.255.255.0
  nat (inside,outside) dynamic interface

The outside interface should have security level 0 as a best practice.

 

-If I helped you somehow, please, rate it as useful.-

I'll go try this in 20 minutes and get back to you. Hoping that's it!

I think your nat is ok. That model is for newer versions, though you could try to remove the option norandomseq.

The syntax above, nat (inside,outside), doesn't work for this ASA either... unless I'm doing something wrong.

logged in
enable
config t
etc..

How would I remove what you're saying?

Yes, as I said, that config is for newer versions.

To remove:

no nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq

nat (inside) 1 192.168.100.0 255.255.255.0

If possible, try to use another version. I have already faced a problem like that, but I am not sure about the version.

Done. No change in regards to being able to access the internet/ping by name from the clients. Any other ideas?

Update...

I have no firmware to update to, so I am stuck working with what I have. I found a different forum post explaining a basic setup, so today I am going to flush it back to factory defaults and try a base config and see where it gets me, unless you, or anyone else, has any other ideas.

I think it is a good idea.
Erase everything and start again. We may be missing something.

That syntax doesn't work in 8.2(5)

andre.ortega

Hi,

Do you have a DNS server configured on your clients behind the ASA?

I saw that the ASA is configured to deliver the DNS address, but confirm that the clients are actually getting the DNS server.

Also, which version are you using? It looks like a very old version...

ASA Version 8.2(5). The clients themselves are getting external DNS from the ASA, as that's all they need.
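One way to check a posted config for the points raised across this thread (the outside security level, pre-8.3 versus 8.3+ NAT syntax, the norandomseq option, the DNS servers dhcpd hands to clients, and the fact that dns domain-lookup only serves the ASA's own resolver, which is why the ASA resolving names says nothing about the clients). The Python linter below is an added example, not Cisco tooling and not code from anyone in the thread; the parser and field names are my own, and SAMPLE_CONFIG is a constructed excerpt modelled on the poster's 8.2(5) config. As lower-priority notes it also flags the absent inspect dns (the factory-default service policy includes one) and the enabled telnet access visible in the posted config.

```python
"""Lint an ASA running config for the points raised in the thread.

Added example, not Cisco tooling. Names below are my own; SAMPLE_CONFIG is a
constructed excerpt modelled on the poster's 8.2(5) config.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
ASA Version 8.2(5)
!
interface Ethernet0/0
 nameif outside
 security-level 50
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
dns domain-lookup outside
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq
telnet 192.168.100.0 255.255.255.0 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
!
policy-map global-policy
 class global-class
  inspect icmp
"""


@dataclass
class AsaConfig:
    version: tuple = (0, 0)                                # (major, minor) from 'ASA Version'
    interfaces: dict = field(default_factory=dict)         # nameif -> security-level
    legacy_nat: list = field(default_factory=list)         # pre-8.3 'nat (<if>) <id> ...' lines
    object_nat: bool = False                               # 8.3+ 'nat (<in>,<out>) ...' seen
    dhcpd_dns: list = field(default_factory=list)          # DNS servers given to DHCP clients
    inspects: set = field(default_factory=set)             # protocols under 'inspect'
    telnet_allowed: bool = False                           # a 'telnet <net> <mask> <if>' line
    dns_lookup_ifaces: list = field(default_factory=list)  # 'dns domain-lookup <if>'


def parse_asa_config(text):
    """Pull out only the fields the lint needs; everything else is ignored."""
    cfg = AsaConfig()
    in_interface, nameif = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":          # '!' closes an interface block
            in_interface, nameif = False, None
            continue
        m = re.match(r"ASA Version (\d+)\.(\d+)", line)
        if m:
            cfg.version = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("interface "):
            in_interface = True
        elif in_interface and line.startswith("nameif "):
            nameif = line.split()[1]
            cfg.interfaces.setdefault(nameif, None)
        elif in_interface and nameif and line.startswith("security-level "):
            cfg.interfaces[nameif] = int(line.split()[1])
        elif re.match(r"nat \(\w+\) \d+ ", line):        # pre-8.3 syntax
            cfg.legacy_nat.append(line)
        elif re.match(r"nat \(\w+,\w+\) ", line):        # 8.3+ object NAT syntax
            cfg.object_nat = True
        elif line.startswith("dhcpd dns "):
            toks = line.split()[2:]                      # servers end at 'interface'
            cfg.dhcpd_dns = toks[:toks.index("interface")] if "interface" in toks else toks
        elif line.startswith("inspect "):
            cfg.inspects.add(line.split()[1])
        elif line.startswith("telnet ") and not line.startswith("telnet timeout"):
            cfg.telnet_allowed = True
        elif line.startswith("dns domain-lookup "):
            cfg.dns_lookup_ifaces.append(line.split()[2])
    return cfg


def lint(cfg):
    """Return (severity, message) pairs for the thread's checklist."""
    findings = []
    level = cfg.interfaces.get("outside")
    if level is not None and level != 0:
        findings.append(("warn", f"outside security-level is {level}, not 0"))
    if cfg.version == (0, 0):
        findings.append(("info", "no 'ASA Version' line found; NAT syntax checks skipped"))
    elif cfg.version < (8, 3):
        if cfg.object_nat:
            findings.append(("error", "object NAT 'nat (in,out) ...' syntax requires 8.3 or later"))
        if not cfg.legacy_nat:
            findings.append(("error", "no pre-8.3 'nat (<if>) <id> ...' statement found"))
        for nat in cfg.legacy_nat:
            if "norandomseq" in nat:
                findings.append(("info", f"norandomseq set on: {nat}"))
    elif cfg.legacy_nat:
        findings.append(("error", "pre-8.3 'nat (<if>) <id> ...' syntax on an 8.3+ image"))
    if not cfg.dhcpd_dns:
        findings.append(("warn", "dhcpd hands out no DNS servers to clients"))
    for iface in cfg.dns_lookup_ifaces:
        findings.append(("info", f"dns domain-lookup {iface} serves only the ASA's own resolver, not client queries"))
    if "dns" not in cfg.inspects:
        findings.append(("info", "no 'inspect dns' in the service policy (the factory-default policy includes one)"))
    if cfg.telnet_allowed:
        findings.append(("warn", "telnet management access is enabled; prefer ssh"))
    return findings


if __name__ == "__main__":
    for severity, msg in lint(parse_asa_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {msg}")
```

To run it against a real box, read a `show running-config` capture into parse_asa_config. The version gate is the part that matters for this thread: it is what rejects the 8.3-style object NAT from the first reply on an 8.2(5) image while still confirming that a pre-8.3 nat/global pair is present.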