Re: Need Help - Configuration of ASA

BumblingBlunderbuss · ‎12-21-2017

Good Morning Cisco Forums,

Long time lurker, first time poster. It's been a few years since I've gotten my hands into an ASA, and I recently got one to mess around with in a home lab situation. I've got it (Mostly) configured, but I've run into an odd issue. I can ping by IP and Name from the ASA itself, but can only ping by IP from clients behind the firewall. Not entirely sure what I am missing. Config below -

ASA Version 8.2(5)
!
hostname 236ASA
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 50
ip address 192.168.5.254 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.2
name-server 8.8.8.8
name-server 8.8.4.4
name-server 208.67.220.220
name-server 208.67.222.222
access-list inside_access_in extended permit ip any any log disable
access-list OUTSIDE-IN extended permit icmp any any
access-list OutsideToInside extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.5.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 10.1.0.131 255.255.255.255 outside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto-spam removed

quit
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.100.100-192.168.100.200 inside
dhcpd dns 4.2.2.2 8.8.8.8 interface inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password Rmrc8sBcdjisO3if encrypted privilege 15
!
class-map global-class
match any
!
!
policy-map global-policy
class global-class
inspect icmp
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d5911ab6a5f54d903a5528de38094ab0

Any help would be appreciated. And if possible, I'd appreciate as much hand holding as possible. It's been a long time, and I'm still a little fuzzy, as I've more or less floundered my way this far.

Flavio Miranda · ‎12-21-2017

Hi,

You are missing NAT.

object network LAN
subnet 192.168.100.0 255.255.255.0
nat (inside,outside) dynamic interface

Outside interface have security level 0 for best practice.

-If I helped you somehow, please, rate it as useful.-

BumblingBlunderbuss · ‎12-21-2017

I'll go try this in 20 minutes and get back to you. Hoping that's it!

andre.ortega · ‎12-21-2017

I think your nat is ok. That model is for newer versions, though you could try to remove the option norandomseq.

BumblingBlunderbuss · ‎12-21-2017

The syntax above, nat (inside,outside), doesn't work for this ASA either... unless I'm doing something wrong.

logged in

enable

config t

etc..

How would I remove what you're saying?

andre.ortega · ‎12-21-2017

Yes, as I told that config is to newer versions.

To remove:

no nat (inside) 1 192.168.100.0 255.255.255.0 norandomseq

nat (inside) 1 192.168.100.0 255.255.255.0

If possible, try to use other version. I have already faced I problem like that, but I am not sure about the version.

BumblingBlunderbuss · ‎12-21-2017

Done. No change in regards to being able to access the internet/ping by name from the clients. Any other ideas?

andre.ortega · ‎12-22-2017

Update...

BumblingBlunderbuss · ‎12-22-2017

I have no firmware to update to, so I am stuck working with what I have. I found a different forum post explaining a basic setup, so today I am going to flush it back to factory defaults, and try a base config and see where it gets me. unless you, or anyone else, has any other ideas.

andre.ortega · ‎12-22-2017

I think it is a good idea.
Erase everything and start again. We may be missing something.

BumblingBlunderbuss · ‎01-08-2018

That syntax doesn't work in 8.2(5)

andre.ortega · ‎12-21-2017

Hi,

do you have DNS server configured on your clients behind ASA?

I saw that ASA is configured to delivery the dns address, but confirm that clients are getting the DNS server.

Also, are you using which version? It looks like a very old version...

BumblingBlunderbuss · ‎12-21-2017

ASA Version 8.2(5). The clients themselves are getting external DNS from the ASA, as that's all they need.