08-15-2013 01:03 AM - edited 03-11-2019 07:25 PM
Hi all,
I have a Cisco877 DSL router which is in bridge mode so the ASA5505 gets the public IP.
This works, however nothing else does.
I'm unable to access the Internet, and I can't access the ASA on the outside interface.
All results in SYN errors.
I'm stuck and would appreciate some help.
Thanks in advance.
Ruud
Config Cisco877
bridge irb
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
ip virtual-reassembly in
atm route-bridged ip
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
no ip address
bridge-group 1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
bridge 1 protocol ieee
bridge 1 route ip
Config ASA5505
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan11
nameif outside
security-level 0
ip address dhcp setroute
!
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any4 any4
access-list global_access extended permit ip any any
access-list global_access extended permit icmp any4 any4
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any4 any4
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1 aes128-sha1 rc4-sha1
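One thing worth checking in the posted ASA config before going further: the outside and global ACLs permit ip any any inbound. As an added example (not from the original post and not a Cisco tool), the small Python checker below parses nameif/security-level, access-list and access-group lines and flags any "permit ip any any" entry bound to a security-level 0 interface or applied globally; SAMPLE_CONFIG is a constructed excerpt of the config above, and parse_asa/find_open_acls are my own helper names.

```python
# Added example: lint an ASA config excerpt for "permit ip any any" ACLs
# applied inbound on the outside (security-level 0) interface or globally.
# SAMPLE_CONFIG is a constructed excerpt; parse_asa/find_open_acls are mine.

SAMPLE_CONFIG = """\
 nameif inside
 security-level 100
 nameif outside
 security-level 0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any4 any4
access-list global_access extended permit ip any any
access-list inside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
"""

ANY = ("any", "any4", "any6")  # ASA source/destination wildcards

def parse_asa(config):
    """Return (security level per nameif, ACEs per ACL name, ACL bindings)."""
    levels, acls, bindings, nameif = {}, {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nameif":
            nameif = tok[1]
        elif tok[0] == "security-level" and nameif:
            levels[nameif] = int(tok[1])
        elif tok[0] == "access-list" and "extended" in tok:
            acls.setdefault(tok[1], []).append(tok[tok.index("extended") + 1:])
        elif tok[0] == "access-group":
            # "access-group NAME in interface IF" or "access-group NAME global"
            bindings.append((tok[1], tok[4] if "interface" in tok else "global"))
    return levels, acls, bindings

def find_open_acls(config, max_level=0):
    """(acl, interface, ace) for permit-ip-any-any ACEs on interfaces at or
    below max_level; a global ACL is treated as exposed."""
    levels, acls, bindings = parse_asa(config)
    findings = []
    for name, iface in bindings:
        if levels.get(iface, max_level) > max_level:
            continue
        for ace in acls.get(name, []):
            if len(ace) >= 4 and ace[:2] == ["permit", "ip"] \
                    and ace[2] in ANY and ace[3] in ANY:
                findings.append((name, iface, " ".join(ace)))
    return findings
```

Running find_open_acls(SAMPLE_CONFIG) reports the outside_access_in and global_access entries; the icmp entry and the inside ACL (security-level 100) are not flagged.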
08-15-2013 01:09 AM
Your ASA tries to get its outside IP by DHCP, but it has to use PPPoE:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080ab7ce9.shtml
BTW: Using an IOS router as a DSL modem is really a waste of resources. A cheap DSL modem would be fine for that.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-15-2013 01:22 AM
The ASA is getting the right address using DHCP.
I don't have a username and password so I can't use PPPoE.
The Cisco 877 was the device I used before to access the Internet with this DSL line.
There was no need for PPPoE.
See the old config of the 877 below:
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
aaa new-model
!!
aaa authentication login local_authen local
aaa authorization exec local_author local
!!
aaa session-id common
crypto pki certificate chain tti
crypto pki certificate chain TP-self-signed-3629992121
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.9
ip dhcp excluded-address 192.168.100.16 192.168.100.254
!
ip dhcp pool Internet-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 217.149.192.6 217.149.196.6
domain-name uni.nl
!
ip vrf Secure
!
no ip bootp server
ip domain name uni.nl
ip inspect name inspect-out http urlfilter audit-trail off
ip inspect name inspect-in http urlfilter audit-trail off
ip urlfilter exclusive-domain permit .windowsupdate.com
ip urlfilter exclusive-domain permit .microsoft.com
!
multilink bundle-name authenticated
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address dhcp
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
!
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
description SecureNetwerk
switchport access vlan 20
!
!
interface Vlan20
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip inspect inspect-in in
ip virtual-reassembly
ip route-cache flow
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
!
!
ip http server
ip http access-class 5
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static esp 10.10.10.4 interface ATM0
ip nat inside source static tcp 10.10.10.2 443 85.223.x.y 443 extendable
!
08-15-2013 01:52 AM
The ASA is getting the right address using DHCP.
I don't have a username and password so I can't use PPPoE.
Oh, I wasn't aware of any DSL provider using DHCP. Only saw PPPoE ...
Can you reach any destinations (inside or outside) *from* the ASA?
08-15-2013 02:04 AM
No, I can't reach anything.
When I do a packet trace it shows I should be able to connect. Nothing in its way that's blocking traffic.
08-15-2013 02:30 AM
No, I can't reach anything.
Not even an internal system? How is your internal setup? And post the output of "show route".
08-15-2013 03:29 AM
When your ASA gets an IP from DHCP, it also gets a gateway address. Can you ping the gateway address from the outside interface of the ASA?
08-16-2013 01:24 AM
Perhaps the provider limited access to the MAC address of the ATM device, since there's no authentication with DHCP?
Michael