03-09-2011 08:18 PM - edited 03-11-2019 01:04 PM
I'd appreciate any assistance.
I'm unable to have any internet connection for my new setup.
Here's the overview.
Current setup is:
Internet -> Router -> PIX 501 -> Switch -> clients
Internet -> static IPs given are 210.193.34.1 - 210.193.34.6
Router -> static IP assigned for NAT/external is 210.193.34.1, local IP is 192.168.1.246
PIX 501 settings ->
IP to router, according to the router screen, is 210.193.34.2, but I'm not sure what settings are done in the PIX itself as I'm unable to access it.
Local IP is 192.168.1.1
Clients -> 192.168.1.0
The old setup is working fine and connected to the internet.
For the new setup, I do not want any downtime for the old setup.
As you can see, there are two firewalls connected concurrently to the router.
I've configured it this way:
Internet -> Router -> ASA 5505 -> Switch -> clients
ASA 5505 settings ->
IP to router NAT/external/outside interface: 210.193.34.6 (or do I set it as 192.168.1.0?)
Local IP/inside interface is 192.168.2.1
Clients -> 192.168.2.0
Some setup details:
Security policy and NAT are set to default.
Routing is: route outside 0.0.0.0 0.0.0.0 210.193.34.6
I'm unable to access the internet after a week of troubleshooting.
I will really appreciate any help given.
Thank you so much.
03-09-2011 08:31 PM
Can you please share your old PIX config as well as the router config? I find the diagram a little misleading in terms of the internal IP address of the router; not sure how it connects.
03-09-2011 08:32 PM
Thanks for the reply.
I'm unable to access my PIX config, as https://192.168.1.1 doesn't allow me to access it because of a Java issue,
which might be due to old firmware.
The internal IP address of the router is 192.168.1.246.
The NAT address of the router is 210.193.34.1.
03-09-2011 08:49 PM
What about the CLI of the PIX? Can you telnet or SSH to it?
I would like to know how they are physically and logically connected, i.e.:
What is the PIX outside interface IP address, and how is it connected to the router (i.e. on which interface of the router, and what is the router IP address that connects to the PIX)?
What default route is configured on the PIX?
What default route is configured on the 192.168.1.0/24 host?
03-09-2011 09:29 PM
Hi there,
Thank you for the reply.
I'm unable to SSH/telnet into the PIX.
> What is the PIX outside interface IP address, and how is it connected to the router (i.e. on which interface of the router, and what is the router IP address that connects to the PIX)?
The outside interface is unknown as I'm unable to log into the PIX to view it. However, from the router, I can see that the IP on the eth1 port, which is the PIX, is 210.193.34.2.
It is connected to the Eth1 port. I'm unsure what IP is used internally between the router and the PIX; the only IPs I can see are from the router's configuration page for each interface and the IP it is holding.
> What default route is configured on the PIX?
> What default route is configured on the 192.168.1.0/24 host?
The default IP would be 192.168.1.1.
I'm unable to view the route as I am unable to access the PIX.
Still trying to find any other way to access it.
03-09-2011 09:54 PM
I finally managed to get into my PIX 501 through the serial port.
Here's the NAT, access-list and route output:
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 192.168.1.201 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
outside 0.0.0.0 0.0.0.0 210.193.34.1 1 OTHER static
inside 192.168.1.0 255.255.255.0 192.168.1.1 1 CONNECT static
outside 210.193.34.0 255.255.255.240 210.193.34.2 1 CONNECT static
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip any 192.168.1.128 255.255.255.128 (hitcnt=0)
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 permit ip any 192.168.1.128 255.255.255.128 (hitcnt=0)
access-list progession; 32 elements
access-list progession line 1 deny tcp any host 192.168.1.201 eq h323 (hitcnt=0)
access-list progession line 2 deny tcp any host 192.168.1.201 eq 491 (hitcnt=0)
access-list progession line 3 deny tcp any host 192.168.1.201 eq 1731 (hitcnt=0)
access-list progession line 4 deny tcp any host 192.168.1.201 eq 1503 (hitcnt=0)
access-list progession line 5 deny tcp any host 192.168.1.201 eq 522 (hitcnt=0)
access-list progession line 6 deny tcp any host 192.168.1.201 eq ldap (hitcnt=0)
access-list progession line 7 permit udp any host 192.168.1.201 eq 3389 (hitcnt=0)
access-list progession line 8 permit tcp any host 192.168.1.201 eq 3389 (hitcnt=0)
access-list progession line 9 permit tcp any eq smtp host 210.193.34.4 eq smtp (hitcnt=0)
access-list progession line 10 deny udp any host 210.193.34.4 eq 1433 (hitcnt=0)
access-list progession line 11 deny tcp any host 210.193.34.4 eq 1433 (hitcnt=0)
access-list progession line 12 deny tcp any host 210.193.34.4 eq ftp (hitcnt=0)
access-list progession line 13 permit tcp any host 210.193.34.5 eq 3389 (hitcnt=0)
access-list progession line 14 permit udp any host 210.193.34.5 eq 3389 (hitcnt=0)
access-list progession line 15 permit tcp any host 210.193.34.5 eq ldap (hitcnt=0)
access-list progession line 16 permit tcp any host 210.193.34.5 eq 522 (hitcnt=0)
access-list progession line 17 permit tcp any host 210.193.34.5 eq 1503 (hitcnt=0)
access-list progession line 18 permit tcp any host 210.193.34.5 eq h323 (hitcnt=0)
access-list progession line 19 permit tcp any host 210.193.34.5 eq 1731 (hitcnt=0)
access-list progession line 20 permit tcp any host 210.193.34.5 eq pop3 (hitcnt=0)
access-list progession line 21 permit tcp any host 210.193.34.5 eq smtp (hitcnt=0)
access-list progession line 22 permit tcp any host 210.193.34.2 eq 8180 (hitcnt=0)
access-list progession line 23 permit tcp any host 210.193.34.2 eq 8080 (hitcnt=0)
access-list progession line 24 permit tcp any host 210.193.34.3 eq 3389 (hitcnt=0)
access-list progession line 25 permit udp any host 210.193.34.3 eq 3389 (hitcnt=0)
access-list progession line 26 permit tcp any host 210.193.34.3 eq ldap (hitcnt=0)
access-list progession line 27 permit tcp any host 210.193.34.3 eq 522 (hitcnt=0)
access-list progession line 28 permit tcp any host 210.193.34.3 eq 1503 (hitcnt=0)
access-list progession line 29 permit tcp any host 210.193.34.3 eq h323 (hitcnt=0)
access-list progession line 30 permit tcp any host 210.193.34.3 eq 1731 (hitcnt=0)
access-list progession line 31 permit tcp any host 210.193.34.3 eq 491 (hitcnt=0)
access-list progession line 32 permit tcp any host 210.193.34.3 eq ftp (hitcnt=0)
03-09-2011 10:41 PM
Here's the whole sh run output.
I'd appreciate any help.
Thank you.
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password z2vs55gu63RUr13Q encrypted
passwd udP8/FVE2A82hUnp encrypted
hostname progression-pixfirewall
domain-name progression.com.sg
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list inside_outbound_nat0_acl permit ip any 192.168.1.128 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.128 255.255.255.128
access-list progession deny tcp any host 192.168.1.201 eq h323
access-list progession deny tcp any host 192.168.1.201 eq 491
access-list progession deny tcp any host 192.168.1.201 eq 1731
access-list progession deny tcp any host 192.168.1.201 eq 1503
access-list progession deny tcp any host 192.168.1.201 eq 522
access-list progession deny tcp any host 192.168.1.201 eq ldap
access-list progession permit udp any host 192.168.1.201 eq 3389
access-list progession permit tcp any host 192.168.1.201 eq 3389
access-list progession permit tcp any eq smtp host 210.193.34.4 eq smtp
access-list progession deny udp any host 210.193.34.4 eq 1433
access-list progession deny tcp any host 210.193.34.4 eq 1433
access-list progession deny tcp any host 210.193.34.4 eq ftp
access-list progession permit tcp any host 210.193.34.5 eq 3389
access-list progession permit udp any host 210.193.34.5 eq 3389
access-list progession permit tcp any host 210.193.34.5 eq ldap
access-list progession permit tcp any host 210.193.34.5 eq 522
access-list progession permit tcp any host 210.193.34.5 eq 1503
access-list progession permit tcp any host 210.193.34.5 eq h323
access-list progession permit tcp any host 210.193.34.5 eq 1731
access-list progession permit tcp any host 210.193.34.5 eq pop3
access-list progession permit tcp any host 210.193.34.5 eq smtp
access-list progession permit tcp any host 210.193.34.2 eq 8180
access-list progession permit tcp any host 210.193.34.2 eq 8080
access-list progession permit tcp any host 210.193.34.3 eq 3389
access-list progession permit udp any host 210.193.34.3 eq 3389
access-list progession permit tcp any host 210.193.34.3 eq ldap
access-list progession permit tcp any host 210.193.34.3 eq 522
access-list progession permit tcp any host 210.193.34.3 eq 1503
access-list progession permit tcp any host 210.193.34.3 eq h323
access-list progession permit tcp any host 210.193.34.3 eq 1731
access-list progession permit tcp any host 210.193.34.3 eq 491
access-list progession permit tcp any host 210.193.34.3 eq ftp
pager lines 24
logging on
logging standby
logging device-id ipaddress inside
logging host inside 192.168.1.1 6/1470
mtu outside 1500
mtu inside 1500
ip address outside 210.193.34.2 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_pool 192.168.1.151-192.168.1.199
pdm location 192.168.1.200 255.255.255.255 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm location 192.168.1.202 255.255.255.255 inside
pdm location 192.168.1.203 255.255.255.255 inside
pdm location 210.193.0.0 255.255.0.0 outside
pdm location 192.168.1.202 255.255.255.255 outside
pdm location 193.168.1.200 255.255.255.255 inside
pdm location 210.193.34.6 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 0 192.168.1.201 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) udp 210.193.34.4 1433 192.168.1.201 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.4 1433 192.168.1.201 1433 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.4 ftp 192.168.1.201 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.4 smtp 192.168.1.201 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 3389 192.168.1.202 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 210.193.34.5 3389 192.168.1.202 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 522 192.168.1.202 522 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 ldap 192.168.1.202 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 1503 192.168.1.202 1503 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 h323 192.168.1.202 h323 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 1731 192.168.1.202 1731 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8080 192.168.1.202 8080 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8180 192.168.1.202 8180 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 pop3 192.168.1.202 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.5 smtp 192.168.1.202 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 3389 192.168.1.200 3389 netmask 255.255.255.255 0 0
static (inside,outside) udp 210.193.34.3 3389 192.168.1.200 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 522 192.168.1.200 522 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 ldap 192.168.1.200 ldap netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 1503 192.168.1.200 1503 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 h323 192.168.1.200 h323 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 1731 192.168.1.200 1731 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 491 192.168.1.200 491 netmask 255.255.255.255 0 0
static (inside,outside) tcp 210.193.34.3 ftp 192.168.1.200 ftp netmask 255.255.255.255 0 0
access-group progession in interface outside
route outside 0.0.0.0 0.0.0.0 210.193.34.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup Progession_VPN address-pool vpn_pool
vpngroup Progession_VPN dns-server 210.193.2.34 210.193.2.36
vpngroup Progession_VPN default-domain progession.com.sg
vpngroup Progession_VPN idle-time 1800
vpngroup Progession_VPN password ********
telnet timeout 5
ssh 210.193.0.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.30 inside
dhcpd dns 210.193.2.34 210.193.2.36
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd domain progession.com.sg
dhcpd auto_config outside
dhcpd enable inside
username progession password z2vs55gu63RUr13Q encrypted privilege 15
terminal width 80
Cryptochecksum:1505d9ac63e6673679bfe79fd5a3a818
: end
03-11-2011 03:08 AM
OK, so your ASA outside interface needs to be connected to the same network as the PIX outside interface as well as the router interface.
You will have to assign your ASA outside interface one of the spare IP addresses you have in the 210.193.34.0/28 subnet. You mentioned earlier that 210.193.34.6 is free, so you can assign that to your ASA outside interface. Then you need to configure the default gateway on the ASA to point towards the router, 210.193.34.1, the same as what your PIX is pointing to.
Hope that helps.
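The two conditions in the answer above (the ASA outside address must sit in the provider's 210.193.34.0/28 block alongside the PIX and the router, and the default route must point at the router's 210.193.34.1, not at the ASA's own interface as in the original post's route statement) can be checked before touching the box. The script below is an added example, not code from the thread or from Cisco; the set of addresses already in use is constructed from the PIX configuration posted above (router .1, PIX outside .2, PIX statics on .3, .4, .5), and the two rendered lines assume the ASA 5505 convention of placing `ip address` under the VLAN interface that carries `nameif outside`.

```python
import ipaddress

# Reference data constructed from the thread: the provider's /28 block, the
# router's WAN address, and the public addresses the existing PIX 501 already
# claims (its outside interface plus the static NAT entries in its config).
PROVIDER_BLOCK = ipaddress.ip_network("210.193.34.0/28")
ROUTER_WAN = ipaddress.ip_address("210.193.34.1")
IN_USE = {
    ipaddress.ip_address("210.193.34.1"): "router WAN interface",
    ipaddress.ip_address("210.193.34.2"): "PIX outside interface",
    ipaddress.ip_address("210.193.34.3"): "PIX static NAT -> 192.168.1.200",
    ipaddress.ip_address("210.193.34.4"): "PIX static NAT -> 192.168.1.201",
    ipaddress.ip_address("210.193.34.5"): "PIX static NAT -> 192.168.1.202",
}


def check_outside_plan(outside_ip, mask, next_hop, in_use=IN_USE):
    """Validate a planned ASA outside address and default route.

    `mask` may be a prefix length ("28") or a dotted mask ("255.255.255.240").
    Returns a list of problem strings; an empty list means the plan is
    consistent with the addressing described in the thread.
    """
    problems = []
    iface = ipaddress.ip_interface(f"{outside_ip}/{mask}")
    hop = ipaddress.ip_address(next_hop)

    # 1. The outside interface must live in the provider block with the
    #    same mask the PIX and router use, otherwise it is a different subnet.
    if iface.network != PROVIDER_BLOCK:
        problems.append(
            f"{iface.with_prefixlen} is on {iface.network}, not the provider block {PROVIDER_BLOCK}"
        )

    # 2. Network and broadcast addresses are not assignable to a host.
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {iface.network}")

    # 3. The address must not collide with anything the PIX or router owns.
    if iface.ip in in_use:
        problems.append(f"{iface.ip} is already used by: {in_use[iface.ip]}")

    # 4. The default route next hop has to be directly reachable on that
    #    subnet, and it must be the router, not the firewall's own interface
    #    (the mistake in the original post's route statement).
    if hop == iface.ip:
        problems.append(f"default route next hop {hop} is the ASA's own interface address")
    elif hop not in iface.network:
        problems.append(f"default route next hop {hop} is not on the connected subnet {iface.network}")
    if hop != ROUTER_WAN:
        problems.append(f"default route next hop {hop} is not the router address {ROUTER_WAN}")

    return problems


def render_asa_lines(outside_ip, mask, next_hop):
    """Return the two ASA CLI lines the plan translates to (assumed to be
    entered under the VLAN interface with `nameif outside`, and at global
    config level, respectively)."""
    iface = ipaddress.ip_interface(f"{outside_ip}/{mask}")
    return [
        f"ip address {iface.ip} {iface.netmask}",
        f"route outside 0.0.0.0 0.0.0.0 {next_hop} 1",
    ]


if __name__ == "__main__":
    plans = {
        "original post (route to own interface)": ("210.193.34.6", "255.255.255.240", "210.193.34.6"),
        "original post alternative (private outside)": ("192.168.1.1", "255.255.255.0", "210.193.34.1"),
        "answer's proposal": ("210.193.34.6", "255.255.255.240", "210.193.34.1"),
    }
    for label, (ip, mask, hop) in plans.items():
        issues = check_outside_plan(ip, mask, hop)
        print(f"{label}: {'OK' if not issues else 'PROBLEMS'}")
        for issue in issues:
            print(f"  - {issue}")
        if not issues:
            for line in render_asa_lines(ip, mask, hop):
                print(f"  {line}")
```

Running it reports the original post's plan as broken on the next hop only (the address itself is fine) and the alternative with a 192.168.1.x outside address as broken on both the subnet and the next hop, while the answer's proposal passes and renders the `ip address` and `route outside` lines to enter on the ASA.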