Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
976
Views
4
Helpful
7
Replies

Help with Cisco ASA 5505 and no iternet.

chad
Level 1
Level 1

‎07-29-2013 10:20 AM - edited ‎03-04-2019 08:35 PM

Hello, I'm trying to configure a Cisco ASA 5505 router with our Comcast modem. The router will give out a local IP address, but no one can get online. I set a the DNS to go to 208.67.222.222 and 8.8.8.8. In network objects it has global set to from any to any with ip set to deny. Should that be set up to do that? Do I need to and an network object that has inside to outside alow? What might I be scewing up?

Thanks

Labels:
0 Helpful
7 Replies 7

cadet alain
VIP Alumni
VIP Alumni

‎07-29-2013 10:51 AM

Hi,

Post your config.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

chad
Level 1
Level 1
In response to cadet alain

‎07-29-2013 02:05 PM

: Saved

:

ASA Version 8.4(6)5

!

hostname ciscoasa

domain-name wp.comcast.net

enable password 3aTg8pKbdiI5KJTP encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

boot system disk0:/asa846-5-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns domain-lookup outside

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 8.8.8.8

domain-name wp.comcast.net

object network cfserver

host 10.0.0.254

object service rdc

service tcp destination eq 3389

object network sqlserver

host 10.0.0.249

object network cb1

range 67.111.0.0 67.111.1.128

object network cb2

host 208.0.0.0

object network hostworks

host 67.0.0.0

access-list inside_access extended permit tcp any object cfserver eq www

access-list outside_access_in extended permit tcp object hostworks object cfserver eq www

access-list outside_access_in extended permit object rdc object hostworks object sqlserver

access-list outside_access_in extended permit object rdc object cb1 object sqlserver

access-list outside_access_in extended permit object rdc object cb2 object sqlserver

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712-102.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network cfserver

nat (outside,inside) static cfserver service tcp www www

access-group inside_access in interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 10.0.0.150-10.0.0.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username zzzz password cz8RhoFEqvcRInDw encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d381a336b00819172fb18f6e1be5a45d

: end

asdm image disk0:/asdm-712-102.bin

no asdm history enable

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to chad

‎07-29-2013 02:30 PM

Hi Chad,

try adding the following:

!

object network inside_network_range

range 10.0.0.150 10.0.0.254

!

nat (inside, outside) source dynamic inside_network_range interface

!

route outside 0.0.0.0 .0.0.0.0

!

...replace with whatever your modems internal IP is.

cheers,

Seb.

0 Helpful

chad
Level 1
Level 1
In response to Seb Rupik

‎07-29-2013 04:15 PM

OK I did this:

nat (inside,outside) source dynamic any interface

In NAT it wouldn't take inside_network_range it kept saying inside_network_range was the same as inside. Where do I add

route outside 0.0.0.0 .0.0.0.0 ? I didn't see anything for route.

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to chad

‎07-29-2013 10:58 PM

Hi,

1)

your router should have given you the default gateway: ip address dhcp setroute

show route should show you this default route.Can you ping 8.8.8.8 from the ASA ?

2) you should inspect ICMP so you can ping from inside to outside

policy-map global_policy

class inspection_default

  inspect icmp

3) you should advertise a dns server with DHCP:

    dhcpd dns  "primary server" "secondary server"

4) no access-group inside_access in interface inside

5) you must do dynamic PAT on the outside interface as already explained by Seb

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful

chad
Level 1
Level 1

‎08-13-2013 01:17 PM

OK I am using a different internet connection now. Has a static IP. For the outside they said to use pppoe. Here's my updated log. Modem is connected to port 0 (outside) and my computer is connected to 7 (inside). For the life of me I still can't get it to work any help would be great. Thanks.

: Saved

:

ASA Version 8.4(6)5

!

hostname ciscoasa

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.0.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group cl

ip address pppoe

!

boot system disk0:/asa846-5-k8.bin

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 208.67.222.222

name-server 8.8.8.8

object network cfserver

host 10.0.0.254

object service rdc

service tcp destination eq 3389

object network sqlserver

host 10.0.0.249

object network cb1

range 67.111.111.0 67.111.111.128

object network cb2

host 208.0.0.0

object network hw

host 67.111.111.11

object network inside_network_range

range 10.0.0.1 10.0.0.254

object network obj-10.0.0.0

subnet 10.0.0.0 255.255.255.0

object service all

service tcp source gt 1 destination gt 1

object network outsideip

host 55.000.000.00

access-list inside_access extended permit tcp any object cfserver eq www

access-list inside_access extended permit object all any object outsideip

access-list outside_access_in extended permit tcp object hostworks object cfserver eq www

access-list outside_access_in extended permit object rdc object hostworks object sqlserver

access-list outside_access_in extended permit object rdc object cb1 object sqlserver

access-list outside_access_in extended permit object rdc object cb2 object sqlserver

access-list capin extended permit icmp any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-712-102.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source dynamic inside_network_range interface

!

object network cfserver

nat (outside,inside) static cfserver service tcp www www

object network obj-10.0.0.0

nat (inside,outside) dynamic interface

access-group inside_access in interface inside

access-group outside_access_in in interface outside

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

vpdn group cl request dialout pppoe

vpdn group cl localname twistandshout@qwest.net

vpdn group cl ppp authentication pap

vpdn username twistandshout@qwest.net password ***** store-local

dhcpd address 10.0.0.130-10.0.0.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username zzzz password cz8RhoFEqvcRInDw encrypted privilege 15

username test password P4ttSyrm33SV8TYp encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:7099137a8240215dc330d5dabab8c131

: end

asdm image disk0:/asdm-712-102.bin

no asdm history enable

0 Helpful

cadet alain
VIP Alumni
VIP Alumni
In response to chad

‎08-13-2013 11:39 PM

Hi,

can you do this command and post the result:

packet-tracer input inside icmp 10.0.0.20 8 0 8.8.8.8 detailed

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card