ASA 5505 Help

swashbuckler
Level 1

I am pretty much stuck on this and fairly new. I hope somebody can help and thanks in advance.

I have an ASA 5505 behind my 10.0.0.1 modem, using a network of 192.168.1.0.

From the ASA, I can ping the modem 10.0.0.1, I also can ping the provider's DNS server.

I have a laptop connected directly to the ASA (port 1) but from the laptop I cannot get out. I can't ping the modem 10.0.0.1.

I have looked it over and over, but I am missing something.

My attached ASA config:

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.199.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

10 Replies

mahesh18
Level 6

Hi Gailey,

What's the IP address your laptop has and what's the gateway of the laptop?

Did you define a DHCP pool on the ASA?

Regards

Mahesh

ipconfig of laptop is 169.254.29.218.

Not sure if I defined the DHCP pool on the ASA.

Do you know the proper syntax?

Thanks in advance.

Hi,

169.254.x.x is an APIPA address, which is used when the client can't get an IP from a DHCP server.

I explained how to set the DHCP server on ASA in my previous post.

Regards

Alain

Don't forget to rate helpful posts.


cadet alain
VIP Alumni

Hi,

You need to inspect ICMP (it is not by default) because otherwise the return traffic will get dropped on the outside interface.

You can do this with the fixup protocol icmp command.

Also make sure your default gateway on the PC is the ASA inside interface. You can make your ASA a DHCP server for inside hosts:

dhcpd enable inside

dhcpd address 192.168.1.2-192.168.1.254

dhcpd dns x.x.x.x

Regards

Alain

Don't forget to rate helpful posts.


So I would tie that to the outside interface?

command:

dhcpd address 192.168.1.2-192.168.1.254 outside

Thanks

Hi,

No, just do what I posted and then renew your IP with ipconfig/renew and you should have a correct IP with the correct default gateway.

Don't forget to inspect ICMP if you want your ping to work, but otherwise TCP and UDP will work correctly.

Regards

Alain

Don't forget to rate helpful posts.


I did do that command under ASA(config)# dhcpd address 192.168.1.2-192.168.1.254 and I got incomplete command.

Thanks

I changed the command to the inside interface and it worked.

Looks like I am getting closer.

I can now ping the modem 10.0.0.1 and the provider's DNS server 75.75.75.75 but I cannot access the internet.

The dhcpd dns x.x.x.x command, should that be dhcpd dns (ASA)hostname or dhcpd dns 75.75.75.75 (provider)?

Thanks

Hi Gailey,

You need to add the command dhcpd dns 75.75.75.75.

Regards

Mahesh

That's what I thought, it all works now.

Thanks for both your help.
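
The fixes this thread arrives at, collected in one place as an added example (not part of any participant's post). It assumes the ASA's default `global_policy` policy map and `inspection_default` class are still present, since the posted configuration is cut off before that section. Inspecting ICMP lets replies to pings started from the inside return statefully, without an access list permitting ICMP on the outside interface.

```cisco
! Added example: entered from global configuration mode (ASA(config)#).
!
! DHCP server for hosts behind the inside interface (Vlan1, 192.168.1.1/24).
! The interface name is a required argument on the address and enable lines;
! leaving it off is what produced the "incomplete command" error in the thread.
dhcpd address 192.168.1.2-192.168.1.254 inside
! Hand clients a resolver they can reach; the thread uses the provider's.
dhcpd dns 75.75.75.75
dhcpd enable inside
!
! ICMP inspection, so echo replies to inside-initiated pings are matched to
! the outgoing request and allowed back in on the outside interface.
! Assumption: global_policy / inspection_default are the factory defaults.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! To confirm afterwards, from privileged EXEC:
!   show dhcpd binding      (the laptop should hold a 192.168.1.x lease)
!   show service-policy     (the ICMP inspection counters should increase)
```

On the laptop, `ipconfig/renew` then replaces the 169.254.x.x address with a lease from this pool, with the ASA inside interface as default gateway.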
