Configuring ASA-5506X for use with Cable Modem

Joshua Smick
Level 1

I recently obtained an ASA-5506X for my home lab.  I don't have a lot of firewall experience, and I'm trying to connect out to the internet using the ASA.  The ASA is directly connected to a cable modem, and a 2901 router on the inside.  The ASA can ping out to the internet, and the router (and the rest of the LAN) can ping the firewall, but cannot get out to the internet.  This is the configuration I'm using:

: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (any,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

What am I doing wrong?  

5 Replies

Perhaps it's just wrong testing. Did you test anything other than PING?

For using PING, you have to enable icmp-inspection:

policy-map global_policy
 class inspection_default
  inspect icmp

Hmmm, that didn't work.  Could it be something on the router?  

You tell us that the router and the LAN can ping the ASA but you do not tell us whether they are pinging the ASA inside interface or outside interface. My guess is that they are pinging the inside interface (which is an address in their subnet) and that if they attempt to ping the outside interface that it would fail. This leads me to guess that the router does not have a default route with the firewall as the next hop.

HTH

Rick

I am able to ping the inside interface.  The outside interface is going to a cable modem on the ASA.  I am able to ping the outside interface on the router as well, but I can't ping anything past that.  

I have the following route to the firewall:

ip route 0.0.0.0 0.0.0.0 192.168.0.1

Your topology is the following?

Internet ----- ASA ----- c2901 ----- LAN

Then the ASA needs a route to your inside LAN:

route inside NET MASK NEXT-HOP

Where NET/MASK is your internal LAN and NEXT-HOP is the IP of the c2901 in the 192.168.0.0 network.
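The two routing points raised in this thread (the router's default route toward the ASA, and the ASA's missing route back to the LAN behind the c2901) can be checked with a small longest-prefix-match model of both devices. The script below is an added example and is not from the original thread or from Cisco; it models the route lookups a device performs when choosing an egress interface, so the reply direction of a LAN-to-Internet flow can be inspected before and after the static route is added. The LAN subnet 10.10.10.0/24, the router's inside-facing address 192.168.0.2, the router interface names and the cable-modem subnet 203.0.113.0/24 are constructed placeholders; 192.168.0.0/24 on the ASA inside interface, the `dhcp setroute` default route and the router's `ip route 0.0.0.0 0.0.0.0 192.168.0.1` come from the thread.

```python
import ipaddress


class RouteTable:
    """Minimal longest-prefix-match routing table for one device."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # entries of (network, egress interface, next hop or None)

    def add(self, network, interface, next_hop=None):
        self.routes.append((ipaddress.ip_network(network), interface, next_hop))

    def lookup(self, address):
        """Return (network, interface, next_hop) of the most specific match, or None."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)


def build_tables():
    """Routing tables as implied by the thread. Router interface names, the
    10.10.10.0/24 LAN and the 203.0.113.0/24 outside subnet are constructed."""
    router = RouteTable("c2901")
    router.add("192.168.0.0/24", "GigabitEthernet0/0")             # link to ASA inside
    router.add("10.10.10.0/24", "GigabitEthernet0/1")              # constructed LAN behind the router
    router.add("0.0.0.0/0", "GigabitEthernet0/0", "192.168.0.1")   # ip route 0.0.0.0 0.0.0.0 192.168.0.1

    asa = RouteTable("ASA")
    asa.add("192.168.0.0/24", "inside")                            # connected, from the posted config
    asa.add("203.0.113.0/24", "outside")                           # constructed cable-modem subnet
    asa.add("0.0.0.0/0", "outside", "203.0.113.1")                 # default route from 'dhcp setroute'
    return router, asa


def trace(router, asa, src, dst):
    """Follow one packet LAN -> Internet, then look up the reply to src on the ASA.
    The reply interface must be 'inside' for the flow to work; a default-route
    match means the ASA has no route back to the LAN."""
    forward = [router.lookup(dst)[1], asa.lookup(dst)[1]]
    reply = asa.lookup(src)
    return {"forward": forward, "reply_iface": reply[1], "reply_next_hop": reply[2]}


def asa_route_command(network, next_hop):
    """Render the fix from the thread: route inside NET MASK NEXT-HOP."""
    net = ipaddress.ip_network(network)
    return f"route inside {net.network_address} {net.netmask} {next_hop}"


if __name__ == "__main__":
    router, asa = build_tables()
    before = trace(router, asa, "10.10.10.20", "8.8.8.8")
    print("before:", before)   # reply_iface is 'outside': no route back to the LAN
    asa.add("10.10.10.0/24", "inside", "192.168.0.2")   # the static route, constructed next hop
    after = trace(router, asa, "10.10.10.20", "8.8.8.8")
    print("after:", after)     # reply_iface is 'inside' via 192.168.0.2
    print(asa_route_command("10.10.10.0/24", "192.168.0.2"))
```

The forward path is fine in both runs, which is why the router itself can reach the ASA; it is the reply lookup that changes from the default route on `outside` to the static route on `inside`, and `asa_route_command` prints the exact line to enter on the ASA for the constructed values.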