Solved: Router config from ASA 5505

NickAgr68 · ‎05-19-2016

Hey everyone,

I'm new to Cisco and trying to figure out how I can get my routers to give internet to my switches from my ASA 5505.

My current topology looks like this: Modem - ASA 5505 - Cisco 1841 - Cisco 2950 - end device

I can get internet access if I plug my computer into the back up my ASA 5505, however, I have three modems that I wanted to set up with different networks for my lab. I have three routers and three switches that i'm looking to run in this fashion if possible.

Any help would be greatly appreciated! Thanks

My current config of my ASA 5505 is:

ASA Version 9.2(3)4
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 11.0.0.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa923-4-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Permit_Lan_IP
subnet 11.0.0.0 255.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
object network Permit_Lan_IP
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 4.2.2.2
dhcpd auto_config outside
!
dhcpd address 11.0.0.2-11.0.0.32 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:00da601d0bc1cd8dcba55920136d59ca
: end

The config of my router is:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.2
ip dhcp excluded-address 192.168.0.1 192.168.0.3
!
ip dhcp pool DATA
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 4.2.2.2
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FCZ1438C0Y9
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
interface Serial0/1/0
no ip address
shutdown
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Tim Y · ‎05-23-2016

Did you leave out any configs from the ASA? I don't see any inspection policies and just wondering if it's just because you don't have any or if you left it out. If you did leave anything out, can you post the entire config? If you have an access list configured on the inside interface I'd like to ensure no traffic is being blocked.

A couple configuration changes I would recommend just to rule things out:

ASA

object network obj_any
no nat (inside,outside) dynamic interface
object network Permit_Lan_IP
no nat (inside,outside) dynamic interface

nat (inside,outside) source dynamic any interface

Router

no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

ip route 0.0.0.0 0.0.0.0 dhcp

Apply these configurations and test. Show me the results of show ip route on the router before the change and after.

Regards,

Tim

View solution in original post

Tim Y · ‎05-19-2016

Hi,

At first glance it looks like it should work. Have you done any troubleshooting? When your computer is connected to the switch, can your computer ping 11.0.0.1?

Regards,

Tim

NickAgr68 · ‎05-23-2016

Hi Tim, thanks for the help here.

When I ping the IP of 11.0.0.1, I get destination host unreachable. It does that with every IP I attempt to ping though because I am not connected to the internet when attempting to troubleshoot (until I go on wifi that is).

It has to be how the router is configured because if I am connected to the ASA 5505, I can get internet no problem from the switch. If you look at my router configs, does that look to be an issue with the network and using DHCP both there and on the ASA 5505?

I've been doing a lot of reading over the past few days but still stuck in the same spot.

Thanks!

Tim Y · ‎05-23-2016

Hi,

Can you do a "show ip int brief" on the router and confirm you have received an IP address from the ASA? You should get a 11.0.0.X address on fa0/0.

If you have that, then attempt to ping again except to be sure, ping from the source IP of 11.0.0.X (whatever your router got). "ping 11.0.0.1 source 11.0.0.X" or from source int fa0/0. This a ping from the router to the ASA.

You should be able to ping the ASA from the router on that segment because they're on the same subnet. If not, check the ARP table on the router (show arp) to confirm you can see 11.0.0.1 and the corresponding MAC address. If you can't see that, then you don't even have basic connectivity.

Check your speed/duplex settings
Check that you're using a straight through cable
You may have to use a sub interface on the router with dot1q enabled, or the firewall won't hand your router an IP in the first place or allow communication. I wouldn't think this offhand, but throwing it out there as a possibility.

If all that is fine, then try to ping 8.8.8.8 from the fa0/0 source interface again on the router. If that fails, then we troubleshoot the firewall.

If not, just go through those troubleshooting steps and let me know the results.

Regards,

Tim

NickAgr68 · ‎05-23-2016

Hey Tim,

ok so everything worked up until that last part where I tired to ping 8.8.8.8 and then it failed, which like you mentioned, it could be the firewall.

So from here, what would you suggest for the firewall?

Thank you very much again for your help!

Tim Y · ‎05-23-2016

Did you leave out any configs from the ASA? I don't see any inspection policies and just wondering if it's just because you don't have any or if you left it out. If you did leave anything out, can you post the entire config? If you have an access list configured on the inside interface I'd like to ensure no traffic is being blocked.

A couple configuration changes I would recommend just to rule things out:

ASA

object network obj_any
no nat (inside,outside) dynamic interface
object network Permit_Lan_IP
no nat (inside,outside) dynamic interface

nat (inside,outside) source dynamic any interface

Router

no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

ip route 0.0.0.0 0.0.0.0 dhcp

Apply these configurations and test. Show me the results of show ip route on the router before the change and after.

Regards,

Tim

NickAgr68 · ‎05-23-2016

Hey Tim,

Thank you so much for the help. This got it taken care of for me and it's now running great! I appreciate the help

Tim Y · ‎05-23-2016

Hi there,

To clarify, the problem was your route. When you use an interface as the next-hop in a static route, the router is expecting the destination addresses to be directly connected to that interface and attempt to find them via ARP. Since they're not, there is no ARP response which is why you saw "Destination host unreachable".

We fixed the problem by changing the route to use an IP address, which instructs the router to ARP for the L2 address of that IP address (which it can get).

Hope this helps.

Regards,

Tim

ncsteven36@aol.com · ‎03-06-2019

Hello!

I am using Cisco packet tracer and I am having trouble pinging from switch and from the router to my CIsco 5505 ASA. Could you possibly help me?