986 Views · 30 Helpful · 16 Replies

Trouble with ASA5505 behind 871

miketranosky
Level 1

Hello everyone,

I am having a little trouble with routing and looking for some help or guidance.  My setup is my ISP (Cable) comes into my Motorola SB modem --> goes to my Cisco 871 FastEthernet4 --> out of the FastEthernet1 (plans to eventually move to FastEthernet0) of the 871 --> into the ASA 5505 Ethernet 0 (outside interface) --> out of the ASA 5505 Ethernet 1 --> into my LAN (DHCP configured for the 10.10.10.0 network.)

 

The problem that I am running into is that I am unable to ping through my ASA while connected to my inside interface.  I am, however, able to ping from the console of the ASA to the outside, just not from an inside-connected PC.  Likewise, I am unable to browse or reach the Internet in any way (I wanted to rule out ICMP as being the only protocol blocked.)

 

I currently have a DHCP pool (10.10.10.0) set up on my 871, because the ASA5505 was added after the fact.  Eventually I would like to hand out most if not all DHCP addresses from the ASA, but I left the conflicting DHCP pool in place on the router until I get routing through the ASA figured out (I have an access point and some other devices hanging off of that which are Internet-accessible.)

 

My outside interface (FA4) on the 871 is set up for DHCP.  Inside (FA1) is set up for VLAN5, which is configured with another internal address of 192.168.1.1.  On the ASA, my outside (Ethernet0) interface is set up with an IP address of 192.168.1.2 and my inside (Ethernet 1) interface (plan to have the remaining Ethernet ports hand out DHCP addresses as well if possible) is set up for the DHCP network 10.10.10.0.

 

I know I could eliminate the 871 and do all of the routing on the ASA, but that would take the fun out of learning :) Plus, I would like to eventually do some ingress/egress filtering on the edge router.  You'll notice I'm forwarding 32400 for my Plex server as well on the 871, plus I will have to open a few other ports for other applications that require access to the web.

Below is my 871 config: 

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
enable secret 5 $1$l6em$U/xDm4Ls6932u5AVPvbYU/
!
no aaa new-model
clock timezone est -5
clock summer-time EDT recurring
crypto pki token default removal timeout 0
!
!         
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.10.101 10.10.10.255
!
ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 208.67.222.222 208.67.220.220 
!
!
ip cef
ip domain name lab.local
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username cisco privilege 15 secret 5 $1$eFJE$P3EoqEUbHIAqH5vXe.bFZ/
!         
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 5
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!         
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan5
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
no ip http secure-server
!
!         
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.10 32400 interface FastEthernet4 32400
ip nat inside source static udp 10.10.10.10 32400 interface FastEthernet4 32400
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 30 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
end  

And this is my ASA5505 config: 

asa# sh run
: Saved
:
ASA Version 8.2(2) 
!
hostname asa
enable password aaM6CM7NHIUNxhXl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan5
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0 
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 5
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 10.10.10.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 10.10.10.11-10.10.10.42 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 2Y5LXjCiT.j9NH6j encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:e2a74d4bee8105a6f33d77afe97d03c7
: end

Any help or guidance with my config would be greatly appreciated.

I think my problems lie within the ASA config, but maybe I am overlooking something on the 871 too? 

Thank you everyone,
Mike T. 

16 Replies

Mike

No problem.

Glad to hear it's all working now and thanks for getting back to me and letting me know.

By all means come back if you need any more help.

Jon

Mike

So, relatively briefly, the ASA is stateful, which means it keeps track of connections going through it.

When it first sees a packet for a new connection it records the source and destination IP addresses and port numbers and with TCP it also records the SYN, SYN-ACK, ACK, FIN flags in the packets.

The important thing to bear in mind is where the connection was initiated from ie. from a client on the inside or from a device on the outside.

Each interface on the ASA has a security level and the rules are -

1) traffic that is initiated from a higher security level to a lower security level is allowed by default eg. from inside to outside on your ASA.

2) traffic that is initiated from a lower security level to a higher security level is denied eg. from outside to inside on your ASA.

NAT also comes into it as you have seen but with no nat-control your inside clients are by default allowed to access any device on the outside of the ASA eg. the internet in your example.

The stateful part is that once the ASA has allowed the original packet through, because it has recorded it in the state table, the return traffic is allowed back in.

This happens whether you have no acl applied inbound on the outside interface or whether you do. If you do, the acl is not applied to the return traffic.

Outside to inside is different. With no acl applied any traffic initiated from the outside to the inside is denied. So in order to allow outside devices to connect to inside devices you need an acl which is what you have added for your Plex server.

And once you have allowed it the stateful part still applies ie. it records the information and so return traffic is allowed with no checks on acls etc.

In terms of NAT, and where I misled you before, if you enable "no nat-control" this is for inside to outside but not outside to inside ie. you still need a NAT statement for that traffic.

Again there are general rules with NAT but put simply to go from inside to outside you can use dynamic NAT/PAT (if you use nat-control) which means the translations are setup dynamically as needed.

For outside to inside you cannot use dynamic translations, you need a permanent translation and this is why you have to use a static NAT translation on your ASA (you can also use a NAT exemption but I don't want to complicate the issue).

So it all depends on where the traffic was initiated from in relation to the ASA's interfaces as to what you need or don't need, both in terms of acls and NAT.

One final point. The ASA is a stateful firewall, but it can also do more than just record IPs, ports etc. for a certain number of applications eg. http. Here it can look a bit deeper into the packet to check certain things, but only for a limited set of applications, not all TCP/UDP.

Hope some of that has helped and if you have any queries etc. please feel free to come back.

Jon
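Editor's note: the following is an added worked example, not code or output from the thread, the ASA or Cisco. It is a toy Python model of the three rules Jon lays out above (higher-to-lower initiation allowed by default, lower-to-higher initiation denied unless an inbound ACL on the outside interface permits it and a permanent translation exists, and a connection table that admits return traffic without re-checking ACLs). It uses the thread's own addresses (the 10.10.10.0/24 inside network, the identity static for 10.10.10.10 and the Plex port 32400); the outside client addresses 198.51.100.7 and 203.0.113.5 are constructed sample values from the documentation ranges. The model deliberately ignores the TCP flag tracking, timeouts and application inspection Jon mentions, and "no nat-control" is assumed so inside-to-outside traffic needs no translation.

```python
# Added illustration of ASA stateful-inspection rules as described in the thread.
# Not ASA code or output; the ToyASA class and its method names are invented here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def flow(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_flow(self):
        # The 5-tuple a reply to this packet would carry.
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class ToyASA:
    """Two-interface model: outside (security-level 0) and inside (100)."""

    def __init__(self):
        self.levels = {"outside": 0, "inside": 100}
        # Inbound ACL on the outside interface: permitted (proto, dst_ip, dst_port).
        self.outside_acl = []
        # static (inside,outside): real inside address -> address seen on the outside.
        self.static_nat = {}
        # Connection table: flows the ASA has already allowed through.
        self.conns = set()

    def permit_inbound(self, proto, dst_ip, dst_port):
        self.outside_acl.append((proto, dst_ip, dst_port))

    def add_static(self, real_ip, mapped_ip):
        self.static_nat[real_ip] = mapped_ip

    def process(self, pkt, ingress):
        """Return (allowed, reason) for a packet arriving on interface `ingress`."""
        egress = "inside" if ingress == "outside" else "outside"
        # Rule A: return traffic of a recorded connection is admitted, no ACL check.
        if pkt.reverse_flow() in self.conns:
            return True, "return traffic of an existing connection"
        # Rule B: initiation from higher to lower security level is allowed
        # by default and the new connection is recorded.
        if self.levels[ingress] > self.levels[egress]:
            self.conns.add(pkt.flow())
            return True, "initiated from higher to lower security level"
        # Rule C: initiation from lower to higher needs an inbound ACL permit
        # and a permanent (static) translation for the destination.
        if (pkt.proto, pkt.dst_ip, pkt.dst_port) not in self.outside_acl:
            return False, "no inbound acl permit on outside"
        if pkt.dst_ip not in self.static_nat.values():
            return False, "no static translation for destination"
        self.conns.add(pkt.flow())
        return True, "permitted by acl and static translation"


def demo():
    """Replays the thread's scenario and returns each verdict keyed by name."""
    asa = ToyASA()
    # Identity static from the poster's config: 10.10.10.10 keeps its address outside.
    asa.add_static("10.10.10.10", "10.10.10.10")
    # The Plex permit the poster added for the 871's port 32400 forward.
    asa.permit_inbound("tcp", "10.10.10.10", 32400)
    client = "198.51.100.7"  # constructed outside host

    results = {}
    out = Packet("tcp", "10.10.10.25", 51000, client, 80)
    results["inside_to_web"] = asa.process(out, "inside")
    results["web_reply"] = asa.process(Packet("tcp", client, 80, "10.10.10.25", 51000), "outside")
    results["unsolicited_ssh"] = asa.process(Packet("tcp", client, 40000, "10.10.10.25", 22), "outside")
    results["plex"] = asa.process(Packet("tcp", client, 40001, "10.10.10.10", 32400), "outside")
    results["plex_reply"] = asa.process(Packet("tcp", "10.10.10.10", 32400, client, 40001), "inside")
    return results


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:16s} {'ALLOW' if allowed else 'DENY ':5s} {why}")
```

Running the block prints one verdict per packet: the outbound web request and its reply pass (rules B then A), the unsolicited SSH attempt from outside is dropped for lack of an ACL permit, and the Plex connection passes only because both the permit and the static are present. Removing the `add_static` line makes the Plex packet fail with "no static translation for destination", which is the point Jon corrects himself on: "no nat-control" relaxes inside-to-outside only.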
