09-21-2015 05:09 PM - edited 03-08-2019 01:53 AM
Hey all,
Not sure I am posting this in the right spot, so sorry if I'm not. New here. My problem is this, and I hope someone can provide me a solution because it's driving me crazy. I'm new to security but am trying to learn. I have an ASA 5510, V8.2(5). I want to connect my outside int to my Comcast modem, obviously using DHCP to avoid buying a static IP from them. I have set up my outside to IP address DHCP setroute and set up my inside. I set up PAT. But I get nothing. No route on my outside, though inside shows fine. No lights on my port on my outside, but inside is fine. Ping inside fine. Secondary question would be how to set up a default route to outside if I don't know the IP? Anyways, would love some help! I can provide my run config that I am using if needed. Thanks.
-Mike
09-22-2015 08:06 AM
"No lights on my port on my outside"
Do you have a light on the Comcast end?
Are you sure the interface is not disabled?
09-22-2015 09:46 AM
Hey all, thanks for responding! My Comcast modem does work. I hook it up to a dlink router with no issues. Maybe I just issue a renew IP a couple of times when connecting it to the dlink, but it always gets an IP.
When plugging into my outside and rebooting the modem, the modem looks the same as usual. I'm pretty sure the interface was not down. From what I remember, the interface shows as not admin down, but just not up, whereas my e0/1 (inside) is up up, static. I've tried moving ports to see if I had a bad one, but 0/3 does the same thing. I'm not at home atm, but when I get home I'll post more results of my show route, show int ip bri, and show run to give you all more info to work with. Thanks again!
09-22-2015 07:19 PM
So here is what I am looking at currently. Some of the stuff in my run config is just some options I have seen others use to get theirs to work, so if it's off I apologize, just trying whatever I can to see what takes.
show int ip bri
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES DHCP   down                  down
Ethernet0/1                172.16.10.1     YES CONFIG up                    up
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Management0/0              192.168.1.1     YES CONFIG down                  down
###-ASA(config)#
show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
C 172.16.0.0 255.255.0.0 is directly connected, inside
show run
: Saved
:
ASA Version 8.2(5)
!
hostname ####-ASA
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.0.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e6a1629a7d54bdf91b20fff6bdca9584
: end
Please let me know if I need to give any more info or try changing up anything. Thanks!
09-22-2015 10:34 PM
Your ethernet is not up. Can you play with the speed 100 and duplex-full settings on your ASA's ethernet 0/0 interface and see if your interface light starts coming on? Also, have you connected the ASA with a straight or an X-cable to your Comcast?
09-23-2015 04:09 AM
Thanks Dennis! I have changed from 10, 100, 1000 and auto. 1000 didn't light up. Here are my show int from 100 and 10 speeds. Thankfully, I do start getting lights on my interface. They last about a second or two, but it's better than before. I am using a straight cat5.
#####-ASA(config-if)# show int eth0/0
Interface Ethernet0/0 "outside", is down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex, 10 Mbps
        Input flow control is unsupported, output flow control is off
        MAC address 0018.73d6.b28e, MTU 1500
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        2 packets output, 1188 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 5 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/255)
        output queue (blocks free curr/low): hardware (255/255)
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        2 packets output, 1152 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
#####-ASA(config-if)# show int eth0/0
Interface Ethernet0/0 "outside", is down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex, 10 Mbps
        Input flow control is unsupported, output flow control is off
        MAC address 0018.73d6.b28e, MTU 1500
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        3 packets output, 1782 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 6 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/255)
        output queue (blocks free curr/low): hardware (255/255)
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        3 packets output, 1728 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  3 bytes/sec
      5 minute drop rate, 0 pkts/sec
#####-ASA(config-if)# speed 100
#####-ASA(config-if)# shut
#####-ASA(config-if)# no shut
#####-ASA(config-if)# show int eth0/0
Interface Ethernet0/0 "outside", is down, line protocol is down
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex, 100 Mbps
        Input flow control is unsupported, output flow control is off
        MAC address 0018.73d6.b28e, MTU 1500
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        5 packets output, 2970 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 8 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/255)
        output queue (blocks free curr/low): hardware (255/255)
  Traffic Statistics for "outside":
        0 packets input, 0 bytes
        5 packets output, 2880 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  9 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  3 bytes/sec
      5 minute drop rate, 0 pkts/sec
#####-ASA(config-if)#
09-23-2015 04:23 AM
Mike,
Try changing both speed and duplex to match your modem. The ASA supports auto mdix, but in order to fully disable you need to set both. I noticed that your duplex is still set to auto. Let's see what happens after you do that...
** Edit **
You may need to switch your cable after making this change though. Check the cable now to see if you have a straight through or crossover cable. If it's straight through, you may need a crossover after this change...
HTH,
John
09-23-2015 04:55 AM
Changed it to half and then tried full to see if anything changed. Good news is at least on both half and full, the interface is up up. Bad news is it still isn't getting an IP. I would think leaving it at full would be OK... interface info below:
show int eth0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Half-Duplex(Half-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 0018.73d6.b28e, MTU 1500
        IP address unassigned
        1876 packets input, 120064 bytes, 0 no buffer
        Received 1876 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        33 packets output, 19602 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 6 interface resets
        0 late collisions, 0 deferred
        174 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/254)
        output queue (blocks free curr/low): hardware (255/254)
  Traffic Statistics for "outside":
        1676 packets input, 77096 bytes
        33 packets output, 19008 bytes
        0 packets dropped
      1 minute input rate 9 pkts/sec,  427 bytes/sec
      1 minute output rate 0 pkts/sec,  86 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  81 bytes/sec
      5 minute output rate 0 pkts/sec,  26 bytes/sec
      5 minute drop rate, 0 pkts/sec
####-ASA(config-if)# show int eth0/0
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Half-Duplex(Half-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 0018.73d6.b28e, MTU 1500
        IP address unassigned
        2012 packets input, 128768 bytes, 0 no buffer
        Received 2012 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        36 packets output, 21384 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 6 interface resets
        0 late collisions, 0 deferred
        174 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/254)
        output queue (blocks free curr/low): hardware (255/254)
  Traffic Statistics for "outside":
        1812 packets input, 83352 bytes
        36 packets output, 20736 bytes
        0 packets dropped
      1 minute input rate 9 pkts/sec,  427 bytes/sec
      1 minute output rate 0 pkts/sec,  86 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  81 bytes/sec
      5 minute output rate 0 pkts/sec,  26 bytes/sec
      5 minute drop rate, 0 pkts/sec
show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
Interface Ethernet0/0 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 0018.73d6.b28e, MTU 1500
        IP address unassigned
        2386 packets input, 152704 bytes, 0 no buffer
        Received 2386 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        0 L2 decode drops
        45 packets output, 26730 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 8 interface resets
        0 late collisions, 0 deferred
        186 input reset drops, 0 output reset drops, 0 tx hangs
        input queue (blocks free curr/low): hardware (255/254)
        output queue (blocks free curr/low): hardware (255/254)
  Traffic Statistics for "outside":
        2164 packets input, 99544 bytes
        45 packets output, 25920 bytes
        0 packets dropped
      1 minute input rate 7 pkts/sec,  327 bytes/sec
      1 minute output rate 0 pkts/sec,  86 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 1 pkts/sec,  81 bytes/sec
      5 minute output rate 0 pkts/sec,  26 bytes/sec
      5 minute drop rate, 0 pkts/sec
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES DHCP   up                    up
Ethernet0/1                172.16.10.1     YES CONFIG down                  down
Ethernet0/2                unassigned      YES unset  administratively down down
Ethernet0/3                unassigned      YES unset  administratively down down
Management0/0              192.168.1.1     YES CONFIG down                  down
09-23-2015 06:43 AM
Mike,
Leave it at full... you don't want half duplex. So, the next thing is to find out if this is a PPPoE account. If it is, you'll need to configure a PPPoE client on the ASA. You could probably look through your dlink to see if you can find any login information to the provider. If that's the case, you'll need to configure a vpdn client with your username and password to log into the ISP.
HTH,
John
09-23-2015 07:10 AM
John,
It is a DHCP account. I have never had to enter any pppoe info. Thanks.
09-23-2015 08:10 AM
The next thing to try would be to disconnect your ASA from the modem for at least 30 minutes. Don't have anything connected to the Comcast modem. Cable providers sometimes hold MAC addresses in their table and they're only assigning the IP address to the first MAC address that they see. That may explain why the dlink works. If you disconnect for 30 minutes, it should clear out on their side, but that also means you need to be disconnected from the internet completely and have nothing connected to the modem...
09-23-2015 07:11 PM
Thanks John, that was it! And thank you everyone for your help! I facepalm my stupidity for not checking the port speed and duplex, but lesson learned and maybe someone else can get help from all this too. Thanks again! Now to have some fun with all the other configs!
09-23-2015 07:13 PM
Thanks for the rating! Glad to hear it all worked out in the end!
John
09-22-2015 08:07 AM
Mike,
Welcome to the forums! Can you post the wan interface (xxxx the address) config? The first step would be to get that part to function before worrying about the inside stuff. If you're not getting a link light though, you may want to make sure that the interface isn't shut. The default route would come from your "setroute" command on the interface. You wouldn't need to statically assign it if it's going to learn it from dhcp.
HTH,
John
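
An added example, not part of the original thread or any poster's code: a small Python triage of ASA `show interface` output that separates the two failure stages seen in this thread (no link until speed and duplex are set, then link up but no DHCP lease). The names `parse` and `triage` and the stage labels are assumptions; the two samples are trimmed from the outputs posted above.

```python
import re

# Samples trimmed from the 'show int eth0/0' outputs posted in this thread.
DOWN = '''Interface Ethernet0/0 "outside", is down, line protocol is down
        Auto-Duplex, 100 Mbps
        IP address unassigned
        0 packets input, 0 bytes, 0 no buffer
        5 packets output, 2970 bytes, 0 underruns
        0 output errors, 0 collisions, 8 interface resets
'''
UP_NO_LEASE = '''Interface Ethernet0/0 "outside", is up, line protocol is up
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        IP address unassigned
        2386 packets input, 152704 bytes, 0 no buffer
        45 packets output, 26730 bytes, 0 underruns
        0 output errors, 0 collisions, 8 interface resets
'''

def parse(text):
    """Pull the fields that matter for link/DHCP triage out of 'show interface'."""
    m = re.search(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\w+)', text, re.M)
    if not m:
        raise ValueError("not ASA 'show interface' output")
    def num(pattern):
        hit = re.search(pattern, text)
        return int(hit.group(1)) if hit else 0
    ip = re.search(r'IP address (\S+)', text)
    return {
        "port": m.group(1), "nameif": m.group(2),
        "link": m.group(3), "protocol": m.group(4),
        "auto_duplex": "Auto-Duplex" in text,
        "ip": ip.group(1).rstrip(",") if ip else "unassigned",
        "rx": num(r'(\d+) packets input'),
        "tx": num(r'(\d+) packets output'),
        "resets": num(r'(\d+) interface resets'),
    }

def triage(text):
    """Return a stage label (assumed wording) for the first problem found."""
    f = parse(text)
    if f["link"] == "administratively down":
        return "admin-down: issue 'no shutdown' on the interface"
    if f["link"] != "up" or f["protocol"] != "up":
        hint = " (duplex still auto; set speed and duplex)" if f["auto_duplex"] else ""
        return "layer1: no link; check cable, speed and duplex" + hint
    if f["ip"] == "unassigned":
        if f["rx"] > 0 and f["tx"] > 0:
            return "dhcp: link is fine and frames flow both ways, but no lease; look upstream (modem MAC table)"
        return "dhcp: link up but traffic is one-way or absent"
    return "ok: address " + f["ip"]
```
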