10-11-2010 07:24 AM
Hi guys,
I'm kinda new to this type of system setup for a small business. I'm helping my dad out to set one up, but I'm not sure if I'm doing it correctly. The way I have it hooked up is like this.
T1 => Linksys E1000 (DMZed to ASA 5505) => ASA 5505 => Switch => (10 computers in the network)
So far, I did the basic setup on the ASA 5505, and its network is working fine; all the computers can access the internet. But where I am stuck is, I am unable to ping the ASA 5505 externally (from the public IP). I already added ICMP echo-reply to the security policy.
Also, when I set up the VPN, it doesn't work; the client PCs are unable to communicate with the ASA 5505. Seems like the router DMZ isn't working.
Do I need a different router? Or do I need to configure some items on the ASA 5505?
Any help would be appreciated!
10-11-2010 07:34 AM
Jarrod,
ASA has a great packet capturing capability:
"Create a new capture filter."
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807c35e7.shtml
You can capture traffic going to it etc.
In the case of VPN you need to capture all traffic on UDP/500 going to the ASA's outside interface:
access-list CAPT permit udp any host IP_ADDRESS eq 500
access-list CAPT permit udp host IP_ADDRESS eq 500 any
capture CAPOUT interface outside access-list CAPT
Just substitute the IP_ADDRESS and maybe the interface name.
If you mean that you cannot ping from the "inside" network your ASA's "outside" IP address - it's expected and a known limitation.
What you're seeing might be due to the way Linksys implements "dmz".
Marcin
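The capture workflow from the post above carried through end to end, as an added example (not Marcin's commands or Cisco's documentation). It assumes the outside interface is named "outside" and uses the documentation placeholder 203.0.113.10 for the ASA's public address. It goes a little beyond the post: it also captures UDP/4500 (IPsec NAT-T, which the VPN client will switch to once it notices the Linksys is doing NAT) and ICMP to the same address, so the "can't ping the public IP" question can be checked with the same capture.

```cisco
! Constructed example, not the original post's commands.
! 203.0.113.10 is a placeholder for the ASA's outside address; substitute your own.
! Match IKE (UDP/500) and IPsec NAT-T (UDP/4500) in both directions, plus ICMP.
access-list CAPT extended permit udp any host 203.0.113.10 eq 500
access-list CAPT extended permit udp host 203.0.113.10 eq 500 any
access-list CAPT extended permit udp any host 203.0.113.10 eq 4500
access-list CAPT extended permit udp host 203.0.113.10 eq 4500 any
access-list CAPT extended permit icmp any host 203.0.113.10
access-list CAPT extended permit icmp host 203.0.113.10 any
!
! Bind the filter to the outside interface; the capture starts immediately.
capture CAPOUT interface outside access-list CAPT
!
! Now start the VPN client (or ping the public IP) and look at what arrived.
! If the client's packets never show up, the Linksys is not forwarding them
! to the ASA; if they show up but no reply leaves, the problem is on the ASA.
show capture CAPOUT
!
! Stop and remove the capture when finished so it stops consuming memory.
no capture CAPOUT
```

The capture buffer can also be pulled off the box as a pcap through the ASA's HTTPS server (the /admin/capture/CAPOUT/pcap URL) and opened in Wireshark, which is easier to read than the on-box summary when there is a lot of traffic.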
10-11-2010 07:45 AM
Thanks Marcin for replying,
I will give it a try and see what traffic the ASA is getting.
As for pinging, I am unable to ping the static IP I assigned to the Linksys (74.82.104.xxx). I ended up buying a WRVS4400n so I can set up the VPN with no problems. Just that its limitation is 5 clients. Although, I am able to ping the WRVS and VPN into it.
But then again, everything on the WRVS is dummied down and simplified, lol.
Any recommendations for a router/modem I can use with the ASA?
10-11-2010 08:30 AM
Jarrod,
Well I can't make any recommendations regarding brands...
Usually you'd have the ASA itself terminating the circuit from the ISP, at least in a small environment.
If that's not a possibility... Well, I'd look for a device which can do bridging and for sure does not have any transport-and-above layer functions. A layer two bridge with the public IP address being assigned directly to the ASA would be THE choice in my opinion.
Marcin
10-11-2010 08:47 AM
This is a long shot, but just thought I'd ask anyways.
Is it possible for me to plug the ASA into my T1 box and then assign a public IP on the ASA? Or is the ASA strictly a firewall/VPN?
10-11-2010 08:51 AM
Hi Jarrod,
Yes, this should be possible. You would need to adjust the default route to point to the next hop at the outside interface of the ASA.
Cheers,
Rudresh V
10-11-2010 08:52 AM
Jarrod,
If your ISP is not providing a RJ45 Ethernet I would say no go.
ASAs can only work on Ethernet, fibre or UTP.
Marcin
10-11-2010 08:58 AM
Actually, the T1 box has 3 RJ45 outputs.
One is being used for the Linksys E1000, then on to the ASA.
When I went over the ASA configuration, it only allows me to set a static IP and subnet; it doesn't ask for a gateway, which I assume means it wouldn't work in the first place.
10-11-2010 11:12 AM
Jarrod,
If it's Ethernet, just plug your ASA directly into the ISP.
You configure the ASA by setting a default route towards the outside:
route outside 0.0.0.0 0.0.0.0 GATEWAY_IP
OR, if your ISP is doing DHCP:
under interface config
ip address dhcp setroute
Marcin
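The two variants Marcin describes (static address plus default route, or DHCP with setroute) written out as a complete outside-interface configuration, as an added example that is not from the post. It assumes an ASA 5505, where the outside interface is the Vlan2 interface by default, and uses RFC 5737 placeholder addresses; the ISP supplies the real address, mask and gateway. It also shows the icmp command, which is the setting that governs pings to the ASA's own interface (as opposed to the interface ACL, which governs traffic passing through it).

```cisco
! Constructed example of the "ASA directly on the T1 Ethernet handoff" setup.
! 203.0.113.0/29 is a placeholder block; use the addresses the ISP assigned.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! Static case: default route via the ISP gateway on the outside interface.
route outside 0.0.0.0 0.0.0.0 203.0.113.9
!
! DHCP case instead (do not combine with the static address above):
! interface Vlan2
!  ip address dhcp setroute
!
! Allow the outside interface itself to answer echo requests. With no icmp
! rules at all the ASA already answers, but once any icmp rule exists for the
! interface, only what is listed is allowed, so state it explicitly and limit
! it to echo rather than permitting every ICMP type.
icmp permit any echo outside
!
! Verify: the default route should appear, the interface should be up with
! the expected address, and the ISP gateway should be reachable.
show route
show interface Vlan2
ping 203.0.113.9
```

With the public address on the ASA itself there is no second NAT device in front of it, so the IKE and IPsec packets from the remote-access client reach the outside interface directly and no "DMZ" forwarding on a consumer router is involved.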
10-11-2010 11:15 AM
Thanks for all the replies!
Will try this later tonight and post my results!
Much appreciated!
10-14-2010 09:06 PM
I got it set up and it's running great.
I have both ASA 5505s VPN'ed site to site, but there is a slight problem. Now that I have them on a VPN, I can't ping each other's sites or network the drive. Are there any security settings I have to set to allow these and specific ports?
Thanks again!
10-14-2010 11:00 PM
Hey Jarrod,
You might want to check whether the traffic flowing across the tunnel is being exempted from NAT. This should be checked on both ASAs.
Divya
10-15-2010 02:41 AM
As Divya said, check that out.
If in doubt, post configs from both sides and we'll have a look.
Marcin
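The NAT exemption Divya and Marcin refer to, written out for both ASA software generations as an added example (not from either post). It assumes this ASA fronts a Site A LAN of 192.168.1.0/24, the far ASA fronts 192.168.2.0/24, and the far peer's public address is the placeholder 203.0.113.20; the mirror image (the two networks swapped) goes on the Site B ASA. Without this, LAN-to-LAN traffic is PAT'd to the outside address before the crypto map sees it, never matches the tunnel's interesting-traffic ACL, and leaves in the clear toward the internet instead of through the tunnel.

```cisco
! Constructed example: NAT exemption for site-to-site traffic.
! Site A LAN 192.168.1.0/24 behind this ASA, Site B LAN 192.168.2.0/24 across
! the tunnel. Apply the mirror image on the Site B ASA.
!
! --- ASA software 8.2 and earlier ---
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! --- ASA software 8.3 and later (object-based NAT) ---
object network SITE_A_LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE_B_LAN
 subnet 192.168.2.0 255.255.255.0
! Identity twice-NAT: when A talks to B, leave both addresses unchanged so the
! packet still matches the crypto ACL. Manual NAT is evaluated before the
! object (auto) NAT rules, so this wins over the usual inside-to-outside PAT.
nat (inside,outside) source static SITE_A_LAN SITE_A_LAN destination static SITE_B_LAN SITE_B_LAN
!
! Verify on each side: trace a ping from a Site A host to a Site B host and
! confirm the NAT phase shows the exemption, the VPN phases appear, and the
! final result is ALLOW; then check that both encaps and decaps counters
! increase while the ping runs.
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10
show crypto ipsec sa peer 203.0.113.20
```

Once the counters move in both directions, the tunnel itself is fine. Traffic arriving through the tunnel bypasses the outside interface ACL by default (sysopt connection permit-vpn is on unless it has been disabled), so a ping or a mapped drive (SMB, TCP/445) that still fails at that point is usually being dropped by the host's own firewall rather than by the ASA.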
10-15-2010 07:09 AM
Thanks for everyones input!
I got the main important items addressed. I'm running Windows 7, and ICMP was disabled on its firewall. Overall, I got my applications to communicate over the site-to-site VPN. Although, I still can't get the network drive to work on any of the machines, but it's minor.