
ASA 5520 Routes


schroednic

IS-IT--Management
Nov 18, 2008
I'm trying to set up a default route to get my ASA 5520 on the internet.

For some reason, the IOS only wants me to create a route on the Management interface???
I have 4 gigabit ethernet ports available. Actually have a public IP assigned to Gigabit 0/1, but can't assign a static route out to the default gateway.

Any ideas, thanks in advance.
 
You're not able to do

Code:
route outside 0.0.0.0 0.0.0.0 <Next hop IP Address> 1
 
I get an invalid input detected at ^ at the beginning of the word outside.

I am in the interface config mode for that GigabitEthernet interface.
Interface is up and protocol is up.
 
You don't need to be in the interface configuration, and make sure your outside interface is actually named outside.
 
Here is the config and the Show Int. The gateway (.161) can be pinged via the internet. Interface 0/1 has the assigned valid public IP address and is attached to the active switch.

CONFIG:

ASA Version 8.2(1)
!
hostname ME
enable password
passwd
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
ip address x.x.x.165 255.255.255.224
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b1ee9c2bac70fd2ece46ccb400308614
: end


SHOW INT:

Interface GigabitEthernet0/0 "", is administratively down, line protocol is down

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 4055.3981.dff8, MTU not set
IP address unassigned
3678322 packets input, 327759244 bytes, 0 no buffer
Received 172852 broadcasts, 0 runts, 0 giants
6003 input errors, 0 CRC, 0 frame, 6003 overrun, 0 ignored, 0 abort
4 L2 decode drops
3505642 packets output, 322512792 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/253)
output queue (blocks free curr/low): hardware (255/252)
Interface GigabitEthernet0/1 "", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(10 Mbps)
Available but not configured via nameif
MAC address 4055.3981.dff9, MTU not set
IP address x.x.x.165, subnet mask 255.255.255.224
2045 packets input, 130880 bytes, 0 no buffer
Received 2045 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2045 L2 decode drops
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/254)
output queue (blocks free curr/low): hardware (255/254)
Interface GigabitEthernet0/2 "", is administratively down, line protocol is down

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 4055.3981.dffa, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/255)
Interface GigabitEthernet0/3 "", is administratively down, line protocol is down

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 4055.3981.dffb, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (255/255)
output queue (blocks free curr/low): hardware (255/255)
Interface Management0/0 "management", is down, line protocol is down
Hardware is i82557, BW 100 Mbps, DLY 100 usec
Auto-Duplex, Auto-Speed
MAC address 4055.3981.dffc, MTU 1500
IP address 192.168.1.1, subnet mask 255.255.255.0
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/0) software (0/0)
Traffic Statistics for "management":
0 packets input, 0 bytes
0 packets output, 0 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Management-only interface. Blocked 0 through-the-device packets
 
interface GigabitEthernet0/1
no nameif

That needs to be...

Code:
interface GigabitEthernet0/1
nameif outside
security-level 0

Then run the code I pasted before. You should really run through the initial config wizard to get this configured at least at first.
 
dgrizzard;

Thanks, that opened up access so one can "ping" the firewalls. Trying now to open up access to http/https on that public IP, so I can run ASDM software.

Tried a command:

http x.x.x.166 255.255.255.224 outside

failed stating it is inconsistent??
Any ideas? Thanks for your help so far.
 
Firstly why would you open up management to the public internet??

If you wanted to do it (please don't!) then you would need to create an ACL, then apply it in global config:


"access-group xxx in interface outside"

Where xxx is your ACL number.
 
First, Mrshed is correct, do not allow ASDM, I would say any management access, from the outside. You could put an ACL on but I would prefer to do a VPN client access into the ASA and then get access from the VPN client pool.

Second, that command tells the ASA *who* can access the http service and what interface that applies to. So if you had 192.168.1.0/24 as your network and you wanted anyone on that network to be able to access the ASDM you would do...

Code:
http 192.168.1.0 255.255.255.0 inside

You would also need to do:

Code:
http server enable
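As an added example (not part of the original thread), the following Python script lints an ASA running-config for the two problems raised above: an interface that carries an IP address but has no nameif, which is why the `route outside` command in dgrizzard's first reply was rejected until the interface was named, and management-plane statements (http/ssh/telnet) bound to a security-level 0 interface, which Mrshed and the last reply warn against. The three config fragments embedded in it are constructed from the posted config: public addresses stay masked as in the post, x.x.x.161 is the gateway the poster mentions, and the `http x.x.x.166 ... outside` line is the one the poster tried. The parser relies on the ASA's own indentation of interface sub-commands.

```python
"""Lint a Cisco ASA running-config for the two issues raised in this thread.

Added example, not from the original thread. It checks for:
  1. interfaces that carry an IP address but have no nameif, so no
     `route <name> ...` can reference them (the cause of the first error);
  2. management-plane services (http/ssh/telnet) bound to a security-level 0
     interface, i.e. ASDM/SSH reachable from the public side.
"""
import re
from typing import Dict, List

# Constructed fragments modelled on the config posted above. Public addresses
# stay masked as in the post; x.x.x.161 is the gateway the poster mentions.
ORIGINAL_CFG = """\
interface GigabitEthernet0/1
 no nameif
 no security-level
 ip address x.x.x.165 255.255.255.224
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
http server enable
http 192.168.1.0 255.255.255.0 management
"""

# The fix from the thread: name the interface, give it security-level 0, and
# only then can the default route reference it.
FIXED_CFG = """\
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address x.x.x.165 255.255.255.224
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
route outside 0.0.0.0 0.0.0.0 x.x.x.161 1
http server enable
http 192.168.1.0 255.255.255.0 management
"""

# The step the thread warns against: ASDM reachable from the public interface.
EXPOSED_CFG = FIXED_CFG + "http x.x.x.166 255.255.255.224 outside\n"


def parse_interfaces(cfg: str) -> Dict[str, dict]:
    """Map each physical interface to its nameif, security-level and IP.

    ASA indents interface sub-commands by one space; an unindented line ends
    the current interface block.
    """
    ifaces: Dict[str, dict] = {}
    current = None
    for raw in cfg.splitlines():
        if not raw.startswith((" ", "\t")):          # top-level statement
            current = None
            m = re.match(r"interface (\S+)$", raw.strip())
            if m:
                current = m.group(1)
                ifaces[current] = {"nameif": None, "security_level": None, "ip": None}
            continue
        if current is None:
            continue
        stmt = raw.strip()                            # sub-command of current interface
        if stmt.startswith("nameif "):
            ifaces[current]["nameif"] = stmt.split()[1]
        elif stmt.startswith("security-level "):
            ifaces[current]["security_level"] = int(stmt.split()[1])
        elif stmt.startswith("ip address "):
            ifaces[current]["ip"] = stmt.split()[2]
    return ifaces


def lint(cfg: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    ifaces = parse_interfaces(cfg)
    names = {v["nameif"] for v in ifaces.values() if v["nameif"]}
    untrusted = {v["nameif"] for v in ifaces.values() if v["security_level"] == 0}

    for phys, v in ifaces.items():
        if v["ip"] and not v["nameif"]:
            findings.append(f"{phys}: ip {v['ip']} assigned but no nameif; "
                            "'show interface' reports it as not configured via nameif "
                            "and no route can use it")
        if v["nameif"] and v["security_level"] is None:
            findings.append(f"{phys}: nameif {v['nameif']} has no security-level")

    for line in cfg.splitlines():
        m = re.match(r"route (\S+) ", line)
        if m and m.group(1) not in names:
            findings.append(f"route references unknown interface name '{m.group(1)}'")
        # `http/ssh/telnet <addr> <mask> <nameif>` grants management access;
        # `http server enable` has three tokens and is deliberately not matched.
        m = re.match(r"(http|ssh|telnet) (\S+) (\S+) (\S+)$", line)
        if m and m.group(4) in untrusted:
            findings.append(f"{m.group(1)} management access from {m.group(2)}/{m.group(3)} "
                            f"on security-level 0 interface '{m.group(4)}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG), ("exposed", EXPOSED_CFG)):
        print(f"== {label} ==")
        for f in lint(cfg) or ["no findings"]:
            print("  ", f)
```

Run it against a real `show running-config` dump saved to a file by reading the file into `lint()`; the original fragment yields the missing-nameif finding, the fixed one is clean, and the fragment with `http ... outside` is flagged regardless of why the ASA itself rejected that particular line.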
 