
Cisco ASA 5510 default configuration with ADSL router

Status
Not open for further replies.

jvpgr (IS-IT--Management), Nov 7, 2008
Hi all,

I am new to Cisco and I am trying to configure an ASA 5510 to replace a Linux box in the following setup:

LAN ---- 5510 ---- ADSL ROUTER ---- internet

The inside IP of the ADSL router is set to 192.168.2.1 and it is connected to Ethernet 0/0 of the 5510, which has IP 192.168.2.2. NAT is performed on the ADSL router.

ASA Version 7.0(8), ASDM Version 5.0(8)

The running configuration is as follows:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
description LAN
nameif inside1
security-level 100
ip address 192.168.1.17 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.240
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside1
dns name-server 192.168.2.1
dns name-server 193.92.150.3
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
!
tcp-map mss-map
exceed-mss allow
!
tcp-map opmap
check-retransmission
checksum-verification
exceed-mss allow
!
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside1 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside1) 1 192.168.1.0 255.255.255.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.14 management
dhcpd address 192.168.1.18-192.168.1.30 inside1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a57ef453702ba8027d6e8e4f8dbbd127
: end

This configuration worked for a moment, except for DNS, but (Murphy's Law) it was not saved to flash due to a power failure :(.

After that nothing worked.

To be more specific:

When I run ping 192.168.2.1 on the PC attached to inside1, the syslog says:

6|Nov 10 2008 00:46:32|302020: Built inbound ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.2.1/0 laddr 192.168.2.1/0
6|Nov 10 2008 00:46:34|302021: Teardown ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.2.1/0 laddr 192.168.2.1/0

but I get "Request timed out".

When I run ping 192.168.1.17 (the interface) on the PC attached to inside1, the syslog again says:

6|Nov 10 2008 00:47:02|302020: Built inbound ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.1.17/0 laddr 192.168.1.17/0
6|Nov 10 2008 00:47:02|302021: Teardown ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.1.17/0 laddr 192.168.1.17/0

but I get a reply.

When I try to resolve a name, the syslog says:

6|Nov 10 2008 00:18:02|302015: Built outbound UDP connection 303 for outside:192.168.2.1/53 (192.168.2.1/53) to inside1:192.168.1.18/3055 (192.168.1.18/3055)
6|Nov 10 2008 00:18:03|110002: Failed to locate egress interface for UDP from inside1:192.168.1.18/3055 to 193.92.150.3/53

and I get a "cannot find host" error.

DHCP assigns an IP to the PC connected to inside1, but it does not assign a DNS server unless I explicitly set the DNS servers for that interface in ASDM. What I want is for the 5510 to get the DNS servers from the ADSL router and to assign them to the connected PCs.

Please Help!!!

TIA,
Yannis
 
I can't help with all your problems, but you will find the ASA blocks pings from hosts on the LAN.

If you want to allow pings from the LAN, you need to add the following commands.

ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect icmp

Just curious... what happens when you ping an outside IP from the ASA using the CLI?
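Editor's added example (not from either post above, and not a Cisco sample config). Two things in the posted running-config are worth fixing before testing anything else. First, Ethernet0/0 is configured as 192.168.2.1, which the question says is the ADSL router's address, while the ASA was meant to be 192.168.2.2; as posted, both "route outside 0.0.0.0 0.0.0.0 192.168.2.1" and "dns name-server 192.168.2.1" therefore name the ASA's own outside address rather than the router, and a next hop that is the ASA itself cannot forward anything, which fits the "110002: Failed to locate egress interface" message. It also explains the two ping results: the 302020 lines for the ping to 192.168.2.1 show gaddr and laddr both equal to the ASA's own outside address, and an ASA never answers ICMP aimed at one of its interfaces from a host behind a different interface, whereas 192.168.1.17 answered because that is the interface the PC sits on. Second, the config has no "dhcpd dns" line, which is why DHCP clients on inside1 receive no DNS server. The fragment below, in the same ASA 7.0 syntax as the posted config, moves the outside interface to 192.168.2.2 so the existing route and name-server lines point at the router, adds the missing DHCP DNS option, and adds the "inspect icmp" the reply recommends. The DHCP-client alternative assumes the ADSL router runs a DHCP server on its LAN side; the post does not say whether it does, so that part is an assumption.

```cisco
! Added example, not from the original post or from Cisco.
!
! 1. Give Ethernet0/0 the address the post says it should have (192.168.2.2),
!    so it no longer collides with the ADSL router at 192.168.2.1.
interface Ethernet0/0
 description WAN
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
! 2. These two lines are unchanged from the posted config; with the interface
!    moved to .2 they now really point at the ADSL router, not at the ASA itself.
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
dns name-server 192.168.2.1
dns name-server 193.92.150.3
!
! 3. Hand a DNS server to DHCP clients (the posted config has no dhcpd dns line).
!    193.92.150.3 is the public resolver already named in the posted config.
dhcpd dns 193.92.150.3
!
!    Alternative, ASSUMING the ADSL router serves DHCP on its LAN side: make the
!    outside interface a DHCP client (setroute installs the learned default route,
!    replacing the static "route outside" above) and let the ASA's own DHCP server
!    copy the DNS settings learned on outside to its clients.
! interface Ethernet0/0
!  ip address dhcp setroute
! dhcpd auto_config outside
!
! 4. ICMP inspection, as the reply suggests. Echo replies are then tracked as
!    connections, so the three "access-list 100 ... icmp" lines are no longer
!    needed for pings originating on the LAN.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 5. Save it this time, so the next power failure does not undo the work.
write memory
```

After applying this, "show route" should list the default route via outside with next hop 192.168.2.1, "ping outside 192.168.2.1" from the ASA console (the test the reply asks about) should answer, and a ping to 192.168.2.1 from the inside PC now reaches the ADSL router instead of the ASA's own interface. Pinging an ASA interface address from a host on a different interface will still time out; that is expected ASA behaviour, not a fault.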


 