jvpgr
IS-IT--Management
- Nov 7, 2008
- 6
Hi all,
I am new to cisco and I am trying to configure an ASA 5510 to replace a Linux box for the following situation:
LAN ---- 5510 ---- ADSL ROUTER ---- internet
Then Inside IP of the ADSL is set to 192.168.2.1 and is bound to Ethernet 0/0 of the 5510 with IP 192.168.2.2. The NAT is performed on the ADSL Router.
ASA Version 7.0(8), ASDM Version 5.0(8)
the running configuration is as follows
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
description LAN
nameif inside1
security-level 100
ip address 192.168.1.17 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.240
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside1
dns name-server 192.168.2.1
dns name-server 193.92.150.3
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
!
tcp-map mss-map
exceed-mss allow
!
tcp-map opmap
check-retransmission
checksum-verification
exceed-mss allow
!
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside1 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside1) 1 192.168.1.0 255.255.255.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.14 management
dhcpd address 192.168.1.18-192.168.1.30 inside1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a57ef453702ba8027d6e8e4f8dbbd127
: end
This configuration worked for a moment, except the dns, but (Murfy's Law) it was not saved to flash due to a power failure .
After that nothing worked.
to be more specific,
when I run ping 192.168.2.1 on the PC attached to inside1 the syslog says:
6|Nov 10 2008 00:46:32|302020: Built inbound ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.2.1/0 laddr 192.168.2.1/0
6|Nov 10 2008 00:46:34|302021: Teardown ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.2.1/0 laddr 192.168.2.1/0
but I get a Request timed out
when I run ping 192.168.1.17 (the interface) on the PC attached to inside1 the syslog says again:
6|Nov 10 2008 00:47:02|302020: Built inbound ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.1.17/0 laddr 192.168.1.17/0
6|Nov 10 2008 00:47:02|302021: Teardown ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.1.17/0 laddr 192.168.1.17/0
but I get a reply.
when I am trying to resolve some name the syslog says:
6|Nov 10 2008 00:18:02|302015: Built outbound UDP connection 303 for outside:192.168.2.1/53 (192.168.2.1/53) to inside1:192.168.1.18/3055 (192.168.1.18/3055)
6|Nov 10 2008 00:18:03|110002: Failed to locate egress interface for UDP from inside1:192.168.1.18/3055 to 193.92.150.3/53
and I get a "can not find host" error.
the dhcp assings IP for the pc connected to Inside1, but it does not assign a DNS server, unless I set explicity the DNS servers from that interface in ASDM, what I want if the 5510 to get the DNS servers from the ADSL and to assign them to the connected pcs
Please Help!!!
TIA,
Yannis
I am new to cisco and I am trying to configure an ASA 5510 to replace a Linux box for the following situation:
LAN ---- 5510 ---- ADSL ROUTER ---- internet
Then Inside IP of the ADSL is set to 192.168.2.1 and is bound to Ethernet 0/0 of the 5510 with IP 192.168.2.2. The NAT is performed on the ADSL Router.
ASA Version 7.0(8), ASDM Version 5.0(8)
the running configuration is as follows
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(8)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
description WAN
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
description LAN
nameif inside1
security-level 100
ip address 192.168.1.17 255.255.255.240
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.240
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside1
dns name-server 192.168.2.1
dns name-server 193.92.150.3
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
!
tcp-map mss-map
exceed-mss allow
!
tcp-map opmap
check-retransmission
checksum-verification
exceed-mss allow
!
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside1 1500
no failover
monitor-interface management
monitor-interface outside
monitor-interface inside1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside1) 1 192.168.1.0 255.255.255.0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.240 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.14 management
dhcpd address 192.168.1.18-192.168.1.30 inside1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:a57ef453702ba8027d6e8e4f8dbbd127
: end
This configuration worked for a moment, except the dns, but (Murfy's Law) it was not saved to flash due to a power failure .
After that nothing worked.
to be more specific,
when I run ping 192.168.2.1 on the PC attached to inside1 the syslog says:
6|Nov 10 2008 00:46:32|302020: Built inbound ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.2.1/0 laddr 192.168.2.1/0
6|Nov 10 2008 00:46:34|302021: Teardown ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.2.1/0 laddr 192.168.2.1/0
but I get a Request timed out
when I run ping 192.168.1.17 (the interface) on the PC attached to inside1 the syslog says again:
6|Nov 10 2008 00:47:02|302020: Built inbound ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.1.17/0 laddr 192.168.1.17/0
6|Nov 10 2008 00:47:02|302021: Teardown ICMP connection for faddr 192.168.1.18/512 gaddr 192.168.1.17/0 laddr 192.168.1.17/0
but I get a reply.
when I am trying to resolve some name the syslog says:
6|Nov 10 2008 00:18:02|302015: Built outbound UDP connection 303 for outside:192.168.2.1/53 (192.168.2.1/53) to inside1:192.168.1.18/3055 (192.168.1.18/3055)
6|Nov 10 2008 00:18:03|110002: Failed to locate egress interface for UDP from inside1:192.168.1.18/3055 to 193.92.150.3/53
and I get a "can not find host" error.
the dhcp assings IP for the pc connected to Inside1, but it does not assign a DNS server, unless I set explicity the DNS servers from that interface in ASDM, what I want if the 5510 to get the DNS servers from the ADSL and to assign them to the connected pcs
Please Help!!!
TIA,
Yannis