Help with my Cisco ASA

I've been trying to configure a Cisco ASA 5505 for my home network but I'm not having much joy with it. I've looked at countless guides and tutorials and followed the ASA setup wizard in ASDM. Could someone look at my config and shed some light on where I'm going wrong? Note: the Cisco 1841 is running sub-interfaces for my VLANs.


Below is a sample of how my network connects up
Code:
192.168.1.1(Billion router)===192.168.1.2(ASA)192.168.2.1===(Cisco 1841)192.168.2.2  192.168.10.1 192.168.20.1 192.168.30.1

Code:
Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4) 
!
hostname Bayswater
domain-name drury.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0 
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 192.168.1.1
 domain-name drury.local
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 tunneled
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 version 1
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.129 inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:065cff50cce30b96fe96983a25ebc947
: end
 
It depends what your problem is...
The IP route on the outside is wrong, so your default router is itself instead of the Billion router (I assume that's your Internet connection). It should be 192.168.1.1, not 192.168.2.1.

Then you've also got no inside routes (unless you're running RIP on the 1841?), so you need to add route inside <network> <mask> 192.168.2.2 (the 1841).
Then you may need some rules to allow the traffic; I can't remember if it's permit any out of the box...

/edit Try this from the command line or the multi-command box in ASDM:
Code:
conf t
no route outside 0.0.0.0 0.0.0.0 192.168.2.1 tunneled
route outside 0.0.0.0 0.0.0.0 192.168.1.1
route inside 192.168.10.0 255.255.255.0 192.168.2.2
route inside 192.168.20.0 255.255.255.0 192.168.2.2
route inside 192.168.30.0 255.255.255.0 192.168.2.2
exit

Then on the 1841 make sure that you have:
Code:
ip route 0.0.0.0 0.0.0.0 192.168.2.1

Then on the billion, if you're not NATing everything behind the outside address of the ASA you're going to need to add static routes of the networks behind the ASA via the outside interface of the ASA, so:
192.168.2.0 /24
192.168.10.0 /24
192.168.20.0 /24
192.168.30.0 /24
Via 192.168.1.2
 
I tried what you suggested but I still can't seem to figure out why I can't get Internet access when the ASA is running. I'm pretty sure it's something simple but I can't see it for looking. I've attached both the ASA and the 1841 running configs. The Billion router is running NAT and RIP. The ASA was configured with ASDM.

Cisco ASA 5505
Code:
: Saved
: Written by enable_15 at 01:09:55.968 UTC Sat Aug 25 2012
!
ASA Version 7.2(4) 
!
hostname Bayswater
domain-name drury.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0 
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 192.168.1.1
 domain-name drury.local
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
access-list outside_access_in extended permit ip any 192.168.10.0 255.255.255.0 
access-list outside_access_in extended permit ip any 192.168.20.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 version 1
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.129 inside
!

username douglas password dFakwzrndCTRqh2t encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:bc20b7bfa360f3c9b1620c48d9cd1b6c
: end

Cisco 1841
Code:
Piccadilly_Circus#sh run
Building configuration...

Current configuration : 4754 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Piccadilly_Circus
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.2.2
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.20.2
ip dhcp excluded-address 192.168.10.4
!
ip dhcp pool vlan-10
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.2.1
!
ip dhcp pool vlan-20
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.2.1
!
!
ip domain name vlan.gatway
ip host LG-NAS 192.168.10.4
ip name-server 192.168.2.1
ip name-server 8.8.8.8
ip name-server 212.69.36.3
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-979462596
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-979462596
 revocation-check none
 rsakeypair TP-self-signed-979462596
!
!
crypto pki certificate chain TP-self-signed-979462596
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39373934 36323539 36301E17 0D313230 33323831 38323435
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3937 39343632
  35393630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B68963BD 5C5501C6 1EFAC417 DB24E95D 07D62B6B A1C816B1 4D7EC354 E2211DBF
  1D60AFCD 34CC6CAB C3C410D0 6DC72C4E C6B5CB74 BE58E060 211E3441 778A2D31
  7A718B4E B04F9B75 C237A515 B7B8874F 258935E4 22176DE3 5FF67512 264125AF
  DECBD5F2 820E23F5 8365699D DEC24A63 DAE5A80A 499DD36C 391B4942 32E0C4A1
  02030100 01A37D30 7B300F06 03551D13 0101FF04 05300301 01FF3028 0603551D
  11042130 1F821D50 69636361 64696C6C 795F4369 72637573 2E766C61 6E2E6761
  74776179 301F0603 551D2304 18301680 145DE525 D00567A0 AC8E6F36 C3FC953C
  7016B25A DD301D06 03551D0E 04160414 5DE525D0 0567A0AC 8E6F36C3 FC953C70
  16B25ADD 300D0609 2A864886 F70D0101 04050003 8181008E D77EC1CB 7A65602A
  01E6FBEA 6E41A771 2656EA8A D4B0F105 545C0256 8B052B7B FA3BEAAB 1C6C44B6
  C58A9467 61F2891C 599DEC43 1784BC1C D729FC07 B7233166 E2178772 927B8A3F
  8C6F3739 BB057BBE 46879F6B 403056AC FE17FCD9 A83C38AC 5647A666 01A5B71D
  1528083F 0027C33F 87B350B7 7A845253 F8EB361F 8A8AEA
        quit
!
!
username douglas privilege 15 secret 5 $1$j8nS$kQ8Bvdlpg8naq8zCS.tCp/
archive
 log config
  hidekeys
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/1.1
 description vlan 1$FW_OUTSIDE$
 encapsulation dot1Q 1 native
 ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/1.10
 description vlan 10$FW_INSIDE$
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
!
interface FastEthernet0/1.20
 description vlan 20$FW_INSIDE$
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
!
interface FastEthernet0/1.30
 description vlan 30$ETH-LAN$
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
router rip
 network 192.168.2.0
 network 192.168.10.0
 network 192.168.20.0
 network 192.168.30.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip http server
ip http secure-server
!
snmp-server community PacketTrap RW
!
!
!
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0
 password cisco
 login
line vty 1 4
 login
line vty 5 9
 login
!
scheduler allocate 20000 1000
end
 
Hmmm, try working backwards. From the ASA (ASDM), try pinging google.com; if you can't, then that gives a starting point for investigation.
If you can, then try from the 1841 to the ASA, then the 1841 to the Billion.

Also have a look at the sh ip route command and make sure that everything is populating in the RIP tables; you can probably remove the static routes.
 
I can ping from the 1841 to the ASA inside address (192.168.2.1) and from the ASA to all the sub-interfaces on the 1841. However, on the 1841 and the ASA, when I ping the ASA outside address (192.168.1.2) or the Billion (192.168.1.1) the pings fail.
 
1. To allow ICMP "through" the ASA you need to add ICMP to the global inspection policy; try this:

Code:
policy-map global_policy
 class inspection_default
  inspect icmp

2. To allow ICMP traffic TO an interface on the ASA you need to add icmp permit statements:

icmp permit <network> <mask> echo <interface>

3. I'd delete the outside_access_in ACL too. It's wrong and it's not needed for your testing. Traffic from a higher security interface to a lower security interface is allowed by default. Traffic "sourced" from those networks listed would also fail a uRPF check on the outside interface, but that's beside the point.

Cheers,
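An added check, not from any post in this thread, that reads ASA 7.2-style running-config text and flags the things the replies above call out: a static route whose next hop is one of the ASA's own addresses or is off the named interface's subnet, a "tunneled" default route (which only serves VPN-tunnel traffic), and a global_policy with no inspect icmp. The sample config is constructed from the lines posted earlier in the thread.

```python
import ipaddress
import re

# Constructed sample: the interface, route and policy lines from the first ASA
# config in the thread, i.e. before the fixes suggested in the replies.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.1 tunneled
policy-map global_policy
 class inspection_default
  inspect ftp
"""
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(.*)$")

def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for each interface with a static address."""
    ifaces, name, addr = {}, None, None
    for line in config.splitlines() + ["end"]:  # sentinel flushes the last stanza
        if not line.startswith(" "):              # a top-level line ends a stanza
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and "dhcp" not in line:
            ip, mask = line.split()[2:4]
            addr = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return ifaces

def check_routes(config, ifaces):
    """Flag static routes whose next hop cannot be reached out of the named interface."""
    findings, own_addrs = [], {i.ip for i in ifaces.values()}
    for m in filter(None, map(ROUTE_RE.match, config.splitlines())):
        ifname, dst, _mask, nh, rest = m.groups()
        nh = ipaddress.IPv4Address(nh)
        if nh in own_addrs:
            findings.append(f"route {ifname}: next hop {nh} is the ASA's own address")
        elif ifname in ifaces and nh not in ifaces[ifname].network:
            findings.append(f"route {ifname}: next hop {nh} is not on {ifaces[ifname].network}")
        if dst == "0.0.0.0" and "tunneled" in rest:
            findings.append(f"route {ifname}: 'tunneled' default route only serves VPN traffic")
    return findings

def has_icmp_inspection(config):
    """True when 'inspect icmp' appears under policy-map global_policy."""
    in_global = False
    for line in config.splitlines():
        if line.startswith("policy-map "):
            in_global = line.split()[1] == "global_policy"
        elif in_global and line.strip() == "inspect icmp":
            return True
    return False
```

Run it over the posted config and then over the corrected one; the route findings disappear once the default route points at 192.168.1.1 and the inside routes point at 192.168.2.2.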
 
Well, I've made progress. When a device on subnet 192.168.2.0/24 pings the ASA, the pings are successful, but that's where the success stops. Still on subnet 192.168.2.0/24, when I try to ping the outside interface and beyond, the pings fail, and it's the same story on any other subnet.

I've attached the updated config for the ASA if someone can make any sense of it
Code:
Bayswater# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname Bayswater
domain-name drury.local
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 192.168.1.1
 domain-name drury.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit 192.168.2.0 255.255.255.0 echo inside
icmp permit 192.168.10.0 255.255.255.0 echo inside
icmp permit 192.168.20.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo inside
icmp permit 192.168.1.0 255.255.255.0 echo outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
router rip
 network 192.168.1.0
 network 192.168.2.0
 version 1
 no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.2-192.168.2.129 inside
!
username douglas password dFakwzrndCTRqh2t encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7a015caed88c20798d3e2b610454a019
: end
Bayswater#

ASA RIP routes
Code:
Bayswater# sh route
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

R    192.168.30.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
R    212.69.47.0 255.255.255.0 [120/1] via 192.168.1.1, 0:00:25, outside
R    192.168.10.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
R    192.168.20.0 255.255.255.0 [120/1] via 192.168.2.2, 0:00:09, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
C    192.168.2.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
Bayswater#
 
OK, from the ASA itself, can you ping 192.168.1.1?

Can you see all the correct RIP routes on the Billion router? It should match what you have on the ASA, pretty much.
 