basic setup for ASA 5510 home lab behind modem using DHCP
inscom.brigade
Member Posts: 400 ■■■□□□□□□□
in Off-Topic
I picked up an ASA for home lab.
I am trying to get it setup but I am stuck.
I am just using my home cable service so I will use DHCP for my outside interface.
I gave the inside interface an IP.
I can ping 8.8.8.8, and I can ping my PC.
My PC can't ping outside. I think NAT, ACL, and/or object groups are my trouble.
Anyone have a link to a setup similar, or could offer any suggestion?
thanks for reading
Comments
-
Mooseboost Member Posts: 778 ■■■■□□□□□□
You said you can ping 8.8.8.8, is this from your PC or from the ASA? We will need a little more information to better determine the problem.
What is the IP of your LAN interface? Did you statically assign the PC's IP? If so, do you have the gateway IP (on the PC) as the LAN interface of the ASA? -
inscom.brigade Member Posts: 400 ■■■□□□□□□□
Sure.
The ASA can ping 8.8.8.8. That interface, g0/0, is set up for DHCP, so the ISP is giving the IP.
The ASA can ping both PCs; m0/0 is management only.
But my PC doesn't ping 8.8.8.8.
I will add my 3550 back in later.
I will post my config if you think that may help
-
Mooseboost Member Posts: 778 ■■■■□□□□□□
Posting the config may help.
My initial thought would be either routing related, zone related, or the outbound NAT. I would check these first. My experience with ASA is limited, I have worked mostly with Juniper SRXs but the principles should be about the same. -
Simrid Member Posts: 327
It may be worth checking what inspection you have going on. Remember, ICMP and ICMP echo are blocked by default.
Network Engineer | London, UK | Currently working on: CCIE Routing & Switching
sriddle.co.uk
uk.linkedin.com/in/simonriddle -
inscom.brigade Member Posts: 400 ■■■□□□□□□□
Here's my config: mulberryASA1# mulberryASA1# sho run : oops I goofed up this config
-
Simrid Member Posts: 327
There's a few ways you can allow ICMP through the firewall. The first would be to add it to the inspection. The second would be to create an ACL.
policy-map global_policy
class inspection_default
inspect icmp
exit
exit
access-list from_outside extended permit icmp any any echo
Network Engineer | London, UK | Currently working on: CCIE Routing & Switching
sriddle.co.uk
uk.linkedin.com/in/simonriddle -
Dollarhyde Member Posts: 111
That seems to me like a NAT problem.
You have this as a config:
global (outside) 1 24.x.x.x-24.x.0.254
global (outside) 1 interface
nat (inside) 1 192.168.112.0 255.255.255.0
nat (outside) 1 192.168.112.0 255.255.255.0
nat (outside) 0 0.0.0.0 0.0.0.0
Your inside IP might be wrong, as you are referencing a different subnet than the one you mentioned in the diagram.
Based on what I have seen right now on Cisco's website, the way to configure ASA NAT would be:
hostname(config)#nat (inside) 1 192.168.100.0 255.255.255.0
hostname(config)#global (outside) 1 24.x.x.x-24.x.0.254
I have some limited experience with ASA's so the config might be wrong.
___________________________________________________________________________________________________________ -
apr911 Member Posts: 380 ■■■■□□□□□□
Your config needs a good bit of cleanup... Here's a few recommendations...
First, get on 9.x code, or at least 8.3+ code, if you can. It's the latest, there are significant changes to the ASA, particularly NAT, in these code versions, and it's what you'll need to know for CCNP studies and for most employers.
Second, I don't remember if 8.2 code is prone to this, but you should not post enable/passwd lines publicly.
Last, I recommend you scrap this configuration and start from scratch. I see a lot of things here that don't make any sense. There are empty object groups, unused object groups, multiple routes and various other settings that are not needed in your basic config and/or have no business being configured, which makes me wonder: did you do a clear config before dropping in your own configuration? I am also fairly certain that there are a few configurations that I am apparently recalling incorrectly, because you seem to have managed to configure them multiple times even though each is normally a single-use command.
I'd be happy to help you try and work out a configuration, but the discrepancies between your diagram and your config can't be reconciled at this time.
Just to start, here are a few of the things that are probably undesired:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
dns domain-lookup outside
access-list 1
access-list outside_access_in permit ip any any
access-list outside_access_in permit tcp any any object-group DM_INLINE_2 (unless you're running a HTTP/HTTPS server)
I'd even argue access-list outside_access_in icmp any any is undesired and that you more likely want to enable inspection
logging asdm informational (unless you are using asdm which it does not appear to be the case)
global (outside) 1 24.x.x.x-24.x.0.254
nat (outside) 1 192.168.112.0 255.255.255.0
nat (outside) 0 0.0.0.0 0.0.0.0 (NAT 0 is identity NAT or NO-NAT but NAT only occurs from higher security levels to lower-security levels)
route outside 0.0.0.0 0.0.0.0 24.0.0.0 1
route outside 0.0.0.0 0.0.0.0 24.0.x.1 5
dhcp-client client-id interface inside
dhcp-client client-id interface outside
dhcpd auto_config inside (if anything this should be dhcpd auto_config outside)
Finally, I also suggest you learn the ASA packet-tracer command and its outputs...
Currently Working On: Openstack
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP -
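To make the advice in the two posts above concrete (Simrid's: allow ICMP via inspection rather than an inbound ACL; apr911's: move to 8.3+ NAT syntax, drop the stray outside NAT, `nat 0`, duplicate default routes and `dhcpd auto_config inside`), here is a minimal configuration for exactly the scenario in this thread: DHCP on the outside, a static inside network, PAT out to the outside interface address, and ICMP inspection so that pings from the PC get their replies back. This is an added example, not the original poster's config and not anything posted in the thread. The interface names, the 192.168.112.0/24 inside network (taken from the NAT lines Dollarhyde quoted) and the DHCP pool range are assumptions; adjust them to your own lab.

```cisco
! Added example config for an ASA 5510 on 8.3+ code, home lab behind a cable modem.
! Assumed: g0/0 faces the modem, g0/1 faces the lab, inside net is 192.168.112.0/24.
hostname labASA
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! Take the address from the ISP and install the default route from the DHCP offer.
 ! This replaces the two hand-typed "route outside 0.0.0.0 0.0.0.0 ..." lines.
 ip address dhcp setroute
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.112.1 255.255.255.0
 no shutdown
!
! 8.3+ object NAT: translate the inside network to the outside interface address.
! Only one NAT statement is needed; there is no "nat (outside) ..." and no "nat 0".
object network INSIDE_NET
 subnet 192.168.112.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Pre-8.3 equivalent of the object NAT above (replaces the object block, not in addition to it):
! nat (inside) 1 192.168.112.0 255.255.255.0
! global (outside) 1 interface
!
! Stateful ICMP inspection: echo replies to inside-originated pings are allowed back in
! without any inbound ACL on outside, so "access-list outside_access_in permit icmp any any"
! (and certainly "permit ip any any") is not needed.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Hand out addresses to the lab PCs and relay DNS learned from the ISP on the outside
! interface (auto_config takes the *outside* interface name, as apr911 notes).
dhcpd address 192.168.112.10-192.168.112.100 inside
dhcpd auto_config outside
dhcpd enable inside
!
! Keep inter/intra-interface traffic at the defaults (i.e. do not add
! "same-security-traffic permit ..." unless you actually have two same-level interfaces).
```

Once it is in, prove the path from the CLI before touching a PC, as apr911 suggests: `packet-tracer input inside icmp 192.168.112.10 8 0 8.8.8.8` walks a simulated echo request (ICMP type 8, code 0) through route lookup, ACL, NAT and inspection and reports the first phase that drops it; `show nat` and `show xlate` then confirm the translation was built. If packet-tracer passes but a real PC still fails, check the PC's gateway is 192.168.112.1 and that the PC is not statically set to a different subnet, which is what Mooseboost asked about earlier in the thread.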
inscom.brigade Member Posts: 400 ■■■□□□□□□□
Hey Apr911, thanks for some info.
The IPs and password were all disposable. I blew it all off, no worries.
I thought I would get it up and running with ASA 8.2 and ASDM 6.4, then practice some migration.
Seems maybe my flash drives might have been corrupt. They crashed for good 2 nights ago.
ANYWAY
I got it working.
I did blow off that old OS and downloaded the latest ASA & ASDM from Cisco with my account, and did a config factory reset.
I set it up how I wanted, and WHAM, 1st try it worked.
this is what I have up now.
-
apr911 Member Posts: 380 ■■■■□□□□□□
Nice. Glad you got it working. Feel free to hit me up if you have any other questions.
Currently Working On: Openstack
2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP -
inscom.brigade Member Posts: 400 ■■■□□□□□□□
> Nice. Glad you got it working. Feel free to hit me up if you have any other questions.
COOL, thanks, yeah maybe you could help please.
I made some changes this weekend. I'm looking at my old 3550 10/100 Mbps and thinking, why have that?
The interface to the printer has security level 50 and the interface Xeon has security level 100.
From the ASA I can ping both, but still no connection from end host to end host.
EDIT:
Got it fixed.
Next project???