basic setup for ASA 5510 home lab behind modem using DHCP

inscom.brigade Member Posts: 400
I picked up an ASA for a home lab.

I am trying to get it set up but I am stuck.

I am just using my home cable service, so I will use DHCP for my outside interface.

I gave the inside interface an IP.

I can ping 8.8.8.8, and I can ping my PC.

My PC can't ping outside. I think NAT, ACLs, and/or object groups are my trouble.

Anyone have a link to a similar setup, or could offer any suggestion?

Thanks for reading.

Comments

  • Mooseboost Member Posts: 778
    You said you can ping 8.8.8.8, is this from your PC or from the ASA? We will need a little more information to better determine the problem.

    What is the IP of your LAN interface? Did you statically assign the PC's IP? If so, do you have the gateway IP (on the PC) set to the LAN interface of the ASA?
  • inscom.brigade Member Posts: 400
    Sure.
    The ASA can ping 8.8.8.8; that interface, g0/0, is set up with DHCP, so the ISP is giving it the IP.
    The ASA can ping both PCs; m0/0 is management only.
    But my PC doesn't ping 8.8.8.8.

    I will add my 3550 back in later.

    I will post my config if you think that may help.

    [image: home lab.png]
  • Mooseboost Member Posts: 778
    Posting the config may help.

    My initial thought would be either routing related, zone related, or the outbound NAT. I would check these first. My experience with ASA is limited, I have worked mostly with Juniper SRXs but the principles should be about the same.
  • Simrid Member Posts: 327
    It may be worth checking what inspection you have going on. Remember, ICMP and ICMP echo are blocked by default.
    Network Engineer | London, UK | Currently working on: CCIE Routing & Switching

    sriddle.co.uk
    uk.linkedin.com/in/simonriddle
  • inscom.brigade Member Posts: 400
    Here's my config: mulberryASA1# sho run (oops, I goofed up this config)
  • Simrid Member Posts: 327
    There are a few ways you can allow ICMP through the firewall. The first would be to add it to the inspection. The second would be to create an ACL.


    policy-map global_policy
    class inspection_default
    inspect icmp
    exit
    exit
    access-list from_outside extended permit icmp any any echo
  • Dollarhyde Member Posts: 111
    That seems to me like a NAT problem.

    You have this as a config:

    global (outside) 1 24.x.x.x-24.x.0.254
    global (outside) 1 interface
    nat (inside) 1 192.168.112.0 255.255.255.0
    nat (outside) 1 192.168.112.0 255.255.255.0
    nat (outside) 0 0.0.0.0 0.0.0.0

    Your inside IP might be wrong, as you are referencing a different subnet than the one you mentioned in the diagram.

    Based on what I have seen right now on Cisco's website, the way to configure ASA NAT would be:


    hostname(config)#nat (inside) 1 192.168.100.0 255.255.255.0

    hostname(config)#global (outside) 1 24.x.x.x-24.x.0.254

    I have some limited experience with ASA's so the config might be wrong.
  • apr911 Member Posts: 380
    Your config needs a good bit of cleanup... Here are a few recommendations...

    First, get on 9.x code, or at least 8.3+ code, if you can. It's the latest, there are significant changes to the ASA, particularly NAT, in these code versions, and it's what you'll need to know for CCNP studies and for most employers.

    Second, I don't remember if 8.2 code is prone to this, but you should not post enable/passwd lines publicly.

    Last, I recommend you scrap this configuration and start from scratch. I see a lot of things here that don't make any sense. There are empty object groups, unused object groups, multiple routes, and various other settings that in your basic config are not needed and/or have no business being configured, which makes me wonder whether you did a clear config before dropping in your own configuration... I also am fairly certain that there are a few configurations that I am apparently recalling incorrectly, because you seem to have managed to configure them multiple times even though each is normally a single-use command.

    I'd be happy to help you try and work out a configuration, but discrepancies between your diagram and your config can't be reconciled at this time.

    Just to start, here are a few of the things that are probably undesired:
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    dns domain-lookup outside
    access-list 1
    access-list outside_access_in permit ip any any
    access-list outside_access_in permit tcp any any object-group DM_INLINE_2 (unless you're running a HTTP/HTTPS server)
    I'd even argue access-list outside_access_in icmp any any is undesired and that you more likely want to enable inspection
    logging asdm informational (unless you are using asdm which it does not appear to be the case)
    global (outside) 1 24.x.x.x-24.x.0.254
    nat (outside) 1 192.168.112.0 255.255.255.0
    nat (outside) 0 0.0.0.0 0.0.0.0 (NAT 0 is identity NAT or NO-NAT but NAT only occurs from higher security levels to lower-security levels)
    route outside 0.0.0.0 0.0.0.0 24.0.0.0 1
    route outside 0.0.0.0 0.0.0.0 24.0.x.1 5
    dhcp-client client-id interface inside
    dhcp-client client-id interface outside
    dhcpd auto_config inside (if anything this should be dhcpd auto_config outside)

    Finally, I also suggest you learn the ASA packet-tracer command and its outputs...
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
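As an added example (not posted by anyone in this thread), here is a minimal ASA 9.x configuration for the setup Dollarhyde and apr911 are discussing above: DHCP on the outside interface, a static inside address, post-8.3 object NAT in place of the old global/nat pair, ICMP inspection instead of an inbound ICMP ACL, and the packet-tracer check apr911 recommends. The hostname, the interface roles (g0/0 outside, g0/1 inside) and the inside subnet 192.168.112.0/24 (taken from the posted nat line) are assumptions; the outside address is whatever the ISP leases.

```cisco
! Added example, not from the thread. Assumed: hostname labASA, g0/0 = outside,
! g0/1 = inside, inside subnet 192.168.112.0/24 (the subnet in the posted nat line).
hostname labASA
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! lease the ISP address and install the default route from the DHCP offer
 ip address dhcp setroute
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.112.1 255.255.255.0
 no shutdown
!
! 8.3+ object NAT: PAT everything from inside to whatever address g0/0 currently holds.
object network INSIDE_NET
 subnet 192.168.112.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Pre-8.3 equivalent of the three lines above. The 24.x.x.x pool form in the thread
! breaks as soon as the ISP changes the lease; "interface" follows the leased address:
!   global (outside) 1 interface
!   nat (inside) 1 192.168.112.0 255.255.255.0
!
! Track outbound echo requests so the replies come back without an inbound ACL.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Hand out inside addresses and pass along the DNS servers the ISP gave the outside interface.
dhcpd address 192.168.112.10-192.168.112.50 inside
dhcpd auto_config outside
dhcpd enable inside
!
! No outside_access_in ACL: with nothing applied inbound on outside, only return traffic
! for existing connections gets in. Verify the path from an inside host before blaming NAT:
!   labASA# packet-tracer input inside icmp 192.168.112.10 8 0 8.8.8.8
!   labASA# packet-tracer input inside tcp 192.168.112.10 40000 8.8.8.8 53
! Both should end with "Action: allow", and the NAT phase should show the inside source
! being translated to the outside interface address.
```

If packet-tracer denies the flow, the phase that reports the drop (ROUTE-LOOKUP, NAT, ACCESS-LIST or INSPECT) names the part of the config to fix; if it allows the flow but a real PC still fails, the problem is on the PC (default gateway or DNS), not on the ASA.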
  • inscom.brigade Member Posts: 400
    Hey apr911, thanks for the info.
    The IPs and password were all disposable. I blew it all off, no worries.

    I thought I would get it up and running with ASA 8.2 and ASDM 6.4 and then practice some migration.
    It seems my flash drives might have been corrupt. They crashed for good two nights ago.
    ANYWAY
    I got it working.
    I did blow off that old OS, downloaded the latest ASA and ASDM from Cisco with my account, and did a config factory reset.
    I set it up how I wanted, and WHAM, first try it worked.
    This is what I have up now.

    [image: home lab up.png]
  • apr911 Member Posts: 380
    Nice. Glad you got it working. Feel free to hit me up if you have any other questions.
  • inscom.brigade Member Posts: 400
    apr911 wrote: »
    Nice. Glad you got it working. Feel free to hit me up if you have any other questions.

    COOL, thanks. Yeah, maybe you could help, please.
    I made some changes this weekend. I'm looking at my old 3550 10/100 Mbps and thinking, why have that?

    The interface to the printer has security level 50 and the interface to the Xeon has security level 100.
    From the ASA I can ping both, but still no connection from end host to end host.


    EDIT:
    got it fixed:
    next project???

    [image: home lab up printer down1.png]

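As an added example for the printer/Xeon question in the post above (the poster's own fix is not shown, so this is not it), here is how a 9.x ASA handles two extra interfaces at security levels 50 and 100, and why "the ASA can ping both ends" does not by itself mean the ends can reach each other. The interface numbers, the two subnets, the host and printer addresses, and the use of TCP 445 as a stand-in for a scan-to-folder share are all assumptions.

```cisco
! Added example, not from the thread. Assumed: g0/2 = xeon (100), g0/3 = printer (50),
! host 192.168.20.10 on xeon, printer 192.168.30.20, TCP 445 as the printer's scan-to-folder target.
interface GigabitEthernet0/2
 nameif xeon
 security-level 100
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/3
 nameif printer
 security-level 50
 ip address 192.168.30.1 255.255.255.0
 no shutdown
!
! xeon (100) -> printer (50): allowed by the security-level rule with no ACL, as long as no
! access-group is applied inbound on xeon (an applied ACL replaces that default with an
! implicit deny, so it would then need its own permit lines).
! printer (50) -> xeon (100): denied by default; open only what the printer must initiate.
! Return traffic for both directions rides the connection table, so nothing is needed on the
! reverse path.
access-list printer_access_in extended permit tcp host 192.168.30.20 host 192.168.20.10 eq 445
access-list printer_access_in extended permit icmp host 192.168.30.20 192.168.20.0 255.255.255.0 echo
access-group printer_access_in in interface printer
!
! Internet access for the new LAN. Because the rule is scoped (xeon,outside), it only
! rewrites traffic leaving via outside; xeon -> printer is not translated and keeps working.
object network XEON_NET
 subnet 192.168.20.0 255.255.255.0
 nat (xeon,outside) dynamic interface
!
! Check each direction on the box before touching the hosts. When the ASA can ping both
! ends but they cannot reach each other, the usual cause is a host default gateway that is
! not the ASA interface address, which packet-tracer will not show but the hosts will:
!   labASA# packet-tracer input xeon icmp 192.168.20.10 8 0 192.168.30.20
!   labASA# packet-tracer input printer tcp 192.168.30.20 40000 192.168.20.10 445
```

The ICMP line in printer_access_in assumes the global `inspect icmp` from a standard 9.x config is in place, so only the echo request needs a permit and the reply is matched by state. If the two interfaces were instead at the same security level, `same-security-traffic permit inter-interface` would be required; with 50 and 100 it is not.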