
I'm trying to set up a new ASA 5510. I have a pretty simple setup with one /24 on the inside NATed to a DHCP address on the outside. Everything on the inside works and I can ping the outside interface from external devices. No matter what I do, I can't get anything internal to route across the border to the outside and back. To try and eliminate ACL issues as a possibility I added permit any any rules to the incoming access lists on the inside and outside interfaces. I'd appreciate any help I can get. Here's the sh run.

: Saved
:
ASA Version 8.4(3)
!
hostname gateway
domain-name xxx.local
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.x.x.x
domain-name xxx.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside-network
subnet 10.x.x.x 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
!
object network inside-network
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.x.x.x 255.255.255.0 inside
http authentication-certificate management
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 management
ssh 10.x.x.x 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username xxx password xxx encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:fe19874e18fe7107948eb0ada6240bc2
: end
no asdm history enable
  • I found something curious, though I'm not sure it helps. When I plug the outside drop directly into my laptop I get a default route to 10.42.45.46 and I can ping it. When I plug the drop into the ASA I get the same route there to 10.42.45.46, but I can't ping it from the ASA. This can't be right, can it? – Brendan ODonnell Mar 28 '12 at 23:14
  • Are you plugging the outside interface into a modem? – resmon6 Mar 29 '12 at 12:32
  • The outside interface is connected to a Sprint U1901 through a CradlePoint MBR in pass-through mode. I know this setup is a little janky. We have a dedicated line coming, but it's going to be maybe a week before they finish construction and I need to get this working in the meantime. – Brendan ODonnell Mar 29 '12 at 15:03
  • You might try rebooting those other devices. It could be a MAC address lock. – resmon6 Mar 29 '12 at 15:12
  • I've tried rebooting all 3 devices (the Sprint, CradlePoint, and Cisco). I've also tried resetting the interface with a shut/no shut several times. No luck. :( – Brendan ODonnell Mar 29 '12 at 16:01
  • Hmm, that is odd. You should be able to ping your default gateway since `icmp permit any outside` is in your config. The only other thing that might shine some light on this is posting your `show arp` and `show route` outputs. – resmon6 Mar 29 '12 at 17:21
  • Here's that output. `gateway# show arp` gives `inside 10.0.1.x xxxx.xxxx.xxxx 18` ... approx 20 more records like this ... `gateway# show route` ... some default output removed ... `Gateway of last resort is 10.42.45.46 to network 0.0.0.0` / `C 10.0.1.0 255.255.255.0 is directly connected, inside` / `d* 0.0.0.0 0.0.0.0 [1/0] via 10.42.45.46, outside` – Brendan ODonnell Mar 29 '12 at 17:36
  • Are there no arp entries for outside? – resmon6 Mar 29 '12 at 17:40
  • That is correct. – Brendan ODonnell Mar 29 '12 at 17:41
  • That's your problem. If you want to move this to chat I can help you troubleshoot this further. – resmon6 Mar 29 '12 at 17:42
  • Apparently I don't have the rep to chat. – Brendan ODonnell Mar 29 '12 at 17:45
  • What a pain. Ok, try this: `capture test interface outside`, then `ping 10.42.45.46`, then `show capture test detail`, and see if you see any traffic coming from a MAC address other than your ASA's. – resmon6 Mar 29 '12 at 17:54
  • That worked! I got the MAC address of 10.42.45.46 as 2a30.4410.2789. – Brendan ODonnell Mar 29 '12 at 17:59

2 Answers

Did you stick a static route on there?

ASA(config)# route [interface name] [destination address] [netmask] [gateway]

Darkmatter

For some reason the ARP entry is not being added to your arp table for your default gateway. As a temporary fix you can try adding this manually with the command:

(from config t mode) arp outside 10.42.45.46 2a30.4410.2789 alias

As to why this is happening, I'm not sure, but you can try to find out by doing packet captures to see if your ARP requests are going out and replies are coming back. If they are, I would recommend opening a TAC case with Cisco if you have maintenance on the device.

resmon6
  • I added the ARP entry, but it hasn't completely solved the issue. It did change the capture results somewhat. Now I'm seeing the outgoing echo requests like this: `27: 11:02:50.674327 x.x.x.x > 10.42.45.46: icmp: echo request` and lots of incoming ARP requests like this: `54: 11:02:59.940793 arp who-has x.x.x.x tell 10.42.45.46` – Brendan ODonnell Mar 29 '12 at 18:12
  • Do you not see any responses going back? It should look like this: `1: 13:19:55.634503 802.1Q vlan#70 P0 arp who-has 192.168.1.1 tell 192.168.1.51` `2: 13:19:55.634564 802.1Q vlan#70 P0 arp reply 192.168.1.1 is-at xx:xx:xx:xx:xx:4` – resmon6 Mar 29 '12 at 18:20
  • I don't see any replies from the ASA back to the gateway. When I run `show capture test | i is-at` all of the lines look like this: `22: 11:02:48.658596 arp reply 10.42.45.46 is-at 2a:30:44:10:27:89` – Brendan ODonnell Mar 29 '12 at 18:23
  • It looks like they're giving you an IP address in a different subnet than your default gateway. The problem is described [here](https://supportforums.cisco.com/thread/2133340). You'll have to either downgrade the ASA to 8.4(2) or get your ISP to fix that problem on their end. This is Cisco bug ID CSCto63702. – resmon6 Mar 29 '12 at 18:30
  • I downgraded the ASA to 8.4(2), but that still hasn't resolved the issue. Also, my output from `debug arp` is a little different than the linked article. I get `arp-in: Dropping request at outside from unsolicited non-adjacent 10.42.45.46 2a30.4410.2789 for x.x.x.x 0000.0000.0000` – Brendan ODonnell Mar 29 '12 at 20:56
  • Try removing that static arp entry. You should consider having a conversation with your ISP about your concern for their lack of understanding of how basic IP routing works. – resmon6 Mar 30 '12 at 02:51
  • I tried having that conversation with someone at their phone support line, but he asked me how to spell ARP... I worked around the problem by adding another switch that was less picky about ARP packet sources, on its own /24, in between the ASA and the Sprint modem and using it to NAT to the outside. – Brendan ODonnell Mar 30 '12 at 16:56
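The diagnosis in this thread rests on one check: the ASA will not learn an ARP entry from a sender that is not on the outside interface's directly connected subnet ("unsolicited non-adjacent"), so a DHCP-assigned gateway in a different subnet never becomes reachable. The script below is an added example (not code from the thread or from Cisco) that applies the same adjacency test to `show capture`-style output. The capture lines and the 10.42.7.x addresses are constructed, modelled on the redacted lines quoted in the comments; `gateway_is_adjacent` and `off_subnet_arp` are names chosen here.

```python
import ipaddress
import re

# Constructed sample, modelled on the `show capture <name>` lines quoted in the
# thread. 10.42.7.12 stands in for the redacted x.x.x.x outside address; the
# 802.1Q-tagged line mirrors the format resmon6 quoted from a tagged capture.
SAMPLE_CAPTURE = """\
22: 11:02:48.658596 arp reply 10.42.45.46 is-at 2a:30:44:10:27:89
27: 11:02:50.674327 10.42.7.12 > 10.42.45.46: icmp: echo request
54: 11:02:59.940793 arp who-has 10.42.7.12 tell 10.42.45.46
55: 11:03:00.102233 802.1Q vlan#70 P0 arp who-has 10.42.7.1 tell 10.42.7.12
"""

# Matches "arp reply A is-at MAC" and "arp who-has A tell B", with or without
# the optional 802.1Q prefix. Non-ARP lines (e.g. the ICMP echo) do not match.
ARP_LINE = re.compile(
    r"^\s*(?P<no>\d+):\s+[\d:.]+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"arp (?P<kind>reply|who-has) (?P<a>\S+) (?:is-at|tell) (?P<b>\S+)\s*$"
)


def gateway_is_adjacent(gateway_ip: str, interface_cidr: str) -> bool:
    """True when the gateway lies inside the interface's directly connected subnet.

    This is the condition the ASA enforces before it will populate its ARP
    table from a reply; a gateway that fails it is "non-adjacent".
    """
    net = ipaddress.ip_interface(interface_cidr).network
    return ipaddress.ip_address(gateway_ip) in net


def parse_arp_lines(capture_text: str):
    """Yield one dict per ARP line: capture number, kind, sender IP, MAC (replies only)."""
    for line in capture_text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        if m["kind"] == "reply":
            # "arp reply A is-at MAC": the sender is A, the host answering.
            yield {"line": int(m["no"]), "kind": "reply", "sender": m["a"], "mac": m["b"]}
        else:
            # "arp who-has A tell B": the sender is B, the host asking.
            yield {"line": int(m["no"]), "kind": "request", "sender": m["b"], "mac": None}


def off_subnet_arp(capture_text: str, interface_cidr: str):
    """Return the ARP packets whose sender is not on the interface subnet.

    Any hit here is traffic the ASA will drop as non-adjacent; if the default
    gateway shows up in this list, the DHCP lease and the gateway disagree.
    """
    net = ipaddress.ip_interface(interface_cidr).network
    return [p for p in parse_arp_lines(capture_text)
            if ipaddress.ip_address(p["sender"]) not in net]


if __name__ == "__main__":
    # Assumed outside lease: 10.42.7.12/24 (constructed), gateway 10.42.45.46 from the thread.
    outside = "10.42.7.12/24"
    print("gateway adjacent:", gateway_is_adjacent("10.42.45.46", outside))
    for pkt in off_subnet_arp(SAMPLE_CAPTURE, outside):
        print(f"line {pkt['line']}: {pkt['kind']} from off-subnet sender {pkt['sender']}")
```

Run against a real capture, feed the outside interface's address and mask from `show interface outside` and the captured text from `show capture test`; a non-empty result that contains the default gateway reproduces the `unsolicited non-adjacent` condition from `debug arp` without needing a static `arp ... alias` entry, which the thread shows does not help when the gateway is genuinely off-subnet.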