topic Re: ASA: no internet connection in Network Security

ASA: no internet connection

patricia.quintao — Tue, 05 Jul 2022 14:54:26 GMT

I have a problem that I don't know what else to do. Can you help me?

In my environment I have 2 ISP links, the main one and redundancy.
I changed the operator of the redundancy link.
I connected the router to the ASA, deletes the old routes from this interface, changed the name, IP and mask. Then I created the static route again with the new gateway.

Through ASDM > Tools > Ping, on this ISP's interface I can ping the router, but I don't have an output for 8.8.8.8.
I put a notebook directly on the router and the ping is ok, but apparently the ASA is not coming out.

The NAT rules I didn't change because there was no change. But the thing is, not even the ASA itself is going out through this ISP

Re: ASA: no internet connection

Kasun Bandara — Tue, 05 Jul 2022 15:00:16 GMT

if you changed interface names, IP addresses too, better check NAT configurations again.

also share some screen captures of routing and NAT to get an idea.

Re: ASA: no internet connection

MHM Cisco World — Tue, 05 Jul 2022 15:02:57 GMT

friend
after you check the ACL and NAT "in NAT please add route-lockup" if not success then
you need floating timeout command to add, please see below link.
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113592-udp-traffic-fails-00.html

Re: ASA: no internet connection

patricia.quintao — Tue, 05 Jul 2022 15:53:01 GMT

I redid the NAT rule, but still no success.
I only have one route using this interface.
I am attaching the two images

Re: ASA: no internet connection

Kasun Bandara — Tue, 05 Jul 2022 16:03:58 GMT

your captures seems ok. but i noticed 2 points.

1. your route priority is 100. check if you have any other default routes with less priority than 100. if so you need to make sure primary ISP have lower priority than backup ISP.

2. there is a more NAT statements in background. check if your packet hits top NATs before hit correct one.

also use packet tracer option to simulate traffic and see whether traffic is blocking by ALC or any other step.

Re: ASA: no internet connection

patricia.quintao — Tue, 05 Jul 2022 16:05:31 GMT

How would I check the ACL?

My case was with the backup link, so the route metric was the highest.
From what I understand in that link you shared, it would be for the lowest metric routes.. isn't that it?

Re: ASA: no internet connection

MHM Cisco World — Tue, 05 Jul 2022 16:36:09 GMT

as mention above since the config of route is OK still you need NAT
please select "object network" NAT rule
and then config dynamic NAT

Re: ASA: no internet connection

MHM Cisco World — Tue, 05 Jul 2022 17:33:12 GMT

Can you share cli config?

Re: ASA: no internet connection

patricia.quintao — Tue, 05 Jul 2022 19:01:28 GMT

I redid the NAT rule the way you instructed but nothing changed.
The ASA shouldn't be able to PING it out even without the NAT rule (if it was a NAT problem)

using packet capture for the interface I can see some requests. I contacted the ISP operator and they manage to ping the IP I put. So it looks like the configuration from outside to ASA is ok.

It seems to me that something was tied up but I can't identify what it is.

Re: ASA: no internet connection

patricia.quintao — Tue, 05 Jul 2022 19:02:02 GMT

what would be the best way to do this?

Re: ASA: no internet connection

MHM Cisco World — Tue, 05 Jul 2022 20:09:58 GMT

you need talent to ASA to access and cli

also

this link helpful for you

https://www.youtube.com/watch?v=_0D8DlkdRRA

Re: ASA: no internet connection

patricia.quintao — Tue, 05 Jul 2022 21:33:16 GMT

I noticed from my monitoring that PRTG flags as the link up.
Apparently the ASA is not going out through the backup link as the main one is active, even though I force the ping through the backup interface.
I'll check a good time to take the main link down to confirm if the backup will take over by the ASA.

Re: ASA: no internet connection

MHM Cisco World — Tue, 05 Jul 2022 22:09:38 GMT

Yes but for TEST only change the metric of primary route to be higher than the backup route.

Re: ASA: no internet connection

patricia.quintao — Wed, 06 Jul 2022 18:17:15 GMT

Confirmed. The ASA does not communicate over another internet interface when the main one has a lower metric. That's why the ping test through the backup interface didn't work.
Thanks for the support.