topic Okay, I didn't know that. I in Network Security

ASA Internet Access

Shawnw4401 — Tue, 12 Mar 2019 09:20:12 GMT

Can someone please help me with this ASA? I'm new to working on ASAs and trying to learn more about them. This is just a test lab ASA for home environment purposes. Security practices aren't my main concern right now. I am just trying to learn how to configure it.

Right now, I have a pretty much a blank ASA, aside from my interfaces and NATreferences.

interface Ethernet0/0
description To Internet
nameif Outside
security-level 0
ip address dhcp
!
interface Ethernet0/1
description To Secondary_LAN_Router
nameif Secondary_LAN
security-level 100
ip address 10.2.0.1 255.255.255.252
!
interface Ethernet0/2
description To Primary_LAN_Router
nameif Primary_LAN
security-level 100
ip address 10.1.0.1 255.255.255.252
!
interface Ethernet0/3
description To Honeypot
nameif Honeypot
security-level 0
ip address 192.168.0.1 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.100.2 255.255.255.0

object network Permit_Secondary_LAN
subnet 10.2.0.0 255.255.255.252
object network Permit_Primary_LAN
subnet 10.1.0.0 255.255.255.252
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu Secondary_LAN 1500
mtu Primary_LAN 1500
mtu Honeypot 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Secondary_LAN,Outside) source dynamic Permit_Secondary_LAN pat-pool interface
nat (Primary_LAN,Outside) source dynamic Permit_Primary_LAN pat-pool interface

Please let me know if I am missing anything. Right now I cannot ping the internet from an inside interface, but I can from my outside.

ciscoasa(config)# ping Outside google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.147, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
ciscoasa(config)# ping Pri
ciscoasa(config)# ping Primary_LAN google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.147, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ciscoasa(config)# show nat
Manual NAT Policies (Section 1)
1 (Secondary_LAN) to (Outside) source dynamic Permit_Secondary_LAN pat-pool interface
translate_hits = 0, untranslate_hits = 0
2 (Primary_LAN) to (Outside) source dynamic Permit_Primary_LAN pat-pool interface
translate_hits = 0, untranslate_hits = 0

All help is greatly appreciated. Thank you!

you can't ping internet from

Ashish Jhaldiyal — Wed, 10 May 2017 01:47:45 GMT

you can't ping internet from inside interface, If you want to test internet connectivity connect a PC behind Primary_LAN interface you should be able to ping/access internet sites.

Okay, I didn't know that. I

Shawnw4401 — Wed, 10 May 2017 02:34:27 GMT

Okay, I didn't know that. I tried pinging from the router connected to the ASA (10.1.0.2)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
WAN_Router#ping 8.8.8.8 source 10.1.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.2
.....
Success rate is 0 percent (0/5)

It couldn't even talk to the DNS server (8.8.8.8), which I am assuming because it cannot get out past the ASA.

Shawn,

Ashish Jhaldiyal — Wed, 10 May 2017 02:45:57 GMT

Shawn,

I see some issue with NAT, Do you want to translate LAN subnets with pat-pool or Outside interface IP?

you can try this

nat (Secondary_LAN,Outside) source dynamic Permit_Secondary_LAN interface

nat (Primary_LAN,Outside) source dynamic Permit_Primary_LAN interface

Ashish,

Shawnw4401 — Wed, 10 May 2017 23:10:42 GMT

Ashish,

Changing the NAT statement didn't change anything. What I am trying to do is equivalent to the router side when putting in a nat translation [ip nat inside source list access-list interface interface overload].

Make sure you have an access

cofee — Thu, 11 May 2017 00:04:20 GMT

Make sure you have an access list that allows icmp reply, because by default ASA doesn't inspect icmp packets. By default Asa only inspects TCP and udp. You can create an access list allowing icmp and apply it to ASAs outside interface.

You can use packet tracer utility to check where the packet is dropping.

packet-tracer input secondary_lan icmp x.x.x.x 8 0 8.8.8.8

replace x.x.x.x with source address

also so if you are trying to ping an outside address like Google DNS from a device that's behind the firewall just make sure that device has a default gateway configured