topic Correction: I just refreshed in Network Security

5506 No internet access

fbrunell — Tue, 12 Mar 2019 09:13:58 GMT

New to this, forgive me. I'm trying to configure a new 5506 to firewall two internet connections into my existing network. For testing, I have a laptop connected to the 5506 and a line from my cable internet connected as well. Every time I try to change the inside network to our IP schema, I break it. If I drop back to default mode, internet works again. I should add, that I was experiencing the same problem on an old 5505 I was playing around with before. Trying to use the ASDM primarily for this. Thanks.

Hi fbrunell@wfft.com,

JP Miranda Z — Wed, 19 Apr 2017 01:17:02 GMT

Hi fbrunell@wfft.com,

I can definitely help you fixing this really quick by checking your current config through the outputs of the CLI, now if you are trying to learn through ASDM you can take a look to the following guide:

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html

Hope this info helps!!

Rate if helps you!

-JP-

Thanks for getting back to me

fbrunell — Wed, 19 Apr 2017 13:08:56 GMT

Thanks for getting back to me. I was using dynamic PAT, but not in a specific manner like that. I am still having a problem. Right now I have 4 rules in the NAT rules table. I've tried moving the new rule to the top of the list, and I've tried deleting the other rules, but neither command works. It looks like the one rule higher in the list is static, so I presume that rule would prevent my new rule from working.

Correction: I just refreshed

fbrunell — Wed, 19 Apr 2017 13:14:02 GMT

Correction: I just refreshed from the device, and was able to modify the Rules. Am only seeing the new rule now. But still I don't have internet. Thanks.

Can share the configuration

JP Miranda Z — Wed, 19 Apr 2017 13:25:16 GMT

Can share the configuration you are trying to use?

If you are sure the configuration is right will be necessary to get in to the ASA through the CLI and check a couple of commands:

sh xlate

packet-tracer input inside icmp <insideip> 8 0 4.2.2.2 detail

Hope this info helps!!

Rate if helps you!

-JP-

I'm not sure now much you

fbrunell — Wed, 19 Apr 2017 13:59:29 GMT

I'm not sure now much you want to know about the config, but I have the following interfaces: outside (DHCP), inside (not using, but enabled), insidemain (10.142.0.10), outside2 (DHCP, not connected yet but enabled). I setup the NAT rule as directed under the PAT section with an IP of 10.142.0.0 255.255.0.0 and source interface of insidemain.

And here are the CLI commands requested:

inftwof1rtr010# sh xlate
0 in use, 1 most used

inftwof1rtr010# packet-tracer input insidemain icmp 10.142.0.15 8 0 4.2.2.2 de$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.10.1 using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_10.142.0.0
nat (insidemain,outside) dynamic interface
Additional Information:
Dynamic translate 10.142.0.15/0 to 10.1.10.66/64682
Forward Flow based lookup yields rule:
in id=0x2aaac23aed40, priority=6, domain=nat, deny=false
hits=0, user_data=0x2aaac2360060, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.142.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=insidemain, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac0ca6ff0, priority=0, domain=nat-per-session, deny=true
hits=65, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, pr
otocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac17b4c20, priority=0, domain=inspect-ip-options, deny=true
hits=213, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=insidemain, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac17b4430, priority=66, domain=inspect-icmp-error, deny=false
hits=2, user_data=0x2aaac17b39a0, cs_id=0x0, use_real_addr, flags=0x0, p
rotocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=insidemain, output_ifc=any

Phase: 6
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac228e960, priority=0, domain=user-statistics, deny=false
hits=27, user_data=0x2aaac1dc1450, cs_id=0x0, reverse, flags=0x0, protoc
ol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 146, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Thanks

OK, I figured out that the

fbrunell — Fri, 21 Apr 2017 19:44:48 GMT

OK, I figured out that the issue was with DNS. If I turn on DHCP with auto-config from "outside" interface, it will work. However, this is not how it will be setup in the working environment. So, my question is perhaps more of a "best-practice" question. Should I setup my existing DNS server with forwarding to the DNS server IPs from my ISP, or would I setup forwarding to the ASA and setup the DNS server list there?

Thanks!

So I got the DNS question

fbrunell — Mon, 24 Apr 2017 16:51:04 GMT

So I got the DNS question resolved, I think. I've setup my DNS server for forwarding. Will find out for sure shortly when I deploy the ASA in my network. I was having another issue getting my second ISP to work, that turned out to be a routing problem, solution here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html