topic Hi Ahmed, the ISP's default in Network Security

ASA 5540 question

tinhnho123 — Tue, 12 Mar 2019 08:03:19 GMT

Hello guys,

I have a ASA 5540 that I'd like to configure for my brand office. Below my network topology:

Comcast---->Cisco ASA 5540 ----> L3 switch----> PC.

The ASA 5540 is reset to factory default setting. The goal is that I'd like to get my PCs online from this brand office.

The ASA has code version 9.1(5). Here is what I've configured so far:

interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 12.3.4.5 255.255.255.0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0

object network net-192.168.1
subnet 192.168.1.0 255.255.255.0

object network net-192.168.1
nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 12.3.4.1 1

I connected my PC to the L3 switch, I can ping the 192.168.1.1 (ASA inside) but unable to ping the outside and also can't get online while using google DNS 8.8.8.8 for my PC.

Any ideas why it doesn't work? Thanks.

To get ping working you'll

Philip D'Ath — Sat, 23 Jul 2016 13:54:09 GMT

To get ping working you'll probably need to add something like:

policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
policy-map global_policy
 class inspection_default
 inspect ftp 
 inspect h323 h225 
 inspect h323 ras 
 inspect ip-options 
 inspect netbios 
 inspect rsh 
 inspect rtsp 
 inspect skinny 
 inspect sqlnet 
 inspect sunrpc 
 inspect tftp 
 inspect sip 
 inspect xdmcp 
 inspect icmp 
 inspect icmp error 
 inspect pptp 
 inspect dns preset_dns_map

Philip is correct regarding

Marvin Rhoads — Sat, 23 Jul 2016 14:21:15 GMT

Philip is correct regarding ping.

I would also advise that ping is a poor tool for troubleshooting. More useful would be packet-tracer. It has both a GUI (ASDM) and cli version.

For instance:

packet-tracer input inside <tcp or udp> <source ip> <source port> <destination ip> <destination port>

...will show you the logic the ASA uses for a given packet with the specified 5-tuple (protocol, source ip, source port, destination ip, destination port).

hi,

johnlloyd_13 — Mon, 25 Jul 2016 06:40:24 GMT

hi,

is there a typo? make sure the NAT statements coincides with the nameif given.

nat (Inside,outside) dynamic interface

could you post show int ip brief and ping 8.8.8.8 from the ASA?

Hi Guys,

tinhnho123 — Sat, 30 Jul 2016 01:11:25 GMT

Hi Guys,

Sorry I was out of town and just got back today.

Below are the results which you guys asked me to run on the ASA

ASA-Lab01# packet-tracer input inside tcp 12.3.4.5 80 8.8.8.8 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 57580, packet dispatched to next module

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

ASA-Lab01#
========================

ASA-Lab01# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 12.3.4.5 YES manual up up
GigabitEthernet0/1 192.168.1.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down up
GigabitEthernet0/3 unassigned YES unset administratively down down
Management0/0 172.20.16.10 YES manual up up
ASA-Lab01#
=========================
Ping 8.8.8.8
ASA-Lab01# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA-Lab01#
========================
Ping ISP's gateway:
ASA-Lab01# ping 12.3.4.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.3.4.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-Lab01#

I still can't get to the internet and also can't ping any public IP either.

Thanks.

Hi;

ahmedshoaib — Sat, 30 Jul 2016 01:11:26 GMT

Hi;

What is you ISP gateway is 12.3.4.9 or 12.3.4.1?

If its 12.3.4.9 then please modify you static route (route Outside 0 0 12.3.4.9) and verify.

If not can you also share the output of show nat & show xlate command.

Thanks & Best regards;

Ditto to what ahmed suggested

Marvin Rhoads — Sat, 30 Jul 2016 02:57:17 GMT

Ditto to what ahmed suggested.

Packet-tracer confirms the ASA setup is OK. You have an issue with / getting past the upstream gateway (Comcast router).

Hi Ahmed, the ISP's default

tinhnho123 — Sat, 30 Jul 2016 04:13:55 GMT

Hi Ahmed, the ISP's default gateway is 12.3.4.1.

ASA-Lab01# sh nat

Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic net-192.168.1 interface
translate_hits = 106, untranslate_hits = 87
ASA-Lab01#
ASA-Lab01# sh xlate
0 in use, 101 most used
ASA-Lab01#

Hi Marvin, I thought the Comcast router was having issue early today too so I setup a router with IP 12.3.4.9 as its outside interface, the route is working fine with the internet. My router can ping the ISP gateway and 8.8.8.8 and I can ping the ASA 12.3.4.5 and vice versa. I think I'm going to reboot the comcast router to see if it would help. I'll update you guys later. thanks.

Hi,

ahmedshoaib — Sat, 30 Jul 2016 07:51:55 GMT

Hi,

You see the both output packet tracer and show nat both shows that its not a nat issue.

Mostprobably it's router issue.

Thanks