Can't access internet with ASA 5505

ZF XCX — Tue, 12 Mar 2019 06:48:21 GMT

Hi all,

Feel really silly with this, I'm sure I've followed so many guides, and literally stuck with the default configuration (factory resetting numerous times!) but still can't connect out.

I've been given a LAN IP Range, with /29 address. I've been told that x.x.x.16 is network address, .17 is router address & default gateway, .18-.22 useable.

If I connect a network cable straight to the router they supply, and do manual IP config (as DHCP etc is disabled) with those values and their DNS servers, I can access the net fine.

As soon as I connect ASA 5505 the troubles begin!

My private network IP range is 192.168.128.1-255. I've set the Cisco ASA 5505 to 192.168.128.9, and got a DHCP server up and running, assigning IPs etc (from .50 upwards). The DNS i've tried setting but none of the IPs given by my ISP will resolve, presumably due to firewall connectivity issues. For default gateway I've tried my public IP as given by ISP x.x.x.17, and I've also tried 192.168.128.9 as suggested on some other sites (I believe this to be the correct config now too, but it still won't work)

I can ping 192.168.128.9, but can't ping anything on the internet. Trying to connect to site just gives me DNS errors and 'resolving host' or waiting for host etc.

I've also got the following line in my logs - but not sure why as I wasn't trying to connect to google or use their DNS!

Oct 28 2015 21:47:04

192.168.128.50

63110

8.8.4.4

Deny udp

src inside:192.168.128.50/63110

dst outside:8.8.4.4/53 by access-group "inside_access_in" [0x0, 0x0]

What's this "inside_access_in"?! I only have inside and outside. I've tried to access IPs from ASDM troubleshooter, but I get blocked by rule - there is an implicit Deny rule, but I haven't set up any deny rules - I've put some allow outs (as in guides I've seen). Ahhh help!?!?! 🙂

Here is the config - haven't done very much at all as I literally want to get on the internet and save it, then care about the rest! This is my first cisco config so I want to learn... but it's also becoming mission critical that the new internet is up ASAP.

: Written by enable_15 at 21:22:45.339 UTC Wed Oct 28 2015
!
ASA Version 9.0(1)
!
hostname cisco1234
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.128.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.19 (ISP public address - is this supposed to be another 192.168.128.x address!? DHCP on the outside interface won't work either - it will on inside, but I want static).
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object icmp
service-object udp
service-object tcp
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq www
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 a
ny interface outside
access-list global_access extended permit object-group DM_INLINE_SERVICE_2 any i
nterface outside
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 an
y interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 ISPGATEWAY (x.x.x.17) 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Hi ZF XCX,

Akshay Rastogi — Thu, 29 Oct 2015 02:04:11 GMT

Hi ZF XCX,

Uf you have not configured below access-list then you have not performed the factory default properly. Below are the access-list present on ASA:

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 a
ny interface outside
access-list global_access extended permit object-group DM_INLINE_SERVICE_2 any i
nterface outside
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 an
y interface outside

These access-list might be the reason you are being denied to go out.

If you wish to remove all the configuration then perform 'clear configuration all' on configuration termial mode.

If you do not wish to clear all the configuration, then remove the access-list from interfaces with below commands:

no access-group inside_access_in in interface inside
no access-group outside_access_in in interface outside
no access-group global_access global

Also you do not have any NAT configured on ASA. To allow communication between private to public, you need NAT. Please perform the below commands:

object network obj-any

subnet 0 0

nat (inside,outside) dynamic interface

This would PAT your all the internal subnet to outside interface IP address.

It is a very basic setup. No need of access-list on any interface. This would enable internet connectivity through your ASA.

Regards,

Akshay Rastogi

Hi Akshay

ZF XCX — Thu, 29 Oct 2015 10:23:34 GMT

Hi Akshay

Many thanks for your reply. After performing these my computer says 'internet' but I still can't do anything. With asdm I have an implicit deny global ip rule - Is that right, I can't get rid of it

Can you ping an internet IP

Jon Marshall — Thu, 29 Oct 2015 12:22:38 GMT

Can you ping an internet IP from the firewall itself ?

How are you testing internet access from the PC ?

If it is with trying to connect to a web server does your PC have a DNS server ?

If it is with ping you need to add something to your configuration.

Can you answer the above and if you can ping from the firewall itself can you post your latest configuration.

Jon

Hi,

Mohammed Ismail Shareef — Fri, 30 Oct 2015 00:14:31 GMT

Hi,

Can we have teamviewer session and fix your issue ?

Ping me on Skype : mshareef2833

Regards

@Mohammed

Thank you - sorry the DNS

ZF XCX — Wed, 04 Nov 2015 20:54:58 GMT

Thank you - sorry the DNS server wasn't properly set to process DNS, and the PCs weren't picking up the firewall as the gateway properly - were trying to jump straight to the router (as when it was setup originally to test, without the firewall). That's sorted now 🙂

Have a lot of Cisco studying to do!!! 🙂

topic Thank you - sorry the DNS in Network Security

Can't access internet with ASA 5505

Hi ZF XCX,

Hi Akshay

Can you ping an internet IP

Hi,

Thank you - sorry the DNS