topic Hi,Can you not apply the in Network Security

ASA 5505 9.2 No Internet Access

Bighead81 — Tue, 12 Mar 2019 05:28:24 GMT

Working with an ASA 5505 that is not allowing me to connect to the internet.

I am able to ping desktop PC inside interface but from the firewall not able to ping outside to 8.8.8.8.

Ive troubleshooted with outside interface ip DHCP routeset, icmp session,

Any help to correct this would be appreciated.

[Internet - virgin modem mode sh2 - Firewall - Switch - PC]

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain

names
!
interface Ethernet0/0
description -OUTSIDE CONNECTION TO ISP-
switchport access vlan 2
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Ethernet0/1
switchport access vlan 200
switchport protected
shutdown
!
interface Ethernet0/2
switchport access vlan 200
shutdown
!
interface Ethernet0/3
switchport access vlan 200
shutdown
!
interface Ethernet0/4
switchport access vlan 200
shutdown
!
interface Ethernet0/5
switchport access vlan 200
shutdown
!
interface Ethernet0/6
switchport access vlan 200
shutdown
!
interface Ethernet0/7
description -INSIDE CONNNECTION TO SWITCH-
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!

boot system disk0:/asa923-k8.bin

ftp mode passive

object network obj_any
subnet 0.0.0.0 0.0.0.0

access-list outside_in extended permit icmp any any echo
access-list outside_in extended deny ip any any log

access-list inside_in extended permit ip any any
access-list inside_in extended deny ip any any log

pager lines 24
logging enable
logging monitor warnings
logging asdm informational

mtu inside 1500
mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 240

no arp permit-nonconnected

nat (inside,outside) source dynamic obj_any interface

access-group inside_in in interface inside
access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 74.XX.XX.239 1 <ip outside interface>

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside
!
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username larias password I8668T9sKGdWDfCW encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2c757df828bc16b3dd0d4d74e28a6917
: end

DEBUG - Ping 8.8.8.8 from FW

6|Feb 08 2015 03:03:46|305011: Built dynamic UDP translation from inside:192.168.0.2/50432 to outside:74.XX.XX.239 /50432
6|Feb 08 2015 03:03:46|302015: Built outbound UDP connection 126 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50432 (74.XX.XX.239 /50432)
6|Feb 08 2015 03:04:00|305012: Teardown dynamic UDP translation from inside:192.168.0.2/57818 to outside:74.XX.XX.239 /57818 duration 0:02:39
6|Feb 08 2015 03:04:23|302016: Teardown UDP connection 124 for outside:8.8.8.8/53 to inside:192.168.0.2/52833 duration 0:02:08 bytes 215
6|Feb 08 2015 03:04:36|305011: Built dynamic UDP translation from inside:192.168.0.2/50290 to outside:74.XX.XX.239 /50290
6|Feb 08 2015 03:04:36|302015: Built outbound UDP connection 127 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50290 (74.XX.XX.239 /50290)
6|Feb 08 2015 03:04:39|305011: Built dynamic UDP translation from inside:192.168.0.2/51985 to outside:74.XX.XX.239 /51985
6|Feb 08 2015 03:04:39|302015: Built outbound UDP connection 128 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/51985 (74.XX.XX.239 /51985)
6|Feb 08 2015 03:04:53|302010: 4 in use, 19 most used
6|Feb 08 2015 03:04:54|305012: Teardown dynamic UDP translation from inside:192.168.0.2/52833 to outside:74.XX.XX.239 /52833 duration 0:02:39
6|Feb 08 2015 03:05:10|302016: Teardown UDP connection 125 for outside:8.8.8.8/53 to inside:192.168.0.2/50272 duration 0:02:08 bytes 215
6|Feb 08 2015 03:05:33|305011: Built dynamic UDP translation from inside:192.168.0.2/49447 to outside:74.XX.XX.239 /49447
6|Feb 08 2015 03:05:33|302015: Built outbound UDP connection 129 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/49447 (74.XX.XX.239 /49447)
6|Feb 08 2015 03:05:41|305012: Teardown dynamic UDP translation from inside:192.168.0.2/50272 to outside:74.XX.XX.239 /50272 duration 0:02:39
6|Feb 08 2015 03:05:54|302016: Teardown UDP connection 126 for outside:8.8.8.8/53 to inside:192.168.0.2/50432 duration 0:02:08 bytes 215
6|Feb 08 2015 03:06:25|305012: Teardown dynamic UDP translation from inside:192.168.0.2/50432 to outside:74.XX.XX.239 /50432 duration 0:02:39

Hi,It looks like there is an

APPIREDDY — Sun, 08 Feb 2015 11:22:02 GMT

Hi,

It looks like there is an issue with NAT. try the following.

1) remove the following statements with 'no' followed by the command

object network obj_any
subnet 0.0.0.0 0.0.0.0

and

nat (inside,outside) source dynamic obj_any interface

2) now add the following

object network 192.168.0.0_net

subnet 192.168.0.0 255.255.255.0

nat (inside,outside) dynamic interface

Hope this will help.

regards

reddy

Thanks for the response. I

Bighead81 — Sun, 08 Feb 2015 14:28:16 GMT

Thanks for the response.

I removed and added your recommendations and then had to add route outside 0.0.0.0 0.0.0.0 7.x.x.1 (default gw isp)

Still no outside ping!

object network NAT_ALL subnet

David paull — Sun, 08 Feb 2015 17:04:04 GMT

object network NAT_ALL
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic NAT_ALL interface

That will nat anything from inside to your asa's external interface IP...in asa 8.4, not sure how the wording is in 9.1

When you say you added a default route -- did you make that default route point to the next layer 3 hop?

Can you ping the next hop from your ASA? can you ping the external interface at that next hop device?

Can you do the following on your asa

access-list CAPNAME extended permit ip any any

capture CAPIN interface inside match access-list CAPNAME

capture CAPOUT interface outside match access-list CAPNAME

That would be nice to see the request going to the inside interface, being translated, and leaving the outside interface as the NAT'd ip address. Running those capture, then a ping from the host to 8.8.8.8 (just 4 is fine) then posting show cap CAPIN and show cap CAPOUT will probably solve our issue, or at least really narrow it down by telling us where to look.

The default route ip is the

Bighead81 — Sun, 08 Feb 2015 21:06:59 GMT

The default route ip is the default gateway of my ISP. When I connect modem directly to PC I get connection and I can see DGW and assigned ip address. This has remained static as both FW and desktop have been assigned the same MAC.

Not able to ping anything at all after ASA

I have added capture.

Opened port dhcps port and seeing capture below.

home-fw-1# sh capture CAPOUT

14 packets captured

   1: 11:03:57.960155       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   2: 11:04:02.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   3: 11:04:08.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   4: 11:04:15.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   5: 11:04:23.960109       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   6: 11:04:32.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   7: 11:04:42.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   8: 11:04:45.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   9: 11:04:49.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
10: 11:04:54.960109       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
11: 11:05:00.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
12: 11:05:07.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
13: 11:05:15.960094       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14: 11:05:24.960079       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14 packets shown
home-fw-1# sh capture CAPIN

0 packet captured

0 packet shown
home-fw-1#

home-fw-1# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 7.x.x.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 7.x.x.1, outside
C        192.168.0.0 255.255.255.0 is directly connected, inside
L        192.168.0.254 255.255.255.255 is directly connected, inside

home-fw-1# sh run dhcpd
dhcpd dns 7.x.x.1
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside. I'm using static ips

home-fw-1# sh dhcpd state
Context Not Configured for DHCP
Interface inside, Not Configured for DHCP
Interface outside, Configured for DHCP CLIENT

It seems no outbound connection is permitted.

Same output with NAT_ALL

Cheers

Hi,Can you ping 8.8.8.8 from

APPIREDDY — Sun, 08 Feb 2015 22:04:16 GMT

Hi,

Can you ping 8.8.8.8 from the FW itself?

Some ISP's bind the MAC address to devices and only those devices are allowed to communicate to outside world. If that is the case, you need to ask them to clear the arp and give them the ASA FW mac address to register. ( are you getting IP address for outside interface? looks like DHCP client is enabled on outside from the above)

If you manually configure primary DNS on the PC to 8.8.8.8, Can you reach internet from internet explorer?

Can you use packet trace from ASDM and select the interface as inside and protocol as tcp source port as 2005 ( or any random port) and destination ip : 216.58.208.46 and destination port as: 80 and post the result here?

Also please post the results of >

show xlate

show nat

show run nat

show run object

show conn

Hi, I will have to contact

Bighead81 — Sun, 08 Feb 2015 22:40:53 GMT

Hi,

I do have is ip address bound to my mac address, which has given me the same ip address and will continue to do so which is 7.x.x.239 (default gateway is .1 of this) but I have applied dhcp setroute because of ISP.

Outputs

home-fw-1# packet-tracer input inside tcp 192.168.0.254 2005 216.58.208.46 80 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9bca08, priority=1, domain=permit, deny=false
        hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 7.x.x.1, outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc28f3d8, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.0.254, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

home-fw-1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_in; 2 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit icmp any any echo (hitcnt=0) 0x80a148e1
access-list outside_in line 2 extended deny ip any any log informational interval 300 (hitcnt=0) 0x4cc7a6a3
access-list inside_in; 3 elements; name hash: 0xd3a8690b
access-list inside_in line 1 extended permit udp any any eq bootpc (hitcnt=0) 0x8352f743
access-list inside_in line 2 extended permit udp any any eq bootps (hitcnt=0) 0xa1bb4ef7
access-list inside_in line 3 extended deny ip any any log informational interval 300 (hitcnt=0) 0x14c87690

home-fw-1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:03:53 timeout 0:00:00

home-fw-1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic NAT_ALL interface
translate_hits = 0, untranslate_hits = 0

home-fw-1# show run nat
nat (inside,outside) source dynamic NAT_ALL interface

home-fw-1# sh run object
object network NAT_ALL
subnet 0.0.0.0 0.0.0.0

home-fw-1# show conn
1 in use, 1 most used

Hi,Can you not apply the

APPIREDDY — Sun, 08 Feb 2015 22:40:54 GMT

Hi,

Can you not apply the inside ACL and see what happens?

also can you change

nat (inside,outside) source dynamic NAT_ALL interface

nat (inside,outside) source dynamic interface

you don't need to say NAT_ALL in nat statement.

So you're showing NO ip

David paull — Mon, 09 Feb 2015 04:22:30 GMT

So you're showing NO ip traffic entering your ASA.

And you're showing ip traffic leaving your ASA from 0.0.0.0 destined to 255.255.255.255.

Clearly your NAT is not working.

i have same problem~~~!!! ASA

Raymond Kwok — Mon, 09 Feb 2015 07:24:10 GMT

i have same problem~~~!!!

ASA Version 9.1(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.0.101 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object network inside_to_outside
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic inside_to_outside interface
route outside 0.0.0.0 0.0.0.0 192.168.0.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:07bc1ae9495d68bfec29ef67ce1f30e9
: end

i can using console to ping 8.8.8.8

but my inside network cannot access internet~~~~~~~

anyone can help me~~~

thanks

did you make the NAT changes

APPIREDDY — Mon, 09 Feb 2015 18:18:29 GMT

did you make the NAT changes as suggested? is it working? pls let us know.

change it from

nat (inside,outside) source dynamic NAT_ALL interface

nat (inside,outside) source dynamic interface

you don't need to say NAT_ALL in nat statement.

hi i following your step i

Raymond Kwok — Tue, 10 Feb 2015 03:49:33 GMT

i following your step i can access internet a few mins...............

do you have other solution??

thanks

Raymond

Ive troubleshooted -ACL

Bighead81 — Tue, 10 Feb 2015 17:11:44 GMT

Ive troubleshooted the following -

Erase all / fresh config

ACL any4. You now have to specify ipv4 or ipv6 for any

inspect traffic dns, http

Reapplying DHCPD config for inside

Permiting ICMP traffic [echo, unreachable, time]

Recommended nat statements

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Cisco recommends the above.

I have attached latest config.

When I do a packet trace for internal source ip to isp default gateway with dhcp ports it says ok- same for internal to google.com OK again

home-fw-1# packet-tracer input inside udp 192.168.0.2 68 7.X.X.1 67 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 7.X.X.239, outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
object-group network ALL-SUBNET-INT
network-object 0.0.0.0 0.0.0.0
object-group network ALL-SUBNET-EXT
network-object 0.0.0.0 0.0.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc4920b8, priority=13, domain=permit, deny=false
        hits=184, user_data=0xca9962c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.0.0_net
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.0.2/68 to 0.0.0.0/306
Forward Flow based lookup yields rule:
in id=0xcc5fee38, priority=6, domain=nat, deny=false
        hits=107, user_data=0xcca768b8, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc350dd8, priority=0, domain=nat-per-session, deny=true
        hits=268, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9c2650, priority=0, domain=inspect-ip-options, deny=true
        hits=201, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcca0ded8, priority=0, domain=host-limit, deny=false
        hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc350dd8, priority=0, domain=nat-per-session, deny=true
        hits=270, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc9eca40, priority=0, domain=inspect-ip-options, deny=true
        hits=189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 212, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

When I ping to either 8.8.8.8 or default gw it fails and capture gives this output.

home-fw-1# sh capture CAPIN

0 packet captured

0 packet shown
home-fw-1# sh capture CAPOUT

17 packets captured

   1: 15:01:08.320036       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   2: 15:01:18.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   3: 15:01:21.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   4: 15:01:25.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   5: 15:01:30.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   6: 15:01:36.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   7: 15:01:43.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   8: 15:01:51.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   9: 15:02:00.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
10: 15:02:10.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
11: 15:02:13.319929       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
12: 15:02:17.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
13: 15:02:22.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14: 15:02:28.319990       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
15: 15:02:35.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
16: 15:02:43.320006       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
17: 15:02:52.319975       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548

Im going to leave the firewall on in the mean time and leave it on for 24 hours. ISP clear their ARP in the early hours
My mac address is bound to the same ip, which i have assigned both to FW and PC.

I also bypass the switch and the computer can king default gateway but nothing on the isp interface or default gateway.

Any other ideas?

It's still not natting. You

David paull — Tue, 10 Feb 2015 17:11:45 GMT

It's still not natting. You have packets leaving from 0.0.0.0 to 255.255.255.255

object network 192.168.0.0_net
 nat (inside,outside) dynamic interface

You need to define what is INCLUDED in the object network NAMED 192.168.0.0_net

object-group network 192.168.0.0_net

network-object 192.168.0.0 255.255.255.0 !or whatever your subnet is

nat (inside,outside) source dynamic 192.168.0.0_net interface

That WILL nat your traffic to the external interface.

I know you think you created a range, and you did with your range statement but you never called it with:

network-object object NAMEHERE

I have tried that nat

Bighead81 — Tue, 10 Feb 2015 18:29:05 GMT

I have tried that nat statement (quite a few times) and its still not working.

Object group contains 192.168.0.0 / 24 and 0.0.0.0 0.0.0.0

When I connect desktop I have been assigned the correct 192.168.x.x internal ip with gateway but cannot ping or surf web. From computer I can ping inside default gateway and nothing else.

I won't be back until tonight

David paull — Tue, 10 Feb 2015 18:35:53 GMT

I won't be back until tonight. Can you post:

1) Your updated, newest, current configuration?

2) clear cap capin

3) clear cap capout

4) Ping from an inside device to 8.8.8.8.

5) and then also put up your newest captures (capin and capout)

If you change your config between posting and tonight, back it up so that any changes I can help you make can be put in.

Thanks!

:ASA Version 9.2(3)! xlate

Bighead81 — Tue, 10 Feb 2015 19:30:15 GMT

:
ASA Version 9.2(3)
!

xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
description -OUTSIDE CONNECTION TO ISP-
switchport access vlan 2
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Ethernet0/1
switchport access vlan 2
switchport protected
shutdown
!
interface Ethernet0/2
switchport access vlan 200
shutdown
!
interface Ethernet0/3
switchport access vlan 200
shutdown
!
interface Ethernet0/4
switchport access vlan 200
shutdown
!
interface Ethernet0/5
switchport access vlan 200
shutdown
!
interface Ethernet0/6
switchport access vlan 200
shutdown
!
interface Ethernet0/7
description -INSIDE CONNNECTION TO SWITCH-
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
delay 10

!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
delay 10
!

!
boot system disk0:/asa923-k8.bin
ftp mode passive
clock timezone GMT 0

dns server-group DefaultDNS
domain-name home-fw-1.com
object-group network ALL-SUBNET-INT
network-object 0.0.0.0 0.0.0.0
object-group network ALL-SUBNET-EXT
network-object 0.0.0.0 0.0.0.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network INSIDE_NET
network-object 192.168.0.0 255.255.255.0

access-list outside_in extended permit icmp any4 any4 object-group DefaultICMP
access-list outside_in extended deny ip object-group ALL-SUBNET-EXT object-group ALL-SUBNET-INT
access-list inside_in extended permit icmp any4 any4 object-group DefaultICMP
access-list inside_in extended permit ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
access-list inside_in extended deny ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
access-list CAPNAME extended permit ip any4 any4

pager lines 24
mtu inside 1500
mtu outside 1500

ip verify reverse-path interface inside
ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 240
no arp permit-nonconnected

nat (inside,outside) source dynamic INSIDE_NET interface
access-group inside_in in interface inside
access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 7.X.X.1 1 <default gw of ISP>
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 7.X.X.1 <default gw of ISP>
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain XXXX.com
!
dhcpd address 192.168.0.2-192.168.0.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5ebe606760ff455d1efc1e486c33e687
: end

From computer. I am assigned 192.168.X.X ip address with correct default gw but not able to ping 7.X.X.1 (ISP Default GW) or 7.X.X.239 (FW outside interface ip).

home-fw-1# sh capture CAPIN

38 packets captured

   1: 19:27:44.698389       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
   2: 19:27:45.686640       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
   3: 19:27:46.686381       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
   4: 19:27:47.695352       802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53: udp 36
   5: 19:27:48.687830       802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53: udp 36
   6: 19:27:48.687906       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
   7: 19:27:50.687342       802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53: udp 36
   8: 19:27:52.689951       802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
   9: 19:27:54.990305       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
10: 19:27:55.739417       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
11: 19:27:56.488805       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
12: 19:27:56.781530       802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53: udp 36
13: 19:27:57.250383       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
14: 19:27:57.771551       802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53: udp 36
15: 19:27:58.241381       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
16: 19:27:59.241152       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
17: 19:27:59.770742       802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53: udp 36
18: 19:28:01.240618       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
19: 19:28:04.073986       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
20: 19:28:04.823047       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
21: 19:28:05.242632       802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
22: 19:28:05.572464       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
23: 19:28:06.416085       802.1Q vlan#1 P0 192.168.0.2.68 > 255.255.255.255.67: udp 300
24: 19:28:06.416375       802.1Q vlan#1 P0 192.168.0.254.67 > 192.168.0.2.68: udp 286
25: 19:28:06.440239       802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53: udp 36
26: 19:28:07.432030       802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53: udp 36
27: 19:28:09.440330       802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53: udp 36
28: 19:28:13.743537       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
29: 19:28:14.492299       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
30: 19:28:14.498875       802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
31: 19:28:15.241976       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
32: 19:28:16.005584       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
33: 19:28:16.991495       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
34: 19:28:17.994196       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
35: 19:28:19.064724       802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
36: 19:28:19.993494       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
37: 19:28:23.994623       802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
38: 19:28:24.065456       802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
38 packets shown
home-fw-1# sh capture CAPout

14 packets captured

   1: 19:27:14.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   2: 19:27:17.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   3: 19:27:21.941510       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   4: 19:27:26.941479       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   5: 19:27:32.940075       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   6: 19:27:39.940075       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   7: 19:27:47.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   8: 19:27:56.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
   9: 19:28:06.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
10: 19:28:09.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
11: 19:28:13.940060       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
12: 19:28:18.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
13: 19:28:24.940045       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14: 19:28:31.940075       802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14 packets shown

Hi,again you got the NAT

APPIREDDY — Tue, 10 Feb 2015 23:19:22 GMT

Hi,

again you got the NAT statement wrong

>>>nat (inside,outside) source dynamic INSIDE_NET interface

this should be

nat (inside,outside) source dynamic interface

and the above should be with in the object group/object as shown below, please add them one below the other, but remove the old one's before you put the following

object-group network INSIDE_NET
network-object 192.168.0.0 255.255.255.0
nat (inside,outside) source dynamic interface

regards

I fully concur with what

David paull — Wed, 11 Feb 2015 04:31:28 GMT

I fully concur with what Appireddy is saying.

I feel like your nat command is just floating in your configs and not under that object-group...but his fixes that also.

Please try that and report back.

Also, I see no pings coming from 192.168.0.2 to 8.8.8.8 on your inside interface. Why?

I have tried various NAT

Bighead81 — Wed, 11 Feb 2015 22:23:47 GMT

Downloaded a fresh IOS and I now see tangible data.

home-fw-1# sh capture CAPIN

346 packets captured

   1: 21:48:55.966853       802.1Q vlan#1 P0 192.168.0.2.138 > 192.168.0.255.138: udp 212
   2: 21:49:12.089457       802.1Q vlan#1 P0 192.168.0.2.53698 > 8.8.8.8.53: udp 32
   3: 21:49:12.147300       802.1Q vlan#1 P0 192.168.0.2.56480 > 8.8.8.8.53: udp 43
   4: 21:49:13.086604       802.1Q vlan#1 P0 192.168.0.2.53698 > 8.8.8.8.53: udp 32
   5: 21:49:13.146553       802.1Q vlan#1 P0 192.168.0.2.56480 > 8.8.8.8.53: udp 43
   6: 21:49:14.086528       802.1Q vlan#1 P0 192.168.0.2.53698 > 8.8.8.8.53: udp 32
   7: 21:49:14.146507       802.1Q vlan#1 P0 192.168.0.2.56480 > 8.8.8.8.53: udp 43
   8: 21:49:16.087474       802.1Q vlan#1 P0 192.168.0.2.53698 > 8.8.8.8.53: udp 32
   9: 21:49:16.147468       802.1Q vlan#1 P0 192.168.0.2.56480 > 8.8.8.8.53: udp 43
10: 21:49:20.087413       802.1Q vlan#1 P0 192.168.0.2.53698 > 8.8.8.8.53: udp 32
11: 21:49:20.147361       802.1Q vlan#1 P0 192.168.0.2.56480 > 8.8.8.8.53: udp 43
12: 21:49:24.087809       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
13: 21:49:24.837221       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
14: 21:49:25.588211       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
15: 21:49:35.751700       802.1Q vlan#1 P0 192.168.0.2.62640 > 8.8.8.8.53: udp 40
16: 21:49:36.049313       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
17: 21:49:36.748832       802.1Q vlan#1 P0 192.168.0.2.62640 > 8.8.8.8.53: udp 40
18: 21:49:36.798817       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
19: 21:49:37.548830       802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
20: 21:49:37.748801       802.1Q vlan#1 P0 192.168.0.2.62640 > 8.8.8.8.53: udp 40
21: 21:49:39.748771       802.1Q vlan#1 P0 192.168.0.2.62640 > 8.8.8.8.53: udp 40
22: 21:49:43.748649       802.1Q vlan#1 P0 192.168.0.2.62640 > 8.8.8.8.53: udp 40
home-fw-1# sh capture CAPOUT

3 packets captured

   1: 21:50:36.833620       802.1Q vlan#2 P0 10.X.X.1.67 > 255.255.255.255.68: udp 312
   2: 21:55:52.483175       802.1Q vlan#2 P0 10.X.X.1.67 > 255.255.255.255.68: udp 301
   3: 21:55:52.516300       802.1Q vlan#2 P0 10.X.X.1.67 > 255.255.255.255.68: udp 301
3 packets

I have inputted recommended NAT but it allows only "source dynamic any interface" under object-group. I have translated hits with sh nat but still no working ping.