topic You originally stated that in Network Security

ASA 5510, can't connect to the internet through a switch

sj.constantine — Tue, 12 Mar 2019 05:11:47 GMT

I have an ASA 5510 connected to the internet through a switch. I can't hit the internet with the following config, I am not sure why? If I address the switch on the interface facing the internet, it is fine and I can ping anything public which I try.

If I try to ping out through the ASA with the below config, I can't hit anything. If I address the link between the ASA and switch, I can ping across it - so there's no problem with connectivity from the ASA that I can tell.

Any ideas?

Switch:

interface GigabitEthernet0/1

descritiption Link to Internet

switchport access vlan 2

interface GigabitEthernet0/2

description Link to ASA

switchport access vlan 2

ASA:

interface Ethernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.10.1 255.255.255.252

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

Am I missing something obvious here?

ip address 10.10.10.10.1 255

Marius Gunnerud — Mon, 08 Dec 2014 10:25:02 GMT

ip address 10.10.10.10.1 255.255.255.252

I am assuming that the above is a typo?

Are you able to ping 10.10.10.2 from the ASA?

Do you have any access lists applied to the ASA? You would need an ACL on the outside interface which permites return ICMP packets since both ping request and ping replies are seperate traffic flows.

access-list out-in permit icmp any any

access-group out-in in interface outside

Please remember to select a correct answer and rate helpful posts

If you are only testing it

Karsten Iwen — Mon, 08 Dec 2014 11:02:43 GMT

If you are only testing it with ICMP, then that could be the problem as it's not handled statefully by default. Configure the following and try again:

policy-map global_policy
 class inspection_default
  inspect icmp

And you should also try "real" traffic like surfing the web, telnet/ssh and so on.

hi guys thanks for your

sj.constantine — Mon, 08 Dec 2014 11:44:15 GMT

hi guys

thanks for your responses.

the problem isn't with icmp not being allowed or traffic being blocked on an ACL, because if I address the switch with the default gateway on the interface connecting to the ASA, i can ping it fine. So there's no problem with ICMP being blocked, ie this:

switch:

int gi0/1

ip add 10.10.10.2 255.255.255.255.252

asa:

int eth0/1

ip add 10.10.10.1 255.255.255.252

nameif outside

route outside 0.0.0.0 0.0.0.0 10.10.10.2 1

asa5100# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

I just can't figure why the switch isn't passing the traffic though (if that is indeed the problem), as that is its most basic function - a dumb switchport in the same vlan. right?

Pinging to the ASA has

Karsten Iwen — Mon, 08 Dec 2014 11:50:10 GMT

Pinging to the ASA has nothing to do with pinging through the ASA. The ASA behaves differently then a router when it comes to interface ACLs. On the ASA, the interface ACLs only control through traffic by default. For pinging through the ASA you should inspect icmp (as shown above) or test with other protocols.

i have inspect icmp and an

sj.constantine — Mon, 08 Dec 2014 11:51:07 GMT

i have inspect icmp and an acl permitting icmp both in and out on the outside interface.

still no good.

The ACL on the outside

Karsten Iwen — Mon, 08 Dec 2014 11:59:17 GMT

The ACL on the outside interface is not needed any more if icmp is inspected.

Please show your config
Double-check the ip settings of the internal PC that you use for your tests.
Has your external router a route back to the ASAs internal network?

i am pinging from the ASA

sj.constantine — Mon, 08 Dec 2014 13:37:03 GMT

i am pinging from the ASA itself, not the inside network.

interface Ethernet0/1
speed 100
duplex full
nameif outside
security-level 0
ip address 10.10.10.1 255.255.255.252
!
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit ip any any
!
access-group 101 in interface outside
access-group 101 out interface outside
!
route outside 0.0.0.0 0.0.0.0 10.10.10.2 1
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
!
service-policy global_policy global
!

asa5510# ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

You originally stated that

Karsten Iwen — Mon, 08 Dec 2014 14:05:24 GMT

You originally stated that you try to ping through the ASA. Now you are pinging from the ASA. But ok ...

After pinging do a "show arp | i 10.10.10.2". You should see an entry there which means that you can reach that device. Most likely, icmp is blocked on the 10.10.10.2 device. Continue troubleshooting there.

Argh, my bad - sorry!Doesn't

sj.constantine — Mon, 08 Dec 2014 14:11:13 GMT

Argh, my bad - sorry!

Doesn't show up in the ARP table

asa5510# sh arp
mgmt 172.17.240.65 000b.45e2.484a 44

ICMP isn't blocked on the gateway (10.10.10.2) as when I address my switch as 10.10.10.1, I can ping the gateway/anything on the internet. It's only when I address the ASA that I can't ping/reach the internet.

The switchports are access ports in the same vlan without any other config - towards the internet and towards the ASA. They should be passing traffic without any restrictions.

When you don't see an arp

Karsten Iwen — Mon, 08 Dec 2014 14:38:32 GMT

When you don't see an arp entry, then the gateway doesn't talk to your ASA.

Please try to unplug the outside interface and the gateway from the switch before testing. It could be that old arp-entries prohibit the communication.

Since you have the switch as

Marius Gunnerud — Mon, 08 Dec 2014 19:38:55 GMT

Since you have the switch as the default route for the ASA, are you able to ping the internet from the switch? Have you defined a default route on the switch?

Please remember to select a correct answer and rate helpful posts