topic Hi jumora:"traknerud" asks in Network Security

Setup ASA 5515x with internet connection

traknerud — Tue, 12 Mar 2019 03:10:57 GMT

I'm trying to figure out how to do a basic setup of our new ASA 5515x in a manner that will allow clients on the inside to access the internet.

I know the topic has been covered before in many post here, but I've read them all (all I could find anyway) tested their accepted solutions but without luck.

But given my ASA experience, which is zero, this could be my own fault.

I think the problem might be caused by the fact that internet is two hops away. The ASA is on a segment, which shares internet access with six other networks. So we got a NAT over NAT situation here. But this did not prevent our old linux based firewall from reaching the internet, so the obstacle should be possible to overcome.

The setup I'm trying to make work is as follows:

External IP XX.XX.XX.XX

ISP router - 192.168.3.1 (LAN side)

ASA5515x - 192.168.3.6 outside / 192.168.0.1 inside / 192.168.1.1 managment

The question is how to give clients on the inside of the ASA access to the internet in this situation?

I followed the setup wizard (yes, I'm using ASDM) to get the basics in place. No luck.

After reading about other ASA owners without internet I found a Cisco guide on how to give two internal networks internet access. Followed half the guide, since I only have one net on the inside. (Basicly all I did was create i new NAT rule to NAT all inside IPs when going outside). Still no internet, but after this I could ping the ISP router from clients inside which was a great improvement. Pinging 8.8.8.8 or 4.2.2.2 is however always failing.

I also experimented with ping and trace in ADSM. No rute to host is always the result when using 8.8.8.8. Using 192.168.3.1 will however work in one direction. I did notice that some traffic is blocked by ACL, but I'm not sure that is a problem. The ASA is in factory setting when it comes to access rules.

Any help or advice is very very welcome!

Setup ASA 5515x with internet connection

Jon Marshall — Fri, 29 Nov 2013 15:01:28 GMT

It sounds like you have NAT setup okay. What you need though is a default route on your ASA so it knows where to send internet packets to. Sorry i don't use ADSM but on the command line it would be -

route outside 0.0.0.0 0.0.0.0 192.168.3.1

Jon

Setup ASA 5515x with internet connection

jumora — Sat, 30 Nov 2013 05:22:49 GMT

Please post configuration, we need to know if the NAT rule is correct, if the routing is setup, if the interfaces are correctly setup, if the security level are also, the information that you have provided is useful but we need more.

Value our effort and rate the assistance!

Setup ASA 5515x with internet connection

traknerud — Sun, 01 Dec 2013 16:43:52 GMT

Jon, you're quite right.

I added a route for "everyone" inside (0.0.0.0) to the LAN IP of my ISP router, and voila. Even the ASA found a route to 8.8.8.8 ;o)

In my old firewall there was a factory defined default route that took care of this. Not really sure under which circumstances it would be useful NOT to route inside traffic outside, but I guess Cisco has their reasons.

Anyway, thanks for helping a n00b reach the www

I have the same situation but

Eurosigma — Thu, 22 May 2014 12:32:45 GMT

I have the same situation but with no NAT or access rules configured.

How should I configure those rules?

Thank you.

What rules?? Sorry can you

jumora — Thu, 22 May 2014 18:13:51 GMT

What rules?? Sorry can you post the complete question

Replied in Eurosigma's

Marvin Rhoads — Thu, 22 May 2014 18:27:56 GMT

Replied in Eurosigma's separate post:

https://supportforums.cisco.com/discussion/12211886/how-connect-internet-asa-5515-x

Hi jumora:"traknerud" asks

Eurosigma — Thu, 22 May 2014 20:06:41 GMT

Hi jumora:

"traknerud" asks what's wrong with his config. And Jon Marshall says that is NAT rules seems right but he is missing a default static route.

I do have a static route but i don't know how should I configure NAT, and I can't see traknerud's NAT configuration. That's why I ask about it.

I attached my "show run" output in case it helps.

email me your number at

jumora — Thu, 22 May 2014 22:12:29 GMT

email me your number at jumora@cisco.com or juanmh84@hotmail.com and we can talk things through and maybe help you out with the configuration.

Hello again: Like Marvin

Eurosigma — Fri, 23 May 2014 05:53:04 GMT

Hello again:

Like Marvin pointed out in a separate post, I DO reach the internet, it's just pings that are not allowed through.

Thank you.

enable

jumora — Fri, 23 May 2014 16:46:41 GMT

enable
config t
policy-map global_policy
 class inspection_default 
inspect icmp 
inspect icmp error

ASA/PIX/FWSM: Handling ICMP Pings and Traceroute

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/15246-31.html