5505 - no Internet access from inside interface [resolved]

tbrendle — Tue, 12 Mar 2019 02:02:47 GMT

I can't believe this is stumping me and I know the answer will result in a major face-palm, but I'm getting dizzy from running in circles... This is as basic as it gets and from everything I've read, this config should work as is (without requiring access-list to surf from inside vlan). Packet-tracer shows DROP from implicit rule, but I can't figure out why since it's traffic from a low to high security level....

Issue:

Unable to route from inside vlan to outside/internet

Physical Setup (from LANs to Internet):

ASA5505 Eth0/0 to Soho Router(w/ wireless).

Soho Router to ISP modem.

Logical:

Soho Router:

Wan IP: x.x.x.x

LAN IP: 192.168.2.x /24 [dhcp range 1-128].

ASA Config:

ASA Version 8.4(6)
!
hostname HOME-LAB
enable password QgAPCjD3jLFbKB5Z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan10
nameif outside
security-level 0
ip address 192.168.2.254 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
ftp mode passive
object network inside-net
subnet 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-net
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

! ----- output ommitted -----!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global

============

Packet-tracer:

HOME-LAB# packet-tracer input inside icmp 10.2.2.1 0 0 1 192.168.2.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.0 255.255.255.0 outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

=======================

Thanks in advance for your time!

5505 - no Internet access from inside interface

tbrendle — Tue, 25 Jun 2013 22:42:07 GMT

Added notes: outside route works fine, and NAT appears to be properly configured...

---- output -----

HOME-LAB# sh nat trans int outside det

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic inside-net interface

translate_hits = 1366, untranslate_hits = 0

Source - Origin: 10.2.2.0/24, Translated: 192.168.2.254/24

HOME-LAB# ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms

5505 - no Internet access from inside interface

tbrendle — Wed, 26 Jun 2013 01:28:05 GMT

Config issue resolved....

For some reason it didn't like my nat statement:

Was within the object group 'inside-net':

nat (inside,outside) dynamic interface

Changed to:

nat (inside,outside) source dynamic inside-net interface

topic 5505 - no Internet access from inside interface in Network Security

5505 - no Internet access from inside interface [resolved]

5505 - no Internet access from inside interface

5505 - no Internet access from inside interface