topic ASA 5510 No Internet Connection on the inside Interface in Network Security

ASA 5510 No Internet Connection on the inside Interface

Philipp Hoeffker — Mon, 11 Mar 2019 22:09:57 GMT

Hi all,

so i have a ASA 5510.

The ASA is Connect with the Internet through PPOE DSL MODEM

The outside Interface get an IP

The Inside Interface get through DHCP from the ASA the Internet DNS SERVER (T-Online)

But the HOST do not connect to the Internet because the DNS Server is timed out

Here my Config:

ciscoasa> ena

Password: *******

ciscoasa# show run

: Saved

ASA Version 8.4(2)

hostname ciscoasa

enable password xxx

passwd xxx

names

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group T-Online

ip address pppoe setroute

interface Ethernet0/1

shutdown

no nameif

security-level 100

no ip address

interface Ethernet0/2

nameif inside

security-level 100

ip address 172.20.0.1 255.255.255.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 217.5.100.185

name-server 217.5.100.186

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list inside_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

<--- More --->

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

route outside 0.0.0.0 0.0.0.0 <ip of the outside interface> 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.20.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

<--- More --->

ssh timeout 5

console timeout 0

vpdn group T-Online request dialout pppoe

vpdn group T-Online localname <t-online username>

vpdn group T-Online ppp authentication pap

vpdn username <t-online username> password xxx

dhcpd address 172.20.0.100-172.20.0.200 inside

dhcpd dns 217.5.100.185 217.5.100.186 interface inside

dhcpd enable inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

<--- More --->

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b28f45c98568fb8d01293cf71256fa82

<--- More --->

: end

ciscoasa#

I Think this must be a NAT/ACL Problem but when i configure nat the same Problem still exists

CAn someone Help me ?

ASA 5510 No Internet Connection on the inside Interface

varrao — Wed, 04 Jan 2012 16:26:57 GMT

Hi Philipp,

It definitely seems to be a NAT issue, you would need to add this:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

If it still does not work, please reboot the modem and the ASA once and then check again.\

Hope that helps,

Thanks,

Varun

ASA 5510 No Internet Connection on the inside Interface

mvsheik123 — Wed, 04 Jan 2012 17:03:41 GMT

Hi Varun,

I guess you oversighted that ASA version is 8.4 :-).

Philipp,

For the new version try this...

object network obj_any

subnet 0.0.0.0 0.0.0.0 --> You can replace 0/0 with your internal subnet.
nat (inside,outside) dynamic interface

For more information on pre/post 8.3 syntax changes, refer the below link...

https://supportforums.cisco.com/docs/DOC-9129

hth

ASA 5510 No Internet Connection on the inside Interface

varrao — Wed, 04 Jan 2012 17:37:25 GMT

Oh yess, definitely, thanks. I jsut didnt see any nat statement in there, n might have overlooked the one you specified

Cheers,

Varun

Re: ASA 5510 No Internet Connection on the inside Interface

Philipp Hoeffker — Thu, 05 Jan 2012 09:14:43 GMT

OK i see it 🙂

But when i config this the Problem still exist 😞

New Config:

iscoasa# show run

: Saved

ASA Version 8.4(2)

hostname ciscoasa

enable password xxx

passwd xxx

names

interface Ethernet0/0

nameif outside

security-level 0

pppoe client vpdn group T-Online

ip address pppoe setroute

interface Ethernet0/1

shutdown

no nameif

security-level 100

no ip address

interface Ethernet0/2

nameif inside

security-level 100

ip address 172.20.0.1 255.255.0.0

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

dns domain-lookup inside

dns server-group DefaultDNS

name-server 217.5.100.185

name-server 217.5.100.186

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network Testpc

host 172.20.100.1

access-list inside_in extended permit ip any interface outside

access-list inside_access_in extended permit ip 172.20.0.0 255.255.0.0 interface outside

access-list inside_access_in extended permit ip object Testpc interface outside

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

object network obj_any

nat (inside,outside) dynamic interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 87.139.227.44 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 172.20.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn group T-Online request dialout pppoe

vpdn group T-Online localname

vpdn group T-Online ppp authentication pap

vpdn username password xxx

dhcpd address 172.20.100.1-172.20.100.200 inside

dhcpd enable inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3b1058e17ecd9f9dd895841e0cdf9688

: end

ciscoasa#

The new acls are a try to solve this output from the ASDM Logging:

443 Deny TCP (no connection) from 172.20.100.1/50142 to 172.20.0.1/443 flags FIN ACK on interface inside

Update:

I have remove the acls so that only "Lower Interface" rule is working

It seems that the connection to the DNS Server is established but than theconnection is closed with "Teardown" befor the information is transmittet.

All packets are translatet but is not working

Log Entrys:

217.100.5.185| 53|172.20.100.1 |63320|Teardown UDP connection 1552 for outside:217.100.5.185/53 to inside:172.20.100.1/63320 duration 0:02:07 bytes 129

217.100.5.186| 53|172.20.100.1 |63320|Teardown UDP connection 1551 for outside:217.100.5.186/53 to inside:172.20.100.1/63320 duration 0:02:08 bytes 172

172.20.100.1 |54829|217.100.5.186| 53|Built outbound UDP connection 1562 for outside:217.100.5.186/53 (217.100.5.186/53) to inside:172.20.100.1/54829 (ISP given IP/29049)

172.20.100.1 |54829|217.100.5.185| 53|Built outbound UDP connection 1561 for outside:217.100.5.185/53 (217.100.5.185/53) to inside:172.20.100.1/54829 (ISP given IP/29049)

172.20.100.1 |54829|87.139.227.44|29049|Built dynamic UDP translation from inside:172.20.100.1/54829 to ISP given IP/29049

Re: ASA 5510 No Internet Connection on the inside Interface

Philipp Hoeffker — Thu, 05 Jan 2012 15:58:19 GMT

Update:

The Problem is caused @ the outside Interface

Incomming Packtes ar droped through an outside acl.

The packet flows is broken @ an acl from the outside to the inside

When i openthe wall the nat drop the packet -.........

Re: ASA 5510 No Internet Connection on the inside Interface

Julio Carvajal — Thu, 05 Jan 2012 17:17:38 GMT

Hello Philiopp,

Please add the following access-list

access-list inside_in line 1 permit ip any any

Then provide me the following outputs:

- packet-tracer input inside tcp 172.20.1.15 1025 4.2.2.2 80

- fixup protocol icmp

-Try to ping from the PC 87.139.227.44 and let me know the result

-Ping for the ASA to 4.2.2.2

Regards,

Re: ASA 5510 No Internet Connection on the inside Interface

Philipp Hoeffker — Fri, 06 Jan 2012 08:52:01 GMT

Thanks ,

here the Output you need:

ciscoasa(config)#packet-tracer input inside Tcp 172.10.1.15 1025 4.2.2.2 80

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 3

Type: NAT

Subtype:

Result: ALLOW

Config:

object network obj_any

nat (inside,outside) dynamic interface

Additional Information:

Dynamic translate 172.10.1.15/1025 to 87.139.227.44/22793

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 294, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

ciscoasa(config)# ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 60/68/70 ms

ciscoasa(config)#

-----------------------------------------------------------------------------

Ping from PC:

Microsoft Windows [Version 6.1.7601]

C:\Users\Technik>ping 87.139.227.44

Ping wird ausgeführt für 87.139.227.44 mit 32 Bytes Daten:

Zeitüberschreitung der Anforderung.

Ping-Statistik für 87.139.227.44:

Pakete: Gesendet = 4, Empfangen = 0, Verloren = 4

(100% Verlust),

C:\Users\Technik>

Re: ASA 5510 No Internet Connection on the inside Interface

Julio Carvajal — Fri, 06 Jan 2012 17:39:36 GMT

So the ASA does have internet connectivity..

Did you add the command fixup protocol ICMP??

Re: ASA 5510 No Internet Connection on the inside Interface

Philipp Hoeffker — Sat, 07 Jan 2012 16:19:31 GMT

Yes, i have enter this command but nothing chnage. I have activate vpn over ssl as a test, it works fine but the inside host has no connection to the outside.

ASA 5510 No Internet Connection on the inside Interface

mvsheik123 — Sat, 07 Jan 2012 16:47:31 GMT

The new config you posted- ASA missing DNS IPs for hosts.

dhcpd dns 217.5.100.185 217.5.100.186 interface inside --> Add this to ASA

Also, remove access-group inside_access_in in interface inside (you add later if required)

Try with this and see how it goes. If any issues, try to browse using IP instead of DNS name.

Thx