https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808208#M493151 <HTML><HEAD></HEAD><BODY><P>I am not very confortable with cli commands. I use adsm to configure my firewall. Everything is working fine on my firewall. All my rules are working fine. The only thing missing is any of my PCs or laptops which are in the same network are not able to browse internet with the default gateway of my firewall.</P><P></P><P>Default route on outside interface is 0.0.0.0 0.0.0.0 124.153.85.235</P></BODY></HTML> Wed, 16 Nov 2011 08:53:09 GMT naushad_khan 2011-11-16T08:53:09Z https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808206#M493144 <P>What should i do on my Cisco ASA 5505 firewall to grant access to my network systems to access internet via gateway. I use ASDM to configure the firewall.</P> Mon, 11 Mar 2019 21:51:28 GMT https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808206#M493144 naushad_khan 2019-03-11T21:51:28Z https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808207#M493148 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>1)configure a default route on Outside interface. the CLI command is route outside&nbsp; 0.0.0.0 0.0.0.0 x.x.x.x&nbsp; where x.x.x.x is the next-hop IP.</P><P>2) configure NAT but the syntax differs since 8.3 OS</P><P>3) configure ICMP inspection if you want&nbsp; ping replies from outside to get to inside hosts</P><P></P><P>I think It's better you post your config: show run and we will tell you what's missing.</P><P></P><P>Regards.</P><P></P><P>Alain.</P></BODY></HTML> Wed, 16 Nov 2011 08:41:07 GMT https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808207#M493148 cadet alain 2011-11-16T08:41:07Z https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808208#M493151 <HTML><HEAD></HEAD><BODY><P>I am not very confortable with cli commands. I use adsm to configure my firewall. Everything is working fine on my firewall. All my rules are working fine. The only thing missing is any of my PCs or laptops which are in the same network are not able to browse internet with the default gateway of my firewall.</P><P></P><P>Default route on outside interface is 0.0.0.0 0.0.0.0 124.153.85.235</P></BODY></HTML> Wed, 16 Nov 2011 08:53:09 GMT https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808208#M493151 naushad_khan 2011-11-16T08:53:09Z https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808209#M493154 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I'm not a big fan of GUIs&nbsp; but you can paste CLI configs into the ASDM if my memory is good.</P><P>So pasting show run would give us the config and we could look at it to see if it's ok.</P><P>Second step would be to perform a packet-tracer and post result here.</P><P>here's a video that demonstrates the feature: <A href="http://www.youtube.com/watch?v=T9G5FKItoyw">http://www.youtube.com/watch?v=T9G5FKItoyw</A></P><P></P><P>Regards.</P><P></P><P>Alain</P></BODY></HTML> Wed, 16 Nov 2011 08:59:57 GMT https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808209#M493154 cadet alain 2011-11-16T08:59:57Z https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808210#M493156 <HTML><HEAD></HEAD><BODY><P>Result of the command: "show run"</P><P></P><P>: Saved</P><P>:</P><P>ASA Version 8.2(1) </P><P>!</P><P>hostname OCTOPUS-FIREWALL</P><P>names</P><P>!</P><P>interface Vlan1</P><P>description "***Connection on Inside port ETH 0/1***"</P><P>nameif Inside</P><P>security-level 100</P><P>ip address 10.100.1.1 255.255.255.0 </P><P>!</P><P>interface Vlan2</P><P>description "***Uplink connection on Outside Port ETH0/0***"</P><P>nameif Outside</P><P>security-level 0</P><P>ip address 124.153.82.50 255.255.255.248 </P><P>!</P><P>interface Vlan3</P><P>description "connected_on_192.168.1.x"</P><P>no nameif</P><P>no security-level</P><P>ip address 192.168.1.1 255.255.255.0 </P><P>!</P><P>interface Ethernet0/0</P><P>switchport access vlan 2</P><P>speed 100</P><P>duplex full</P><P>!</P><P>interface Ethernet0/1</P><P>!</P><P>interface Ethernet0/2</P><P>!</P><P>interface Ethernet0/3</P><P>!</P><P>interface Ethernet0/4</P><P>!</P><P>interface Ethernet0/5</P><P>!</P><P>interface Ethernet0/6</P><P>!</P><P>interface Ethernet0/7</P><P>!</P><P>boot system disk0:/asa821-k8.bin</P><P>ftp mode passive</P><P>clock timezone IST 5 30</P><P>dns domain-lookup Inside</P><P>dns domain-lookup Outside</P><P>dns server-group DefaultDNS</P><P>name-server 124.153.69.80</P><P>name-server 124.153.69.15</P><P>object-group network Netmagic_Monitor_Group</P><P>network-object host 124.153.69.124</P><P>network-object host 124.153.69.121</P><P>network-object host 124.153.69.123</P><P>network-object host 123.108.39.124</P><P>network-object host 124.153.99.124</P><P>network-object host 180.179.39.124</P><P>network-object host 124.153.69.203</P><P>network-object host 124.153.69.204</P><P>object-group network Netmagic_Network_Group</P><P>network-object host 124.153.99.242</P><P>network-object host 123.108.39.242</P><P>network-object host 124.153.69.242</P><P>network-object host 180.179.39.242</P><P>network-object host 202.87.39.242</P><P>object-group service 7070 tcp</P><P>port-object eq 7070</P><P>access-list 101 extended permit tcp any host 124.153.85.175 eq 8085 </P><P>access-list 101 extended deny ip host 204.152.184.139 any </P><P>access-list 101 extended deny ip host 58.63.237.42 any </P><P>access-list 101 extended deny ip host 58.252.208.131 any </P><P>access-list 101 extended permit ip object-group Netmagic_Network_Group any </P><P>access-list 101 extended deny ip host 60.250.122.226 any </P><P>access-list 101 extended permit ip object-group Netmagic_Monitor_Group any </P><P>access-list 101 extended deny ip host 121.254.71.105 any </P><P>access-list 101 extended permit tcp any host 124.153.85.232 eq ftp </P><P>access-list 101 extended permit tcp any host 124.153.85.232 eq 8085 </P><P>access-list 101 extended permit tcp any host 124.153.85.235 eq 8081 </P><P>access-list 101 extended permit tcp any host 124.153.85.233 eq www </P><P>access-list 101 extended permit tcp any host 124.153.85.233 eq 1433 </P><P>access-list 101 extended permit tcp any host 124.153.85.233 eq https </P><P>access-list 101 extended permit tcp any host 124.153.85.233 eq ftp </P><P>access-list 101 extended permit tcp any host 124.153.85.233 eq ssh </P><P>access-list 101 extended permit tcp any host 124.153.85.233 eq ftp-data </P><P>access-list 101 extended permit tcp any host 124.153.85.233 eq 59001 </P><P>access-list 101 extended permit tcp any host 124.153.85.172 eq 8085 </P><P>access-list 101 extended permit tcp any host 124.153.85.172 eq ftp </P><P>access-list 101 extended permit tcp any host 124.153.85.173 eq 8085 </P><P>access-list 101 extended permit tcp any host 124.153.85.173 range ftp-data ftp </P><P>access-list 101 extended permit tcp any host 124.153.85.174 eq www </P><P>access-list 101 extended permit tcp any host 124.153.82.53 eq 8085 </P><P>access-list 101 extended permit tcp any host 124.153.85.235 eq 8094 </P><P>access-list 101 extended permit tcp any host 124.153.85.234 eq 8080 </P><P>access-list 101 extended permit tcp any host 124.153.85.172 eq 7272 </P><P>access-list 101 extended permit icmp any host 124.153.85.173 </P><P>access-list 101 extended permit tcp any host 124.153.82.52 eq 8081 </P><P>access-list 101 extended permit icmp any host 124.153.85.235 </P><P>access-list 108 extended deny tcp any host 58.63.237.42 </P><P>access-list 108 extended deny udp any host 58.63.237.42 </P><P>access-list 108 extended deny udp any host 121.254.71.105 </P><P>access-list 108 extended deny udp any host 60.250.122.226 </P><P>access-list 108 extended deny tcp any host 121.254.71.105 </P><P>access-list 108 extended deny ip any host 61.157.96.8 </P><P>access-list 108 extended deny ip any host 58.252.208.131 </P><P>access-list 108 extended deny tcp any host 60.250.122.226 </P><P>access-list 108 extended permit ip any any </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.9 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.220 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.59 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.26 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.15 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.14 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.12 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.7 host 213.171.216.50 eq smtp </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.172 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.9 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.7 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.12 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.14 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.10 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.15 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.218 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.97 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.25 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.60 host 72.14.213.109 eq 465 </P><P>access-list octopusepat_82_54 extended permit tcp host 10.100.1.59 host 72.14.213.109 eq 465 </P><P>pager lines 24</P><P>logging enable</P><P>logging timestamp</P><P>logging trap critical</P><P>logging asdm informational</P><P>logging facility 18</P><P>logging host Outside 202.87.39.89</P><P>mtu Inside 1500</P><P>mtu Outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>asdm image disk0:/asdm-621.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>global (Outside) 1 124.153.82.54</P><P>nat (Inside) 1 access-list octopusepat_82_54</P><P>static (Inside,Outside) 124.153.85.232 10.100.1.5 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.85.234 10.100.1.38 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.85.233 10.100.1.120 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.85.173 10.100.1.2 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.82.53 10.100.1.98 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.85.174 10.100.1.11 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.85.172 10.100.1.100 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.85.175 10.100.1.52 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.85.235 10.100.1.55 netmask 255.255.255.255 </P><P>static (Inside,Outside) 124.153.82.52 10.100.1.10 netmask 255.255.255.255 </P><P>static (Outside,Inside) 124.153.82.50 10.100.1.1 netmask 255.255.255.255 </P><P>access-group 108 in interface Inside</P><P>access-group 101 in interface Outside</P><P>route Outside 0.0.0.0 0.0.0.0 124.153.82.49 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute</P><P>timeout tcp-proxy-reassembly 0:01:00</P><P>dynamic-access-policy-record DfltAccessPolicy</P><P>aaa authentication ssh console TACACS+ LOCAL</P><P>aaa authorization command LOCAL </P><P>http server enable</P><P>http 10.100.1.0 255.255.255.0 Inside</P><P>http 122.170.115.164 255.255.255.255 Outside</P><P>snmp-server host Outside 123.108.39.124 community chn2000</P><P>snmp-server host Outside 123.108.39.39 community chn2000</P><P>snmp-server host Outside 124.153.69.121 community chn2000</P><P>snmp-server host Outside 124.153.69.123 community chn2000</P><P>snmp-server host Outside 124.153.69.124 community chn2000</P><P>snmp-server host Outside 124.153.69.203 community chn2000</P><P>snmp-server host Outside 124.153.69.204 community chn2000</P><P>snmp-server host Outside 124.153.99.124 community chn2000</P><P>snmp-server host Outside 124.153.99.39 community chn2000</P><P>snmp-server host Outside 180.179.39.124 community chn2000</P><P>snmp-server host Outside 202.87.39.39 community chn2000</P><P>snmp-server host Outside 202.87.44.69 community chn2000</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server community *****</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>crypto ipsec security-association lifetime seconds 28800</P><P>crypto ipsec security-association lifetime kilobytes 4608000</P><P>crypto isakmp policy 5</P><P>authentication pre-share</P><P>encryption 3des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>crypto isakmp policy 10</P><P>authentication pre-share</P><P>encryption des</P><P>hash sha</P><P>group 2</P><P>lifetime 86400</P><P>telnet timeout 5</P><P>ssh 124.153.69.242 255.255.255.255 Outside</P><P>ssh 122.170.115.164 255.255.255.255 Outside</P><P>ssh timeout 5</P><P>console timeout 5</P><P></P><P>threat-detection basic-threat</P><P>threat-detection statistics port</P><P>threat-detection statistics protocol</P><P>threat-detection statistics access-list</P><P>no threat-detection statistics tcp-intercept</P><P>ntp authenticate</P><P>ntp trusted-key 1</P><P>webvpn</P><P>username cisco password miNpFGsdff.9QSZNEuyO encrypted</P><P>username netmagic password VWIMcRsCCdfr7Oc5YO encrypted</P><P>username netmagic attributes</P><P>service-type nas-prompt</P><P>!</P><P>class-map inspection_default</P><P>match default-inspection-traffic</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P>parameters</P><P>message-length maximum 512</P><P>policy-map global_policy</P><P>class inspection_default</P><P>inspect dns preset_dns_map </P><P>inspect ftp </P><P>inspect h323 h225 </P><P>inspect h323 ras </P><P>inspect netbios </P><P>inspect rsh </P><P>inspect rtsp </P><P>inspect skinny </P><P>inspect esmtp </P><P>inspect sqlnet </P><P>inspect sunrpc </P><P>inspect tftp </P><P>inspect sip </P><P>inspect xdmcp </P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context </P><P>Cryptochecksum:a08cd5d128fc909a8122b6d52a9cb19a</P><P>: end</P></BODY></HTML> Wed, 16 Nov 2011 09:06:44 GMT https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808210#M493156 naushad_khan 2011-11-16T09:06:44Z https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808211#M493157 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>1) why use policy NAT ?&nbsp;&nbsp;&nbsp; <EM>nat (Inside) 1 access-list octopusepat_82_54</EM></P><P> You're not permitting web traffic and dns traffic in this ACL so you won't be able to browse. you don't even permit icmp so you can't ping outside hosts.</P><P> 2) if you do just simple nat: nat(inside) 10.100.1.0 255.255.255.0&nbsp;&nbsp; in addition to policy NAT then you'll have to</P><P>&nbsp; -enable icmp inspection or</P><P>&nbsp; -apply an ACL inbound on outside to permit icmp replies</P><P>Cisco recommends doing the first one like this:</P><P></P><P><EM>policy-map global_policy</EM></P><P><EM>class inspection_default</EM></P><P><EM>inspect icmp </EM></P><P></P><P>Regards.</P><P></P><P>Alain</P></BODY></HTML> Wed, 16 Nov 2011 09:31:11 GMT https://community.cisco.com/t5/network-security/network-systems-cannot-access-internet/m-p/1808211#M493157 cadet alain 2011-11-16T09:31:11Z