topic Re: Internet connectivity issue with firewall in Network Security

Internet connectivity issue with firewall

jlight80911 — Mon, 11 Mar 2019 15:30:21 GMT

We recently had a T1 put in by qwest with them providing static ip address's and a qwest basic router. We are currently running a ASA 5505 behind the router, and a Linksys wireless router behind the ASA 5505.

The issue at hand is I went through the wizard to setup our firewall with the static IP address. Pretty basic figuring we just wanted to test it.

From the Firewall ASDM software I can ping websites, but from my PC I am not able to get out to the web.

The error I get is as follows

portmap translation creation failed for udp src inside:192.168.1.2/49286 dst outside:205.xyz.2.65/53

The 205 address is the DNS servers qwest has provided to us. So I am a little confussed why its going there and not our outside IP.

Here is my config, file.

interface Vlan1

nameif inside

security-level 50

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 65.xyz.153.146 255.255.255.248

interface Vlan3

shutdown

no forward interface Vlan1

nameif dmz

security-level 50

no ip address

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 205.xyz.3.65

name-server 205.xyz.2.65

domain-name default.domain.invalid

access-list VPN standard permit 192.168.1.0 255.255.255.0

access-list VPN standard permit 10.10.10.0 255.255.255.0

access-list outside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 65.xyz.153.145 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

dhcpd address 192.168.1.2-192.168.1.10 inside

dhcpd dns 205.xyz.3.65 205.xyz.2.65 interface inside

dhcpd enable inside

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

service-policy global_policy global

prompt hostname context

Re: Internet connectivity issue with firewall

Jon Marshall — Mon, 11 May 2009 19:16:00 GMT

You are not translating your internal addresses to routable addresses on the Internet. You have this in your config -

nat (inside) 1 0.0.0.0 0.0.0.0

you need a corresponding global statement. Add this to your config -

global (outside) 1 interface

Jon

Re: Internet connectivity issue with firewall

John Blakley — Mon, 11 May 2009 19:16:01 GMT

Two things:

1.) You may want to check with the provider to make sure they bridged the router that's in front of your ASA. If they didn't, you won't be able to get out 🙂

2.) You're missing "global (outside) 1 interface"

What the last line does is match up with your nat statement. The nat statement tells the ASA that anyone who arrives on the inside interface gets natted, but it doesn't have anything to nat to because you're missing the global statement.

HTH,

John

Re: Internet connectivity issue with firewall

John Blakley — Mon, 11 May 2009 19:16:49 GMT

I missed you by "that much" Jon 🙂

John

Re: Internet connectivity issue with firewall

Jon Marshall — Mon, 11 May 2009 19:18:51 GMT

At least we both gave the same advice 🙂

Re: Internet connectivity issue with firewall

John Blakley — Mon, 11 May 2009 19:24:12 GMT

LOL! Yeah, that's a plus 🙂

Re: Internet connectivity issue with firewall

jlight80911 — Mon, 11 May 2009 19:25:30 GMT

I completly overlooked that. Thank you for the quick reply everyone, I will go test it right now!

Thanks again!

Re: Internet connectivity issue with firewall

jlight80911 — Mon, 11 May 2009 19:55:03 GMT

Worked !!!

Thanks everyone!