ASA 5510 no internet access

sandman42
Level 1

Hi,

I have this configuration on a brand new 5510 with software 8.4.1:

ASA Version 8.4(4)1
!
hostname ciscoasa
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address <PUBLIC_IP_ROUTER+2> 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.251 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list global_access extended permit tcp 192.168.3.0 255.255.255.0 any eq https
access-list global_access extended permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list global_access extended permit object-group TCPUDP 192.168.3.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit object-group TCPUDP 192.168.3.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit tcp 192.168.3.0 255.255.255.0 any eq www
access-list inside_access_in extended permit tcp 192.168.3.0 255.255.255.0 any eq https
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group global_access global
route inside 0.0.0.0 0.0.0.0 <PUBLIC_IP_ROUTER> 1

My problem is that I cannot get to the internet (i.e. surf a web site). I have 8 public IPs, from <PUBLIC_IP_ROUTER> -1 to <PUBLIC_IP_ROUTER> +7: with a firewall running version 8.2 on the same public IP I can access the internet, but with this one there is no way.

I suspect a NAT problem, since it has changed a lot, but I don't know how to debug it / what's wrong.

Can you help me please?

Thanks in advance.

Ciao

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

You have the wrong interface specified in the Default Route

no route inside 0.0.0.0 0.0.0.0 1

Use this instead

route outside 0.0.0.0 0.0.0.0 1

- Jouni



You're right (I'm a chump!) but still no way.

Any hint?

BTW

I have an 8.2 NAT that says (and works):

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

This should translate into 8.4.1 as:

object network OBJ_GENERIC_ALL

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic OBJ_GENERIC_ALL

but this gives me an error with the caret pointing to the "d" of "dynamic".

What's wrong???

Ciao and thanks

Hi,

You basically already had a Dynamic PAT configuration in the above configuration:

nat (inside,outside) after-auto source dynamic any interface

This should do Dynamic PAT for "any" source address behind "inside" interface.

There is also a problem with your above example.

You are trying to use the "object" you just created as the "object" that defines the NAT IP address.

I would suggest using the already existing NAT configuration:

nat (inside,outside) after-auto source dynamic any interface

One other thing comes to mind though. Are you saying that you have an older firewall that you have replaced with this one, OR are we talking about the same device with newer software?

If we are talking about a different device completely, THEN you should take into consideration that while your public IP address stays the same, the change in the actual physical device holding the public IP address causes a change to the ARP mapping (IP paired to the device MAC address), and it might be that the upstream router still has the old device's MAC address in its ARP table.

If this is the case, you do have the option to configure the old firewall's WAN port MAC address (shown with the "show interface" command) on the new firewall's WAN port and this way avoid any problems with ARP.

- Jouni
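A way to catch the two configuration faults discussed in this thread (the default route on the wrong interface from the accepted answer, and the missing or self-referencing inside-to-outside NAT from the reply above) before touching the box, as an added example that is not part of the original posts: a small Python linter that parses the poster's configuration, reconstructed inline with the redacted public block assumed to be 203.0.113.0/29 (router .1, firewall outside .3) and the management interface left out, and reports a default route that exits via a non-zero security-level interface or whose gateway is not on that interface's subnet, a missing inside-to-outside dynamic NAT/PAT, and an object NAT that names its own object as the mapped address (the 8.2-to-8.4 translation error the poster hit). The function names, sample configs and addresses are all this example's own assumptions, not Cisco's.

```python
# Added example (not code from the original post): lint an ASA 8.4-style config for the faults in this thread.
import ipaddress
import re

# Constructed copy of the relevant lines of the poster's config (management interface omitted).
# Assumption: the redacted public block is 203.0.113.0/29, router .1, firewall outside .3.
POSTED_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.3.251 255.255.255.0
!
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
nat (inside,outside) after-auto source dynamic any interface
route inside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
# The accepted fix: the default route moved to the outside interface.
FIXED_CONFIG = POSTED_CONFIG.replace("route inside 0.0.0.0", "route outside 0.0.0.0")
# The poster's failed 8.2 -> 8.4 translation: an object NAT (indented under the object block)
# that names its own object as the mapped address, instead of 'dynamic interface'.
SELF_REF_CONFIG = FIXED_CONFIG.replace("nat (inside,outside) after-auto source dynamic any interface",
                                       " nat (inside,outside) dynamic OBJ_GENERIC_ALL")

NAT_RE = re.compile(r"nat \(([^,]+),([^)]+)\)")

def parse_config(text):
    """Return (interfaces, routes, nats): nameif -> dict, (nameif, net, mask, gw) tuples,
    and (src_if, dst_if, tokens, enclosing object or None) tuples."""
    interfaces, routes, nats = {}, [], []
    intf = obj = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if raw.startswith(" "):                    # sub-command of the open interface/object block
            if intf is not None:
                if tok[0] == "nameif":
                    interfaces[tok[1]] = intf
                elif tok[0] == "security-level":
                    intf["sec"] = int(tok[1])
                elif tok[:2] == ["ip", "address"]:
                    intf["ip"], intf["mask"] = tok[2], tok[3]
            elif obj is not None and tok[0] == "nat":   # object (auto) NAT
                m = NAT_RE.match(raw.strip())
                nats.append((m.group(1), m.group(2), tok, obj))
            continue
        intf = obj = None                          # any top-level line closes the open block
        if tok[0] == "interface":
            intf = {"sec": -1, "ip": "", "mask": ""}
        elif tok[:2] == ["object", "network"]:
            obj = tok[2]
        elif tok[0] == "route":                    # route <nameif> <net> <mask> <gw> [metric]
            routes.append((tok[1], tok[2], tok[3], tok[4]))
        elif tok[0] == "nat":                      # twice (manual) NAT
            m = NAT_RE.match(raw)
            nats.append((m.group(1), m.group(2), tok, None))
    return interfaces, routes, nats

def check_default_route(interfaces, routes):
    """Findings about the default route; an empty list means it looks sane."""
    defaults = [r for r in routes if r[1] == r[2] == "0.0.0.0"]
    if not defaults:
        return ["no default route configured"]
    findings = []
    for nameif, _, _, gw in defaults:
        intf = interfaces[nameif]
        if intf["sec"] != 0:    # the upstream router sits behind the security-level 0 interface
            findings.append(f"default route exits via '{nameif}' (security-level {intf['sec']}), not the security-level 0 interface")
        subnet = ipaddress.ip_network(f"{intf['ip']}/{intf['mask']}", strict=False)
        if ipaddress.ip_address(gw) not in subnet:
            findings.append(f"gateway {gw} is not on the '{nameif}' subnet {subnet}")
    return findings

def check_nat(interfaces, nats):
    """Findings about inside->outside translation; an empty list means a usable dynamic NAT/PAT exists."""
    findings, usable = [], []
    for src, dst, tok, obj in nats:
        if obj is not None and tok[-1] == obj:     # 'nat (a,b) dynamic OBJ' written inside 'object network OBJ'
            findings.append(f"object NAT in '{obj}' maps the object to itself; use 'nat ({src},{dst}) dynamic interface' or a separate mapped object")
        else:
            usable.append((src, dst, tok))
    outside = [n for n, i in interfaces.items() if i["sec"] == 0]
    inside = [n for n, i in interfaces.items() if i["sec"] > 0]
    for i in inside:
        for o in outside:
            if not any(s == i and d == o and "dynamic" in t for s, d, t in usable):
                findings.append(f"no dynamic NAT/PAT from '{i}' to '{o}'")
    return findings

if __name__ == "__main__":
    for label, text in ("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG), ("self-ref", SELF_REF_CONFIG):
        i, r, n = parse_config(text)
        print(label, check_default_route(i, r) + check_nat(i, n) or ["ok"])
```

On the ASA itself the same questions are answered by `show route` and `show nat`, and by `packet-tracer input inside tcp 192.168.3.10 1025 198.51.100.10 80`, which walks a synthetic packet through the route lookup, NAT and ACL phases and names the phase that drops it. The stale-ARP point in the reply above lives on the upstream router, not in this config, so a config check like this one cannot see it.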

My mistake. It works.

Thanks!!!!
