ASA 5512x No Internet Connectivity

gonzalez.ge.1
Level 1

All,

I am updating my 8.2(3) code for my new ASA5512 that is running 8.6(1) and am unable to get on the internet with my current configuration from the inside interface.

Information:
Outside: ***.***.33.11
Gateway: ***.***.32.9
Inside: 192.168.215.0 /24
dhcp 215.100 - 150

This should be VERY SIMPLE, yet the new NATting is killing me. PLEASE HELP.

Thanks,

Greg

: Saved
:
ASA Version 8.6(1)
!
hostname ny2firewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name ***.***.***.11 ny5_ext_ip
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address ny5_ext_ip 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.215.254 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
object network ny2_net
 subnet 192.168.215.0 255.255.255.0
object network ny2_ext_net
 host ***.***.33.11
object network any_net
 subnet 0.0.0.0 0.0.0.0
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp object ny2_net any
access-list outside_access_in extended permit icmp object ny2_net any
access-list outside_access_in extended permit ip object ny2_net any
access-list outside_access_in extended permit icmp any any echo-reply
access-list global_access extended permit ip any any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
!
object network any_net
 nat (inside,outside) dynamic interface
!
access-group outside_access_in in interface outside
access-group inside_access_out in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 ***.***.32.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd lease 691200
dhcpd ping_timeout 750
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.215.100-192.168.215.150 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8236e2edc179e205969fb9f5205b154d
: end
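Added example (not part of the thread, and not Cisco tooling): a small Python lint over a constructed excerpt of the configuration posted above. It performs the three checks a reviewer would make first on a config like this one: that each static route's next hop sits inside the egress interface's connected subnet (with the posted values, outside ***.***.33.11 /24 and gateway ***.***.32.9, the gateway falls outside the outside interface's /24, so the ASA has nothing to ARP for), that no `permit ip any any` is bound inbound on the lowest-security interface or as the global ACL, and that some `nat (inside,outside)` rule exists. Two assumptions were made so the code can run: the obfuscated `***.***` prefix is written as `10.0`, and the `ny5_ext_ip` name is replaced by its address.

```python
"""Static sanity checks for the posted ASA 8.6 config (added example, not the thread's own)."""
import ipaddress
import re

# Constructed excerpt of the first config in the thread. The obfuscated public
# prefix ***.*** is replaced by 10.0 (assumption) so that the visible third
# octets, 33 for the outside address and 32 for the gateway, are preserved.
ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.33.11 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.215.254 255.255.255.0
object network any_net
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list global_access extended permit ip any any
object network any_net
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.0.32.9 1
"""


def parse_config(text):
    """Pull out what the checks need: interfaces, ACLs, ACL bindings, NAT pairs, routes."""
    cfg = {"ifaces": {}, "acls": {}, "groups": [], "nat": set(), "routes": []}
    iface = None  # nameif of the interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            iface = None  # any top-level command ends an interface block
        if m := re.match(r"nameif (\S+)$", line):
            iface = m.group(1)
            cfg["ifaces"][iface] = {"sec": None, "net": None}
        elif m := re.match(r"security-level (\d+)$", line):
            if iface:
                cfg["ifaces"][iface]["sec"] = int(m.group(1))
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            if iface:
                cfg["ifaces"][iface]["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"access-list (\S+) extended (.+)$", line):
            cfg["acls"].setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"access-group (\S+) (?:in|out) interface (\S+)$", line):
            cfg["groups"].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-group (\S+) global$", line):
            cfg["groups"].append((m.group(1), "global"))
        elif m := re.match(r"nat \((\S+),(\S+)\)", line):   # object NAT or twice NAT
            cfg["nat"].add((m.group(1), m.group(2)))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            cfg["routes"].append(m.groups())
    return cfg


def check_next_hops(cfg):
    """A static route's next hop must lie in the egress interface's connected
    subnet; otherwise the ASA has nothing to ARP for and frames never leave."""
    findings = []
    for iface, dest, mask, nh in cfg["routes"]:
        net = cfg["ifaces"].get(iface, {}).get("net")
        if net and ipaddress.ip_address(nh) not in net.network:
            findings.append(f"route {dest} {mask} via {nh}: next hop not in {iface} "
                            f"subnet {net.network}; the ASA cannot ARP for it")
    return findings


def check_open_inbound(cfg):
    """Flag 'permit ip any any' bound inbound on the lowest-security interface or
    globally: the ACL then filters nothing that arrives from the untrusted side."""
    secs = [i["sec"] for i in cfg["ifaces"].values() if i["sec"] is not None]
    lowest = min(secs) if secs else 0
    findings = []
    for acl, where in cfg["groups"]:
        if where != "global" and cfg["ifaces"].get(where, {}).get("sec") != lowest:
            continue
        for entry in cfg["acls"].get(acl, []):
            if entry == "permit ip any any":
                findings.append(f"{acl} bound on {where}: 'permit ip any any'")
    return findings


def check_nat(cfg, src="inside", dst="outside"):
    """Outbound traffic needs a translation from src to dst (object NAT or twice NAT)."""
    return [] if (src, dst) in cfg["nat"] else [f"no nat ({src},{dst}) rule"]


def lint(text):
    cfg = parse_config(text)
    return check_next_hops(cfg) + check_open_inbound(cfg) + check_nat(cfg)


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG):
        print(finding)
```

On the posted values the route check fires and the NAT check passes, which matches what the thread goes on to observe: translations are built, but the default gateway never appears in the outside ARP table. Whether the outside mask or the gateway address is the wrong one cannot be told from the post; the check only shows that the two do not agree. The `permit ip any any` findings are unrelated to the outage but are the first thing to tighten once traffic flows.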

6 Replies

Julio Carvajal
VIP Alumni

Hello,

Can you ping 4.2.2.2 from the ASA?

Add the following:

object network any_net
 no nat (inside,outside) dynamic interface
 exit
nat (inside,outside) source dynamic any interface

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I added the code without success.

No, I have tried a ping to 8.8.8.8 as well as the gateway.

Greg

Gonzalo,

Hola, the fact that you cannot ping is probably because of this:

icmp permit any inside

There is an implicit deny under that, meaning it will block any icmp messages on the outside interface.

Do the following,

clear configure icmp

show arp (make sure that the next-hop MAC address is there)

Remove these (not because it is necessary, but because they bug me a lot):

-access-group inside_access_out in interface inside

-access-group global_access global

Try to ping the next hop again

Gather show xlate

After that is done, run a packet tracer like:

packet-tracer input inside tcp 192.168.214.2 1025 4.2.2.2 eq 80

And give us the result.

Mike

I am still unable to get outside/inside.

Here are the results:

ny2firewall(config)# show arp
        inside 192.168.215.25 001a.a0d6.cbc6 512

**NOTE** I do not see "outside ***.***.32.9" in the arp table.

ny2firewall(config)# show xlate
6 in use, 19 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
UDP PAT from inside:192.168.215.25/59850 to outside:ny5_ext_ip/26037 flags ri idle 0:00:12 timeout 0:00:30
UDP PAT from inside:192.168.215.25/60122 to outside:ny5_ext_ip/64136 flags ri idle 0:00:53 timeout 0:00:30
UDP PAT from inside:192.168.215.25/64096 to outside:ny5_ext_ip/15047 flags ri idle 0:01:08 timeout 0:00:30
UDP PAT from inside:192.168.215.25/64493 to outside:ny5_ext_ip/59554 flags ri idle 0:01:21 timeout 0:00:30
UDP PAT from inside:192.168.215.25/64512 to outside:ny5_ext_ip/64777 flags ri idle 0:01:23 timeout 0:00:30
UDP PAT from inside:192.168.215.25/59848 to outside:ny5_ext_ip/59052 flags ri idle 0:00:22 timeout 0:00:30

ny2firewall(config)# packet-tracer input inside tcp 192.168.215.2 1024 4.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Dynamic translate 192.168.215.2/1024 to ny5_ext_ip/14703

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1314, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

My current running-config:

ASA Version 8.6(1)
!
hostname ny2firewall
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name xxx.xxx.33.12 ny5_ext_ip
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address ny5_ext_ip 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.215.254 255.255.255.0
!
interface GigabitEthernet0/2
 nameif registers
 security-level 50
 ip address 10.10.20.254 255.255.255.0
!
interface GigabitEthernet0/3
 nameif touchscreens
 security-level 50
 ip address 10.10.21.254 255.255.255.0
!
interface GigabitEthernet0/4
 nameif reservations
 security-level 50
 ip address 10.10.22.254 255.255.255.0
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif manage
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
object network ny2_net
 subnet 192.168.215.0 255.255.255.0
object network ny2_ext_net
 host xxx.xxx.33.11
object network any_net
 subnet 0.0.0.0 0.0.0.0
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp object ny2_net any
access-list outside_access_in extended permit icmp object ny2_net any
access-list outside_access_in extended permit ip object ny2_net any
access-list outside_access_in extended permit icmp any any echo-reply
access-list global_access extended permit ip any any
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu registers 1500
mtu touchscreens 1500
mtu reservations 1500
mtu manage 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.32.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 manage
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd lease 691200
dhcpd ping_timeout 750
!
dhcpd address 192.168.215.100-192.168.215.150 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd enable inside
!
dhcpd address 10.10.20.100-10.10.20.150 registers
dhcpd dns 192.168.215.25 interface registers
dhcpd enable registers
!
dhcpd address 10.10.21.100-10.10.21.150 touchscreens
dhcpd dns 192.168.215.50 interface touchscreens
dhcpd enable touchscreens
!
dhcpd address 10.10.22.100-10.10.22.150 reservations
dhcpd dns 192.168.215.25 interface reservations
dhcpd enable reservations
!
dhcpd address 192.168.1.2-192.168.1.254 manage
dhcpd enable manage
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:8dd4091e0e87fc4a0508430098cc7ef8
: end
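Added example (not from the thread): a Python triage helper that parses the three outputs posted above, `show arp`, `show xlate` and `packet-tracer`, and applies the reasoning the replies walk through. A packet-tracer `Action: allow` with every phase at `ALLOW` proves route lookup, ACL, NAT and flow creation are fine, live xlates prove the translation is really being used, and packet-tracer does not test whether the next hop can be ARPed, so a missing ARP entry for the default gateway on the outside interface moves the problem to layer 2 or the ISP hand-off. The sample strings are constructed from the posted output, trimmed to the lines the parser uses; the obfuscated gateway `***.***.32.9` is written as `10.0.32.9`, which is an assumption.

```python
"""Triage of ASA show/packet-tracer output (added example, not the thread's own)."""
import re

# Constructed from the outputs posted in the thread. The obfuscated default
# gateway ***.***.32.9 is written as 10.0.32.9 (assumption).
NEXT_HOP = "10.0.32.9"
EGRESS = "outside"
INSIDE = "inside"

SHOW_ARP = """\
        inside 192.168.215.25 001a.a0d6.cbc6 512
"""

SHOW_XLATE = """\
6 in use, 19 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
UDP PAT from inside:192.168.215.25/59850 to outside:ny5_ext_ip/26037 flags ri idle 0:00:12 timeout 0:00:30
UDP PAT from inside:192.168.215.25/60122 to outside:ny5_ext_ip/64136 flags ri idle 0:00:53 timeout 0:00:30
"""

PACKET_TRACER = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
input-interface: inside
output-interface: outside
Action: allow
"""


def parse_arp(text):
    """Map (interface, ip) -> mac from 'show arp' lines."""
    arp = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\d+(?:\.\d+){3})\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})", line)
        if m:
            arp[(m.group(1), m.group(2))] = m.group(3)
    return arp


def parse_xlate(text):
    """List (proto, src_if, src, dst_if, mapped) for every PAT/NAT entry."""
    pat = re.compile(r"^(\w+) (?:PAT|NAT) from (\w+):(\S+) to (\w+):(\S+) flags")
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]


def parse_packet_tracer(text):
    """Return ([(phase_type, result), ...], final_action)."""
    phases, ptype, action = [], None, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "Type":
            ptype = value
        elif key == "Result" and ptype:      # per-phase result; the trailing bare 'Result:' is skipped
            phases.append((ptype, value))
            ptype = None
        elif key == "Action":
            action = value
    return phases, action


def triage(arp, xlates, phases, action, egress=EGRESS, next_hop=NEXT_HOP, inside=INSIDE):
    """If packet-tracer allows the flow and xlates are being built, policy and NAT
    are doing their job; a missing ARP entry for the next hop then points at
    layer 2 (cabling, VLAN, mask or gateway mismatch) rather than at the ACLs."""
    dropped = [p for p in phases if p[1] != "ALLOW"]
    result = {
        "policy_ok": action == "allow" and not dropped,
        "xlates_ok": any(x[1] == inside and x[3] == egress for x in xlates),
        "next_hop_arp": (egress, next_hop) in arp,
    }
    if not result["policy_ok"]:
        where = dropped[0][0] if dropped else "final action"
        result["conclusion"] = f"packet-tracer drops the flow at {where}: fix policy/NAT first"
    elif not result["next_hop_arp"]:
        result["conclusion"] = (f"policy and NAT allow the flow but {egress} has no ARP entry "
                                f"for {next_hop}: layer 2 problem, not an ACL/NAT problem")
    else:
        result["conclusion"] = f"next hop {next_hop} resolves to {arp[(egress, next_hop)]}; look beyond the ASA"
    return result


if __name__ == "__main__":
    phases, action = parse_packet_tracer(PACKET_TRACER)
    print(triage(parse_arp(SHOW_ARP), parse_xlate(SHOW_XLATE), phases, action)["conclusion"])
```

The order of the checks is the point: packet-tracer is evaluated first because a drop there makes the ARP question moot, and the ARP lookup is keyed on the egress interface plus the configured next hop, since an entry for the same address learned on another interface would prove nothing about the outside link.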

Have you tried plugging a computer directly into the ISP?

Mike