cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


277
Views
0
Helpful
7
Replies
Highlighted
Beginner

ASA Config Help - No Internet Access

Am I missing something in my config to allow internet access? 

192.168.0.1 ---> my wireless router plugged into 0/1

Here is my current config:

ASA Version 9.0(2)

!

hostname ciscoasa

enable password DQucN59Njn0OjpJL encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.10.1 255.255.255.224

!

interface Vlan2

nameif outside

security-level 0

ip address 24.234.XXX.XXX 255.255.255.224

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network obj_any

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 24.234.118.193 1

route inside 192.168.0.0 255.255.255.0 10.0.10.0 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.0.10.5-10.0.10.25 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:71b1a15d94ea030715e1486f58e286d6

: end

7 REPLIES 7
Mentor

Re: ASA Config Help - No Internet Access

Hi,

I imagine that there is a problem with the "inside" route?

route inside 192.168.0.0 255.255.255.0 10.0.10.0

If you are testing with ICMP I would also suggest dropping this from the CLI

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

- Jouni

Beginner

ASA Config Help - No Internet Access

What would the problem be with my route? 

And I am tring to ping via my workstation, I know the ASA will not ping with the above command.

Mentor

ASA Config Help - No Internet Access

Hi,

Well it seems to me that the gateway for that route is the network address of the network 10.0.10.0 255.255.255.224 which should not be used in the same way as the broadcast address.

Is you actual LAN routers IP address 10.0.10.0?

- Jouni

Beginner

ASA Config Help - No Internet Access

Yes, the LAN is a 10.0.10.0/27

My ASA gives out and IP address to my wireless router

The wireless router IP Address is 192.168.0.1/24

Mentor

ASA Config Help - No Internet Access

Yep,

But your ASA is pointing out that the network 192.168.0.0/24 is found behind 10.0.10.0

And that 10.0.10.0 is a network address that should not be used. You could use for example the 10.0.10.1 for ASA and 10.0.10.2 for the wireless router interface facing ASA.

Is that truly the IP address (10.0.10.0) configured on the wireless router?

I cant see any other thing in the ASA configuration that could be a problem

- Jouni

Beginner

ASA Config Help - No Internet Access

Right the 192.168.0.0/24 network is behind the ASA (10.0.10.1) network.

Outside IP = 24.234.11X.XXX

ASA IP = 10.0.10.1

ASA DHCP Network = 10.0.10.0/27

D-Link Wireless Router IP = 192.168.0.1/24

D-Link Wireless Netowrk = 192.168.0.0/24

My D-Link router gets it IP from the ASA.  I just don't know why I can ping the  ASA or get internet access from the workstation on the 192.168.0.0/24 network.

I can not ping anything from the ASA...

Mentor

ASA Config Help - No Internet Access

Hi,

I guess if you router is getting the IP address from ASA with DHCP then your router is also doing NAT for the wireless hosts?

Have you monitored the situation on the ASA while you have tried to connected through the wireless router and ASA to the Internet? Can you see any connections on the ASA from your PC behind the wireless router?

- Jouni