Solved: Inside hosts cannot connect to internet through ASA 5510

adewale.ojo · ‎12-05-2011

Hi All,

I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,

I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.

Find my config below to know what i ahave omitted or committed.

ASA Version 8.3(1)

!

hostname Firewall

domain-name host.com

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.1.25 255.255.255.0

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

nameif DMZ

security-level 50

ip address 192.168.168.1 255.255.255.0

!

interface Ethernet0/3

nameif outside

security-level 0

ip address 11.11.11.14 255.255.255.248

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.10.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 11.11.10.19

domain-name host.com

same-security-traffic permit intra-interface

object network LAN_NETWORK

range 192.168.1.1 192.168.1.254

description Local Network

object network OUT_NETWORK

host 11.11.11.14

object-group icmp-type ping

description Ping Group

icmp-object echo

icmp-object echo-reply

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 11.11.11.8 255.255.255.248

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list INBOUND extended permit icmp any any echo

access-list INBOUND extended permit icmp any any echo-reply

access-list INBOUND extended permit icmp any any time-exceeded

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu DMZ 1500

mtu outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic LAN_NETWORK interface

access-group INSIDE in interface inside

access-group INBOUND in interface outside

route outside 0.0.0.0 0.0.0.0 11.11.11.9 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd lease 3000

!

dhcpd address 192.168.168.10-192.168.168.100 DMZ

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:bc3f8e6d1659a2f108b5e44d625c623a

: end

Thanks All

vipinrajrc · ‎12-06-2011

Hi,

For the internet access you need only 1.default route to next hop, 2. PAT rule.

by default all traffic from inside to outside is permitted. so there is no need for the ACL to permit traffic.

What i am suggesting is

remove the followings.

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 11.11.11.8 255.255.255.248

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list INBOUND extended permit icmp any any echo

access-list INBOUND extended permit icmp any any echo-reply

access-list INBOUND extended permit icmp any any time-exceeded

access-group INSIDE in interface inside

access-group INBOUND in interface outside

nat (inside,outside) source dynamic LAN_NETWORK interface

and add the foloowing

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

and default route which you already created

thanks

vipin

please update the status

Thanks and Regards, Vipin

View solution in original post

Julio Carvajal · ‎12-05-2011

Hello Adewale,

The problem you are facing is that you have applied an ACL on the inside interface so only those two lines (traffic) are going to be accepted by the ASA.

So if you want the inside users to be able to acces the internet please do the following:

access-list INSIDE permit tcp any any eq 80

access-list INSIDE permit tcp any any eq 443

access-list INSIDE permit udp any any eq 53

Please rate helpful posts.

Have a good one.

Julio!!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

adewale.ojo · ‎12-06-2011

Hi Julio,

I have applied the configs you posted, but unfortunately clients on the inside cant still get to the outside.

Inside hosts can ping the outside gateway but cant go beyond that.

I'll appreciate more input or idea as regards this.

Thanks for your input.

vipinrajrc · ‎12-06-2011

Hi,

For the internet access you need only 1.default route to next hop, 2. PAT rule.

by default all traffic from inside to outside is permitted. so there is no need for the ACL to permit traffic.

What i am suggesting is

remove the followings.

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 11.11.11.8 255.255.255.248

access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

access-list INBOUND extended permit icmp any any echo

access-list INBOUND extended permit icmp any any echo-reply

access-list INBOUND extended permit icmp any any time-exceeded

access-group INSIDE in interface inside

access-group INBOUND in interface outside

nat (inside,outside) source dynamic LAN_NETWORK interface

and add the foloowing

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

and default route which you already created

thanks

vipin

please update the status

Thanks and Regards, Vipin

adewale.ojo · ‎12-06-2011

Hi,

Thanks for the input.

ASA version 8.3(1) does not support global commands anymore. So i had to stay with my nat command.

Your advice on the removal of the access-lists worked.

I had to remove the INSIDE acces-lists but left the acls for icmp so that i can be able to perform some ping to the outside network.

Its working fine now.

Thanks for the input.I appreciate you all.

svaish · ‎12-06-2011

So you mean to say that the inside users can ping your default gateway?

if that is true traffic through the firewall is working fine?

are your inside users are not able to ping 4.2.2.2?

Are you able to ping 4.2.2.2 from your ASA and the default gateway?

Can you powerdown and power on youor default gateway?

It could be an arp issue if this is a new implementation.

Thanks,

Sachin