Internet connection issues with 5510

cgossett
Level 1

Hello,

I am setting up an ASA 5510 using the ASDM interface.  It's a basic config with outside, inside, and management interfaces.  The problem I'm having is that my PC on the inside interface will not browse or ping anything outside of the interface.  I do have dynamic NAT established and have verified that the address is translating correctly.  In fact, I can run the packet tracer in the ASDM from the inside to an outside address and it is successful.  Here is my config.  Any help would be appreciated.

ASA Version 8.4(4)1

!

hostname

domain-name

enable password knNonXPFJemAfUMd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address **.***.80.210 255.255.255.252

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.2.1 255.255.255.0

management-only

!

boot system disk0:/asa844-1-k8.bin

ftp mode passive

dns domain-lookup Outside

dns domain-lookup Inside

dns server-group DefaultDNS

name-server **.***.**.*

name-server ***.***.***.*

domain-name

object network **.***.80.32

range **.***.80.33 **.***.80.61

description Range for NAT

object network Yoda_gigabitethernet

host **.***.80.209

description Gateway for Vader

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649-103.bin

no asdm history enable

arp timeout 14400

!

nat (Inside,Outside) after-auto source dynamic any **.***.80.32

route Outside 0.0.0.0 0.0.0.0 **.***.80.209 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.2.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 Inside

ssh 192.168.2.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.20-192.168.1.30 Inside

dhcpd dns **.***.80.1 ***.***.144.1 interface Inside

dhcpd lease 28800 interface Inside

dhcpd domain  interface Inside

dhcpd enable Inside

!

dhcpd address 192.168.2.2-192.168.2.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:100669a085c1ceaa91f3c0a34abf13a8

: end


5 Replies

Julio Carvajal
VIP Alumni

Hello Chase,

First of all, enable the stateful inspection for the ICMP protocol to make ICMP work across the firewall:

     -Fixup protocol ICMP

Second, from the ASA can you ping **.***.80.209?

If the answer is YES, then from the ASA ping 4.2.2.2.

Let me know those 3 results.

Regards,

Remember to rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

lcambron
Level 3

Hello Chase,

I can see you are NATing the traffic to **.***.80.32

It doesn't look like that is one of available IP addresses.

interface Ethernet0/0

ip address **.***.80.210 255.255.255.252

Can you change it to .80.210

Regards,

Felipe

cgossett
Level 1

Julio,

First of all, thanks for the help.  I enabled ICMP; however, I still can't ping outside the interface.

Felipe,

I added a static route for the NATed addresses to the outside interface with no luck.  Here is an updated config:

ASA Version 8.4(4)1

!

hostname

domain-name

enable password knNonXPFJemAfUMd encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address **.***.80.210 255.255.255.252

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.2.1 255.255.255.0

management-only

!

boot system disk0:/asa844-1-k8.bin

ftp mode passive

dns domain-lookup Outside

dns domain-lookup Inside

dns server-group DefaultDNS

name-server **.***.**.*

name-server ***.***.***.*

domain-name

object network **.***.80.32

range **.***.80.33 **.***.80.61

description Range for NAT

object network Yoda_gigabitethernet

host **.***.80.209

description Gateway for Vader

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu Inside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-649-103.bin

no asdm history enable

arp timeout 14400

!

nat (Inside,Outside) after-auto source dynamic any **.***.80.32

route Outside 0.0.0.0 0.0.0.0 **.***.80.209 1

route Outside **.***.80.32 255.255.255.224 64.130.80.209 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.2.0 255.255.255.0 management

http 192.168.1.0 255.255.255.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 Inside

ssh 192.168.2.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd address 192.168.1.20-192.168.1.30 Inside

dhcpd dns **.***.80.1 ***.***.144.1 interface Inside

dhcpd lease 28800 interface Inside

dhcpd domain  interface Inside

dhcpd enable Inside

!

dhcpd address 192.168.2.2-192.168.2.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:100669a085c1ceaa91f3c0a34abf13a8

: end

Hello Chase,

I think you do not understand what my co-worker tried to explain.

Please check the following:

interface Ethernet0/0

nameif Outside

security-level 0

ip address **.***.80.210 255.255.255.252

So you can see it's a /30 netmask

Here is the route statement you have

route Outside 0.0.0.0 0.0.0.0 **.***.80.209 1

That route is covered on the /30 netmask so we are good on that

Now check the following:

nat (Inside,Outside) after-auto source dynamic any **.***.80.32

80.32 is not in the scope of the /30 netmask, so you cannot use it. Even if you have bought a bigger range, you have not applied it yet to the outside interface, and since on 8.4.3 you cannot proxy-ARP IP addresses outside the scope of the outside interface, you will need to assign an IP address in the same range for the NAT to work.

Do the following and let us know man:

no nat (Inside,Outside) after-auto source dynamic any **.***.80.32

no route Outside **.***.80.32 255.255.255.224 64.130.80.209 1

nat (inside,outside) after-auto source dynamic any interface

Just remember to rate the helpful posts; that is also taken as a thank you.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok,

I changed some things around so that everything should be in the same range:

interface Ethernet0/0

nameif Outside

security-level 0

ip address **.***.80.33 255.255.255.224

object network **.***.80.32

range **.***.80.35 **.***.80.60

description Range for NAT

nat (Inside,Outside) after-auto source dynamic any **.***.80.32

route Outside 0.0.0.0 0.0.0.0 **.***.80.62 1

Moving everything into the same subnet fixed my problem!  We are replacing an old PIX where you could use addresses outside of the scope for NATing.  Thanks again for your help!
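As an added example (not from this thread or from Cisco), here is a small Python checker for the mistake Julio explains above and the fix in the last post: it parses the outside interface subnet, the network objects referenced by dynamic NAT rules and the static routes, and reports every mapped address or next hop that does not fall inside the egress interface's subnet, which is exactly what an ASA 8.4 box cannot proxy-ARP for. The sample config is constructed with RFC 5737 placeholder addresses, and the object name NAT_POOL is an assumption.

```python
import ipaddress
import re

# Constructed sample modelled on the thread (RFC 5737 placeholder addresses):
# a /30 Outside interface with a dynamic-NAT pool drawn from a different /27.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.210 255.255.255.252
object network NAT_POOL
 range 203.0.113.33 203.0.113.61
nat (Inside,Outside) after-auto source dynamic any NAT_POOL
route Outside 0.0.0.0 0.0.0.0 203.0.113.209 1
"""

def parse_asa(text):
    """Collect interface subnets, network objects, dynamic NAT rules and routes."""
    ifaces, objects, nats, routes, cur = {}, {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {})          # enter an interface block
        elif m := re.match(r"object network (\S+)", line):
            cur = objects.setdefault(m[1], [])         # enter an object block
        elif m := re.match(r"nameif (\S+)", line):
            cur["nameif"] = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"range (\S+) (\S+)", line):
            lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
            cur.extend(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        elif m := re.match(r"nat \(\S+,(\S+)\).*source dynamic \S+ (\S+)", line):
            nats.append((m[1], m[2]))                  # (egress nameif, mapped object)
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            routes.append((m[1], ipaddress.ip_address(m[2])))
    return ifaces, objects, nats, routes

def check_nat_pools(text):
    """Return (interface, address) pairs the ASA cannot proxy-ARP or reach directly."""
    ifaces, objects, nats, routes = parse_asa(text)
    subnet = {v["nameif"]: v["net"] for v in ifaces.values() if "nameif" in v}
    findings = []
    for egress, pool in nats:
        if pool == "interface":
            continue  # PAT to the interface address is on-subnet by definition
        findings += [(egress, str(a)) for a in objects.get(pool, [])
                     if a not in subnet[egress]]
    findings += [(egress, f"next-hop {hop}") for egress, hop in routes
                 if hop not in subnet[egress]]
    return findings
```

Running it on the sample flags all 29 pool addresses and nothing for the default route, matching Julio's analysis; rewriting the NAT rule to `interface` or renumbering the interface, pool and gateway into one /27 as in the last post yields no findings.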
