SOLVED: ASA 5506 - No internet from internal network after change to static IP

rfzt
Level 1

Hi,

We are currently facing an issue with our internet connection.

Everything was working fine until we tried switching our "externalSub" to use a static IP address.

This switch must have deleted some route or rule.

We swapped back to the PPPoE configuration and we have an internet connection on the firewall.

So, we can ping any host (by IP and hostname) from the PING tool of the firewall if we select the outsideSub interface.

However, using the "internal" interface, ping times out, and also none of our hosts in the internal subnet have an internet connection.

This is the configuration:

: Saved

:
: Serial Number: [REDACTED]
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by admin at 12:22:56.889 CEDT Wed Jul 3 2019
!
ASA Version 9.6(1)
!
hostname firewall
enable password [REDACTED] encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
no ip address
!
interface GigabitEthernet1/1.100
nve-only
vlan 7
nameif outsideSub
security-level 0
pppoe client vpdn group telekom
ip address pppoe
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address dhcp
!
interface GigabitEthernet1/3
nameif DMZ
security-level 50
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/4
nameif guest
security-level 1
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
ip address dhcp
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outsideSub
dns server-group DefaultDNS
name-server 217.69.169.25 outsideSub
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network insideSub
object network WWW-EXT
host 87.140.26.169
object network WWW-INT
host 192.168.3.2
object service https
service tcp source range 0 1024 destination eq https
object network internal-webserver
host 192.168.3.2
object network dect-gateway
host 192.168.178.15
object service http
service tcp source eq www destination eq www
description http
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq sip
service-object tcp destination eq www
service-object tcp destination eq https
object-group service DM_INLINE_SERVICE_2
service-object udp
service-object tcp destination eq sip
service-object udp destination eq sip
service-object tcp destination eq 5090
service-object tcp destination eq https
service-object tcp destination eq www
service-object udp destination range 30000 31000
service-object udp destination eq 3478
service-object udp destination eq 3479
service-object udp destination range 40000 41000
object-group service DM_INLINE_SERVICE_3
service-object udp
service-object tcp destination eq sip
service-object udp destination eq sip
service-object tcp destination eq https
service-object tcp destination eq 5090
service-object udp destination range 30000 30900
service-object udp destination range 40000 40900
service-object udp destination eq 5070
service-object udp destination eq 5080
object-group service DM_INLINE_SERVICE_6
service-object tcp destination eq https
service-object tcp-udp destination eq domain
service-object tcp destination eq www
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list inside_access_in extended permit ip any any
access-list inbound extended permit tcp any object internal-webserver object-group DM_INLINE_TCP_2 log debugging
access-list inbound extended permit object-group DM_INLINE_SERVICE_2 any object dect-gateway log debugging inactive
access-list DMZ_access_in extended permit tcp any object internal-webserver object-group DM_INLINE_TCP_1
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_6 object internal-webserver any
access-list DMZ_access_in extended permit ip any any inactive
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit object-group DM_INLINE_SERVICE_3 any object dect-gateway log debugging inactive
access-list guest_access_in extended permit ip any interface outsideSub
access-list telefon_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1492
mtu outsideSub 1492
mtu inside 1500
mtu DMZ 1500
mtu guest 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,outsideSub) dynamic interface
object network internal-webserver
nat (DMZ,outsideSub) static interface service tcp https https
!
nat (inside,outsideSub) after-auto source dynamic any interface
nat (DMZ,outsideSub) after-auto source dynamic any interface
nat (guest,outsideSub) after-auto source dynamic any interface
access-group inbound in interface outsideSub
access-group inside_access_in_1 in interface inside
access-group DMZ_access_in in interface DMZ
route outsideSub 0.0.0.0 0.0.0.0 87.140.26.169 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.178.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.178.1,CN=firewall
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 213f335c
[REDACTED]
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group14-sha1
console timeout 0
vpdn group telekom request dialout pppoe
vpdn group telekom ppp authentication pap

dhcpd dns 217.69.169.25
dhcpd auto_config inside
dhcpd option 3 ip 192.168.5.1
!
dhcpd address 192.168.5.2-192.168.5.254 guest
dhcpd dns 217.69.169.25 interface guest
dhcpd enable guest
!
ntp server 188.68.54.53 source outsideSub
ssl trust-point ASDM_Launcher_Access_TrustPoint_0
dynamic-access-policy-record DfltAccessPolicy
username admin password [REDACTED] encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3fa4cc9b5d0f197d37e4a51e2db4c255
: end

We can't figure out what route/rule is missing.

We'd be happy for any help!

EDIT: The issue was that "VTEP source interface" was checked in the virtual interface settings.
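A small config check, added here as an example and not part of the original post or of Cisco's tooling, that mirrors what the EDIT found: it parses ASA interface stanzas and flags any nameif that carries nve-only (the line the VTEP source interface setting leaves in the posted config) while nat, route or access-group lines still expect that interface to forward transit traffic. The excerpt it runs on is constructed from the stanzas in the posted config.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted config: the PPPoE subinterface carrying
# nve-only, plus the NAT, route and access-group lines that rely on it.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1.100
 nve-only
 nameif outsideSub
 security-level 0
 ip address pppoe
!
interface GigabitEthernet1/2
 nameif inside
!
nat (inside,outsideSub) after-auto source dynamic any interface
route outsideSub 0.0.0.0 0.0.0.0 87.140.26.169 1
access-group inbound in interface outsideSub
"""

# Global lines that make an interface carry transit traffic; an nve-only
# interface is dedicated to VTEP (VXLAN) use and does not forward them.
REF_PATTERNS = [re.compile(r"^nat \((\w+),(\w+)\)"),
                re.compile(r"^route (\w+) "),
                re.compile(r"^access-group \S+ (?:in|out) interface (\w+)")]

def parse_interfaces(config):
    """Map each nameif to the set of sub-commands in its interface stanza."""
    by_nameif, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = set()
        elif line == "!":
            current = None
        elif current is not None:
            current.add(line)
            if line.startswith("nameif "):
                by_nameif[line.split()[1]] = current
    return by_nameif

def find_nve_only_transit(config):
    """Return {nameif: [referencing lines]} for nve-only interfaces still in use."""
    refs = defaultdict(list)
    for line in (l.strip() for l in config.splitlines()):
        for pat in REF_PATTERNS:
            m = pat.match(line)
            for name in (m.groups() if m else ()):
                refs[name].append(line)
    return {n: refs[n] for n, cmds in parse_interfaces(config).items()
            if "nve-only" in cmds and refs[n]}
```

Running it on the full posted configuration (after stripping the redacted certificate block) reports outsideSub with its NAT, default-route and access-group references; removing the nve-only line makes the report empty.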


Mark Malone
VIP Alumni
This switch must have deleted some route or rule.

Hi,
Could you not check the show startup and diff the current running config to see what was removed? Or is there no backup stored in flash? You can read it with more flash:

Hi, unfortunately the new config was already written to flash :(

rfzt
Level 1

The packet tracer shows the following result:

[Screenshot: Bildschirmfoto 2019-07-03 um 15.47.36.png]

However, I believe the packet should be allowed by the rule for the inside interface:

[Screenshot: Bildschirmfoto 2019-07-03 um 15.53.04.png]

Any ideas what could be wrong?

The rule worked before the reconfiguration to use a static IP, as the hit counter indicates...
