5505 - no Internet access from inside interface [resolved]

tbrendle
Level 1

I can't believe this is stumping me and I know the answer will result in a major face-palm, but I'm getting dizzy from running in circles...  This is as basic as it gets and from everything I've read, this config should work as is (without requiring access-list to surf from inside vlan).  Packet-tracer shows DROP from implicit rule, but I can't figure out why since it's traffic from a low to high security level....

Issue: 

Unable to route from inside vlan to outside/internet

Physical Setup (from LANs to Internet):

ASA5505 Eth0/0 to Soho Router(w/ wireless).

Soho Router to ISP modem.

Logical:

Soho Router: 

Wan IP: x.x.x.x

LAN IP:  192.168.2.x /24 [dhcp range 1-128].

ASA Config:

ASA Version 8.4(6)
!
hostname HOME-LAB
enable password QgAPCjD3jLFbKB5Z encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan10
nameif outside
security-level 0
ip address 192.168.2.254 255.255.255.0
!
interface Vlan20
nameif inside
security-level 100
ip address 10.2.2.1 255.255.255.0
!
ftp mode passive
object network inside-net
subnet 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside-net
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

! ----- output omitted -----!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global

============

Packet-tracer:

HOME-LAB# packet-tracer input inside icmp 10.2.2.1 0 0 1 192.168.2.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.2.0     255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

=======================

Thanks in advance for your time!

2 Replies

tbrendle
Level 1

Added notes:  outside route works fine, and NAT appears to be properly configured...

---- output -----

HOME-LAB# sh nat trans int outside det

Auto NAT Policies (Section 2)

1 (inside) to (outside) source dynamic inside-net interface

    translate_hits = 1366, untranslate_hits = 0

    Source - Origin: 10.2.2.0/24, Translated: 192.168.2.254/24

HOME-LAB# ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms

Config issue resolved....

For some reason it didn't like my nat statement:

Was within the object group 'inside-net': 

nat (inside,outside) dynamic interface

Changed to:

nat (inside,outside) source dynamic inside-net interface
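A minimal working form of the inside-to-Internet setup discussed in this thread, added here as an illustration and not taken from the poster's configuration; the host address 10.2.2.10 and the port numbers in the test commands are assumed.

```text
! Added example (not the poster's config): NAT and test commands for
! letting 10.2.2.0/24 reach the Internet through this ASA (8.4 syntax).
! Host 10.2.2.10 and the ports below are assumed values for the test.

! Object (auto) NAT, Section 2 -- the form in the original post.
! PATs the inside subnet to the outside interface address 192.168.2.254.
object network inside-net
 subnet 10.2.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Manual (twice) NAT, Section 1 -- the form the poster changed to.
! Either form alone is sufficient for this purpose; keep one, not both,
! so that "show nat" stays easy to audit.
nat (inside,outside) source dynamic inside-net interface

! Default route toward the SOHO router, as on the page.
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

! Traffic from security-level 100 to 0 is permitted by the implicit
! security-level rule, so no access-list is required. Caveat: once an
! access-group is bound inbound on the inside interface, that implicit
! permit no longer applies and the ACL must permit the egress traffic
! itself (its own implicit deny then governs).

! Test from a host address behind the inside interface, not from the
! ASA's own inside address (10.2.2.1) as in the thread: a trace sourced
! from the firewall's interface IP does not model a host's flow and can
! report a drop that a real host behind the interface would not see.
packet-tracer input inside tcp 10.2.2.10 40000 8.8.8.8 443
packet-tracer input inside icmp 10.2.2.10 8 0 8.8.8.8

! Expected with the NAT above in place: a NAT phase appears in the trace
! and the final Result shows "Action: allow".
```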
