03-14-2011 10:39 AM - edited 03-11-2019 01:06 PM
Dear All,
I am looking for advice about my ASA 5505 firewall configuration.
Recently I bought an ASA 5505 firewall, which I have tried to connect to my ADSL router (modem). It is now more than a week that I have been trying to get an internet connection through the firewall, but I still can't succeed. I have tried much of the advice I got from this community, but I still don't know what is wrong with my ASA firewall configuration. From the inside I am able to ping the inside and outside interfaces with great success, and from my laptop, which is connected to the firewall, I am able to ping both interfaces (inside and outside), but I still can't access the internet.
As I don't have a static IP address from my ISP, I have configured the outside interface to pick up its IP address dynamically. Most of the time, the outside interface gets the 192.168.1.2 IP address.
The following is my Firewall configuration:
ASA Version 8.2(4)
!
hostname Chicago
domain-name mydomain.co.uk
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd THhmkA16CcYff8.G encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
boot system disk0:/asa-824-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
domain-name talktalk.co.uk
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list inside_access_out extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1492
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username voyageur password 9Th/C2TvKMv6gY/M encrypted
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
policy-map global-policy
!
service-policy global-policy global
prompt hostname context
Cryptochecksum:d5bda595f4ab1a5d85b24fc35e562492
: end
Chicago#
I would appreciate it if anyone can assist me with this issue, and I am happy to provide any additional information if requested.
Thanks
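Two things stand out in the running-config posted above, and neither is raised in the replies that follow: `access-group inside_access_in in interface inside` names an ACL that does not appear in the paste (the only ACL defined is `inside_access_out`), and `service-policy global-policy global` applies the hyphenated `policy-map global-policy`, which has no class, while the underscored `global_policy` that carries all the `inspect` statements is never applied. The `http 0.0.0.0 0.0.0.0 inside` and `ssh 0.0.0.0 0.0.0.0 inside` lines also permit management from any source on the inside interface. The script below is an added example, not part of the original post and not Cisco tooling: it lints a stripped-indentation config paste for exactly these dangling references and open management access, runs over a constructed excerpt of the posted config, and shows the hypothetical corrected lines beside the originals. Whether the dangling references explain the browsing failure is not established in the thread; the lint only reports what the paste itself shows.

```python
# Added example, not Cisco tooling: a small lint for an ASA 8.2-style
# running-config paste. It finds dangling references (an access-group or
# service-policy that names something undefined or empty) and management
# access permitted from any source. It tolerates the stripped indentation
# of a forum paste by treating '!' as the end of a sub-mode block.

# Constructed excerpt of the running-config posted above; only the lines
# the checks look at are kept, and the names are the ones in the post.
POSTED_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
access-list inside_access_out extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
http server enable
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect icmp
policy-map global-policy
!
service-policy global-policy global
"""


def parse_asa(text):
    """Collect ACL names, access-group bindings, policy-maps with their
    classes, service-policy bindings and http/ssh/telnet access lines."""
    cfg = {"acls": set(), "groups": [], "pmaps": {}, "spolicies": [], "mgmt": []}
    current_pmap = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            current_pmap = None          # '!' closes the sub-mode block
            continue
        kw = tok[0]
        if kw == "access-list":
            cfg["acls"].add(tok[1])
        elif kw == "access-group" and "interface" in tok:
            cfg["groups"].append((tok[1], tok[tok.index("interface") + 1]))
        elif kw == "policy-map":
            if tok[1] == "type":         # 'policy-map type inspect ...' carries no classes
                current_pmap = None
            else:
                current_pmap = tok[1]
                cfg["pmaps"].setdefault(current_pmap, [])
        elif kw == "class" and current_pmap is not None:
            cfg["pmaps"][current_pmap].append(tok[1])
        elif kw == "service-policy":
            cfg["spolicies"].append((tok[1], tok[-1]))   # name, 'global' or interface
        elif kw in ("http", "ssh", "telnet") and len(tok) == 4:
            cfg["mgmt"].append((kw, tok[1], tok[2], tok[3]))  # proto, addr, mask, iface
    return cfg


def lint(cfg):
    """Return a list of findings (an empty list means every check passed)."""
    findings = []
    for acl, iface in cfg["groups"]:
        if acl not in cfg["acls"]:
            findings.append(f"access-group '{acl}' on {iface} names an ACL that is not defined")
    applied = {name for name, _ in cfg["spolicies"]}
    for name, target in cfg["spolicies"]:
        classes = cfg["pmaps"].get(name)
        if classes is None:
            findings.append(f"service-policy '{name}' ({target}) names an undefined policy-map")
        elif not classes:
            findings.append(f"service-policy '{name}' ({target}) applies an empty policy-map: no inspection is active")
    for name, classes in cfg["pmaps"].items():
        if classes and name not in applied:
            findings.append(f"policy-map '{name}' carries inspections but no service-policy applies it")
    for proto, addr, mask, iface in cfg["mgmt"]:
        if mask == "0.0.0.0":
            findings.append(f"{proto} access on {iface} is allowed from any source ({addr} {mask})")
    return findings


def corrected_config(text):
    """The same paste with the dangling references resolved and management
    restricted to the inside subnet (a hypothetical fix, for illustration)."""
    return (text
            .replace("access-group inside_access_in", "access-group inside_access_out")
            .replace("service-policy global-policy global", "service-policy global_policy global")
            .replace("http 0.0.0.0 0.0.0.0 inside", "http 10.1.1.0 255.255.255.0 inside")
            .replace("ssh 0.0.0.0 0.0.0.0 inside", "ssh 10.1.1.0 255.255.255.0 inside"))


if __name__ == "__main__":
    for finding in lint(parse_asa(POSTED_CONFIG)):
        print("FINDING:", finding)
    print("after fix:", lint(parse_asa(corrected_config(POSTED_CONFIG))) or "clean")
```

On the box itself, `show running-config access-group` and `show service-policy` confirm what is actually bound, and `packet-tracer input inside tcp 10.1.1.10 1025 198.133.219.25 80` walks a simulated HTTP flow through the ACL, NAT and inspection phases and names the phase that drops it; those commands are suggested checks, not steps taken in the thread.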
03-14-2011 11:06 AM
If you have access to the command-line interface, can you check whether the outside interface is getting an IP from your ISP?
Use the command "show ip"; that should tell you the inside and outside IP. If there is no IP on the outside interface, can you check whether interface e0/0 is fine? Use the command "show interface".
If possible, please send us the output.
03-14-2011 03:06 PM
Hi Paul,
Thanks for responding to my request.
Below is the output of show ip, show interface e0/0, show xlate, show conn and show local-host:
Chicago(config)# sh ip
System IP Addresses:
Interface   Name      IP address    Subnet mask      Method
Vlan1       inside    10.1.1.1      255.255.255.0    CONFIG
Vlan2       outside   192.168.1.3   255.255.255.0    DHCP
Current IP Addresses:
Interface   Name      IP address    Subnet mask      Method
Vlan1       inside    10.1.1.1      255.255.255.0    CONFIG
Vlan2       outside   192.168.1.3   255.255.255.0    DHCP
Chicago(config)# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
Input flow control is unsupported, output flow control is unsupported
Available but not configured via nameif
MAC address 0023.33ce.20b4, MTU not set
IP address unassigned
53 packets input, 8450 bytes, 0 no buffer
Received 45 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
0 L2 decode drops
0 switch ingress policy drops
11 packets output, 2227 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 rate limit drops
0 switch egress policy drops
0 input reset drops, 0 output reset drops
Chicago(config)# sh xlate
0 in use, 0 most used
Chicago(config)# sh conn
0 in use, 2 most used
Chicago(config)# sh local-host
Detected interface 'outside' as the Internet interface. Host limit applies to all other interfaces.
Current host count: 0, towards licensed host limit of: 50
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface outside: 0 active, 2 maximum active, 0 denied
Interface inside: 0 active, 1 maximum active, 0 denied
Interface _internal_loopback: 0 active, 0 maximum active, 0 denied
Please have a look at the result of the ping command output; 10.1.1.10 is the IP address of my host connected to the firewall.
Chicago(config)# ping 192.168.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Chicago(config)# ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Chicago(config)# ping 10.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
03-14-2011 03:31 PM
From the ASA, can you ping 4.2.2.2?
It seems that you are getting a private IP from your ISP.
If you can ping that IP, then please navigate to 198.133.219.25 in your browser. If that works, then the issue is with name resolution.
03-15-2011 01:25 AM
Hi Paul,
Thanks very much for your support. I hope that the answer is not too far away.
The following is the output of ping 4.2.2.2:
Chicago# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/56/60 ms
Chicago#
Also, I would like to provide the output of the commands show int vlan1 and show int vlan2:
Chicago# sh int vlan1
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 0023.33ce.20bc, MTU 1500
IP address 10.1.1.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
427 packets input, 43999 bytes
17 packets output, 1324 bytes
341 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 5 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Chicago# sh interface vlan2
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 0023.33ce.20bc, MTU 1492
IP address 192.168.1.3, subnet mask 255.255.255.0
Traffic Statistics for "outside":
362 packets input, 42389 bytes
72 packets output, 6900 bytes
263 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 26 bytes/sec
5 minute output rate 0 pkts/sec, 6 bytes/sec
5 minute drop rate, 0 pkts/sec
I have tried to access the web with the IP address 198.133.219.25 and I am still failing. Do you think there is anything else which may be preventing me from accessing the internet?
Thanks for your support.
Kind Regards.
03-15-2011 05:41 AM
The ping to 4.2.2.2 was successful, which means you have internet connectivity. Since you were not able to browse to 198.133.219.25 (cisco.com), I suspect there is something blocking port 80. Have you tried connecting a PC instead of the ASA just to test the internet? Your ISP should be able to assist knowing the recent tests.
Sent from Cisco Technical Support iPhone App