02-07-2015 08:14 AM - edited 03-11-2019 10:28 PM
Working with an ASA 5505 that is not allowing me to connect to the internet.
I am able to ping desktop PC inside interface but from the firewall not able to ping outside to 8.8.8.8.
I've troubleshot with outside interface IP, DHCP setroute, ICMP session,
Any help to correct this would be appreciated.
[Internet - virgin modem mode sh2 - Firewall - Switch - PC]
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
description -OUTSIDE CONNECTION TO ISP-
switchport access vlan 2
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Ethernet0/1
switchport access vlan 200
switchport protected
shutdown
!
interface Ethernet0/2
switchport access vlan 200
shutdown
!
interface Ethernet0/3
switchport access vlan 200
shutdown
!
interface Ethernet0/4
switchport access vlan 200
shutdown
!
interface Ethernet0/5
switchport access vlan 200
shutdown
!
interface Ethernet0/6
switchport access vlan 200
shutdown
!
interface Ethernet0/7
description -INSIDE CONNNECTION TO SWITCH-
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa923-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_in extended permit icmp any any echo
access-list outside_in extended deny ip any any log
access-list inside_in extended permit ip any any
access-list inside_in extended deny ip any any log
pager lines 24
logging enable
logging monitor warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 240
no arp permit-nonconnected
nat (inside,outside) source dynamic obj_any interface
access-group inside_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.XX.XX.239 1 <ip outside interface>
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside
!
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username larias password I8668T9sKGdWDfCW encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2c757df828bc16b3dd0d4d74e28a6917
: end
DEBUG - Ping 8.8.8.8 from FW
6|Feb 08 2015 03:03:46|305011: Built dynamic UDP translation from inside:192.168.0.2/50432 to outside:74.XX.XX.239 /50432
6|Feb 08 2015 03:03:46|302015: Built outbound UDP connection 126 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50432 (74.XX.XX.239 /50432)
6|Feb 08 2015 03:04:00|305012: Teardown dynamic UDP translation from inside:192.168.0.2/57818 to outside:74.XX.XX.239 /57818 duration 0:02:39
6|Feb 08 2015 03:04:23|302016: Teardown UDP connection 124 for outside:8.8.8.8/53 to inside:192.168.0.2/52833 duration 0:02:08 bytes 215
6|Feb 08 2015 03:04:36|305011: Built dynamic UDP translation from inside:192.168.0.2/50290 to outside:74.XX.XX.239 /50290
6|Feb 08 2015 03:04:36|302015: Built outbound UDP connection 127 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/50290 (74.XX.XX.239 /50290)
6|Feb 08 2015 03:04:39|305011: Built dynamic UDP translation from inside:192.168.0.2/51985 to outside:74.XX.XX.239 /51985
6|Feb 08 2015 03:04:39|302015: Built outbound UDP connection 128 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/51985 (74.XX.XX.239 /51985)
6|Feb 08 2015 03:04:53|302010: 4 in use, 19 most used
6|Feb 08 2015 03:04:54|305012: Teardown dynamic UDP translation from inside:192.168.0.2/52833 to outside:74.XX.XX.239 /52833 duration 0:02:39
6|Feb 08 2015 03:05:10|302016: Teardown UDP connection 125 for outside:8.8.8.8/53 to inside:192.168.0.2/50272 duration 0:02:08 bytes 215
6|Feb 08 2015 03:05:33|305011: Built dynamic UDP translation from inside:192.168.0.2/49447 to outside:74.XX.XX.239 /49447
6|Feb 08 2015 03:05:33|302015: Built outbound UDP connection 129 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:192.168.0.2/49447 (74.XX.XX.239 /49447)
6|Feb 08 2015 03:05:41|305012: Teardown dynamic UDP translation from inside:192.168.0.2/50272 to outside:74.XX.XX.239 /50272 duration 0:02:39
6|Feb 08 2015 03:05:54|302016: Teardown UDP connection 126 for outside:8.8.8.8/53 to inside:192.168.0.2/50432 duration 0:02:08 bytes 215
6|Feb 08 2015 03:06:25|305012: Teardown dynamic UDP translation from inside:192.168.0.2/50432 to outside:74.XX.XX.239 /50432 duration 0:02:39
02-08-2015 03:22 AM
Hi,
It looks like there is an issue with NAT. try the following.
1) remove the following statements with 'no' followed by the command
object network obj_any
subnet 0.0.0.0 0.0.0.0
and
nat (inside,outside) source dynamic obj_any interface
2) now add the following
object network 192.168.0.0_net
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) dynamic interface
Hope this will help.
regards
reddy
02-08-2015 06:28 AM
Thanks for the response.
I removed and added your recommendations and then had to add route outside 0.0.0.0 0.0.0.0 7.x.x.1 (default gw isp)
Still no outside ping!
02-08-2015 09:04 AM
object network NAT_ALL
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) source dynamic NAT_ALL interface
That will nat anything from inside to your asa's external interface IP...in asa 8.4, not sure how the wording is in 9.1
When you say you added a default route -- did you make that default route point to the next layer 3 hop?
Can you ping the next hop from your ASA? can you ping the external interface at that next hop device?
Can you do the following on your asa
access-list CAPNAME extended permit ip any any
capture CAPIN interface inside match access-list CAPNAME
capture CAPOUT interface outside match access-list CAPNAME
That would be nice to see the request going to the inside interface, being translated, and leaving the outside interface as the NAT'd ip address. Running those capture, then a ping from the host to 8.8.8.8 (just 4 is fine) then posting show cap CAPIN and show cap CAPOUT will probably solve our issue, or at least really narrow it down by telling us where to look.
02-08-2015 01:06 PM
The default route ip is the default gateway of my ISP. When I connect modem directly to PC I get connection and I can see DGW and assigned ip address. This has remained static as both FW and desktop have been assigned the same MAC.
Not able to ping anything at all after ASA
I have added capture.
Opened port dhcps port and seeing capture below.
home-fw-1# sh capture CAPOUT
14 packets captured
1: 11:03:57.960155 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
2: 11:04:02.960079 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
3: 11:04:08.960094 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
4: 11:04:15.960094 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
5: 11:04:23.960109 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
6: 11:04:32.960094 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
7: 11:04:42.960079 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
8: 11:04:45.960094 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
9: 11:04:49.960094 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
10: 11:04:54.960109 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
11: 11:05:00.960079 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
12: 11:05:07.960094 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
13: 11:05:15.960094 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14: 11:05:24.960079 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14 packets shown
home-fw-1# sh capture CAPIN
0 packet captured
0 packet shown
home-fw-1#
home-fw-1# sh route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 7.x.x.1 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 7.x.x.1, outside
C 192.168.0.0 255.255.255.0 is directly connected, inside
L 192.168.0.254 255.255.255.255 is directly connected, inside
home-fw-1# sh run dhcpd
dhcpd dns 7.x.x.1
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside
I'm using static IPs.
home-fw-1# sh dhcpd state
Context Not Configured for DHCP
Interface inside, Not Configured for DHCP
Interface outside, Configured for DHCP CLIENT
It seems no outbound connection is permitted.
Same output with NAT_ALL
Cheers
02-08-2015 02:04 PM
Hi,
Can you ping 8.8.8.8 from the FW itself?
Some ISPs bind the MAC address to devices and only those devices are allowed to communicate with the outside world. If that is the case, you need to ask them to clear the ARP and give them the ASA FW MAC address to register. (Are you getting an IP address for the outside interface? It looks like the DHCP client is enabled on outside from the above.)
If you manually configure primary DNS on the PC to 8.8.8.8, Can you reach internet from internet explorer?
Can you use packet trace from ASDM and select the interface as inside and protocol as tcp source port as 2005 ( or any random port) and destination ip : 216.58.208.46 and destination port as: 80 and post the result here?
Also please post the results of >
show xlate
show nat
show run nat
show run object
show conn
02-08-2015 02:40 PM
Hi,
I do have an IP address bound to my MAC address, which has given me the same IP address and will continue to do so, which is 7.x.x.239 (default gateway is .1 of this), but I have applied dhcp setroute because of the ISP.
Outputs
home-fw-1# packet-tracer input inside tcp 192.168.0.254 2005 216.58.208.46 80 $
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9bca08, priority=1, domain=permit, deny=false
hits=0, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 7.x.x.1, outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc28f3d8, priority=500, domain=permit, deny=true
hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=192.168.0.254, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
home-fw-1# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_in; 2 elements; name hash: 0xc5896c24
access-list outside_in line 1 extended permit icmp any any echo (hitcnt=0) 0x80a148e1
access-list outside_in line 2 extended deny ip any any log informational interval 300 (hitcnt=0) 0x4cc7a6a3
access-list inside_in; 3 elements; name hash: 0xd3a8690b
access-list inside_in line 1 extended permit udp any any eq bootpc (hitcnt=0) 0x8352f743
access-list inside_in line 2 extended permit udp any any eq bootps (hitcnt=0) 0xa1bb4ef7
access-list inside_in line 3 extended deny ip any any log informational interval 300 (hitcnt=0) 0x14c87690
home-fw-1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from outside:0.0.0.0/0 to inside:0.0.0.0/0
flags sIT idle 0:03:53 timeout 0:00:00
home-fw-1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic NAT_ALL interface
translate_hits = 0, untranslate_hits = 0
home-fw-1# show run nat
nat (inside,outside) source dynamic NAT_ALL interface
home-fw-1# sh run object
object network NAT_ALL
subnet 0.0.0.0 0.0.0.0
home-fw-1# show conn
1 in use, 1 most used
02-08-2015 02:40 PM
Hi,
Can you not apply the inside ACL and see what happens?
also can you change
nat (inside,outside) source dynamic NAT_ALL interface
to
nat (inside,outside) source dynamic interface
you don't need to say NAT_ALL in nat statement.
02-08-2015 08:22 PM
So you're showing NO ip traffic entering your ASA.
And you're showing ip traffic leaving your ASA from 0.0.0.0 destined to 255.255.255.255.
Clearly your NAT is not working.
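The reading above (nothing on the inside capture, only 0.0.0.0 → 255.255.255.255 on the outside capture) is easy to automate when a firewall posts long `show capture` listings. The following Python script is an added example, not part of this thread or of any Cisco tool: it parses ASA `show capture` output in the format shown in the thread, then checks for the two signatures discussed here, an outside interface that is only emitting DHCPDISCOVER (so it has no lease and nothing to PAT to) and inside egress traffic that never appears on the outside interface with the translated source. The sample captures are constructed to mirror the thread's lines, and `OUTSIDE_IP` (203.0.113.239, a documentation address) stands in for the masked 7.x.x.239 outside address.

```python
import re
from ipaddress import ip_address

# Constructed samples modelled on the thread's 'show capture' output.
OUTSIDE_IP = "203.0.113.239"   # placeholder for the masked ASA outside address

CAPIN = """\
home-fw-1# sh capture CAPIN
3 packets captured
1: 19:27:44.698389 802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
2: 19:28:06.416085 802.1Q vlan#1 P0 192.168.0.2.68 > 255.255.255.255.67: udp 300
3: 19:28:14.498875 802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
3 packets shown
"""
CAPOUT = """\
home-fw-1# sh capture CAPOUT
2 packets captured
1: 19:27:14.940060 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
2: 19:27:17.940060 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
2 packets shown
"""
# What a healthy outside capture would look like: the inside DNS query leaves
# with the interface address as source and the reply comes back to it.
CAPOUT_OK = """\
home-fw-1# sh capture CAPOUT
2 packets captured
1: 19:27:44.698501 802.1Q vlan#2 P0 203.0.113.239.54818 > 86.27.251.1.53: udp 35
2: 19:27:44.712004 802.1Q vlan#2 P0 86.27.251.1.53 > 203.0.113.239.54818: udp 51
2 packets shown
"""

# One packet line: "<n>: <time> [802.1Q vlan#N P0] <src[.port]> > <dst[.port]>: <proto> ..."
PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+(?P<proto>\w+)"
)

def split_endpoint(ep):
    """'a.b.c.d.port' -> ('a.b.c.d', port); bare 'a.b.c.d' (ICMP) -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None

def parse_capture(text):
    """Return one dict per captured packet; header/footer/prompt lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        pkts.append({"ts": m["ts"], "vlan": m["vlan"], "proto": m["proto"],
                     "src": src, "sport": sport, "dst": dst, "dport": dport})
    return pkts

def is_dhcp_discover(p):
    # DHCP client with no lease yet: 0.0.0.0:68 -> 255.255.255.255:67
    return (p["proto"] == "udp" and p["src"] == "0.0.0.0" and p["sport"] == 68
            and p["dst"] == "255.255.255.255" and p["dport"] == 67)

def is_local(addr):
    return addr == "255.255.255.255" or ip_address(addr).is_private

def diagnose(inside_pkts, outside_pkts, outside_ip):
    """Apply the two checks from the thread and return a list of findings (empty = looks sane)."""
    findings = []
    discovers = [p for p in outside_pkts if is_dhcp_discover(p)]
    translated = [p for p in outside_pkts if p["src"] == outside_ip]
    if discovers and len(discovers) == len(outside_pkts):
        findings.append("outside: only DHCPDISCOVER broadcasts from 0.0.0.0; the outside "
                        "interface has no lease, so there is no address to translate to")
    egress = [p for p in inside_pkts
              if ip_address(p["src"]).is_private and not is_local(p["dst"])]
    if egress and not translated:
        findings.append(f"{len(egress)} inside packet(s) bound for non-local destinations, "
                        f"none seen leaving outside as {outside_ip}; NAT is not translating them")
    if not inside_pkts:
        findings.append("inside: capture empty; host traffic is not reaching the inside interface")
    return findings

if __name__ == "__main__":
    for name, out in (("broken", CAPOUT), ("healthy", CAPOUT_OK)):
        print(name, diagnose(parse_capture(CAPIN), parse_capture(out), OUTSIDE_IP) or ["no findings"])
```

Paste real `show capture CAPIN` / `show capture CAPOUT` output into the two strings and set `OUTSIDE_IP` to the address `show interface outside` reports; a "no lease" finding points at the ISP side (MAC binding, as discussed later in the thread), while an "inside packets never translated" finding with a valid outside address points at the NAT or ACL configuration.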
02-10-2015 09:11 AM
I've troubleshot the following:
Erase all / fresh config
ACL any4. You now have to specify ipv4 or ipv6 for any
inspect traffic dns, http
Reapplying DHCPD config for inside
Permitting ICMP traffic [echo, unreachable, time]
Recommended nat statements
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Cisco recommends the above.
I have attached latest config.
When I do a packet trace for an internal source IP to the ISP default gateway with DHCP ports it says OK; same for internal to google.com, OK again.
home-fw-1# packet-tracer input inside udp 192.168.0.2 68 7.X.X.1 67 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 7.X.X.239, outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside
access-list inside_in extended permit ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
object-group network ALL-SUBNET-INT
network-object 0.0.0.0 0.0.0.0
object-group network ALL-SUBNET-EXT
network-object 0.0.0.0 0.0.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc4920b8, priority=13, domain=permit, deny=false
hits=184, user_data=0xca9962c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.0.0_net
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.0.2/68 to 0.0.0.0/306
Forward Flow based lookup yields rule:
in id=0xcc5fee38, priority=6, domain=nat, deny=false
hits=107, user_data=0xcca768b8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc350dd8, priority=0, domain=nat-per-session, deny=true
hits=268, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc9c2650, priority=0, domain=inspect-ip-options, deny=true
hits=201, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcca0ded8, priority=0, domain=host-limit, deny=false
hits=1, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc350dd8, priority=0, domain=nat-per-session, deny=true
hits=270, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc9eca40, priority=0, domain=inspect-ip-options, deny=true
hits=189, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 212, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
When I ping to either 8.8.8.8 or default gw it fails and capture gives this output.
home-fw-1# sh capture CAPIN
0 packet captured
0 packet shown
home-fw-1# sh capture CAPOUT
17 packets captured
1: 15:01:08.320036 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
2: 15:01:18.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
3: 15:01:21.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
4: 15:01:25.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
5: 15:01:30.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
6: 15:01:36.319990 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
7: 15:01:43.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
8: 15:01:51.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
9: 15:02:00.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
10: 15:02:10.319990 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
11: 15:02:13.319929 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
12: 15:02:17.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
13: 15:02:22.319990 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14: 15:02:28.319990 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
15: 15:02:35.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
16: 15:02:43.320006 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
17: 15:02:52.319975 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
I'm going to leave the firewall on in the meantime, for 24 hours. The ISP clears their ARP in the early hours.
My MAC address is bound to the same IP, which I have assigned both to FW and PC.
I also bypass the switch and the computer can ping the default gateway but nothing on the ISP interface or default gateway.
Any other ideas?
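Two packet-tracer runs in this thread tell different stories: the earlier one ends in `Action: drop` at an ACCESS-LIST phase, while the one above is allowed but its NAT phase reads `Dynamic translate 192.168.0.2/68 to 0.0.0.0/306`, i.e. `dynamic interface` PAT with an outside interface that has no address. The script below is an added example (not from the thread or from Cisco) that parses `packet-tracer` output into phases and a result summary, reports the first DROP phase with its drop reason and matched rule, and flags a NAT phase that translates to 0.0.0.0. The two sample outputs are constructed from the thread's runs, shortened, with 192.0.2.x (a documentation range) in place of the masked ISP addresses.

```python
import re

# Constructed sample 1: flow denied by the implicit ACL rule (modelled on the first run).
PT_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.0.2.1, outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc28f3d8, priority=500, domain=permit, deny=true
Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
# Constructed sample 2: allowed, but PAT to an interface that has no address.
PT_NOADDR = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.0.2.239, outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.0.0_net
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.0.2/68 to 0.0.0.0/306
Phase: 3
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 212, packet dispatched to next module
Result:
input-interface: inside
output-interface: outside
Action: allow
"""

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final summary dict."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # bare header: the final summary starts here
            cur = None
        elif cur is None:                # summary lines: "key: value"
            if ":" in line:
                k, v = line.split(":", 1)
                summary[k.strip().lower()] = v.strip()
        elif line.startswith("Type:"):
            cur["type"] = line[5:].strip()
        elif line.startswith("Subtype:"):
            cur["subtype"] = line[8:].strip()
        elif line.startswith("Result:"):
            cur["result"] = line[7:].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            cur[section].append(line)
    return phases, summary

TRANSLATE_RE = re.compile(r"translate (\S+) to (\S+)")

def assess(text):
    """Return (action, findings): the first DROP phase and any NAT phase mapping to 0.0.0.0."""
    phases, summary = parse_packet_tracer(text)
    findings = []
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    if drop:
        rule = drop["config"][0] if drop["config"] else "n/a"
        findings.append(f"phase {drop['phase']} {drop['type']} dropped the flow: "
                        f"{summary.get('drop-reason', 'n/a')}; matching rule: {rule}")
    for p in phases:
        if p["type"] != "NAT":
            continue
        for line in p["info"]:
            m = TRANSLATE_RE.search(line)
            if m and m.group(2).startswith("0.0.0.0/"):
                findings.append(f"phase {p['phase']} NAT maps {m.group(1)} to {m.group(2)}: the "
                                "egress interface has no address, so interface PAT has nothing to use")
    if drop is None and not any(p["type"] == "NAT" for p in phases):
        findings.append("no NAT phase: no translation rule matched this flow")
    return summary.get("action"), findings

if __name__ == "__main__":
    for sample in (PT_DROP, PT_NOADDR):
        print(assess(sample))
```

The check worth remembering is the second one: `Action: allow` does not mean the packet will reach the ISP. When the interface used for PAT has no address, the tracer happily "translates" to 0.0.0.0, which is the same symptom the outside capture shows as 0.0.0.0 → 255.255.255.255 DHCP discovers.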
02-10-2015 09:11 AM
It's still not natting. You have packets leaving from 0.0.0.0 to 255.255.255.255
--
object network 192.168.0.0_net
nat (inside,outside) dynamic interface
You need to define what is INCLUDED in the object network NAMED 192.168.0.0_net
so
object-group network 192.168.0.0_net
network-object 192.168.0.0 255.255.255.0 !or whatever your subnet is
nat (inside,outside) source dynamic 192.168.0.0_net interface
That WILL nat your traffic to the external interface.
I know you think you created a range, and you did with your range statement but you never called it with:
network-object object NAMEHERE
02-10-2015 10:29 AM
I have tried that NAT statement (quite a few times) and it's still not working.
Object group contains 192.168.0.0 / 24 and 0.0.0.0 0.0.0.0
When I connect desktop I have been assigned the correct 192.168.x.x internal ip with gateway but cannot ping or surf web. From computer I can ping inside default gateway and nothing else.
02-10-2015 10:35 AM
I won't be back until tonight. Can you post:
1) Your updated, newest, current configuration?
2) clear cap capin
3) clear cap capout
4) Ping from an inside device to 8.8.8.8.
5) and then also put up your newest captures (capin and capout)
If you change your config between posting and tonight, back it up so that any changes I can help you make can be put in.
Thanks!
02-10-2015 11:30 AM
:
ASA Version 9.2(3)
!
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
description -OUTSIDE CONNECTION TO ISP-
switchport access vlan 2
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Ethernet0/1
switchport access vlan 2
switchport protected
shutdown
!
interface Ethernet0/2
switchport access vlan 200
shutdown
!
interface Ethernet0/3
switchport access vlan 200
shutdown
!
interface Ethernet0/4
switchport access vlan 200
shutdown
!
interface Ethernet0/5
switchport access vlan 200
shutdown
!
interface Ethernet0/6
switchport access vlan 200
shutdown
!
interface Ethernet0/7
description -INSIDE CONNNECTION TO SWITCH-
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
delay 10
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
delay 10
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
delay 10
!
!
boot system disk0:/asa923-k8.bin
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name home-fw-1.com
object-group network ALL-SUBNET-INT
network-object 0.0.0.0 0.0.0.0
object-group network ALL-SUBNET-EXT
network-object 0.0.0.0 0.0.0.0
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group network INSIDE_NET
network-object 192.168.0.0 255.255.255.0
access-list outside_in extended permit icmp any4 any4 object-group DefaultICMP
access-list outside_in extended deny ip object-group ALL-SUBNET-EXT object-group ALL-SUBNET-INT
access-list inside_in extended permit icmp any4 any4 object-group DefaultICMP
access-list inside_in extended permit ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
access-list inside_in extended deny ip object-group ALL-SUBNET-INT object-group ALL-SUBNET-EXT
access-list CAPNAME extended permit ip any4 any4
pager lines 24
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 240
no arp permit-nonconnected
nat (inside,outside) source dynamic INSIDE_NET interface
access-group inside_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.X.X.1 1 <default gw of ISP>
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 7.X.X.1 <default gw of ISP>
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain XXXX.com
!
dhcpd address 192.168.0.2-192.168.0.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:5ebe606760ff455d1efc1e486c33e687
: end
From computer. I am assigned 192.168.X.X ip address with correct default gw but not able to ping 7.X.X.1 (ISP Default GW) or 7.X.X.239 (FW outside interface ip).
home-fw-1# sh capture CAPIN
38 packets captured
1: 19:27:44.698389 802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
2: 19:27:45.686640 802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
3: 19:27:46.686381 802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
4: 19:27:47.695352 802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53: udp 36
5: 19:27:48.687830 802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53: udp 36
6: 19:27:48.687906 802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
7: 19:27:50.687342 802.1Q vlan#1 P0 192.168.0.2.62864 > 86.27.251.1.53: udp 36
8: 19:27:52.689951 802.1Q vlan#1 P0 192.168.0.2.54818 > 86.27.251.1.53: udp 35
9: 19:27:54.990305 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
10: 19:27:55.739417 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
11: 19:27:56.488805 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
12: 19:27:56.781530 802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53: udp 36
13: 19:27:57.250383 802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
14: 19:27:57.771551 802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53: udp 36
15: 19:27:58.241381 802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
16: 19:27:59.241152 802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
17: 19:27:59.770742 802.1Q vlan#1 P0 192.168.0.2.56883 > 86.27.251.1.53: udp 36
18: 19:28:01.240618 802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
19: 19:28:04.073986 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
20: 19:28:04.823047 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
21: 19:28:05.242632 802.1Q vlan#1 P0 192.168.0.2.59240 > 86.27.251.1.53: udp 42
22: 19:28:05.572464 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
23: 19:28:06.416085 802.1Q vlan#1 P0 192.168.0.2.68 > 255.255.255.255.67: udp 300
24: 19:28:06.416375 802.1Q vlan#1 P0 192.168.0.254.67 > 192.168.0.2.68: udp 286
25: 19:28:06.440239 802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53: udp 36
26: 19:28:07.432030 802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53: udp 36
27: 19:28:09.440330 802.1Q vlan#1 P0 192.168.0.2.64070 > 86.27.251.1.53: udp 36
28: 19:28:13.743537 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
29: 19:28:14.492299 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
30: 19:28:14.498875 802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
31: 19:28:15.241976 802.1Q vlan#1 P0 192.168.0.2.137 > 192.168.0.255.137: udp 50
32: 19:28:16.005584 802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
33: 19:28:16.991495 802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
34: 19:28:17.994196 802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
35: 19:28:19.064724 802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
36: 19:28:19.993494 802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
37: 19:28:23.994623 802.1Q vlan#1 P0 192.168.0.2.58142 > 86.27.251.1.53: udp 35
38: 19:28:24.065456 802.1Q vlan#1 P0 192.168.0.2 > 86.27.251.53: icmp: echo request
38 packets shown
home-fw-1# sh capture CAPout
14 packets captured
1: 19:27:14.940060 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
2: 19:27:17.940060 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
3: 19:27:21.941510 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
4: 19:27:26.941479 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
5: 19:27:32.940075 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
6: 19:27:39.940075 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
7: 19:27:47.940045 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
8: 19:27:56.940060 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
9: 19:28:06.940045 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
10: 19:28:09.940045 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
11: 19:28:13.940060 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
12: 19:28:18.940045 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
13: 19:28:24.940045 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14: 19:28:31.940075 802.1Q vlan#2 P0 0.0.0.0.68 > 255.255.255.255.67: udp 548
14 packets shown
02-10-2015 03:19 PM
Hi,
Again, you got the NAT statement wrong.
>>>nat (inside,outside) source dynamic INSIDE_NET interface
this should be
nat (inside,outside) source dynamic interface
and the above should be within the object group/object as shown below. Please add them one below the other, but remove the old ones before you put in the following:
object-group network INSIDE_NET
network-object 192.168.0.0 255.255.255.0
nat (inside,outside) source dynamic interface
regards