ASA 5505 internet access

nsalaam01
Level 1

I have a Cisco ASA 5505 8.2. I just wanted to do a straightforward configuration for now to allow the internal network to access the internet. I have no rules in place, only the basic configuration and NAT. I have nat_control turned off and here are the NAT statements I have in place:

global (outside) 1 12.163.xx.xx netmask 255.255.255.248     (the ip address is the ip on the outside interface of the ASA)

nat (inside) 1 10.0.0.0 255.255.255.0

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 1 0.0.0.0 0.0.0.0 12.163.xx.xx 1             (the IP address is the IP on the next hop router going out to the internet, directly connected to the ASA outside interface)

 

Other than that, there are no other rules or access lists. My internal network on the inside interface is 10.0.0.0/24. From the ASA, I can trace and ping out to any address or website on the internet and can ping into the internal network. However, internal PCs can't browse the internet, as if there is no connectivity out. Here are the results of a 'sh nat' command:

NAT policies on Interface inside:
  match ip inside 10.0.0.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (12.163.xx.xx)
    translate_hits = 2061, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 _internal_loopb
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 3, untranslate_hits = 0
  match ip inside any outside any
    dynamic translation to pool 1 (12.163.xx.xx)
    translate_hits = 188, untranslate_hits = 0
  match ip inside any dmz any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 30
  match ip inside any dmz any
    no translation group, implicit deny
    policy_hits = 0

NAT policies on Interface dmz:
  match ip dmz any outside any
    no translation group, implicit deny
    policy_hits = 0

 

 Any assistance would be appreciated!

2 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Try replacing this :-

global (outside) 1 12.163.xx.xx netmask 255.255.255.248

To:-

global (outside) 1 interface

Thanks and Regards,

Vibhor Amrodia

Hello Vibhor,

That actually was the original config statement I had and it did not work either. I tried that and I tried using a statement to use multiple public addresses in the global (outside) statement for NAT. I'm wondering if I also need a rule or access list to go along with it. I thought that I would not need that on a straightforward config to allow internet access.
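
A small Python parser for the `sh nat` output format quoted in the question, added here as an example and not part of any post in this thread: it turns each `match ip` block into a record and lists the policies that matched traffic without a usable translation. The sample text is trimmed from the output above, and the function and field names are assumptions made for this example.

```python
import re

# Trimmed from the `sh nat` output quoted in the question (address masked as posted).
SAMPLE = """\
NAT policies on Interface inside:
  match ip inside 10.0.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (12.163.xx.xx)
    translate_hits = 2061, untranslate_hits = 0
  match ip inside 10.0.0.0 255.255.255.0 _internal_loopb
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 3, untranslate_hits = 0
  match ip inside any outside any
    no translation group, implicit deny
    policy_hits = 30
"""

MATCH = re.compile(r"match ip (\S+) (any|\S+ \S+) (\S+)")
POOL = re.compile(r"dynamic translation to pool (\d+) \((.+)\)")
HITS = re.compile(r"(?:translate_hits|policy_hits) = (\d+)")

def parse_show_nat(text):
    """Return one dict per 'match ip' policy block, in output order."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := MATCH.match(line):
            policies.append({"src_if": m[1], "src": m[2], "dst_if": m[3],
                             "action": None, "mapped": None, "hits": 0})
        elif not policies:
            continue  # interface header or blank line before the first policy
        elif m := POOL.match(line):
            policies[-1].update(action="dynamic", pool=int(m[1]), mapped=m[2])
        elif line.startswith("no translation group"):
            policies[-1]["action"] = "implicit deny"
        elif m := HITS.match(line):
            policies[-1]["hits"] = int(m[1])
    return policies

def translates(p):
    """True when the policy has a usable global address and has seen traffic."""
    return (p["action"] == "dynamic" and p["hits"] > 0
            and p["mapped"] != "No matching global")

def hit_without_translation(policies):
    """Policies that matched traffic but could not translate it."""
    return [p for p in policies if p["hits"] > 0 and not translates(p)]
```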
