ASA 5505 Internet Connection Problem

hugochengym
Level 1

Dear Sirs,

Recently we found a tricky problem with the ASA internet connection. We replaced the firewall in our office with a new one, but some colleagues have no internet connection. When the old one was connected, there was no connection problem for any staff; basically we use a Cisco 2960 switch in our network. The firewall configuration is attached for your reference. What do you think we missed in the config?

Hugo

15 Replies

varrao
Level 10

Hi,

First of all, whenever you replace a device, you might need to reload all the upstream and downstream devices to clear the ARP cache entries on them; they might still be holding onto the old ARP entry.

Secondly, after going through your configuration I could not see any default route for outside; the only ones are for inside:

route inside 1.1.1.0 255.255.255.0 10.65.0.251 1

route inside 2.2.2.0 255.255.255.0 10.65.0.251 1

route inside 3.3.3.0 255.255.255.0 10.65.0.251 1

You might need a route to go to internet.

Let me know if this works out for you.

Thanks,

Varun

Thanks,
Varun Rao

Varun

We use PPPoE for the internet connection, and the script is configured as below:

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group PCCW
 ip address pppoe setroute

Some staff can access the internet but some cannot. This is the tricky point for me.

Hugo

Hi,

Is it consistent for the users that are not able to access the internet, or is it an intermittent issue for them? Is it always the same inside users who are not able to access the internet?

Add the following command:

icmp permit any inside

and check, when there is no internet access for these users, whether they are able to ping the firewall inside interface.

The next step would be to collect captures and logs from the firewall and check whether the firewall drops the requests from these internal users:

https://supportforums.cisco.com/docs/DOC-1222

Thanks,

-Varun

Thanks,
Varun Rao

Varun

1. It is consistent; the same inside users are not able to access the internet.

2. I entered "icmp permit any inside" and am waiting for the firewall replacement; I will try to capture all the logs.

Hugo

That sounds good.

The idea is to collect as much info from the firewall, when the users are not able to connect.

-Varun

Thanks,
Varun Rao

Varun

We tried to test the firewall again this morning: the same issue, some colleagues cannot access the internet, but not the same inside users this time (it was other inside staff). I am sorry that I did not have enough time to do a log capture this morning. Is there any configuration we missed in the running config?

Varun

Do you think that is related to a license issue?

Absolutely....Bingo!!! That was going to be my next question to you, because the internal hosts not able to access the internet are always changing and random, which means that the first 10 hosts would be able to access the internet and any 11th connection on the firewall would be dropped by the firewall. You have a 10-user license, which means only 10 concurrent hosts would be able to access the internet. You might need to upgrade your firewall to unlimited or more users. Follow this licensing doc for more help:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/license/license82.html#wp190062

This should definitely help you out. Check the license features for the ASA 5505.

Thanks,

Varun

Thanks,
Varun Rao
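As an added illustration of the diagnosis above (this is not code from the thread or from Cisco), the script below checks the two things a practitioner would want from the logs Varun asked for: how many distinct inside hosts are building connections through the ASA, and whether the ASA is reporting license-limit denials. The syslog message formats are assumed from Cisco's ASA syslog documentation (302013 for built connections, 450001 for "license limit exceeded" denials); the sample log lines are constructed here, and the licensed host count is assumed to be the "Inside Hosts" value shown by `show version` (10 on a base ASA 5505).

```python
import re
from collections import Counter

# Message formats assumed from Cisco's ASA syslog documentation (IDs 302013 and 450001).
# Verify them against your own firewall's output before relying on this script.
_BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) (?:TCP|UDP) connection \d+ .*?"
    r"\binside:(\d{1,3}(?:\.\d{1,3}){3})/\d+"
)
_DENY_RE = re.compile(
    r"%ASA-4-450001: Deny traffic for local-host inside:(\d{1,3}(?:\.\d{1,3}){3}),"
    r" license limit of (\d+) exceeded"
)


def parse_asa_log(text):
    """Return (inside hosts that built connections, Counter of license-denied hosts,
    license limit reported by the ASA or None)."""
    active = set()
    denied = Counter()
    limit = None
    for line in text.splitlines():
        m = _BUILT_RE.search(line)
        if m:
            active.add(m.group(1))
            continue
        m = _DENY_RE.search(line)
        if m:
            denied[m.group(1)] += 1
            limit = int(m.group(2))
    return active, denied, limit


def diagnose(text, licensed_hosts=10):
    """Decide whether the symptom matches the inside-host license cap.

    licensed_hosts: assumed to be the 'Inside Hosts' value from `show version`.
    Returns (cap_hit, human-readable summary).
    """
    active, denied, limit = parse_asa_log(text)
    cap_hit = len(active) >= licensed_hosts and bool(denied)
    summary = (
        f"{len(active)} distinct inside hosts built connections; "
        f"{sum(denied.values())} denials for {len(denied)} hosts"
        + (f" (license limit reported as {limit})" if limit is not None else "")
    )
    return cap_hit, summary


def _constructed_sample_log():
    """Constructed sample log (not from the thread): ten inside hosts each build two
    connections, then two further hosts are denied by the license check."""
    lines = []
    conn = 1000
    for n in range(21, 31):
        for sport in (50001, 50002):  # two connections per host: hosts, not connections, are counted
            conn += 1
            lines.append(
                f"%ASA-6-302013: Built outbound TCP connection {conn} for "
                f"outside:203.0.113.10/443 (203.0.113.10/443) to "
                f"inside:10.65.0.{n}/{sport} (198.51.100.7/{sport})"
            )
    # An unrelated teardown line, to show it is ignored by both patterns.
    lines.append("%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 "
                 "to inside:10.65.0.21/50001 duration 0:00:05 bytes 1234 TCP FINs")
    lines.append("%ASA-4-450001: Deny traffic for local-host inside:10.65.0.31, license limit of 10 exceeded")
    lines.append("%ASA-4-450001: Deny traffic for local-host inside:10.65.0.32, license limit of 10 exceeded")
    lines.append("%ASA-4-450001: Deny traffic for local-host inside:10.65.0.32, license limit of 10 exceeded")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    hit, summary = diagnose(SAMPLE_LOG)
    print(summary)
    print("license cap is the likely cause" if hit else "look elsewhere first")
```

Feed it the output of `show logging` (with logging enabled at informational level so 302013 messages are kept) rather than the constructed sample; if the distinct-host count sits at the licensed value and 450001 denials appear for other hosts, the license cap explains the rotating set of affected users better than any missing route or ACL would.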

Varun

I am not able to access the link you provided

Hugo

Here's the PDF for it.

-Varun

Thanks,
Varun Rao

Varun

Can you explain the following message?

Hugo

It's just that if you have a 10-user license, then you can configure only 32 DHCP clients in your network, if the ASA is acting as a DHCP server or relay.

-Varun

Thanks,
Varun Rao

Varun

If we configure the ASA firewall as a DHCP server, up to 32 DHCP hosts can access the internet. If we use another DHCP server, it is just 10 hosts for the internet connection. Is that what you meant?

No, it means only a pool of 32 clients can be configured on the ASA, but still only 10 users would be able to access the internet at a time. The license is for connections which are initiated from the inside clients to the outside internet. This can only be 10, whether you have DHCP configured or not.

Hope this helps,

Thanks,

Varun

Thanks,
Varun Rao