Solved: ASA 5505 - LAN no internet. TCP Teardown, Deny connection logs

Ravi · ‎10-03-2014

Hi

Please find attached my running config and system log

Request urgent help to correct any configuration errors

The ASA 5505 is behind ISP Cisco router 888

ISP router external address - 202.62.x.x

ISP internal address - 100.10.10.254

Is route (outside) 0.0.0.0 0.0.0.0 xxxx supposed to be a compatible address to the ISP external, or internal, address?

Would really appreciate if someone can please help

Thank you

Ravi

Marius Gunnerud · ‎10-05-2014

According to the running config you posted earlier you need to change the outside interface IP on the ASA to 100.10.10.252 (you don't mention what the subnetmask is for that IP).

interface Vlan2

nameif outside

security-level 0

ip address 202.x.x.92 255.255.255.0

And your default route should look like the following:

route outside 0.0.0.0 0.0.0.0 100.10.10.254

Make those changes and then test by fist pinging 100.10.10.254 from the ASA if that is successful ping 4.2.2.2 from the ASA. If both of those are successful try to browse the internet from an internal PC.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎10-03-2014

So the cisco 888 router is the ISP router?

So your route statement should point to the inside interface of the 888 router

route (outside) 0 0 <inside ip of 888 router>

Would help to see a network diagram with IP addresses.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Ravi · ‎10-04-2014

Thank you for your prompt response

I did try with ISP internal address, but still no internet or ping success from LAN.

Get failed to find next hop, FIN back, reset-0, etc

Errors are in the attached log file

Will be posting a diagram shortly

Look forward to your assistance

Marius Gunnerud · ‎10-04-2014

I think your ASA interfaces could be wrongly configured. Your ASA outside interface should be on the same subnet as the ISP router inside interface (you should be able to ping the ISP inside IP). Your default route should also indicate the ISP inside IP as the next hop.

This will become more clear once you provide a diagram that indicates where all the IPs are configured.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Ravi · ‎10-05-2014

Hi Marius,

Attached is the setup diagram

I had the route (outside) 0.0.0.0 0.0.0.0 100.10.10.254, but still got errors and there was no internet on LAN

When i do packet trace from within ASA 5505, i get success, both on INSIDE and OUTSIDE interfaces

But from LAN, no pinging, or tracert, or browsing works

I get same errors that are showing on the log file

Look forward to your assistance

Thanks

Vibhor Amrodia · ‎10-05-2014

Hi,

When you set the Next Hop as the router , are you able to ping that IP ? If yes , are you able to ping any Global IP:- 4.2.2.2 ?

If yes , I think you might need to apply captures on the ASA device to see the actual traffic flow through the ASA device.

Thanks and Regards,

Vibhor Amrodia

Ravi · ‎11-10-2014

Hi

Would you be able to help on this? Please refer to my comment above

Thank you

Marius Gunnerud · ‎10-05-2014

According to the running config you posted earlier you need to change the outside interface IP on the ASA to 100.10.10.252 (you don't mention what the subnetmask is for that IP).

interface Vlan2

nameif outside

security-level 0

ip address 202.x.x.92 255.255.255.0

And your default route should look like the following:

route outside 0.0.0.0 0.0.0.0 100.10.10.254

Make those changes and then test by fist pinging 100.10.10.254 from the ASA if that is successful ping 4.2.2.2 from the ASA. If both of those are successful try to browse the internet from an internal PC.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Ravi · ‎11-10-2014

Hi VPN wasn't working , hence Headquarters advised VPN can't work unless public IP is defined on outside interface of firewall, instead of ISP router ISP setup bridging between firewall and router, and set public address on outside interface of 5505 Since then, internet on LAN doesn't work, nor VPN Attached are config and diagram files Would really appreciate your urgent assistance, as deadline for VPN was today

route outside is changed to route outside 0.0.0.0 0.0.0.0 202.62.122.90 1

Thank you

Ravi · ‎11-10-2014

With my current setup, pinging success from ASA. But from LAN, pinging fails. No internet on LAN

But traffic from LAN to OUTSIDE INTERFACE, LAN to INTERNET, all works

Why wont internet work on LAN pc?

Attaching current config and my LAN setup on pc

Please help