
ASA 5505 wouldn't let some internal PC's see outside

jima
Level 1

I have a new 5505 connected to a SF300 Cisco switch and to my SBS 2008 internal server. My server and my PC are configured statically and they were both able to access the internet without issue. When I tried to connect other PCs (same config, W7pro) they would sometimes connect but mostly not connect. Worked with Dell to review server config and all looks okay now but the issue was still occurring. It was recommended that we pull the ASA and install another router for testing.

This was done (cheap router) and all is working fine now. I need to troubleshoot the problem and get it back into place. I suspect the config (ACL or lack thereof) but don't understand why it matters since DHCP is from SBS and turned off on the ASA.

Thanks


mirober2
Cisco Employee

Hi Jim,

It's hard to say what the problem is without seeing the ASA config, but in general you'll need a few basic items:

1. Interface config:

interface Ethernet0/0
 switchport access vlan 10
 no shut
interface Ethernet0/1
 switchport access vlan 20
 no shut
!
interface Vlan10
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan20
 nameif inside
 security-level 100
 ip address 192.168.100.254 255.255.255.0

2. NAT config:

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

There are 2 other general requirements that you would need: permissions (i.e. access lists) and routes. However, the above config will allow all outbound access by default, and a default gateway should be set by your ISP's DHCP server.

With this basic config, you should be able to get out to the Internet through the ASA. For other issues, we would need to see a sanitized copy of the config and know what the source and destination hosts are.

Hope that helps.

-Mike

Hi Mike,

Here is a copy of my config. There are no ACLs defined, but my server and PC, which were static, accessed the internet OK. Just need to understand why and what needs to be done to get up and running.

Thanks

Hi,

Would you please add the following line ?

global (outside) 1 interface

Let us know.

Mike


Should I replace "global (outside) 1 x.x.x.x-y.y.y.y netmask 255.255.255.248" with that command or in addition to?

Hello Jim

Yes, but the problem is that the ASA does not do gratuitous ARP for the NAT addresses; I just want to rule out that this may be a layer 2 problem. Please remove that global command that you have and put that line and check if you have internet from the rest of the machines on the inside.

Cheers

Mike


Thanks, will do when able to take net down. Just noticed that my config has http enabled. I'm only doing SBS with email and no web serving. Should I turn off or is it harmless? Do I need ACLs?

Thanks

Hi Jim,

The HTTP server is for traffic to the box (to open ASDM); it should not affect any services going across the FW.

Cheers

Mike


So just to reiterate, the config looks okay to you and just the one change you recommended should be needed to get it connecting to the desktops?

I will be testing in a while and just want to verify.

Thanks

Ok, let me know the results !!

Cheers

Mike


Swapped the ASA 5505 back in and the issue is resolved. All PCs connect to the internet. Thanks for your help!!
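
As an added example (not from any poster in this thread, and not Cisco code): a Python check of the pre-8.3 nat/global pairing the replies discuss. It reports NAT IDs with no matching global, and a global that is only an address range, since dynamic NAT maps one inside host per pool address and such a pool serves only that many hosts at once. The function name audit_nat and the sample config (documentation addresses) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in pre-8.3 ASA syntax; addresses are documentation ranges.
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 2 10.0.0.0 255.255.255.0
global (outside) 1 203.0.113.2-203.0.113.5 netmask 255.255.255.248
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def audit_nat(config):
    """Return findings about nat/global pairing (hypothetical helper, not an ASA tool)."""
    nat_ids, globals_ = {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            if m.group(2) != "0":  # nat 0 is NAT exemption and needs no global
                nat_ids.setdefault(m.group(2), []).append(m.group(1))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(m.group(2), []).append((m.group(1), m.group(3)))
    findings = []
    for nat_id, ifaces in sorted(nat_ids.items()):
        pools = globals_.get(nat_id, [])
        if not pools:
            findings.append(f"nat id {nat_id} ({', '.join(ifaces)}): no matching global")
            continue
        # A single address or the keyword "interface" is PAT: many hosts share it.
        has_pat = any("-" not in target for _, target in pools)
        size = 0
        for _, target in pools:
            if "-" in target:
                first, last = (ipaddress.ip_address(a) for a in target.split("-"))
                size += int(last) - int(first) + 1
        if size and not has_pat:
            findings.append(
                f"nat id {nat_id}: dynamic pool of {size} addresses, no PAT fallback"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

Run it against a sanitized copy of a running config by passing the file's text to audit_nat; an empty list means every NAT ID has a global and no range-only pool was found.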
