ASA 5512 Internet connection issue

OneNinja
Level 1
Hello everyone,

I am new to networking and I am trying to set up a home lab, but I am having a problem with a basic ASA 5512 firewall configuration. The problem is that I cannot set up an internet connection inside my network.

I have created two interfaces: Outside with an automatic IP address from the ISP (security level 0), and Inside with the IP 192.168.5.1, security level 100. I set up an automatic route with setroute. I connected a PC (192.168.5.2/30) to the inside interface to test the internet connection. When I ping the Google DNS server from my PC, I get the reply below from a private IP (192.168.1.251):

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 192.168.1.251: Destination host unreachable.
Reply from 192.168.1.251: Destination host unreachable..

I would appreciate any help.

 

!
ASA Version 9.12(4)18
!
hostname CISCOASA
domain-name lab.local
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
service-module ips keepalive-timeout 4
service-module ips keepalive-counter 6
service-module cxsc keepalive-timeout 4
service-module cxsc keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.252
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name lab.local
object network obj_192.168.5.0
subnet 192.168.5.0 255.255.255.252
object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
object network obj_192.168.5.0
nat (inside,outside) dynamic interface
object network obj_192.168.10.0
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.2.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
ssh 192.168.2.0 255.255.255.0 management
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0bfddcfea00f103405b2365a85bc669f

 

 

========================================

CISCOASA# packet-tracer input inside icmp 192.168.5.2 8 0 8.8.8.8

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.231.50.1 using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_192.168.5.0
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.5.2/0 to 96.231.50.24/19598

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 151, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 96.231.50.1 using egress ifc outside

Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address de38.e1cf.8345 hits 10 reference 1

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 


11 Replies

MohammadKayed
Level 1

According to packet-tracer, the traffic should be allowed.

 

What I would suggest:

1. Try to ping the inside interface of the ASA from your machine.

2. Try to ping 8.8.8.8 from the firewall itself.

3. Is your issue only with reachability to 8.8.8.8? Can you try 8.8.4.4?

4. Collect the captures below and try to ping again:

cap capin interface inside match icmp host 192.168.5.2 host 8.8.8.8

cap capout interface outside match icmp host 96.231.50.24 host 8.8.8.8

 

Then show the captures and share them with me as below:

show cap capin

show cap capout

 

Make sure to remove the captures once finished by:

no cap capin

no cap capout

I pinged the inside interface from my machine; it was successful. I also pinged 8.8.8.8 from the firewall; it was successful. However, when I ping 8.8.8.8 or 8.8.4.4 I receive the following:

Reply from 10.0.0.9: Destination host unreachable.
Reply from 10.0.0.9: Destination host unreachable.
Reply from 10.0.0.9: Destination host unreachable.

 

Below are the show outputs requested.

CISCOASA# show cap capin

0 packet captured

0 packet shown
CISCOASA# show cap capout

0 packet captured

0 packet shown

There is no traffic shown in the captures, hence the traffic never arrived at the ASA.

 

I would suggest checking the default gateway on your machine.

 

If it is Windows, can you check ipconfig from the cmd?

There is no gateway on my machine.

See the output of ipconfig below:

C:\Users\bchak>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::a424:19e4:5321:388b%11
IPv4 Address. . . . . . . . . . . : 192.168.5.2
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

Unknown adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Wireless LAN adapter Local Area Connection* 1:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Wireless LAN adapter Local Area Connection* 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter VMware Network Adapter VMnet1:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::6d89:619c:db2a:682d%12
IPv4 Address. . . . . . . . . . . : 192.168.184.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter VMware Network Adapter VMnet8:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::d93:74d2:db9e:d104%4
IPv4 Address. . . . . . . . . . . : 192.168.222.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

You need to set up the gateway as .1 and also the DNS config for it to work.

BB


So the issue is clear. Please add 192.168.5.1 as the default gateway to your machine; then the issue should be resolved.
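The diagnosis reached above can be reproduced in code. This is an added example, not something posted in the thread: it parses the ipconfig output (re-typed here as a constructed sample), flags adapters that carry an IPv4 address but no default gateway, and verifies that 192.168.5.1 is a usable host address on the PC's 192.168.5.2/30 subnet, which has only two usable addresses. Function names are my own; the subnet math comes from Python's standard ipaddress module.

```python
import ipaddress
import re

# Constructed sample: the adapter blocks from the ipconfig output posted above.
IPCONFIG_OUTPUT = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix . :
   Link-local IPv6 Address . . . . . : fe80::a424:19e4:5321:388b%11
   IPv4 Address. . . . . . . . . . . : 192.168.5.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter VMware Network Adapter VMnet8:

   IPv4 Address. . . . . . . . . . . : 192.168.222.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""
FIELDS = {"IPv4 Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}

def parse_ipconfig(text):
    """Map adapter name -> {ip, mask, gateway} for every adapter that has an IPv4 address."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*adapter .+):\s*$", line)
        if m:
            current = m.group(1)
            adapters[current] = {"ip": None, "mask": None, "gateway": None}
            continue
        m = re.match(r"^\s*(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*(\S*)", line)
        if m and current:
            adapters[current][FIELDS[m.group(1)]] = m.group(2) or None
    return {name: a for name, a in adapters.items() if a["ip"]}

def adapters_without_gateway(text):
    """Adapters with an IPv4 address but an empty Default Gateway: the symptom in this thread."""
    return sorted(name for name, a in parse_ipconfig(text).items() if a["gateway"] is None)

def gateway_fits(ip, mask, gateway):
    """True if gateway is a usable host on the adapter's subnet and is not the adapter itself."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    return gw in net and gw not in (net.network_address, net.broadcast_address, ipaddress.ip_address(ip))

def usable_hosts(ip, mask):
    """Host addresses available on the adapter's subnet (just two for a /30 point-to-point link)."""
    return [str(h) for h in ipaddress.ip_network(f"{ip}/{mask}", strict=False).hosts()]

if __name__ == "__main__":
    for name in adapters_without_gateway(IPCONFIG_OUTPUT):
        print(f"no default gateway on: {name}")
    print("192.168.5.1 fits 192.168.5.2/30:", gateway_fits("192.168.5.2", "255.255.255.252", "192.168.5.1"))
    print("usable hosts on the /30:", usable_hosts("192.168.5.2", "255.255.255.252"))
```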

balaji.bandi
Hall of Fame

As far as the ASA is concerned, I do not see any config issue here.

 

Try enabling DNS in the ASA:

 

dns domain-lookup outside

name-server x.x.x.x 

 

Make sure the end device is able to reach the DNS server to resolve the domain name.

 

 

BB


OneNinja
Level 1

Thank you all for your input. I truly appreciate it. The issue was with my default gateway. I was trying to go out without a gateway.

sietecFAST
Level 1

EDIT. I just looked at your entire configuration and realized that my post below is completely inaccurate regarding your configuration (not completely, but you obviously have a separate subnet set up). But I think I'll leave it just in case somebody else does not read through your configuration output and assumes that a small subnet mask is acceptable for an entire network; I have seen that countless times. Anyone who wishes to delete this or ask me to, please feel free.

Original post:

 

I am just asking for clarity and to make sure I know your intent with regards to your home network.

 

When I saw you are using a /30 subnet mask, I thought it was either a mistake in your copy and paste, you are using dynamic routing protocols and setting up a subnet for that (but I don't see any indication of that), or you're simply trying to test one host and its access to the Internet.

 

However, with a subnet so small you will only be able to have one host with access to the Internet because of the very limited number of addresses. For a subnet of 192.168.5.0/30, you cannot use the address 192.168.5.252 (in that case, that would be the subnet or the network ID, the gateway would be at .253 and broadcast would still be at .255, but the only host would be able to be located at .254). In this case, only the gateway (.1) and (.2) will be able to use the network... anything at or above 192.168.5.4, for that matter, is on a completely different broadcast domain since it is the next /30 available in this example (or broadcast domain, I mean). Thus, the solutions given are spot on correct in that the gateway should be 192.168.5.1; however, that only gives you your test host and one other host and then you're out of addresses. I would highly suggest that you expand your network to a standard /24 (255.255.255.0) for a range of 192.168.5.0 (not really, but it is called the "network" address) through 192.168.5.255 (again, not typically usable since it is usually used as the standard broadcast address... it is the highest address in this network, and in the case of a /24, the gateway is at hex 0x0 [zero of course] and the broadcast address is at 0xFF [255]) because almost all devices expect broadcast to be at .255 and the gateway to be at that one; that's just the way things evolved, unfortunately, in the IPv4 realm at least.


Granted, I did read this and your post fairly rapidly and did not follow your configuration as well as I normally do; you may have already known all of this, but I figured somebody looking at this for an example might be able to use this little tidbit of information to help when they try to add more devices. In other words, I don't want you to think I am assuming you don't know anything about what you're doing, because obviously you do.


If you do change to a "standard" Class C network, you'll have room for around 250 endpoint devices, leaving you room for a few management and other infrastructure hosts such as DHCP, DNS, AD/LDAP, SNMP, Nagios/your favorite monitoring tool, etc.

 

I hope this helps and adds to your solution. I don't want to add superfluous information to an already answered question, but it struck me as odd when I saw the subnet prefix length.

 

Take care and enjoy your 5512. I use an ASA 5525-X at home, re-imaged with Firepower, and I've never had better performance: actually getting 970 Mb per second, and 500 with SSL inspection and full Snort inspection, network discovery, malware inspection, DNS and advanced inspection and preprocessor options (!), with a one gig plan with Cox. I can't believe they actually delivered on their promise, but only a box like these can handle that type of bandwidth. Believe me, I've tried making my own router on a stick with several-thousand-dollar HP enterprise blade servers and 10 Gb network cards, but could never get the stack to work the way Cisco has gotten it to work so efficiently, especially with all of the inspection enabled and traffic decryption and transparent inspection enabled as well as span ports and mirroring of all traffic. It truly is an amazing device and I hope that you enjoy experimenting with it as much as I have; my home device allows me much more room for experimentation than does production, obviously LOL.

Thanks. The subnet 192.168.5.0 was created to make a point-to-point connection between the inside interface of my ASA and the GigabitEthernet1/0/23 port of my switch. I actually have 4 subnets on 4 different VLANs (VLAN10: 192.168.10.0, VLAN20: 192.168.20.0, VLAN30: 192.168.30.0 and VLAN40: 192.168.40.0). My issue now is how to get the hosts on different VLANs to talk to each other and also go on the internet. I used OSPF as the routing protocol. Below is my switch config:

 

Current configuration : 5843 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCOSWITCH
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$YXFk$b1lVZlsY72jh4JIa9zdft1
enable password 
!
username admin password 
!
!
no aaa new-model
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing


ip dhcp excluded-address 192.168.10.1 192.168.10.5
ip dhcp excluded-address 192.168.20.1 192.168.20.5
ip dhcp excluded-address 192.168.30.1 192.168.30.5
ip dhcp excluded-address 192.168.40.1 192.168.40.5
!
ip dhcp pool Vlan10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 8.8.8.8
!
ip dhcp pool vlan20
network 192.168.20.0 255.255.255.0
!
ip dhcp pool vlan30
network 192.168.30.0 255.255.255.0
!
ip dhcp pool vlan40
network 192.168.40.0 255.255.255.0
!
ip dhcp pool vlan10
default-router 192.168.5.1
!
ip dhcp pool Vlan20
dns-server 8.8.8.8
default-router 192.168.20.1
!
ip dhcp pool Vlan30
default-router 192.168.30.1
dns-server 8.8.8.8
!
ip dhcp pool Vlan40
dns-server 8.8.8.8
default-router 192.168.40.1
!
!
ip domain-name lab.local
ip name-server 8.8.8.8
!
!
crypto pki trustpoint TP-self-signed-3857111040
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3857111040
revocation-check none
rsakeypair TP-self-signed-3857111040
!
!

quit
license boot level ipservices
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
interface FastEthernet0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 30
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 40
switchport mode access
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
no switchport
ip address 192.168.5.2 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 cisco
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
ip helper-address 192.168.10.0
ip helper-address 192.168.10.3
!
interface Vlan20
ip address 192.168.20.2 255.255.255.0
ip helper-address 192.168.20.0
ip helper-address 192.168.20.3
!
interface Vlan30
ip address 192.168.30.2 255.255.255.0
ip helper-address 192.168.30.0
ip helper-address 192.168.30.3
!
interface Vlan40
ip address 192.168.40.2 255.255.255.0
ip helper-address 192.168.40.0
ip helper-address 192.168.40.3
!
router ospf 1
log-adjacency-changes
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.40.0 0.0.0.255 area 0
!
ip classless
!
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
!
!
line con 0
line vty 0 4
password 
login local
transport input ssh
line vty 5 15
password cisco
login local
transport input ssh
!
end
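The question above is left open in the thread, but two properties of the posted switch config can be checked mechanically. This is an added example, not code from the thread or from Cisco: a small lint over a constructed excerpt of the config that reports Layer 3 interfaces whose address no "router ospf" network statement covers (using IOS wildcard-mask matching) and ip helper-address values that are a network or broadcast address rather than a DHCP server. On the excerpt it flags GigabitEthernet1/0/23, whose 192.168.5.0/30 link to the ASA is not advertised (and the posted ASA config has no OSPF process at all), and the 192.168.10.0 helper on Vlan10.

```python
import ipaddress
import re

# Constructed excerpt of the Catalyst 3750X config posted above, trimmed to the
# sections these checks read. IOS indents sub-commands by one space.
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet1/0/23
 no switchport
 ip address 192.168.5.2 255.255.255.252
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
 ip helper-address 192.168.10.0
 ip helper-address 192.168.10.3
router ospf 1
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
"""
OSPF_NET = re.compile(r"network (\S+) (\S+) area \S+$")

def sections(config):
    """Split an IOS config into (header, [sub-commands]); sub-commands are the indented lines."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            out.append((line.strip(), []))
        elif out:
            out[-1][1].append(line.strip())
    return out

def ospf_covers(networks, addr):
    """IOS semantics for 'network N W area X': addr matches when (addr & ~W) == (N & ~W)."""
    a = int(ipaddress.ip_address(addr))
    for net, wildcard in networks:
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if a & mask == int(ipaddress.ip_address(net)) & mask:
            return True
    return False

def lint(config):
    """Return findings as (check, interface, detail) tuples."""
    findings, ospf_nets, interfaces = [], [], {}
    for header, body in sections(config):
        if header.startswith("router ospf"):
            ospf_nets += [m.groups() for m in map(OSPF_NET.match, body) if m]
        elif header.startswith("interface "):
            interfaces[header.split()[1]] = body
    for name, body in interfaces.items():
        addr = next((l.split()[2:4] for l in body if l.startswith("ip address ")), None)
        if not addr:
            continue  # layer-2 access port or unconfigured interface: nothing to route
        net = ipaddress.ip_interface(f"{addr[0]}/{addr[1]}").network
        if not ospf_covers(ospf_nets, addr[0]):
            findings.append(("ospf-not-advertised", name,
                             f"{addr[0]}/{net.prefixlen} matches no OSPF network statement"))
        for line in body:
            if line.startswith("ip helper-address "):
                helper = ipaddress.ip_address(line.split()[2])
                if helper in (net.network_address, net.broadcast_address):
                    findings.append(("helper-not-a-host", name, f"{helper} is a network/broadcast address, not a DHCP server"))
    return findings
```

Running `lint(SWITCH_CONFIG)` returns the two findings; the same checks apply unchanged to a full `show running-config` pasted into SWITCH_CONFIG.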

 

 

 
