asa-5512-x no connectivity to internet

jbeadles888
Level 1

I am going from a PIX 515E to an ASA 5512-X. I used the wizard for the initial setup. I then set the interfaces the same, and the objects, NAT rules, routes and ACLs the same as in the 515E (except for the outside interface ACL, where you use the inside address now rather than the outside... and you have a global deny rule for all interfaces).

I take the cables from the inside / outside interface from the 515e, plug them into the 5512x and nada...

Computers on the inside can't get out. I see egress failures on the ASDM monitor from the inside to the outside. I don't see any traffic coming in on the outside interface to the inside, as I do on the ASDM of the 515E.

ASA Version 9.1(5)  
!
hostname ASA-5512-X
domain-name mydomain.com
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 98.xxx.xxx.xxx 255.255.255.224  
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.1.242 255.255.252.0  
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0  
!
boot system disk0:/asa915-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.0.3.42
 domain-name mydomain.com
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any  
access-list outside_access_in extended permit tcp any object webserver-inside object-group web-ports  
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-716.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static webserver-inside webserver-outside unidirectional
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 98.xxx.xxx.xxx 2  
route inside 172.20.0.0 255.255.0.0 10.0.0.1 1  
route inside 172.21.0.0 255.255.0.0 10.0.0.1 1  
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.0.0.0 255.255.0.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map  
  inspect ftp  
  inspect h323 h225  
  inspect h323 ras  
  inspect rsh  
  inspect rtsp  
  inspect esmtp  
  inspect sqlnet  
  inspect skinny   
  inspect sunrpc  
  inspect xdmcp  
  inspect sip   
  inspect netbios  
  inspect tftp  
  inspect ip-options  
!
service-policy global_policy global
prompt hostname context  
call-home reporting anonymous

4 Replies

Marvin Rhoads
Hall of Fame

At a quick glance the config looks pretty clean (please do use ssh and not telnet though)

Since you replaced one box with another, have you checked that your upstream (outside) device is reachable from the ASA itself? (i.e. can you ping your default gateway at 98.xxx.xxx.xxx?)

I've sometimes seen cases where we had to ask the ISP to clear their ARP cache when changing out firewalls.

It looked like it was the ISP. It took a few minutes with the new ASA hooked up for computers to get internet activity. I noticed the computers on the dynamic NAT had internet connectivity first, but the servers on static NATs did not. I changed the NATs to both directions (instead of unidirectional) and it started working. Not sure if that fixed it for the statics or I needed to wait longer for the ISP to adjust.

Glad to hear it's working for you. Cheers.

kevin_giusti
Level 1

I would make sure you have an ARP entry for your default gateway:

show arp

If so I would then run a packet tracer simulation to verify all is well.

packet-tracer input inside tcp 10.0.1.245 aol 8.8.8.8 aol

Finally I would change console timeout from 0 to 30.  Console timeout 0 means it will never timeout and stay logged in.
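The two points raised in this thread, the unidirectional static NAT that the original poster changed and the ARP and packet-tracer checks suggested above, worked through as an added example (not configuration from either poster). Object names come from the posted config; the gateway address is masked on the page, 203.0.113.10 and 198.51.100.25 are constructed placeholders for the address in object webserver-outside and an outside client, and port 80 is an assumption about what object-group web-ports contains.

```cisco
! Added example, not the poster's running config.
!
! As posted: "unidirectional" translates only connections that the inside
! host initiates. An inbound SYN to webserver-outside matches no translation,
! so it is dropped before outside_access_in is ever consulted. That is the
! right setting for a host that must not be reachable from outside; it is
! the wrong one for a published web server.
nat (inside,outside) source static webserver-inside webserver-outside unidirectional
!
! Corrected: without the keyword the static NAT is bidirectional. Inbound
! connections to the public address are untranslated to webserver-inside and
! then filtered by outside_access_in, which permits tcp any -> webserver-inside
! on web-ports only. Exposure is now bounded solely by that ACL, so keep it tight.
no nat (inside,outside) source static webserver-inside webserver-outside unidirectional
nat (inside,outside) source static webserver-inside webserver-outside
!
! Check 1: the default gateway must resolve on the outside interface. An
! "incomplete" or missing entry after a firewall swap usually means the
! upstream device still holds the old box's MAC in its ARP cache.
show arp | include outside
ping outside 98.xxx.xxx.xxx
!
! Check 2: outbound path for an inside host (dynamic PAT to the interface
! address). The NAT phase should show the after-auto dynamic rule and the
! final line should read "Action: allow".
packet-tracer input inside tcp 10.0.1.245 12345 8.8.8.8 80
!
! Check 3: inbound path to the published server, from a constructed outside
! client. With "unidirectional" still in place this drops in the NAT phase;
! after the change it should untranslate to webserver-inside and be allowed
! by outside_access_in.
packet-tracer input outside tcp 198.51.100.25 40000 203.0.113.10 80
```

Run the two packet-tracer commands before and after the NAT change to confirm that only the inbound result differs; if the outbound trace already fails, the problem is upstream (ARP or routing), not the NAT rules.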
