06-21-2013 02:15 PM - edited 03-11-2019 07:01 PM
I'm new to ASAs and I am trying to configure two new ASAs. Right now, I can't ping or browse to any URLs from the inside networks/interface. I can ping from the external, though. I have verified that the traffic is allowed. I'm getting a SYN Timeout in Syslog. Below is my config. Please let me know your thoughts:
ASA Version 9.1(2)
!
hostname ASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif External
security-level 0
ip address xx.xx.xx.xx 255.255.255.xxx
!
interface GigabitEthernet0/1
description Inside Interface
nameif Inside
security-level 100
ip address xx.xx.xx.xx 255.255.255.xxx
!
interface Management0/0
management-only
nameif Management
security-level 100
ip address xx.xx.xx.xx 255.255.255.xxx
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CDT -5
dns domain-lookup Inside
dns domain-lookup Management
dns server-group DefaultDNS
domain-name XXXX.com
dns server-group DNS
name-server xx.xx.xx.xx
name-server xx.xx.xx.xx
domain-name XXXX.com
dns-group DNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
pager lines 24
mtu External 1500
mtu Inside 1500
mtu Management 1500
ip verify reverse-path interface External
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,External) source dynamic any pat-pool obj-xx.xx.xx.xx
!
nat (External,External) after-auto source dynamic VPN-POOL interface
access-group External_access_in in interface External
access-group Inside_access_in in interface Inside
route External 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route Inside xx.xx.xx.xx 255.0.0.0 xx.xx.xx.xx 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
06-21-2013 02:23 PM
Hi,
I guess if the connections are allowed through the firewall and end with SYN Timeout, and this happens for all connections (with a browser, for example), and you are still able to ping from the ASA itself to the Internet, then there's probably something wrong with NAT.
I guess you could try changing the NAT configuration a bit and then testing again:
no nat (Inside,External) source dynamic any pat-pool obj-xx.xx.xx.xx
nat (Inside,External) after-auto source dynamic any interface
If you are using multiple public subnets with the ASA then you should use
arp permit-nonconnected
- Jouni
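As an added illustration (not part of the thread, and not Jouni's or Cisco's text), the two suggestions above side by side with the original pool-based rule, followed by the commands a practitioner would use to confirm which NAT rule a connection actually hits. It assumes the PAT pool address was not on a subnet connected to External (one common cause of this symptom), and all addresses are constructed RFC 5737 documentation values.

```cisco
! --- Added example; addresses are constructed documentation values ---
! Before: PAT to a pool object whose host address is not on the External
! subnet, while proxy ARP for non-connected addresses is disabled. Outbound
! SYNs leave, but the upstream router cannot resolve the PAT address, so
! replies never return and the ASA logs the teardown with reason
! "SYN Timeout" (%ASA-6-302014).
object network PAT-POOL-OLD
 host 203.0.113.200
nat (Inside,External) source dynamic any pat-pool PAT-POOL-OLD
no arp permit-nonconnected
!
! After, option 1 (the accepted answer): PAT to the External interface
! address itself, which the ASA always answers ARP for.
no nat (Inside,External) source dynamic any pat-pool PAT-POOL-OLD
nat (Inside,External) after-auto source dynamic any interface
!
! After, option 2 (the "multiple public subnets" case): keep a PAT address
! from a second block routed to the ASA but not configured on External, and
! let the ASA proxy-ARP for it. Shown commented out; use one option only.
! object network PAT-POOL-ROUTED
!  host 198.51.100.10
! nat (Inside,External) after-auto source dynamic any pat-pool PAT-POOL-ROUTED
! arp permit-nonconnected
!
! Checks: simulate an inside host opening a web connection and confirm the
! NAT phase selects the intended rule, then watch live translations,
! connections and drop counters while reproducing the problem.
packet-tracer input Inside tcp 192.168.1.50 40000 198.51.100.80 80
show nat detail
show xlate
show conn
show asp drop
```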
06-21-2013 02:33 PM
Thanks JouniForss. That solved my problem.