ASA 5515-X Can't browse/ping

Kevin Martin
Level 1

I'm new to ASAs and I am trying to configure two new ASAs. Right now, I can't ping/browse to any URLs from the inside networks/interface. I can ping from the external though. I have verified that the traffic is allowed. I'm getting a SYN Timeout in Syslog. Below is my config. Please let me know your thoughts:

ASA Version 9.1(2)
!
hostname ASA
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
 nameif External
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.xxx
!
interface GigabitEthernet0/1
 description Inside Interface
 nameif Inside
 security-level 100
 ip address xx.xx.xx.xx 255.255.255.xxx
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address xx.xx.xx.xx 255.255.255.xxx
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CDT -5
dns domain-lookup Inside
dns domain-lookup Management
dns server-group DefaultDNS
 domain-name XXXX.com
dns server-group DNS
 name-server xx.xx.xx.xx
 name-server xx.xx.xx.xx
 domain-name XXXX.com
dns-group DNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
pager lines 24
mtu External 1500
mtu Inside 1500
mtu Management 1500
ip verify reverse-path interface External
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,External) source dynamic any pat-pool obj-xx.xx.xx.xx
!
nat (External,External) after-auto source dynamic VPN-POOL interface
access-group External_access_in in interface External
access-group Inside_access_in in interface Inside
route External 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route Inside xx.xx.xx.xx 255.0.0.0 xx.xx.xx.xx 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

***Please Mark and Rate helpful posts***
Accepted Solution

Jouni Forss
VIP Alumni

Hi,

I guess if the connections are allowed through the firewall and end with SYN Timeout, and this happens for all connections (with a browser, for example), and you are still able to ping from the ASA itself to the Internet, then there's probably something wrong with NAT.

I guess you could try changing the NAT configuration a bit and then testing again:

no nat (Inside,External) source dynamic any pat-pool obj-xx.xx.xx.xx
nat (Inside,External) after-auto source dynamic any interface

If you are using multiple public subnets with the ASA, then you should use:

arp permit-nonconnected

- Jouni

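As an added example (not code from the thread), a Python lint that checks an ASA config for the condition Jouni's fix addresses: a pat-pool PAT address that lies outside the mapped interface's subnet while `arp permit-nonconnected` is off. The sample config, its RFC 5737 addresses and the object name obj-pat-pool are constructed, and the stated mechanism (the ASA not answering ARP for a non-connected mapped address, so replies never return) is the assumed explanation for the SYN Timeout.

```python
import ipaddress
import re

# Constructed sample config modelled on the thread's, with real addresses
# replaced by RFC 5737 ranges; obj-pat-pool is a hypothetical object name.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif External
 ip address 203.0.113.10 255.255.255.248
interface GigabitEthernet0/1
 nameif Inside
 ip address 10.0.0.1 255.255.255.0
object network obj-pat-pool
 host 198.51.100.5
no arp permit-nonconnected
nat (Inside,External) source dynamic any pat-pool obj-pat-pool
"""
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source dynamic \S+ pat-pool (\S+)", re.M)

def parse_config(cfg):
    """Return (nameif -> IPv4Interface, object -> host address, arp permit-nonconnected?)."""
    ifaces, objs, iface, obj, permit = {}, {}, None, None, False
    for s in (line.strip() for line in cfg.splitlines()):
        words = s.split()
        if s.startswith("interface "):
            iface, obj = None, None
        elif s.startswith("nameif "):
            iface = words[1]
        elif s.startswith("ip address ") and iface:
            ifaces[iface] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif s.startswith("object network "):
            obj, iface = words[2], None
        elif s.startswith("host ") and obj:
            objs[obj] = ipaddress.ip_address(words[1])
        elif s == "arp permit-nonconnected":
            permit = True
    return ifaces, objs, permit

def find_offsubnet_pat_pools(cfg):
    """Flag pat-pool NATs whose PAT address is off the mapped interface's subnet while
    'arp permit-nonconnected' is off: the ASA won't answer ARP for it, so SYN Timeout."""
    ifaces, objs, permit = parse_config(cfg)
    findings = []
    for _real, mapped, obj in NAT_RE.findall(cfg):
        addr = objs.get(obj)
        if addr is None or mapped not in ifaces:
            continue  # unresolvable object or interface: nothing to judge
        if not permit and addr not in ifaces[mapped].network:
            findings.append((mapped, obj, str(addr)))
    return findings
```

Either of Jouni's changes clears the finding: switching to interface PAT (the mapped address is then the interface's own) or enabling `arp permit-nonconnected`.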

2 Replies

Thanks Jouni Forss. That solved my problem.
