Solved: Re: ASA 5516-X Internet Connectivity

chunter7414 · ‎11-08-2018

Hi Everyone,
New to ASA-5516 and I'm having difficulties establishing an internet connection.

I have my ASA temporarily connected to a standalone 2811 to simulate the connection to my ISP.

FE0/0 on the 2811 is configured with the ISP gateway address.

From the 2811, I can ping the gateway address (FE0/0) as well as the outside interface on the ASA.

From the ASA, I can ping the inside ip address, the outside ip address, and FE0/0 on the 2811.

However, when I place the ASA into the production network, I'm unable to access the internet.

Would someone take a look at the attached cfg and tell me what I'm doing wrong or missing?

Thanks,

Cliff

k.nandakumar · ‎11-08-2018

Step 1:

policy-map global_policy

class inspection_default

Inspect icmp

Step 2:

I would prefer to configure ACL after all connectivity are OK. Until then either have rule to allow all or allow all services from specific Host from which I would be testing.

Step 3:

Is this IP ( 207.55.99.1) configured on Router or ISP Gateway ?

If its ISP Gateway, please change below CLI with Inside IP address of your route 2811

route outside 0.0.0.0 0.0.0.0 { 2811 inside IP address } 1

Verification:

1: When you do the ping test, try pinging 207.55.99.1 or ISP GW or DNS provided by ISP

2: When you do trace route, Source IP, don’t use ASA Interface IP, use some of Inside PC IP

Destination, use ISP GW, DNS, something outside of your network.

packet-tracer input inside tcp { Inside PC IP 10.0.0.x } 13 207.55.99.2 443

View solution in original post

AndreaTornaghi · ‎11-08-2018

Are you able to run a packet tracer test?

In this way you could understand where the problem is. More probably in on NAT configuration.

From CLI:

ASA# packet-tracer input inside tcp 201.1.1.1 13 8.8.8.8 443

chunter7414 · ‎11-08-2018

This is the packet trace from the ASA inside_if to FE0/0 on the 2811.

casper# packet-tracer input inside tcp 10.0.0.254 13 207.55.99.2 443

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 207.55.99.2 using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate 10.0.0.254/13 to 207.55.99.240/13

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1075, packet dispatched to next module

Phase: 9
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 207.55.99.2 using egress ifc outside

Phase: 10
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0014.1c27.0af8 hits 1 reference 1

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

casper#

mkazam001 · ‎11-08-2018

try any random public destination IP in the trace, not your next hop:)

AndreaTornaghi · ‎11-08-2018

So from PacketTracer the configuration seems to be ok. I'm supposing that maybe your subnet mask on WAN is not /24 but something else.

try to change your nat from:

object network obj_any
nat (any,outside) dynamic interface

to:

object network obj_any
nat (any,outside) dynamic 207.55.99.10

and re-do a packet tracer with destination 8.8.8.8, just to be sure that you are using the new NAT rule.

mkazam001 · ‎11-08-2018

from your packet tracer output - 207.55.99.240/13

could change subnet mask on outside interface & leave nat rule as it is

regards, mk

mkazam001 · ‎11-08-2018

the correct syntax for the packet trace is as follows, you can also access the CLI from the ASDM, under tools perhaps:

packet tracer input inside-cfcaa tcp 10.0.0.10 12345 8.8.8.8 53 det

remove the access-group cmd to rule out any issues with ACL

not sure what this cmd does - dhcpd auto_config outside you've configured a static ip yourself -

perhaps someone can advise

remove icmp permit restrictions at least for testing- instead use the below:
policy-map global_policy
class inspection_default
inspect icmp

regards, mk

please rate if helpful or solved :)

k.nandakumar · ‎11-08-2018

Step 1:

policy-map global_policy

class inspection_default

Inspect icmp

Step 2:

I would prefer to configure ACL after all connectivity are OK. Until then either have rule to allow all or allow all services from specific Host from which I would be testing.

Step 3:

Is this IP ( 207.55.99.1) configured on Router or ISP Gateway ?

If its ISP Gateway, please change below CLI with Inside IP address of your route 2811

route outside 0.0.0.0 0.0.0.0 { 2811 inside IP address } 1

Verification:

1: When you do the ping test, try pinging 207.55.99.1 or ISP GW or DNS provided by ISP

2: When you do trace route, Source IP, don’t use ASA Interface IP, use some of Inside PC IP

Destination, use ISP GW, DNS, something outside of your network.

packet-tracer input inside tcp { Inside PC IP 10.0.0.x } 13 207.55.99.2 443

chunter7414 · ‎12-18-2018

k.nandakumar Thanks for your reply.

The steps you described were exactly the steps I took to resolve the issue.

Apparently nothing was wrong with the config. I opened the outside interface to allow all traffic then tested connectivity using one of our additional addresses from the ISP. Traffic flow was as expected both in and out. Closed the outside inbound traffic and everything continued to work.

The only real difference was the outside IP address I was using. Initially, I was attempting to config the ASA to use the same address as the fw it was replacing. I later decided to use one of our other addresses so I could put both online.

I don't see where this should have made a difference though.

AndreaTornaghi · ‎12-19-2018

Probably your problem was caused by arp table. You have replaced the old firewall with the new one without clearing arp cache on router. So firewalls had the same ip address but different MAC.