cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5333
Views
0
Helpful
14
Replies

ASA 5520 cannot access Internet

stavroskalamat
Level 1
Level 1

A few months ago I wasn't able to spell Cisco's name and here I am trying to configure an ASA 5520 on a small network I was tasked to put together. I saw this as a great learning opportunity, especially becoming familiar with Cisco's networking philosophy, so I went for it. I'm at a point though I need an expert's eye to give me a lead on the following issue:

Have VLANs 201, 202 and 203 physical and virtual machines on inside and dmz access the internet.

The guest network router has already configured with static routes to go from the non-routable 192.168.132.y to a public ip address. The laptop on the guest network (please see network.jpg) has internet access to confirm the aforementioned.

Also, the ASA 5520, with its config as shown on the log attached, can ping the laptop on 192.168.132.32, all 10.0.x.y interfaces (10.0.201.1, 10.0.202.1 and the 10.0.200.1), the outside FW interface (currently at 192.168.132.105) and the guest network router's public ip address. That, and a lot of packet tracing, led me to believe I'm missing something on my ACLs or my config is wrong somewhere I can't see.

Although the CLI is more convenient to me I attached a few screen-shots for clarification purposes.

The files attached carry self-explanatory names, however, if they miss pieces of info that'll expedite your assistance comments I'll be glad to follow up.

By the way, can somebody recommend a book (or books) on switching & routing that  gradually introduce the concepts, (it's more than intutive that design exercises and hands-on experience are an absolute MUST to gain further knowledge) so a novice in the field will work slowly on building a theoretical foundation as a start?

Appreciate your help.

sk

2 Accepted Solutions

Accepted Solutions

Hi,

You have tested with the "packet-tracer" connection from network 192.168.132.0/24 to one of the 10-networks.

This is not possible with teh current configurations are you are doing Dynamic PAT from the LAN/DMZ interfaces to the "outside" interface.

To be able to access the 10-network from the 192.168.132.0/24 network directly you would need NAT0 configuration.

Notice that you CANT test return traffic with "packet-tracer". The "packet-tracer" always tests a incoming first packet for some connection. So if no Dynamic PAT translation is active at the moment on the firewall then you wont be able to test any return traffic for a non existing connection.

I can't see anything wrong with the firewall configuration at the moment.

I guess you can try the "packet-tracer" command from the CLI to simulate outbound Internet connection

packet-tracer input ins_cli tcp 10.0.201.100 12345 8.8.8.8 80

packet-tracer input ins_srv tcp 10.0.202.100 12345 8.8.8.8 80

Use the exact above commands and post the output from CLI

- Jouni

View solution in original post

Hi,

You dont have ACL on the INS_SRV interface allowing that traffic. To allow all traffic from INS_SRV you would need the following ACL rule

access-list ins_srv_access_in extended permit ip 10.0.201.0 255.255.255.0 any

- Jouni

View solution in original post

14 Replies 14

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

So are you saying that you cant reach the Internet from the networks that are located behind the ASA firewall?

Whit what are you trying to test Internet connectivity?

Incase you are trying to test with ICMP try adding these configurations

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

Then try ICMP again.

I would suggest doing the following changes.

Remove all the interface ACLs that are attached in the Outbound direction (out)

no access-group outout out interface outside

no access-group ins_srv_access_out out interface ins_srv

Its usually best to control the traffic entering an interface of the ASA and not the traffic leaving it.

To clarify

  • access-group out interface
    • This would attach an ACL to an interface in the outbound direction. It would control traffic heading out from this interface. In other words, the traffic has already come from behind some other ASA interface and is now heading out of this interface.
  • access-group in interface
    • This would attach an ACL to an inteface in the inbound direction. It would control traffic heading towards this interface. In other words, the traffic would just be entering the ASA through this interface

This is why using Inbound interface ACL would make the most sense. You very rarely need to apply Outbound ACLs. Most of the time they cause more problems and add complexity to the setup.

With regards to the NAT configurations, you seem to have a basic Dynamic PAT configuration for all the 3 LAN/DMZ networks. The PAT IP address seems to be from the network 192.168.132.0/24 which is directly connected to the Internet router also. This should already mean that there should be no problem with routing between the ASA and the Internet router. I would presume also that the Internet router is doing NAT for the ASAs "outside" interface IP address.

Can you clarify a bit what the situation is at the moment?

Hope this helps

- Jouni

Hello Jouni,

First of all I appreciate your prompt resourceful response.

Answers to your Qs follow:

Q>

So are you saying that you cant reach the Internet from the networks that are located behind the ASA firewall?

Answer: That is correct. In other words all machines (phys. & virtual) in 10.0.0.0/16 (covering 10.0.201.0, 10.0.202.0, and 10.0.200.0) can NOT access the internet.

Q>

what are you trying to test Internet connectivity?

Incase you are trying to test with ICMP try adding these configurations

Answer: My attempt to go out was by using icmp packets (ping), if I'm using the right terms. So, I go to various machines in 10.0.0.0/16 and try to ping beyond the gateway. For example, from machine with ip 10.0.201.215 I ping 10.0.201.1 successfully BUT when i try to ping 192.168.132.105 (outside interf. on the ASA5520) I get a "request timed out".

Also, from 10.0.201.215 machine, after a changing the ACL Rules (see latest copy of ASA5520 config) based upon the advice of your response, I can successfully ping the following in the guest network.

192.168.132.32 (laptop)

192.168.132.1 (gateway)

192.168.132.11 (switch)

From an ssh session on ASA5520 I can successfully ping all the above and more:

10.0.201.1

192.168.132.105 (outside interf. of ASA5520)

192.168.132.1

192.168.132.32

192.168.132.11

and the routable ip address on the outside interf. of the guest network router

Q>

Trying

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

Answer: the above 4 icmp lines and the ACL Rule changes you recommended together, I presume, changed the response from the machines in the 10.0.0.0/16, in other words I can ping IP address in the 192.168.132.0/24 from 10.0.201.215 for example, as mentioned up above.

Still can NOT ping ASA's outside interf. from a machine located in a inside VLAN but according to the following thread

http://www.sadikhov.com/forum/index.php?/topic/150887-cant-ping-from-inside-to-outside-interface-with-asa5505/

I am not supposed to.

Q>

Remove all the interface ACLs that are attached in the Outbound direction (out)

no access-group outout out interface outside

no access-group ins_srv_access_out out interface ins_srv

Answer:

This comment makes absolute sense.

This is why using Inbound interface ACL would make the most sense. You  very rarely need to apply Outbound ACLs. Most of the time they cause  more problems and add complexity to the setup.

I should have thought of that.

Q>

With regards to the NAT configurations, you seem to have a basic Dynamic  PAT configuration for all the 3 LAN/DMZ networks. The PAT IP address  seems to be from the network 192.168.132.0/24 which is directly  connected to the Internet router also.

Answer: the above statement is correct

Q>

This should already mean that  there should be no problem with routing between the ASA and the Internet  router. I would presume also that the Internet router is doing NAT for  the ASAs "outside" interface IP address.

Answer: You are correct there's no problem routing between the ASA and the guest network router since I can ping the outside routable IP on the router from an ssh session on the ASA.

Indeed, the internet route is doing NAT for the ASAs outside interf. IP address.

I'm attaching the latest & greatest ASA5520 config.

Please ask me more Qs that'll clarify the env'nt and will expedite troubleshooting. Meanwhile, I'm thinking about this day and night and I am reading about Staic.Dynamic NAT/PAT, etc on cisco's web site continuously to educate myself so I figure out I'm doing wrong.

Thanks in advance,

Stavros

I cannot attach a doc so I'm copying & pasting the latest (Aug. 9th) ASA's config down below

ASA Version 8.2(1)

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.132.105 255.255.255.0

!

interface GigabitEthernet0/1

nameif ins_srv

security-level 100

ip address 10.0.201.1 255.255.255.0

!

interface GigabitEthernet0/2

nameif ins_cli

security-level 100

ip address 10.0.202.1 255.255.255.0

!

interface GigabitEthernet0/3

nameif dmz

security-level 50

ip address 10.0.200.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 90

ip address 10.0.203.10 255.255.255.0

management-only

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup outside

dns domain-lookup ins_srv

dns domain-lookup ins_cli

dns domain-lookup dmz

dns domain-lookup management

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service IBM_TivoliEndPointMngr tcp-udp

description Patch Mngt SW

port-object eq 52311

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service KiwiSyslog

description Solarwinds Kiwi

service-object udp eq syslog

object-group service TeredoPackets udp

description Blocks UDP port 3544 traffic inbound and outbound

port-object eq 3544

object-group service DM_INLINE_SERVICE_2

service-object ip

service-object tcp eq echo

service-object tcp eq www

service-object udp eq www

service-object icmp

service-object icmp6

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_4

protocol-object ip

protocol-object icmp

object-group protocol DM_INLINE_PROTOCOL_5

protocol-object ip

protocol-object icmp

protocol-object udp

protocol-object tcp

access-list ins_srv_nat0_outbound extended permit ip 10.0.202.0 255.255.255.0 any

access-list ins_srv_nat0_outbound extended permit ip 10.0.200.0 255.255.255.0 any

access-list outside_nat_outbound extended permit tcp 192.168.132.0 255.255.255.0 eq www 10.0.201.0 255.255.255.0 eq www

access-list ins_cli_access_in extended permit ip 10.0.202.0 255.255.255.0 any

access-list dmz_access_in extended permit ip any any

access-list ins_cli_nat0_outbound extended permit ip 10.0.202.0 255.255.255.0 10.0.201.0 255.255.255.0

access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.202.0 255.255.255.0

access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 10.0.200.0 255.255.255.0

access-list ins_srv_access_in extended permit object-group DM_INLINE_PROTOCOL_2 10.0.201.0 255.255.255.0 192.168.132.0 255.255.255.0

access-list dmz extended permit object-group KiwiSyslog host 10.0.200.100 host 10.0.201.215

access-list dmz extended permit object-group TCPUDP host 10.0.200.100 host 10.0.201.215 object-group IBM_TivoliEndPointMngr

access-list dmz extended deny ip 10.0.200.0 255.255.255.0 10.0.201.0 255.255.255.0

access-list dmz extended deny ip 10.0.200.0 255.255.255.0 10.0.202.0 255.255.255.0

access-list dmz extended permit ip 10.0.200.0 255.255.255.0 any

access-list ins_srv_mpc extended permit ip any any

access-list outside_mpc extended permit ip any any

access-list ins_cli_mpc extended permit ip any any

access-list dmz_mpc extended permit ip any any

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 192.168.132.0 255.255.255.0 10.0.201.0 255.255.255.0

access-list ins_srvnat0_outbound extended permit ip 10.0.201.0 255.255.255.0 10.0.201.0 255.255.255.0

pager lines 24

logging enable

logging timestamp

logging trap debugging

logging asdm informational

logging mail emergencies

logging host ins_srv 10.0.201.215

mtu outside 1500

mtu ins_srv 1500

mtu ins_cli 1500

mtu dmz 1500

mtu management 1500

no failover

icmp unreachable rate-limit 10 burst-size 5

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (ins_srv) 0 access-list ins_srv_nat0_outbound

nat (ins_srv) 1 10.0.201.0 255.255.255.0

nat (ins_cli) 0 access-list ins_cli_nat0_outbound

nat (ins_cli) 1 10.0.202.0 255.255.255.0

nat (dmz) 1 10.0.200.0 255.255.255.0

access-group outside_access_in in interface outside

access-group ins_srv_access_in in interface ins_srv

access-group ins_cli_access_in in interface ins_cli

access-group dmz in interface dmz

route outside 0.0.0.0 0.0.0.0 192.168.132.105 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

aaa local authentication attempts max-fail 3

aaa authorization exec authentication-server

filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

http server enable

http 0.0.0.0 0.0.0.0 management

http 10.0.201.0 255.255.255.0 ins_srv

no snmp-server location

no snmp-server contact

telnet timeout 5

ssh 10.0.201.0 255.255.255.0 ins_srv

ssh timeout 30

ssh version 2

console timeout 5

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp authentication-key 1 md5 *

ntp authenticate

ntp trusted-key 1

ntp server 64.90.182.55 key 1 source outside

ntp server 96.47.67.105 key 1 source outside

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec webvpn

vpn-tunnel-protocol svc webvpn

webvpn

url-list value OtherLinks

svc ask enable default webvpn

class-map ins_cli-class

match access-list ins_cli_mpc

class-map ins_srv-class

match access-list ins_srv_mpc

class-map inspection_default

match default-inspection-traffic

class-map dmz-class

match access-list dmz_mpc

class-map outside-class

match access-list outside_mpc

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

class class-default

set connection decrement-ttl

policy-map outside-policy

class outside-class

ips inline fail-open

policy-map dmz-policy

class dmz-class

ips inline fail-open

policy-map ins_cli-policy

class ins_cli-class

ips inline fail-open

policy-map ins_srv-policy

class ins_srv-class

ips inline fail-open

!

service-policy global_policy global

service-policy outside-policy interface outside

service-policy ins_srv-policy interface ins_srv

service-policy ins_cli-policy interface ins_cli

service-policy dmz-policy interface dmz

smtp-server 173.194.76.108

prompt hostname context

Hi,

Can you clarify if you are still having problems with ICMP from the LAN/DMZ networks to the Internet?

As you said in the above post already, you are NOT able to ICMP an ASA interface behind another interface.

Only hosts located behind an interface can ICMP that interface and receive a reply. Sending ICMP from a host to an ASA interface IP address that is NOT where the host is located at will always fail.

- Jouni

Hello Jouni,

Can you clarify if you are still having problems with ICMP from the LAN/DMZ networks to the Internet?

Answer: I cannot ICMP from the LAN/DMZ networks to the Internet. The way I try to do that is by opening a command prompt on

Windows of an internal host (10.0.201.215 in this case) and try to ping the outside IP address of the guest network router or ping yahoo.com for example. The response I get is "Request timed out".

As you said in the above post already, you are NOT able to ICMP an ASA interface behind another interface.

Answer:  You're correct. I cannot ping 192.168.132.105 (ASA outside interf. IP address) from a windows prompt of an internal host, such as 10.0.201.215

Only hosts located behind an interface can ICMP that interface and  receive a reply. Sending ICMP from a host to an ASA interface IP address  that is NOT where the host is located at will always fail.

Answer: That's correct.

I also attached 3 images that show an ASA packet tracer image for IP packets travelling from 10.0.201.215 to 192.168.132.32 (guest network laptop) and back. The forward traffic stops at a NAT Rule and the reverse traffic stops at the impicit Deny any any Rule of the incoming ACL rules of the ins_srv internal.

However, a packet tracer monitoring TCP packets from the same source (10.0.201.215) to the same destination (192.168.132.32) goes all the way w/o a problem. The reverse traffic of TCP packets stops also at the impicit Deny any any Rule of the incoming ACL rules of the ins_srv internal.

I hope I answered your Qs.

Thanks in advance for your time and consultation.

Hi,

You have tested with the "packet-tracer" connection from network 192.168.132.0/24 to one of the 10-networks.

This is not possible with teh current configurations are you are doing Dynamic PAT from the LAN/DMZ interfaces to the "outside" interface.

To be able to access the 10-network from the 192.168.132.0/24 network directly you would need NAT0 configuration.

Notice that you CANT test return traffic with "packet-tracer". The "packet-tracer" always tests a incoming first packet for some connection. So if no Dynamic PAT translation is active at the moment on the firewall then you wont be able to test any return traffic for a non existing connection.

I can't see anything wrong with the firewall configuration at the moment.

I guess you can try the "packet-tracer" command from the CLI to simulate outbound Internet connection

packet-tracer input ins_cli tcp 10.0.201.100 12345 8.8.8.8 80

packet-tracer input ins_srv tcp 10.0.202.100 12345 8.8.8.8 80

Use the exact above commands and post the output from CLI

- Jouni

Thanks Jouni.

Q>

are you are doing Dynamic PAT from the LAN/DMZ interfaces to the

"outside" interface.

I had switched the ASA config to Static PAT. I have assigned the ASA's outside's interf. IP to play that role.

Static PAT mya not be the best choice here so I'll switch the ASA to Dynamic PAT.

I'm reading on NAT0 to familiarize more.

Here's the ASA's response

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.09 15:14:46 =~=~=~=~=~=~=~=~=~=~=~=

PC2ZFW#

PC2ZFW# packet-tracer input ins_cli tcp 10.0.201.100 12345 8.8.8.8 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: ins_cli

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

PC2ZFW#    packet-tracer input ins_srv tcp 10.0.202.100 12345 8.8.8.8 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: ins_srv

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

PC2ZFW# exit

Logoff

Hi,

Sorry, I misstyped the IP address of the "packet-tracer" commands

packet-tracer input ins_cli tcp 10.0.202.100 12345 8.8.8.8 80

packet-tracer input ins_srv tcp 10.0.201.100 12345 8.8.8.8 80

I had the address spaces wrong

- Jouni

No worries Jouni. 

The 10.0.201.x can't hit 8.8.8.8 whereas 10.0.202.y can. I am trying to find out why this is happening.

Here you go:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.08.09 15:53:37 =~=~=~=~=~=~=~=~=~=~=~=

PC2ZFW#

PC2ZFW# packet-tracer input ins_cli tcp 10.0.202.100 12345 8.8.8.8 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group ins_cli_access_in in interface ins_cli

access-list ins_cli_access_in extended permit ip 10.0.202.0 255.255.255.0 any

Additional Information:

<--- More --->

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

set connection decrement-ttl

service-policy global_policy global

Additional Information:

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: FILTER

Subtype: filter-java

<--- More --->

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: FILTER

Subtype: filter-activex

Result: ALLOW

Config:

Additional Information:

Phase: 8

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (ins_cli) 1 10.0.202.0 255.255.255.0

nat-control

match ip ins_cli 10.0.202.0 255.255.255.0 outside any

   dynamic translation to pool 1 (192.168.132.105 [Interface PAT])

   translate_hits = 134750, untranslate_hits = 0

Additional Information:

Dynamic translate 10.0.202.100/12345 to 192.168.132.105/34539 using netmask 255.255.255.255

Phase: 10

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (ins_cli) 1 10.0.202.0 255.255.255.0

nat-control

match ip ins_cli 10.0.202.0 255.255.255.0 outside any

   dynamic translation to pool 1 (192.168.132.105 [Interface PAT])

   translate_hits = 134750, untranslate_hits = 0

Additional Information:

Phase: 11

Type: IDS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 12

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 13

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 3844340, packet dispatched to next module

Result:

input-interface: ins_cli

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

PC2ZFW#

PC2ZFW# packet-tracer input ins_srv tcp 10.0.201.100 12345 8.8.8.8 80

Phase: 1

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: ins_srv

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

PC2ZFW# exit

Logoff

Confirming I'm hitting google.com from the 10.202 machine.

Hi,

You dont have ACL on the INS_SRV interface allowing that traffic. To allow all traffic from INS_SRV you would need the following ACL rule

access-list ins_srv_access_in extended permit ip 10.0.201.0 255.255.255.0 any

- Jouni

just added another ACL from ins_srv to any on incoming rules of ins_srv and I'm hitting google's 8.8.8.8

see how educational was your input,

I just done that and I'm on the web (our responses came in at exactly the same time)

Now, I need to sit down and understand what I did wrong and learn from this mistake so I won't do it again.

Any recoemmdations for books. Cisco's a great resource but I need to start with a more digestable recommendation.

I really appreciate your input and the valuable help you provide to all of us.

Hi,

So is everything working now?

If so, please remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more though.

And if you run into some other problems dont hesitate to post here on the CSC

- Jouni

Yes everything is working fine. I'll pick your reply-recommendation that came closer to solve this issue.

Please feel free to leave me some book/web site recommendations for learning to go.

Thanks again.

The network config items I changed to resolve the issue were in a nutshell:

1) Static NAT -> Dynamic NAT

2) Removed all outgoing ACLs

3) Added ACL for internal ins_srv -> any

Review Cisco Networking for a $25 gift card