07-22-2016 09:34 AM - edited 03-12-2019 01:03 AM
Hello guys,
I have an ASA 5540 that I'd like to configure for my branch office. Below is my network topology:
Comcast---->Cisco ASA 5540 ----> L3 switch----> PC.
The ASA 5540 is reset to factory default settings. The goal is to get my PCs online from this branch office.
The ASA has code version 9.1(5). Here is what I've configured so far:
interface GigabitEthernet0/0
speed 1000
duplex full
nameif outside
security-level 0
ip address 12.3.4.5 255.255.255.0
!
interface GigabitEthernet0/1
speed 1000
duplex full
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
object network net-192.168.1
subnet 192.168.1.0 255.255.255.0
object network net-192.168.1
nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 12.3.4.1 1
I connected my PC to the L3 switch. I can ping 192.168.1.1 (the ASA inside interface) but can't ping the outside, and I also can't get online while using Google DNS 8.8.8.8 on my PC.
Any ideas why it doesn't work? Thanks.
07-23-2016 06:54 AM
To get ping working you'll probably need to add something like:
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect pptp
inspect dns preset_dns_map
07-29-2016 06:11 PM
Hi Guys,
Sorry I was out of town and just got back today.
Below are the results of the commands you guys asked me to run on the ASA:
ASA-Lab01# packet-tracer input inside tcp 12.3.4.5 80 8.8.8.8 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 57580, packet dispatched to next module
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
ASA-Lab01#
========================
ASA-Lab01# sh int ip br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 12.3.4.5 YES manual up up
GigabitEthernet0/1 192.168.1.1 YES manual up up
GigabitEthernet0/2 unassigned YES unset administratively down up
GigabitEthernet0/3 unassigned YES unset administratively down down
Management0/0 172.20.16.10 YES manual up up
ASA-Lab01#
=========================
Ping 8.8.8.8
ASA-Lab01# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA-Lab01#
========================
Ping ISP's gateway:
ASA-Lab01# ping 12.3.4.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.3.4.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA-Lab01#
I still can't get to the internet and also can't ping any public IP either.
Thanks.
07-29-2016 06:11 PM
Hi,
What is your ISP gateway: 12.3.4.9 or 12.3.4.1?
If it's 12.3.4.9, then please modify your static route (route Outside 0 0 12.3.4.9) and verify.
If not, can you also share the output of the show nat and show xlate commands?
Thanks & best regards,
07-29-2016 07:57 PM
Ditto to what Ahmed suggested.
Packet-tracer confirms the ASA setup is OK. You have an issue with / getting past the upstream gateway (Comcast router).
07-29-2016 09:13 PM
Hi Ahmed, the ISP's default gateway is 12.3.4.1.
ASA-Lab01# sh nat
Auto NAT Policies (Section 2)
1 (Inside) to (Outside) source dynamic net-192.168.1 interface
translate_hits = 106, untranslate_hits = 87
ASA-Lab01#
ASA-Lab01# sh xlate
0 in use, 101 most used
ASA-Lab01#
Hi Marvin, I thought the Comcast router was having issues earlier today too, so I set up a router with IP 12.3.4.9 as its outside interface, and that router is working fine with the internet. My router can ping the ISP gateway and 8.8.8.8, and I can ping the ASA 12.3.4.5 and vice versa. I think I'm going to reboot the Comcast router to see if it helps. I'll update you guys later. Thanks.
07-30-2016 12:51 AM
Hi,
You see, both the packet-tracer output and show nat show that it's not a NAT issue.
Most probably it's a router issue.
Thanks
07-23-2016 07:21 AM
Philip is correct regarding ping.
I would also advise that ping is a poor tool for troubleshooting. More useful would be packet-tracer. It has both a GUI (ASDM) and a CLI version.
For instance:
packet-tracer input inside <tcp or udp> <source ip> <source port> <destination ip> <destination port>
...will show you the logic the ASA uses for a given packet with the specified 5-tuple (protocol, source ip, source port, destination ip, destination port).
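The per-phase layout of packet-tracer output described above lends itself to scripted triage when you have many traces to read. The following is an added example, not code from the thread or from Cisco: a small parser that splits a trace into its phases and the trailing summary, reports the first phase that did not return ALLOW, and pulls the matched route out of the ROUTE-LOOKUP phase. The sample trace is constructed and abbreviated from the output posted earlier in this thread.

```python
# Constructed sample, abbreviated from the packet-tracer output posted earlier in this thread
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 7
Type: FLOW-CREATION
Result: ALLOW
Result:
input-interface: Inside
output-interface: Outside
Action: allow
"""

HEADERS = ("Type", "Subtype", "Result", "Config", "Additional Information")

def parse_packet_tracer(text):
    """Split packet-tracer output into a list of per-phase dicts and the trailing summary dict."""
    phases, summary, cur, in_summary = [], {}, None, False
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "info": []}
            phases.append(cur)
        elif line.strip() == "Result:":      # bare header opens the final summary block
            in_summary, cur = True, None
        elif in_summary and ":" in line:
            key, value = line.split(":", 1)
            summary[key.strip()] = value.strip()
        elif cur is not None:
            key, _, value = line.partition(":")
            if key in HEADERS and value.strip():
                cur[key.lower()] = value.strip()
            elif key not in HEADERS:
                cur["info"].append(line.strip())    # free text, e.g. the matched route
    return phases, summary

def first_drop(phases):
    """First phase whose Result is not ALLOW (the module that dropped the packet), or None."""
    return next((p for p in phases if p.get("result") != "ALLOW"), None)

def matched_route(phases):
    """(prefix, mask, egress nameif) from the ROUTE-LOOKUP phase, or None."""
    for p in phases:
        if p.get("type") == "ROUTE-LOOKUP":
            for words in (ln.split() for ln in p["info"]):
                if len(words) == 4 and words[0] == "in":
                    return tuple(words[1:])
    return None
```

For the trace in this thread every phase allows, so first_drop returns None and the route lookup resolves to the default route out of Outside, which is exactly why the replies point at the upstream gateway rather than the ASA.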
07-24-2016 11:40 PM
Hi,
Is there a typo? Make sure the NAT statement coincides with the nameif given.
nat (Inside,outside) dynamic interface
Could you post show int ip brief and ping 8.8.8.8 from the ASA?
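Two things the replies ask the poster to double-check are whether the nameif in the nat and route lines actually matches a configured interface, and whether the default route's next hop (12.3.4.1 vs 12.3.4.9) sits on the outside interface's subnet. The following is an added example, not code from the thread or from Cisco: a small lint over a pasted ASA configuration that flags both problems. The sample configuration is constructed from the interface, NAT and route lines posted at the top of the thread; nameif references are compared case-insensitively so that cosmetic casing differences do not produce false positives and only a name that matches no interface at all is reported.

```python
import ipaddress

# Constructed sample: the interface, NAT and route lines posted at the top of this thread
CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 12.3.4.5 255.255.255.0
interface GigabitEthernet0/1
 nameif Inside
 ip address 192.168.1.1 255.255.255.0
object network net-192.168.1
 subnet 192.168.1.0 255.255.255.0
object network net-192.168.1
 nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 12.3.4.1 1
"""

def parse_interfaces(config):
    """Map each lowercased nameif to its IPv4Interface (None if no address is set)."""
    ifaces, name = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            name = None
        elif line.startswith("nameif "):
            name = line.split()[1].lower()   # compared case-insensitively, see lead-in
            ifaces[name] = None
        elif line.startswith("ip address ") and name:
            addr, mask = line.split()[2:4]
            ifaces[name] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces

def lint(config):
    """Findings: nat/route lines naming an unknown nameif, and default routes
    whose next hop is not on the egress interface's subnet."""
    ifaces, findings = parse_interfaces(config), []
    for line in map(str.strip, config.splitlines()):
        words, refs = line.split(), []
        if line.startswith("nat ("):
            refs = line[line.index("(") + 1:line.index(")")].split(",")
        elif line.startswith("route "):
            refs, egress = [words[1]], ifaces.get(words[1].lower())
            if words[2:4] == ["0.0.0.0", "0.0.0.0"] and egress is not None:
                hop = ipaddress.IPv4Address(words[4])
                if hop not in egress.network:
                    findings.append(f"route: next hop {hop} not on {words[1]} subnet {egress.network}")
        for ref in refs:
            if ref.strip().lower() not in ifaces:
                findings.append(f"{words[0]}: unknown nameif {ref.strip()!r}")
    return findings
```

On the thread's configuration the lint returns no findings, which agrees with the packet-tracer result that the ASA side is consistent; swapping the next hop for an address outside 12.3.4.0/24, or misspelling the nameif in the nat line, produces one finding each.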