ASA - LAN doesn't receive internet - possible NAT issue

Maurizio Caloro
Level 1

Hello

I am running an ASA5606-x Firepower. Unfortunately, my LAN side is not able to reach the (ISP) Internet. Pings inside the LAN are possible, and pinging the firewall is also OK.

I think the configuration is made simple: g1/1 is WAN - Outside, the other ports are inside LAN attached to the BVI group INSIDE with a DHCP range (set up with our own internal DNS server 168.1.9) for all ports, so that all clients are able to work in the same subnet. Please, I am new to the ASA..... so friendly asking to show me ASA config file.

For any help on how I can change this so that I can access the Internet, I am happy.

1 Accepted Solution

In order for traceroute to work, you have to configure these commands.

Unlike most network devices, the Cisco ASA does not decrease the 'hop count' as traffic passes through it. To rectify this, we need to make a small change to the global inspection.

access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-group inbound in interface outside
!
policy-map global_policy
class class-default
set connection decrement-ttl
exit
please do not forget to rate.
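
Why the accepted solution has two parts, as an added toy model in Python (not code from the thread or from Cisco). It assumes five upstream routers with constructed addresses, labels the firewall hop "ASA", and assumes echo-replies already return because ping works in the thread.

```python
from dataclasses import dataclass

DEST = "23.0.174.139"  # destination from the tracert quoted in this thread
ROUTERS = [f"198.51.100.{i}" for i in range(1, 6)]  # constructed upstream hops


@dataclass
class Asa:
    decrement_ttl: bool = False       # "set connection decrement-ttl"
    permit_icmp_errors: bool = False  # outside ACL permits time-exceeded/unreachable


def probe(asa: Asa, ttl: int) -> str:
    """Return what tracert prints for one probe: an address, 'ASA', or '*'."""
    if asa.decrement_ttl:
        ttl -= 1
        if ttl == 0:
            # The ASA itself expires the packet and answers on the inside,
            # so this reply never has to pass the outside ACL.
            return "ASA"
    for router in ROUTERS:
        ttl -= 1
        if ttl == 0:
            # The router's time-exceeded arrives on the outside interface
            # and is dropped unless the inbound ACL permits it.
            return router if asa.permit_icmp_errors else "*"
    return DEST  # echo-reply from the destination (assumed to return)


def tracert(asa: Asa, max_hops: int = 30) -> list:
    """Send probes with TTL 1..max_hops and stop when the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        hops.append(probe(asa, ttl))
        if hops[-1] == DEST:
            break
    return hops


if __name__ == "__main__":
    cases = {
        "default": Asa(),
        "ACL only": Asa(permit_icmp_errors=True),
        "ACL + decrement-ttl": Asa(decrement_ttl=True, permit_icmp_errors=True),
    }
    for name, asa in cases.items():
        print(f"{name:22}", tracert(asa))
```

The default case reproduces the pattern in the thread: five timed-out hops, then the destination at hop 6. The ACL alone makes the upstream routers visible, and adding decrement-ttl adds the ASA as its own hop, shifting the destination to hop 7.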

5 Replies

You need a default route toward the WAN.
Try configuring a default route and check again.

johnd2310
Level 8

Hi,

 

Can you configure your outside interface as follows: "ip address dhcp setroute"?

Thanks

John

**Please rate posts you find helpful**

Hi John

Thanks for your solution, that worked. I enabled the feature "ip address dhcp setroute" and now the Internet is reachable from the LAN.

Please, one more thing: ping and nslookup are also running fine, but if I try to run a tracert I get the following.

C:\Users\MC>tracert www.bmw.de

Routenverfolgung zu e12267.dscb.akamaiedge.net [23.0.174.139]
über maximal 30 Hops:

1 * * * Zeitüberschreitung der Anforderung.
2 * * * Zeitüberschreitung der Anforderung.
3 * * * Zeitüberschreitung der Anforderung.
4 * * * Zeitüberschreitung der Anforderung.
5 * * * Zeitüberschreitung der Anforderung.
6 10 ms 8 ms 8 ms a23-0-174-139.deploy.static.akamaitechnologies.com [23.0.174.139]

Ablaufverfolgung beendet.

OK, for information: every query is answered by .168.1.9

C:\Users\Maurizio>nslookup www.bmw.de
Server: ad
Address: 192.168.1.9

Nicht autorisierende Antwort:
Name: e12267.dscb.akamaiedge.net
Addresses: 2a02:26f0:3000::1700:ae8b
2a02:26f0:3000::1700:ae5b
23.0.174.91
23.0.174.139
Aliases: www.bmw.de
bmwprod.edgekey.net

And I was thinking that I need to enable the following setting.

access-list 101 permit icmp host 192.168.1.9 host 192.168.1.1
access-group 101 in interface outside control-plane

Thanks for any possible answer
Regards

Mauri

 

Thanks to everyone, I am happy, now it's running fine! I see and have also learned many steps now!
