asa not able to use internet

milan_ver
Level 1

Hi,

I am using ASA 5505.

Below is my sh run.

I am not able to ping my gateway, i.e. 182.73.131.89

Please help

------------------------------------------

interface Ethernet0/0
 description Internet Interface
 switchport access vlan 61
!
interface Ethernet0/1
 description office Internet
 switchport access vlan 50
!
interface Ethernet0/2
 description LAN Failover Interface
 switchport access vlan 999
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan50
 nameif office
 security-level 100
 ip address 10.54.9.1 255.255.255.192
!
interface Vlan61
 nameif Internet
 security-level 0
 ip address 182.73.131.90 255.255.255.248
!
interface Vlan999
 description LAN Failover Interface
!
ftp mode passive
dns server-group DefaultDNS
 domain-name rcad.net
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network RC_NETWORK_CORPORATE
 network-object WAN_MARS_Global 255.0.0.0
 network-object RC_NETWORK_AIMARGUES_1 255.255.0.0
object-group network RC_NETWORK_AMERICA
 network-object RC_NETWORK_AMERICA 255.255.0.0
object-group network RC_NETWORK_ASIAPAC
 network-object RC_NETWORK_ASIAPAC 255.255.0.0
object-group network RC_NETWORK_INDIA-RBN
 network-object INTERNAL_INDIA-RBN 255.255.255.0
access-list INDIA-RBN_EUR-DATACENTER_cryptomap extended deny ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_AMERICA
access-list INDIA-RBN_EUR-DATACENTER_cryptomap extended deny ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_ASIAPAC
access-list INDIA-RBN_EUR-DATACENTER_cryptomap extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_CORPORATE
access-list office_nat0_outbound extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_CORPORATE
access-list office_nat0_outbound extended permit ip any object-group RC_NETWORK_INDIA-RBN log
access-list office_access_in extended permit ip object-group RC_NETWORK_INDIA-RBN any log
access-list office_access_in extended permit icmp object-group RC_NETWORK_INDIA-RBN any log
access-list INDIA-RBN_ASIA-DATACENTER_cryptomap extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_ASIAPAC
access-list INDIA-RBN_AMERICA-DATACENTER_cryptomap extended permit ip object-group RC_NETWORK_INDIA-RBN object-group RC_NETWORK_AMERICA
pager lines 24
logging enable
logging timestamp
logging buffer-size 65536
logging asdm-buffer-size 512
logging console notifications
logging buffered notifications
logging trap notifications
logging history notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu office 1500
mtu Internet 1500
no failover
failover lan unit primary
failover lan interface FAILOVER Vlan999
failover key *****
failover interface ip FAILOVER 172.16.255.1 255.255.255.0 standby 172.16.255.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any office
icmp permit any Internet
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (Internet) 1 interface
nat (office) 0 access-list office_nat0_outbound
route Internet 0.0.0.0 0.0.0.0 182.73.131.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable 8443
http 83.206.102.64 255.255.255.224 Internet
http 10.24.0.0 255.255.0.0 office
http authentication-certificate outside
snmp-server host office 10.24.0.112 poll community ***** version 2c
snmp-server host office 10.24.0.249 poll community ***** version 2c
snmp-server host office 10.24.1.245 poll community ***** version 2c
snmp-server location ROYAL CANIN - Bhiwandi - India
snmp-server contact WORLDWIDE IT OPERATION (itop-network@royal-canin.fr)
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 Internet
ssh 83.206.102.64 255.255.255.224 Internet
ssh timeout 60
ssh version 2
console timeout 0
management-access office
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
RBN-ASA-01# $

3 Replies

Jouni Forss
VIP Alumni

Hi,

Are you saying that hosts behind the ASA can't use the Internet, or the ASA itself?

You at least don't have any "nat" source address configurations for your "global" configurations. Only the NAT Exemption/NAT0 configuration.

If you issue "show arp" command can you see anything for the interface "Internet"?

- Jouni

Hi,

Below is the output of sh arp

RBN-ASA-01# sh arp
        office 10.54.9.2 20aa.4b0a.acba 5394
        office 10.54.9.10 0013.726d.02ef 6152
        office 169.254.7.201 0013.726d.02ef 6501
        Internet 182.73.131.89 0019.a99d.a2c0 202
        Internet 182.73.131.92 0013.726d.02ef 790
        Internet 182.73.131.93 5067.f034.639e 5241
RBN-ASA-01#

Hi,

To my understanding permitting the ICMP with either

"permit icmp host "

or

"permit icmp "

should be enough to permit ICMP so you can ping those networks and receive replies from them. Though I'm not sure whether connected network ICMP should work without that.

Could you also issue "clear arp" and try ICMP/PING after that? Also get "show arp" output after "clear arp".

Why do you have the INSIDE and OUTSIDE interfaces configured even though they don't have anything behind them? (Provided the above "show arp" output was complete.)

Also, why don't you have any NAT source address configuration for your LAN hosts behind "office"?

For example

nat (office) 1 10.54.9.0 255.255.255.192

Is this a new ASA setup or has this worked at some point already? Is there a possibility that the ISP router/core just doesn't reply to ICMP? Have you tried connections with actual LAN hosts through the ASA to the Internet?

Have you tried to ping any known public IP address other than the default gateway of your ASA? ICMP/Trace isn't always the best way to test connections.

EDIT: Edited some typos with the commands provided

- Jouni
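
The gap pointed out in the replies above (two "global" statements with NAT ID 1, but only a "nat ... 0" exemption on the office interface) can be checked mechanically before a configuration is deployed. The Python below is an added example, not part of the original thread or of any Cisco tool; the function name `audit_nat_pairs` is hypothetical, and it assumes the pre-8.3 `nat`/`global` syntax used in the posted configuration.

```python
import re
from collections import defaultdict

# Pre-8.3 ASA syntax: "nat (ifc) <id> ..." selects sources, "global (ifc) <id> ..."
# supplies the translated address; the two are tied together by the numeric NAT ID.
RULE = re.compile(r"^\s*(nat|global)\s+\(([^)\s]+)\)\s+(\d+)\b")

def audit_nat_pairs(config_text):
    """Return (nat_id, problem, interfaces) for NAT IDs that do not pair up."""
    nat_ifcs, global_ifcs = defaultdict(set), defaultdict(set)
    for line in config_text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        kind, ifc, nat_id = m.group(1), m.group(2), int(m.group(3))
        if nat_id == 0:
            continue  # ID 0 is NAT exemption / identity NAT and never uses a global
        (nat_ifcs if kind == "nat" else global_ifcs)[nat_id].add(ifc)

    findings = []
    for nat_id in sorted(set(nat_ifcs) | set(global_ifcs)):
        if nat_id not in nat_ifcs:
            findings.append((nat_id, "global-without-nat", sorted(global_ifcs[nat_id])))
        elif nat_id not in global_ifcs:
            findings.append((nat_id, "nat-without-global", sorted(nat_ifcs[nat_id])))
    return findings

# NAT-related lines copied from the configuration posted in this thread.
POSTED = """\
global (outside) 1 interface
global (Internet) 1 interface
nat (office) 0 access-list office_nat0_outbound
"""

# Same lines plus the source rule suggested in the reply.
WITH_SUGGESTED_NAT = POSTED + "nat (office) 1 10.54.9.0 255.255.255.192\n"

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("with suggested nat", WITH_SUGGESTED_NAT)):
        print(label, audit_nat_pairs(cfg) or "nat/global IDs pair up")
```
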
