5748 Views, 0 Helpful, 31 Replies

ASA5510 - How can I get the ESXi Server and its Virtual Machines to connect to the Internet, please?

Ventana.Hills, Level 1

Only devices on the DATA VLAN 200 can access the Internet.


How do I get devices on the Server VLAN 100 and Voice VLAN 120 to connect to the Internet?


Please refer to the drawing.

31 Replies

Forgot to attach the file again.

ASA5510 can ping the internet successfully.

ASA5510:
 ip address 172.16.220.254 255.255.255.252

Sw1 fa0/24:
 ip address 172.16.220.253 255.255.255.252

Pings are successful between ASA5510 and Sw1.

ASA5510 can ping the internet (8.8.8.8) and SW1 successfully, BUT

SW1 can only ping ASA5510 but CANNOT ping the internet (8.8.8.8 or 4.2.2.2).

Please see file attached.

So sorry for all the trouble

Thank you kindly,

Can your servers and PCs browse?

In order for you to ping outside you must enable ICMP inspection on your ASA under the global service policy.

I have these enabled:

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
  inspect icmp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context

So sorry for all the trouble I am putting you through. I really appreciate your valuable time.

You need to add "inspect icmp" as well in order to allow return pings.

Can you browse the Internet from your servers yet?

PCs and Servers cannot browse yet.

Please see config attached.

%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3600
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3636
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3691
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3722
%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 3750

You need to create a VLAN and an SVI on the switch, i.e.

switch(config)# vlan 220
switch(config-vlan)# name v220
switch(config-vlan)# exit

then on the switch put the port connecting to the ASA into that VLAN:

switch(config)# int <x/y>    <--- this connects to the ASA
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 220
switch(config-if)# spanning-tree portfast
switch(config-if)# exit

switch(config)# int vlan 220
switch(config-if)# ip address 172.16.220.253 255.255.255.252
switch(config-if)# no shut

Jon

Still no internet.

On the ASA5510, do I need to add 172.16.220.254 /252 somewhere?

Please see new SW1 config attached.

Firstly, can you check the interface is up on the switch, i.e. "sh ip int brief".

You have added 172.16.220.254 on the ASA according to your last configuration.

Also, not sure about these:

object network obj-172.16.200.0
 nat (inSIDE,outside) static 104.183.194.198
object network obj-172.16.100.0
 nat (inSIDE,outside) static 104.183.194.198

What are they doing?

Jon
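Added example, not from the original thread or any of its posters: the ASA 8.3+ side that goes with Jon's switch SVI config above (VLAN 220 transit, SVI 172.16.220.253) and with his question about the two static NAT objects. The interface name "inSIDE", the transit /30, the ISP next hop 104.183.194.198 and the VLAN subnets are taken from the show route output posted later in the thread; the object name INSIDE-NETS, security-level 100, the single summary route and the choice of dynamic PAT to the outside interface address are assumptions made here, not something the thread states.

```cisco
! Added example (not from the thread): ASA 8.3+ inSIDE/outside path for the
! VLANs hosted on the L3 switch. Addresses and the nameif "inSIDE" come from
! the thread's show route; INSIDE-NETS, security-level 100, the summary route
! and PAT-to-interface are assumptions.
!
! Transit /30 towards the switch SVI (Vlan220 = 172.16.220.253)
interface Ethernet0/1
 nameif inSIDE
 security-level 100
 ip address 172.16.220.254 255.255.255.252
!
! Routes: default to the ISP, and every switch-hosted VLAN back via the SVI.
! One summary covers VLAN 100, 120, 150, 200, ... instead of a route per VLAN
! (the connected /30 stays preferred because it is the longer prefix).
route outside 0.0.0.0 0.0.0.0 104.183.194.198 1
route inSIDE 172.16.0.0 255.255.0.0 172.16.220.253 1
!
! Drop the per-subnet static NAT to 104.183.194.198. That address is the ASA's
! own default-gateway next hop in the thread's show route, not an address the
! ASA owns, so return traffic for those translations is sent to the ISP router.
no object network obj-172.16.200.0
no object network obj-172.16.100.0
!
! PAT every inside subnet to the outside interface address. Inside hosts open
! the connection; the stateful engine admits the replies, no inbound ACL needed.
object network INSIDE-NETS
 subnet 172.16.0.0 255.255.0.0
 nat (inSIDE,outside) dynamic interface
!
! ICMP inspection so an echo reply from 8.8.8.8 is matched to the outbound echo
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verify from the ASA itself before touching a host: the trace names the phase
! (ROUTE-LOOKUP, NAT, ACCESS-LIST, ...) that drops the packet, if any.
packet-tracer input inSIDE icmp 172.16.100.1 8 0 8.8.8.8 detailed
packet-tracer input inSIDE tcp 172.16.100.1 40000 8.8.8.8 80
show nat detail
show xlate
!
! The %ASA-4-733100 [Scanning] messages posted earlier are basic threat
! detection; this shows the counters behind them.
show threat-detection rate
```

Two things from the thread are worth checking against this. The ASA's routing table later in the thread lists 172.16.100.0, 172.16.150.0 and 172.16.200.0 only, so the voice VLAN 120 from the original question has no return route unless one (or the summary above) is added; the summary assumes the switch hosts, or null-routes, everything in 172.16.0.0/16, otherwise keep one route per VLAN as in the thread. And 104.183.194.198, the address both static NAT objects translate to, is the ASA's default-gateway next hop, so a translation to it cannot bring replies back through the ASA. The two packet-tracer lines show which phase drops the packet without needing a host on the VLAN to test from.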

int fa0/24 is up/up.

I can delete the object network nat...

I was brand new when I set up this firewall; it took me very long and I tried a lot, so in the end it was just a miracle it worked, but I am NOT sure what made it work really. I just left all the config there.

I can ping the ASA from the switch and vice versa.

Only that the switch cannot ping the internet (8.8.8.8).

Can you do a "show route" on the ASA? Can you ping 8.8.8.8 from the switch with a source IP of any of VLAN 100, 150, or 200?

ASA5510 and SW1 "ip route":

Switch#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.220.254 to network 0.0.0.0

     172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks
C       172.16.150.0/24 is directly connected, Vlan150
C       172.16.144.0/24 is directly connected, Vlan144
C       172.16.133.0/24 is directly connected, Vlan133
C       172.16.200.0/24 is directly connected, Vlan200
C       172.16.201.0/24 is directly connected, Vlan201
C       172.16.202.0/24 is directly connected, Vlan202
C       172.16.203.0/24 is directly connected, Vlan203
C       172.16.220.252/30 is directly connected, Vlan220
C       172.16.100.0/24 is directly connected, Vlan100
S*   0.0.0.0/0 [1/0] via 172.16.220.254

Edge5510# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 104.183.194.198 to network 0.0.0.0

S    172.16.150.0 255.255.255.0 [1/0] via 172.16.220.253, inSIDE
S    172.16.200.0 255.255.255.0 [1/0] via 172.16.220.253, inSIDE
C    172.16.220.252 255.255.255.252 is directly connected, inSIDE
S    172.16.100.0 255.255.255.0 [1/0] via 172.16.220.253, inSIDE
C    104.183.194.192 255.255.255.248 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 104.183.194.198, outside

_____________________________


Switch#ping 172.16.100.101

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Switch#ping 8.8.8.8 source 172.16.100.101

% Invalid source address- IP address not on any of our up interfaces
Switch#ping 8.8.8.8 source 172.16.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.1
.....
Success rate is 0 percent (0/5)
Switch#

_____________________


Switch#ping 8.8.8.8 source 172.16.100.1 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.100.1
..........
Success rate is 0 percent (0/10)

___________________________


Switch#ping 8.8.8.8 source 172.16.200.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 172.16.200.1
.....
Success rate is 0 percent (0/5)
Switch#

What is this for?

icmp unreachable rate-limit 1 burst-size 1


______________________________

ASA5510 new config attached.

You already have it on your ASA interface eth0/1. Can you ping the ASA interface from the switch and any server host? What platform is the switch? Can you not make fa0/24 a routed port?