12-15-2010 02:54 PM - edited 03-11-2019 12:22 PM
Hi all,
I have a Cisco ASA 5510 with a basic configuration, but I can't access the internet from the inside interface.
I can ping internet servers from the Outside interface but can't ping or browse from the inside.
Below is the basic configuration.
Please, urgent help is needed.
It looks like an access-list is required but where?
ASA Version 7.0(8)
!
hostname ZEPASA
domain-name zep-re.com
enable password UF9SYkZdBRjBresV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.x.49.37 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 10 192.168.1.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 x.x.49.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
12-15-2010 03:18 PM
If you don't have any ACL applied to the inside interface, you do not need one, as traffic from a higher security level to a lower security level is allowed by default.
Just making sure that your inside host is in the same subnet as the ASA inside interface 192.168.1.0/24, and default gateway is 192.168.1.1.
DNS resolution works fine from the inside?
And for ping, please configure "inspect icmp" on your global policy map.
You might want to perform packet capture to see where the traffic is failing.
12-15-2010 03:34 PM
Hi Jennifer
Thanks for the response. DNS works fine from the inside; on the inside PC I am using Google's DNS server 8.8.8.8.
The default GW of the inside network is 192.168.1.1, and they are on the same subnet, which is the inside of the ASA.
12-15-2010 03:38 PM
If you are using Google DNS server, that means that you have connectivity to the Internet through the ASA.
What is not working at the moment?
12-15-2010 04:05 PM
The DNS setting is on the NIC of the PC that I am using to browse. I can't browse and can't ping through the ASA.
Below is the packet capture.
Even though it says the ICMP request was denied by an ACL, I don't have any access-list configured on the ASA.
ZEPASA# packet-tracer input inside icmp 192.168.1.1 0 0 1025 4.2.2.2 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa7355a68, priority=500, domain=permit, deny=true
hits=2, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.1.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ZEPASA# sh acc
ZEPASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
ZEPASA# packet-tracer input inside icmp 192.168.1.1 0 0 1025 4.2.2.2 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa7355a68, priority=500, domain=permit, deny=true
hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.1.1, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-15-2010 04:16 PM
As advised earlier, please enable ICMP inspection.
Assuming that you already have global_policy assigned to service-policy:
policy-map global_policy
 class inspection_default
  inspect icmp
12-15-2010 04:48 PM
Hi
The traffic is still being dropped after enabling ICMP inspection.
ZEPASA# packet-tracer input inside icmp 192.168.1.2 0 0 1025 4.2.2.2
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 10 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 10 (41.206.49.37 [Interface PAT])
translate_hits = 2, untranslate_hits = 0
Additional Information:
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
12-15-2010 05:10 PM
Can you please perform "clear xlate"? It seems that you have changed the NAT configuration and didn't clear xlate after the changes.
12-15-2010 05:22 PM
I have just done that, but I am still unable to ping or browse.
12-15-2010 10:01 PM
Does anybody have any idea why I can't ping, telnet or browse through the ASA with this simple configuration?
Please kindly help.
No traffic from inside is passing to outside.
Below is my current running config.
ASA Version 8.0(4)
!
hostname ZEPASA
domain-name zep-re.com
enable password UF9SYkZdBRjBresV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.49.37 255.255.255.248
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name zep-re.com
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 xx.xx.49.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet xx.xxx.xxx.xxx 255.255.255.255 Outside
telnet timeout 10
ssh xxx.xxx.xxx.xxx 255.255.255.255 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username password gbRIHmn1dUfWvHUp encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
prompt hostname context
Cryptochecksum:4e1b73290ca0598c2170c852d5a9d4cb
: end
ZEPASA#
Packet-trace Output
ZEPASA# packet-tracer input inside icmp 192.168.1.4 0 8 3000 8.8.8.8 detailed
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa7348eb8, priority=0, domain=permit-ip-option, deny=true
hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa779e938, priority=70, domain=inspect-icmp, deny=false
hits=3, user_data=0xa779e3c8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa73481c8, priority=66, domain=inspect-icmp-error, deny=false
hits=3, user_data=0xa73480f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 10 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 10 (xx.xx.49.37 [Interface PAT])
translate_hits = 7, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa738cf38, priority=1, domain=nat, deny=false
hits=6, user_data=0xa736f650, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks
Message was edited by: Randy Oppong
12-16-2010 12:39 AM
You have not applied the global_policy to the service-policy yet.
Please kindly configure the following:
service-policy global_policy global
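A small config lint, added here as an example (not code from the thread or from Cisco), that checks the points this thread turns on: whether every policy-map is actually applied with a service-policy, whether the old-style nat/global ids pair up, whether inspect icmp is present, and whether a packet-tracer source is one of the ASA's own interface addresses (the first trace above used 192.168.1.1, the Inside interface's IP, and the implicit rule that dropped it is keyed to exactly that /32; the later traces from .2 and .4 pass the ACL phase). The config string is a constructed excerpt of the final running config with a placeholder public address.

```python
import re

# Constructed config excerpt modelled on the final running config in the thread
# (public address replaced by a placeholder); no service-policy line, as posted.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 203.0.113.37 255.255.255.248
interface Ethernet0/1
 nameif Inside
 ip address 192.168.1.1 255.255.255.0
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect icmp
"""

def interface_addresses(config):
    """Map each nameif to its interface IP (pre-8.3 'ip address' syntax)."""
    addrs, nameif = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) ", line)) and nameif:
            addrs[nameif] = m.group(1)
    return addrs

def lint_asa_config(config):
    """Return findings for the mistakes this thread walks through."""
    findings = []
    defined = set(re.findall(r"^policy-map (\S+)\s*$", config, re.M))
    applied = set(re.findall(r"^service-policy (\S+)", config, re.M))
    for name in sorted(defined - applied):
        findings.append(f"policy-map {name} is never applied with service-policy")
    nat_ids = set(re.findall(r"^nat \(\S+\) (\d+) ", config, re.M))
    global_ids = set(re.findall(r"^global \(\S+\) (\d+) ", config, re.M))
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid} has no matching global statement")
    if not re.search(r"^\s+inspect icmp\s*$", config, re.M):
        findings.append("inspect icmp missing: echo replies will not be allowed back")
    return findings

def packet_tracer_source_check(config, src_ip):
    """Warn when a trace is sourced from one of the ASA's own interface IPs:
    it then hits the implicit deny and says nothing about real host traffic."""
    owner = [n for n, ip in interface_addresses(config).items() if ip == src_ip]
    return f"{src_ip} is the {owner[0]} interface's own address" if owner else None
```

Run lint_asa_config on a pasted running config before reaching for packet-tracer; on the sample it reports only the missing service-policy, which is the accepted answer above.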