Can't Connect to Internet through ASA 5510

roppong77
Level 1

Hi all,

I have a Cisco ASA 5510 with a BASIC configuration, but I can't access the Internet from the inside interface.

I can ping Internet servers from the Outside interface but can't ping or browse from the inside.

Below is the basic configuration.

Please, urgent help is needed.

It looks like an access-list is required but where?

ASA Version 7.0(8)
!
hostname ZEPASA
domain-name zep-re.com
enable password UF9SYkZdBRjBresV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.49.37 255.255.255.0
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400

global (Outside) 10 interface
nat (Inside) 10 192.168.1.0 255.255.255.0
route Outside 0.0.0.0 0.0.0.0 x.x.49.33 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

2 Accepted Solutions


As advised earlier, please enable ICMP inspection.

Assuming that you already have global_policy assigned to service-policy:

policy-map global_policy
 class inspection_default
  inspect icmp


You have not applied the global_policy to the service-policy yet.

Please kindly configure the following:

service-policy global_policy global


10 Replies

Jennifer Halim
Cisco Employee

If you don't have any ACL applied to the inside interface, you do not need one, as traffic from a higher security level to a lower security level is allowed by default.

Just making sure that your inside host is in the same subnet as the ASA inside interface 192.168.1.0/24, and that the default gateway is 192.168.1.1.

Does DNS resolution work fine from the inside?

And for ping, please configure "inspect icmp" on your global policy map.

You might want to perform packet capture to see where the traffic is failing.

Hi Jennifer

Thanks for the response. DNS works fine from the inside; on the inside PC I am using Google's DNS server 8.8.8.8.

The default GW of the inside network is 192.168.1.1, and the hosts are on the same subnet, which is the inside of the ASA.

If you are using Google DNS server, that means that you have connectivity to the Internet through the ASA.

What is not working at the moment?

The DNS settings are on the NIC of the PC that I am using to browse. I can't browse and can't ping through the ASA.

Below is the packet capture.

Even though it says the ICMP request was denied by an ACL, I don't have any access-list configured on the ASA.

ZEPASA# packet-tracer input inside icmp  192.168.1.1 0 0 1025 4.2.2.2 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xa7355a68, priority=500, domain=permit, deny=true
        hits=2, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.1.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ZEPASA# sh acc
ZEPASA# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
ZEPASA# packet-tracer input inside icmp  192.168.1.1 0 0 1025 4.2.2.2 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xa7355a68, priority=500, domain=permit, deny=true
        hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=192.168.1.1, mask=255.255.255.255, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

As advised earlier, please enable ICMP inspection.

Assuming that you already have global_policy assigned to service-policy:

policy-map global_policy
 class inspection_default
  inspect icmp

Hi

The traffic is still being dropped after enabling ICMP inspection.

ZEPASA# packet-tracer input inside icmp 192.168.1.2 0 0 1025 4.2.2.2

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 10 0.0.0.0 0.0.0.0
  match ip Inside any Outside any
    dynamic translation to pool 10 (41.206.49.37 [Interface PAT])
    translate_hits = 2, untranslate_hits = 0
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
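The traces in this thread are long, and the summary line at the bottom ("acl-drop") does not say which phase actually dropped the packet; in the trace above it is the NAT phase, not ACCESS-LIST. The following parser, an added example that is not part of the thread and not Cisco tooling, splits packet-tracer output into phases and reports the first phase whose Result is DROP together with the Config lines shown for it. SAMPLE_TRACE is a constructed, abbreviated copy of the trace above (some phases omitted, the poster's own xx.xx redaction kept); the parser assumes the standard "Phase: N / Type: / Result: / Config: / Additional Information:" layout.

```python
import re
from dataclasses import dataclass, field

# Constructed, abbreviated copy of the trace posted above (phases 2, 3 and 5 omitted).
SAMPLE_TRACE = """\
ZEPASA# packet-tracer input inside icmp 192.168.1.4 0 8 3000 8.8.8.8 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 10 0.0.0.0 0.0.0.0
  match ip Inside any Outside any
    dynamic translation to pool 10 (xx.xx.49.37 [Interface PAT])
    translate_hits = 7, untranslate_hits = 0
Additional Information:

Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    kind: str = ""
    result: str = ""
    config: list = field(default_factory=list)


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase records plus the final Result block."""
    phases, final = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # bare 'Result:' opens the trailing summary block
            current, section = None, "final"
            continue
        if section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
            continue
        if current is None:              # command echo / banner before the first phase
            continue
        if line.startswith("Type:"):
            current.kind = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section == "config":
            current.config.append(line.strip())
    return phases, final


def summarise(text):
    """Report which phase dropped the flow, its Config lines, and the final drop reason."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    return {
        "phases": [(p.number, p.kind, p.result) for p in phases],
        "drop_phase": drop.kind if drop else None,
        "drop_config": list(drop.config) if drop else [],
        "action": final.get("Action"),
        "drop_reason": final.get("Drop-reason"),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_TRACE)
    for num, kind, res in s["phases"]:
        print(f"phase {num:>2} {kind:<14} {res}")
    print("dropped in:", s["drop_phase"], "->", s["drop_reason"])
    for c in s["drop_config"]:
        print("   ", c)
```

Reading the drop phase rather than the summary line is the point: an "acl-drop" reported from the NAT phase points at the translation or the policy feeding it, not at an access-list.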

Can you please perform "clear xlate"? It seems that you have changed the NAT configuration and didn't clear xlate after the changes.

I have just done that but am still unable to ping or browse.

Does anybody have any idea why I can't ping, telnet or browse through the ASA with this simple configuration?

Please kindly help.

No traffic from inside is passing to outside.

Below is my current running config

ASA Version 8.0(4)
!
hostname ZEPASA
domain-name zep-re.com
enable password UF9SYkZdBRjBresV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address xx.xx.49.37 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name zep-re.com
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 xx.xx.49.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet xx.xxx.xxx.xxx 255.255.255.255 Outside
telnet timeout 10
ssh xxx.xxx.xxx.xxx 255.255.255.255 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username password gbRIHmn1dUfWvHUp encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!

prompt hostname context
Cryptochecksum:4e1b73290ca0598c2170c852d5a9d4cb
: end
ZEPASA#

Packet-trace Output

ZEPASA# packet-tracer input inside icmp 192.168.1.4 0 8 3000 8.8.8.8 detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xa7348eb8, priority=0, domain=permit-ip-option, deny=true
        hits=6, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xa779e938, priority=70, domain=inspect-icmp, deny=false
        hits=3, user_data=0xa779e3c8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xa73481c8, priority=66, domain=inspect-icmp-error, deny=false
        hits=3, user_data=0xa73480f8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 10 0.0.0.0 0.0.0.0
  match ip Inside any Outside any
    dynamic translation to pool 10 (xx.xx.49.37 [Interface PAT])
    translate_hits = 7, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xa738cf38, priority=1, domain=nat, deny=false
        hits=6, user_data=0xa736f650, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks

Message was edited by: Randy Oppong

You have not applied the global_policy to the service-policy yet.

Please kindly configure the following:

service-policy global_policy global
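The running config posted earlier defines policy-map global_policy with "inspect icmp" but never binds it, which is what the fix above addresses. The following linter, an added example that is not part of the thread and not Cisco tooling, reads a pre-8.3 (global/nat syntax) ASA running config and flags the pitfalls raised in this thread: a policy-map that is never applied with service-policy, a nat ID with no matching global (or vice versa), a missing "inspect icmp", and a missing default route. SAMPLE_CONFIG is a constructed, abbreviated copy of the config above (the poster's own xx.xx redaction kept); FIXED_CONFIG is the same text plus the service-policy line from the accepted answer.

```python
import re

# Constructed, abbreviated copy of the running config posted in the thread.
# It lacks the 'service-policy global_policy global' line the accepted answer adds.
SAMPLE_CONFIG = """\
ASA Version 8.0(4)
!
hostname ZEPASA
interface Ethernet0/0
nameif Outside
security-level 0
ip address xx.xx.49.37 255.255.255.248
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
global (Outside) 10 interface
nat (Inside) 10 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 xx.xx.49.33 1
!
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect icmp
"""
FIXED_CONFIG = SAMPLE_CONFIG + "service-policy global_policy global\n"


def config_lines(text):
    """Drop blank lines and '!' separators; keep everything else verbatim."""
    return [l.rstrip() for l in text.splitlines()
            if l.strip() and not l.strip().startswith("!")]


def lint_asa_config(text):
    """Return a list of human-readable findings (empty list = nothing found)."""
    lines = config_lines(text)
    stripped = [l.strip() for l in lines]
    findings = []

    # 1. A policy-map that is never bound with 'service-policy' does nothing:
    #    none of its 'inspect' statements run (the root cause in the thread).
    policy_maps, applied = set(), set()
    for l in lines:
        m = re.match(r"policy-map (\S+)$", l)   # skips 'policy-map type inspect ...'
        if m:
            policy_maps.add(m.group(1))
        m = re.match(r"service-policy (\S+)", l)
        if m:
            applied.add(m.group(1))
    for pm in sorted(policy_maps - applied):
        findings.append(f"policy-map {pm} is defined but never applied; add "
                        f"'service-policy {pm} global' or its inspections never run")

    # 2. Pre-8.3 NAT: 'global (if) ID' and 'nat (if) ID' pair by ID
    #    (ID 0 is identity/exempt NAT and has no global statement).
    global_ids, nat_ids = set(), set()
    for l in lines:
        m = re.match(r"global \(\S+\) (\d+)", l)
        if m:
            global_ids.add(m.group(1))
        m = re.match(r"nat \(\S+\) (\d+)", l)
        if m and m.group(1) != "0":
            nat_ids.add(m.group(1))
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat ID {nid} has no matching 'global' statement; "
                        "outbound traffic in that pool cannot be translated")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global ID {gid} has no matching 'nat' statement (unused pool)")

    # 3. ICMP is not tracked statefully unless inspected: without 'inspect icmp'
    #    (or an ACL on Outside) echo replies are dropped by the implicit deny.
    if "inspect icmp" not in stripped:
        findings.append("no 'inspect icmp' in any policy-map: pings through the ASA "
                        "get no reply back unless an ACL permits it on Outside")

    # 4. Without a default route the ROUTE-LOOKUP phase fails for Internet traffic.
    if not any(re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 \S+", l) for l in lines):
        findings.append("no default route ('route <if> 0.0.0.0 0.0.0.0 <next-hop>')")

    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", SAMPLE_CONFIG), ("with service-policy", FIXED_CONFIG)):
        print(f"== {name} ==")
        for f in lint_asa_config(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the posted config the only finding is the unbound global_policy; with the service-policy line added the list is empty. The checks are deliberately syntactic: they confirm the pieces reference each other, not that the translated traffic is actually reachable, which is what packet-tracer is for.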
