Arsen Gharibyan
Beginner

Can't get Internet working on ASA 5525X

Hello

I have an ASA 5525X.

I'm in the testing process and can't get internet routing working.

I'm routing between two private IPs because the outside interface is connected to the lab switch.

I'm able to ping anything from ASDM; I also tried packet tracer using the IP that is assigned to the end user, and it works from the ASA but not on the Win7 machine.

After enabling logging on the ASA, I saw the ASA tear down the ICMP connection (when trying to ping 8.8.8.8).

Any ideas why?

ASA Version 9.0(2)
!
hostname MIKUNI-LA-ASA1
enable password nsi9HaIu8epX9MzI encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.30.200.100 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
banner motd
banner motd !!!!!!!!!!!!!!!DO NOT LOGON!!!!!!!!!!!!!!!
boot system disk0:/asa902-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit intra-interface
object network internet
 host 172.30.200.100
pager lines 24
logging enable
logging trap errors
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712-102.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,inside) source dynamic any interface dns
route outside 0.0.0.0 0.0.0.0 172.30.200.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
username admin password y9JC1OmYlTqCYCh5 encrypted privilege 15
username neocomp password zEZJ79.tgPiYxCsz encrypted privilege 15
!
class-map inside-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
policy-map inside-policy
 class inside-class
  inspect dns
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect icmp
  inspect ip-options
  inspect ipsec-pass-thru
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e8f3db05e9bce814811bac225d27ded8
: end

Accepted Solution

Hi,

You have the following configuration:

nat (inside,inside) source dynamic any interface dns

This does Dynamic PAT from "inside" to "inside".

The typical Dynamic PAT for outbound traffic would be:

nat (inside,outside) source dynamic any interface dns

Your connections from "inside" to "outside" are now going through WITHOUT NAT. So I presume that if you have some other NATing device in front of the ASA, it doesn't have the route for the LAN network behind the ASA and is NOT providing NAT to a public IP address for that network.

Provided that everything else is configured correctly, just changing the interface in the above NAT configuration might correct the situation for you.

- Jouni

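The accepted answer's diagnosis can be turned into a repeatable configuration check. The Python below is an added example written for this page; it is not code from the thread, from Cisco, or from any ASA tool. It parses only the ASA syntax that appears in the posted config (interface stanzas with nameif, security-level and management-only, `nat (in,out) source ...` rules, and the default `route`), embedded here as a constructed sample taken from those lines, and reports two things: any NAT rule whose ingress and egress interfaces are the same (the `(inside,inside)` hairpin the answer points at), and any routed interface with a higher security level than the default-route interface that has no NAT rule towards it. It does not check upstream devices, so the answer's point about the device in front of the ASA still has to be verified by hand. The regexes, function names and the "hairpin"/"no NAT" wording are this example's own choices.

```python
"""Sanity check for ASA dynamic NAT: flag same-interface (hairpin) NAT rules
and interfaces that have no NAT rule towards the default-route interface."""
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.30.200.100 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit intra-interface
nat (inside,inside) source dynamic any interface dns
route outside 0.0.0.0 0.0.0.0 172.30.200.1 1
"""

# Only the two statement shapes present on this page are recognised (assumption).
NAT_RE = re.compile(
    r"^nat \((?P<src>[^,]+),(?P<dst>[^)]+)\) source (?P<kind>static|dynamic) (?P<body>.+)$"
)
DEFAULT_ROUTE_RE = re.compile(r"^route (?P<iface>\S+) 0\.0\.0\.0 0\.0\.0\.0 (?P<gw>\S+)")


@dataclass
class NatRule:
    src_if: str
    dst_if: str
    kind: str
    body: str
    line: str


def parse_config(text):
    """Return (interfaces by nameif, NAT rules, default-route interface)."""
    blocks, nats, default_route_if, cur = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"nameif": None, "level": None, "mgmt_only": False}
            blocks.append(cur)
        elif line.startswith("!"):
            cur = None  # end of the current stanza
        elif cur is not None and line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif cur is not None and line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif cur is not None and line == "management-only":
            cur["mgmt_only"] = True
        elif (m := NAT_RE.match(line)):
            nats.append(NatRule(m["src"].strip(), m["dst"].strip(),
                                m["kind"], m["body"], line))
        elif (m := DEFAULT_ROUTE_RE.match(line)):
            default_route_if = m["iface"]
    interfaces = {b["nameif"]: b for b in blocks if b["nameif"]}
    return interfaces, nats, default_route_if


def check_outbound_nat(text):
    """List findings as strings; an empty list means nothing looked wrong."""
    interfaces, nats, egress = parse_config(text)
    findings = []
    # 1. A NAT rule whose ingress and egress interface are identical only makes
    #    sense for hairpinned traffic; for plain internet access it is a typo.
    for r in nats:
        if r.src_if == r.dst_if:
            findings.append(f"hairpin NAT on '{r.src_if}': {r.line}")
    # 2. Every routed, more-secure interface should have a NAT rule towards the
    #    interface the default route points out of (e.g. nat (inside,outside)).
    if egress in interfaces:
        egress_level = interfaces[egress]["level"] or 0
        for name, info in interfaces.items():
            if name == egress or info["mgmt_only"]:
                continue  # management-only interfaces never forward traffic
            if (info["level"] or 0) <= egress_level:
                continue
            if not any(r.src_if == name and r.dst_if == egress for r in nats):
                findings.append(
                    f"no NAT from '{name}' to default-route interface '{egress}'; "
                    f"expected something like 'nat ({name},{egress}) source dynamic any interface'"
                )
    return findings


if __name__ == "__main__":
    for finding in check_outbound_nat(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted lines it reports the hairpin rule and the missing inside-to-outside PAT; after changing `(inside,inside)` to `(inside,outside)` as the answer suggests, it reports nothing.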