Can't get Internet working on ASA 5525X

Arsen Gharibyan
Level 1

Hello

I have an ASA 5525X.

I'm in the testing process and can't get Internet routing working.

I'm routing between two private IPs because the outside interface is connected to the lab switch.

I'm able to ping anything from ASDM. I also tried packet tracer using the IP assigned to the end user, and it works from the ASA but not on the Win7 machine.

After enabling logging on the ASA, I see the ASA tearing down the ICMP connection (when trying to ping 8.8.8.8).

Any ideas why?

ASA Version 9.0(2)

!

hostname MIKUNI-LA-ASA1

enable password nsi9HaIu8epX9MzI encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.30.200.100 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.10.10.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

banner motd

banner motd !!!!!!!!!!!!!!!DO NOT LOGON!!!!!!!!!!!!!!!

boot system disk0:/asa902-smp-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

same-security-traffic permit intra-interface

object network internet

host 172.30.200.100

pager lines 24

logging enable

logging trap errors

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712-102.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,inside) source dynamic any interface dns

route outside 0.0.0.0 0.0.0.0 172.30.200.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

sysopt noproxyarp inside

sysopt noproxyarp outside

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-sha1

username admin password y9JC1OmYlTqCYCh5 encrypted privilege 15

username neocomp password zEZJ79.tgPiYxCsz encrypted privilege 15

!

class-map inside-class

match default-inspection-traffic

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

policy-map inside-policy

class inside-class

  inspect dns

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect icmp

  inspect ip-options

  inspect ipsec-pass-thru

!

service-policy global_policy global

service-policy inside-policy interface inside

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e8f3db05e9bce814811bac225d27ded8

: end

Accepted Solution

Hi,

You have the following configuration:

nat (inside,inside) source dynamic any interface dns

This does Dynamic PAT from "inside" to "inside".

The typical Dynamic PAT for outbound traffic would be:

nat (inside,outside) source dynamic any interface dns

Your connections from "inside" to "outside" are now going through WITHOUT NAT. So I presume that if you have some other NATing device in front of the ASA, it doesn't have the route for the LAN network behind the ASA and is NOT providing NAT to a public IP address for that network.

Provided that everything else is configured correctly, just changing the interface in the above NAT configuration might correct the situation for you.

- Jouni

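As an added example (not from the thread or from Cisco), a small Python check that reads the interface blocks and `nat` lines of a config laid out like the one above and flags the two things Jouni's answer points at: a dynamic rule whose real and mapped interface are the same (hairpin PAT), and the absence of any dynamic rule that maps traffic onto the lowest-security interface. The sample config is the relevant lines of the first config in the thread; the parser is deliberately naive and assumes the `show run` layout shown here.

```python
import re

# Constructed sample: the interface and NAT lines from the thread's first config.
FIRST_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
nat (inside,inside) source dynamic any interface dns
"""

# Matches manual NAT "nat (a,b) source dynamic ..." and object NAT "nat (a,b) dynamic ..." alike.
NAT_RE = re.compile(r"^\s*nat \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) (?P<rest>.*)$")

def parse_interfaces(config):
    """Map each nameif to its security-level, read from the interface blocks."""
    levels, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("security-level ") and name:
            levels[name] = int(s.split()[1])
    return levels

def check_outbound_pat(config):
    """Return findings about dynamic NAT/PAT rules relative to the lowest-security interface."""
    levels = parse_interfaces(config)
    lowest = min(levels, key=levels.get) if levels else None
    findings, covers_egress = [], False
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m or "dynamic" not in m["rest"]:
            continue
        real, mapped = m["real"], m["mapped"]
        if real == mapped:
            # Hairpin PAT: only flows that enter and leave the same interface match this rule.
            findings.append(f"hairpin PAT ({real},{mapped}): only {real}-to-{real} flows match this rule")
        if mapped in (lowest, "any"):
            covers_egress = True
    if lowest and not covers_egress:
        findings.append(f"no dynamic NAT maps traffic onto {lowest}; hosts leave untranslated")
    return findings
```

Against the second config in the thread (`nat (any,OUTSIDE) dynamic interface dns`) it returns no findings, so whatever still fails there is not one of these two NAT mistakes.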

5 Replies

Arsen Gharibyan
Level 1

Here is the output from syslog:

6|Jul 16 2013 16:17:38|302014: Teardown TCP connection 2249 for outside:172.30.0.51/389 to inside:10.10.10.10/52510 duration 0:00:30 bytes 0 SYN Timeout

6|Jul 16 2013 16:17:41|302015: Built outbound UDP connection 2264 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/60812 (10.10.10.10/60812)

6|Jul 16 2013 16:17:41|302014: Teardown TCP connection 2251 for outside:172.30.0.51/389 to inside:10.10.10.10/52511 duration 0:00:30 bytes 0 SYN Timeout

6|Jul 16 2013 16:17:41|302014: Teardown TCP connection 2252 for outside:172.30.0.51/389 to inside:10.10.10.10/52512 duration 0:00:30 bytes 0 SYN Timeout

6|Jul 16 2013 16:17:42|302015: Built outbound UDP connection 2265 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/60450 (10.10.10.10/60450)

6|Jul 16 2013 16:17:42|302015: Built outbound UDP connection 2266 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/64728 (10.10.10.10/64728)

6|Jul 16 2013 16:17:45|302014: Teardown TCP connection 2254 for outside:172.30.0.51/389 to inside:10.10.10.10/52514 duration 0:00:30 bytes 0 SYN Timeout

6|Jul 16 2013 16:17:46|302016: Teardown UDP connection 2218 for outside:4.2.2.2/53 to inside:10.10.10.10/49480 duration 0:02:07 bytes 168

6|Jul 16 2013 16:17:53|302015: Built outbound UDP connection 2267 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/51968 (10.10.10.10/51968)

6|Jul 16 2013 16:17:54|302015: Built outbound UDP connection 2268 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/53056 (10.10.10.10/53056)

6|Jul 16 2013 16:17:57|302016: Teardown UDP connection 2220 for outside:4.2.2.2/53 to inside:10.10.10.10/60246 duration 0:02:01 bytes 33

6|Jul 16 2013 16:17:58|302016: Teardown UDP connection 2221 for outside:4.2.2.2/53 to inside:10.10.10.10/60709 duration 0:02:01 bytes 40

6|Jul 16 2013 16:17:58|302016: Teardown UDP connection 2219 for outside:4.2.2.2/53 to inside:10.10.10.10/53405 duration 0:02:08 bytes 144

6|Jul 16 2013 16:18:00|302016: Teardown UDP connection 2223 for outside:4.2.2.2/53 to inside:10.10.10.10/62396 duration 0:02:01 bytes 39

6|Jul 16 2013 16:18:02|302015: Built outbound UDP connection 2269 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/51802 (10.10.10.10/51802)

6|Jul 16 2013 16:18:07|302015: Built outbound UDP connection 2270 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/54162 (10.10.10.10/54162)

6|Jul 16 2013 16:18:07|302015: Built outbound UDP connection 2271 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/57981 (10.10.10.10/57981)

6|Jul 16 2013 16:18:10|302016: Teardown UDP connection 2224 for outside:4.2.2.2/53 to inside:10.10.10.10/51410 duration 0:02:08 bytes 168

6|Jul 16 2013 16:18:18|302015: Built outbound UDP connection 2272 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/55192 (10.10.10.10/55192)

6|Jul 16 2013 16:18:22|302016: Teardown UDP connection 2225 for outside:4.2.2.2/53 to inside:10.10.10.10/49435 duration 0:02:08 bytes 200

6|Jul 16 2013 16:18:24|302016: Teardown UDP connection 2227 for outside:4.2.2.2/53 to inside:10.10.10.10/58601 duration 0:02:01 bytes 73
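Added example, not part of the thread: a Python parser for the 302013/302015 "Built" and 302014/302016 "Teardown" messages above. On an outbound build the second address pair is the initiating inside host, printed as real address and, in parentheses, mapped address; when the two are equal the flow left the ASA untranslated, which is exactly what Jouni's answer predicts. TCP teardowns with "SYN Timeout" and 0 bytes are handshakes the far side never answered. The sample lines are copied from the syslog paste above.

```python
import re
from collections import Counter

# Constructed sample: three lines taken from the syslog paste in this thread.
SAMPLE_LOG = """\
6|Jul 16 2013 16:17:38|302014: Teardown TCP connection 2249 for outside:172.30.0.51/389 to inside:10.10.10.10/52510 duration 0:00:30 bytes 0 SYN Timeout
6|Jul 16 2013 16:17:41|302015: Built outbound UDP connection 2264 for outside:4.2.2.2/53 (4.2.2.2/53) to inside:10.10.10.10/60812 (10.10.10.10/60812)
6|Jul 16 2013 16:17:46|302016: Teardown UDP connection 2218 for outside:4.2.2.2/53 to inside:10.10.10.10/49480 duration 0:02:07 bytes 168
"""

BUILT_RE = re.compile(
    r"\|(?P<msgid>30201[35]): Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection "
    r"(?P<conn>\d+) for (?P<if1>\w+):(?P<real1>[\d.]+)/\d+ \((?P<map1>[\d.]+)/\d+\) "
    r"to (?P<if2>\w+):(?P<real2>[\d.]+)/\d+ \((?P<map2>[\d.]+)/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"\|(?P<msgid>30201[46]): Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<if1>\w+):(?P<addr1>[\d.]+)/\d+ to (?P<if2>\w+):(?P<addr2>[\d.]+)/\d+ "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)

def analyse(log_text):
    """Return untranslated outbound flows and unanswered TCP handshakes found in the log."""
    untranslated = []   # (initiator if, initiator real addr, responder if, responder addr)
    syn_timeouts = []   # (initiator addr, responder addr) for SYN Timeout teardowns
    counts = Counter()
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            counts["built"] += 1
            # Outbound build: the second tuple is the inside initiator; mapped == real
            # means no NAT rule matched, so the private address went out as-is.
            if m["dir"] == "outbound" and m["real2"] == m["map2"]:
                untranslated.append((m["if2"], m["real2"], m["if1"], m["real1"]))
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            counts["teardown"] += 1
            if m["proto"] == "TCP" and m["reason"] == "SYN Timeout" and m["bytes"] == "0":
                syn_timeouts.append((m["addr2"], m["addr1"]))
    return {"counts": counts, "untranslated": untranslated, "syn_timeouts": syn_timeouts}
```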

Oh thanks, let me try and I'll get back to you.

Arsen Gharibyan

Network Engineer

http://www.neocomp.com

Didn't work.

I tried a clean configuration but it's still the same thing; can't get to the Internet through the firewall.

From the ASA I can ping everything, but from the end-user side it shows DNS is not responding and I cannot ping the outside interface on the ASA.

ASA Version 9.0(2)

!

hostname MIKUNI-LA-ASA2

enable password 8Ry2YjIyt7RRXU24 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif OUTSIDE

security-level 0

ip address dhcp setroute

!

interface GigabitEthernet0/1

nameif INSIDE

security-level 100

ip address 192.168.100.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

!

banner motd !!!!!!!!!!!!!!!DO NOT LOGON!!!!!!!!!!!!!!!

boot system disk0:/asa902-smp-k8.bin

ftp mode passive

dns domain-lookup OUTSIDE

dns domain-lookup INSIDE

dns server-group DefaultDNS

name-server 8.8.8.8

object network Internet

subnet 192.168.100.0 255.255.255.0

pager lines 24

logging enable

logging console warnings

logging asdm informational

mtu management 1500

mtu OUTSIDE 1500

mtu INSIDE 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-712-102.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

!

object network Internet

nat (any,OUTSIDE) dynamic interface dns

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface OUTSIDE

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-sha1

username admin password y9JC1OmYlTqCYCh5 encrypted privilege 15

username neocomp password zEZJ79.tgPiYxCsz encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:8659ad01179820e90e68d3725961dc2c

Any ideas?
