Can't reach internet through ASA

lukasmuzik
Level 1

Hi everyone,

I'm trying to set up an ASA in a test lab and have an issue with internet connectivity. Since it's my first experience with this device I've followed the documentation and think everything is configured correctly. I can reach the internet from the ASA's outside interface, but not from the inside interface or from a client connected to the inside interface. After some research about access-list rules I'm even able to ping through the ASA from the client device, but I still can't find out where the catch is with other traffic like HTTP. In the case of HTTP, a similar access-list to the one for ping didn't work. Maybe I'm overlooking something obvious, but I don't see it.

For the initial configuration I've followed this guide http://www.firewall.cx/cisco-technical-knowledgebase/cisco-firewalls/964-cisco-asa5500-startup.html and everything worked fine except that I can't reach the internet. Below is my running-config file and I would be really glad for some help because I've been stuck on this for a few days.

: Saved
:
ASA Version 8.4(7)
!
hostname ASA-test
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 description PRIVATE-INT
 nameif inside
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Vlan2
 description PUBLIC-INT
 nameif outside
 security-level 0
 ip address 10.0.1.250 255.0.0.0
!
boot system disk0:/asa847-k8.bin
ftp mode passive
object network INSIDE-NET
 subnet 10.0.2.0 255.255.255.0
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit tcp any any eq www
access-list 10 extended permit tcp any any eq 433
access-list 10 extended permit tcp any any eq ftp
access-list 10 extended permit tcp any any eq ftp-data
access-list in-to-out extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network INSIDE-NET
 nat (inside,outside) dynamic interface
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.1.138 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.2.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 outside
ssh 10.0.2.0 255.255.255.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 10.0.2.11-10.0.2.42 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxx encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4bf95663b6dfcf18d3972af9864ce138
: end

no asdm history enable

5 Replies

Your outside interface subnet also includes the subnet that is assigned to your inside interface. Since this is a lab I would assume you can change this outside interface subnet mask? Since your default route points to 10.0.1.138 I am assuming that this IP also has a subnet of /8? This will cause both the ASA and the router connected to the ASA to believe they are directly connected to the 10.0.2.0/24 network on the outside interface, and this traffic will never be routed by the ASA. Change it to a /24 and then test.

If that doesn't work, which interface are you connecting the PC to? As of right now only interface Eth0/1 is active.

Have you checked that your PC is getting the correct IP from the DHCP on the ASA?

Normally I would tell you to remove these commands, but since you say this is a lab setup... up to you.

http 10.0.0.0 255.0.0.0 outside

ssh 10.0.0.0 255.0.0.0 outside

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

Hi Marius,

Thank you for the response. I tried your advice and changed the outside interface subnet to /24 but it doesn't help. The interface is fine, I keep just that one up and test with one PC plugged in. DHCP is correct too. As I mentioned I can ping to the internet but can't reach other services. I assume if it were a problem with routing I couldn't even ping. I think it must be something with the default access-list setting that is denying packets. Any other ideas? I'm already going mad with this issue :-)

If you issue nslookup google.com, what output do you get?

If you issue the command ipconfig /all, what values do you see for the DNS server?

I suggest adding the following command and then test again:

dhcpd dns 4.2.2.2

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
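To make the diagnosis in the two replies above repeatable, here is an added Python check (not from this thread and not Cisco tooling) that reads an ASA running-config excerpt and flags the three things the replies raise: interface subnets that overlap (the outside /8 swallowing the inside /24), http/ssh management access permitted from the outside interface, and a DHCP pool with no dhcpd dns line, which is why ping by IP worked while name-based services such as HTTP failed. The config excerpt is constructed from the one posted above.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above: only the lines these
# checks read, not a complete config.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 10.0.1.250 255.0.0.0
http 10.0.2.0 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 outside
ssh 10.0.0.0 255.0.0.0 outside
dhcpd address 10.0.2.11-10.0.2.42 inside
dhcpd enable inside
"""

def parse_interfaces(cfg):
    """Map each nameif to the ip_network of its 'ip address' line."""
    nets, name = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = None                      # new block: forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()[:4]
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets

def lint_asa_config(cfg):
    """Return 'tag: detail' findings for the three issues raised in this thread."""
    findings = []
    nets = parse_interfaces(cfg)
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):     # e.g. outside /8 swallowing inside /24
                findings.append(f"overlap: {a} {nets[a]} overlaps {b} {nets[b]}")
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("http", "ssh") and parts[3] == "outside":
            findings.append(f"mgmt-exposed: {line.strip()}")  # management reachable from outside
    if re.search(r"^dhcpd enable", cfg, re.M) and not re.search(r"^dhcpd dns ", cfg, re.M):
        findings.append("dhcp-no-dns: dhcpd enabled without 'dhcpd dns'; clients get no resolver")
    return findings
```

Run it against the posted config before and after adding dhcpd dns 4.2.2.2 and narrowing the outside mask to /24; the overlap and dhcp-no-dns findings disappear while the two management-exposure findings remain for the lab owner to decide on.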

Well, that was easy. I hadn't configured a DNS server in the DHCP server. Thank you for the help :-)

Any time

Glad I could help

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts