
Cisco ASA 5505 can ping gateway but can't ping internet

nwdls8725
Level 1

I just got a new ISP and they have their Gateway versus our other ISP which is just basically a modem connected to our firewall. Well, we got new static IPs and I thought if I simply changed all my current static IPs to the new one the switch would be seamless. Boy was I wrong. Well, when I changed the statics I could ping the new gateway but couldn't ping any other public sites. I just now set up a new interface with the new static IP but unfortunately I'm getting the same issue. Can someone please help me figure out what I need to do to get my new static IP to work with my current configuration? Luckily we still have the old ISP in service so we aren't down at the moment. Anyhow, thanks for your help!


!
hostname ciscoasa
domain-name nwdls.com
enable password qpQ5myeZ6SQpH8vX encrypted
passwd HUeZALO3Fgqs0XMf encrypted
names
name 192.168.120.30 dvr
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.120.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 207.70.142.9 255.255.255.0
ospf cost 10
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.121.1 255.255.255.0
ospf cost 10
!
interface Vlan15
nameif Comcast-Outside
security-level 0
ip address 96.85.6.217 255.255.255.248
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.120.25
name-server 75.75.75.75
name-server 75.75.75.76
domain-name nwdls.com
object network obj-192.168.120.248
subnet 192.168.120.248 255.255.255.248
object network obj-192.168.120.245
host 192.168.120.245
object network obj-192.168.120.0
subnet 192.168.120.0 255.255.255.128
object network obj-192.168.120.233
host 192.168.120.233
object network obj-192.168.120.233-01
host 192.168.120.233
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.121.2
host 192.168.121.2
object network obj-192.168.121.2-01
host 192.168.121.2
object network obj-192.168.121.2-02
host 192.168.121.2
object network NETWORK_OBJ_192.168.120.248_29
subnet 192.168.120.248 255.255.255.248
object network nwdls-dc
host 192.168.120.25
description Windows Server 2008 RC2
object network DVR
host 192.168.120.30
object service IPCAMS
service tcp source eq 5550 destination eq 5550
object network newfirewall
host 192.168.120.108
object service ssh
service tcp source eq ssh destination eq ssh
description ssh
object network john
host 71.11.173.163
object network SVN-HTTP-INTERNET
host 192.168.120.25
description access to svn on nwdls-dc
object network JOSHUA9-PORT
host 192.168.120.209
object network JOSHUA2-PORT
host 192.168.120.202
object network DVR-PORT
object network DVR-PORT2
object network obj-pool
subnet 192.168.120.240 255.255.255.240
object network NVR
host 192.168.120.30
description NVR
object network NVR1
host 192.168.120.30
object network NVR2
host 192.168.120.30
object network NVR3
host 192.168.120.30
object network NVR4
host 192.168.120.30
object network NVR5
host 192.168.120.30
object network NVR6
host 192.168.120.30
description NVR6
object service Field
service tcp destination eq www
object service Field2
service tcp destination eq https
object network WebserverPublic
host 207.70.142.9
object network Webserver
host 207.70.142.9
object network WEb
host 192.168.120.25
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service dvr-http tcp
port-object eq 10554
port-object eq 8000
object-group service dvr-remote tcp
port-object eq 5550
object-group service IPCAM tcp-udp
port-object eq 5550
object-group service svn-http tcp
description SVN Server access
port-object eq 8080
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
group-object svn-http
object-group service DM_INLINE_TCP_3 tcp
group-object svn-http
port-object eq www
port-object eq https
object-group service NVRPORTS tcp
description NVRPORTS
port-object eq 10554
port-object eq 8000
port-object eq rtsp
object-group service field tcp
port-object eq 10443
port-object eq 8180
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8080
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq 8080
port-object eq 9150
access-list nwdls_splitTunnelAcl standard permit 192.168.120.0 255.255.255.0
access-list wendy_acl standard permit 192.168.120.0 255.255.255.0
access-list outside_access_in extended permit tcp any host 192.168.120.30
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit udp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq rtsp
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10554
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 8000
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp-data
access-list outside_access_in extended permit tcp any host 192.168.120.202 eq ftp
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq www
access-list outside_access_in extended permit udp any host 192.168.120.233 range 10001 19999
access-list outside_access_in remark Whitney
access-list outside_access_in extended permit udp host 99.16.64.231 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.225.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 4.79.212.236 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.203 host 192.168.120.233 eq sip
access-list outside_access_in extended permit udp host 216.82.224.202 host 192.168.120.233 eq sip
access-list outside_access_in extended permit 21 any host 192.168.121.2
access-list outside_access_in extended permit icmp any host 207.70.142.9
access-list outside_access_in extended permit icmp any host 207.70.142.10 inactive
access-list outside_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any host 192.168.120.30 object-group IPCAM
access-list outside_access_in extended permit tcp any interface outside eq 8080
access-list outside_access_in extended permit tcp any host 192.168.120.25 object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any interface outside eq 9150
access-list outside_access_in remark node access
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9150
access-list outside_access_in extended permit tcp any host 192.168.120.209 eq 9418
access-list outside_access_in extended permit tcp any interface outside object-group dvr-http
access-list outside_access_in extended permit tcp any object DVR object-group dvr-http
access-list outside_access_in extended permit tcp any object-group NVRPORTS any object-group NVRPORTS
access-list outside_access_in extended permit tcp any host 192.168.120.30 eq 10080
access-list outside_access_in extended permit tcp any host 207.70.142.9 eq https
access-list outside_access_in extended permit tcp any host 192.168.120.25 eq https
access-list inside_access_in extended permit ip 192.168.120.0 255.255.255.0 any
access-list inside_access_in extended permit icmp 192.168.120.0 255.255.255.0 any
access-list inside_access_out extended permit ip any any
access-list dmz_access_in extended permit tcp any host 192.168.121.2 object-group DM_INLINE_TCP_3
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list Comcast-Outside_access_in extended permit ip any any
pager lines 45
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap debugging
logging asdm debugging
logging mail critical
logging from-address ciscoasa@nwdls.com
logging host inside 192.168.120.203
logging class auth trap debugging asdm debugging
logging class session trap errors
logging class vpn trap debugging asdm debugging
logging class vpnc trap debugging
logging class vpnfo trap debugging
logging class webvpn trap debugging
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 305012
no logging message 305011
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu Comcast-Outside 1500
ip local pool vpnpool2 192.168.120.249-192.168.120.254 mask 255.255.255.0
ip local pool vpnpool3 192.168.120.241-192.168.120.248 mask 255.255.255.0
ip verify reverse-path interface outside
ipv6 access-list dmz_access_ipv6_in deny ip any any
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-pool obj-pool no-proxy-arp route-lookup
nat (inside,any) source static any any destination static obj-192.168.120.248 obj-192.168.120.248 no-proxy-arp
nat (inside,any) source static any any destination static obj-192.168.120.245 obj-192.168.120.245 no-proxy-arp
nat (outside,inside) source static any any destination static interface DVR service IPCAMS IPCAMS
!
object network obj-192.168.120.0
nat (inside,dmz) static 192.168.120.0
object network obj-192.168.120.233
nat (inside,outside) static 207.70.142.8
object network obj-192.168.120.233-01
nat (inside,outside) dynamic 207.70.142.8
object network obj-192.168.121.2
nat (dmz,outside) static interface service tcp www www
object network obj-192.168.121.2-01
nat (dmz,outside) static interface service tcp ssh ssh
object network obj-192.168.121.2-02
nat (dmz,outside) dynamic interface
object network nwdls-dc
nat (inside,outside) static interface service tcp https https
object network JOSHUA9-PORT
nat (inside,outside) static interface service tcp 9150 9150
object network JOSHUA2-PORT
nat (inside,outside) static interface service tcp ftp-data ftp-data
object network NVR
nat (inside,outside) static interface service tcp 8000 8000
object network NVR1
nat (inside,outside) static interface service tcp 10554 10554
object network NVR2
nat (inside,outside) static interface service tcp rtsp rtsp
object network NVR3
nat (inside,outside) static interface service udp 8000 8000
object network NVR4
nat (inside,outside) static interface service udp 10554 10554
object network NVR5
nat (inside,outside) static interface service udp 554 554
object network NVR6
nat (inside,outside) static interface service tcp 10080 10080
!
nat (inside,outside) after-auto source dynamic obj_any interface
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group dmz_access_ipv6_in in interface dmz
access-group Comcast-Outside_access_in in interface Comcast-Outside
route outside 0.0.0.0 0.0.0.0 192.168.120.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable 8080
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 8080
crypto ikev2 enable outside client-services port 8080
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 192.168.120.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside

dhcpd dns 192.168.120.25 208.67.222.222
dhcpd wins 192.168.120.25
dhcpd lease 86400
dhcpd domain nwdls.com
dhcpd auto_config inside
dhcpd update dns
dhcpd option 3 ip 192.168.120.1
dhcpd option 66 ip 192.168.120.233
!
dhcpd address 192.168.120.50-192.168.120.119 inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!


Aditya Ganjoo
Cisco Employee

Hi,

May I know why we have configured this route statement:

route outside 0.0.0.0 0.0.0.0 192.168.120.1 1

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks for your reply. I believe to route anything inside to the outside. That's the only static route in there and has been functioning with it. This firewall was programmed by a previous employee. I just basically need to change my previous static IP of 207.70.142.9 to the new one 96.85.6.217.

Thanks for your help. 

Hi,

You do not need this route.

Your default route should point to the next hop in the 96.85.6.217 subnet.

route Comcast-Outside 0 0 96.85.6.x   <-- this would be your default gateway or the next hop IP.

You need to remove the previous route statement: route outside 0.0.0.0 0.0.0.0 192.168.120.1 1

Regards,

Aditya

Please rate helpful posts and mark correct answers.
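
The check behind this answer, as an added example that is not part of the original thread: a static route's next hop has to be a neighbour on the named interface's connected subnet, not one of the firewall's own addresses. The config excerpt is constructed from the interface and route lines posted above, and `parse_interfaces` and `check_routes` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread: only the
# addressed interfaces and the static route are kept.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.120.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 207.70.142.9 255.255.255.0
interface Vlan15
 nameif Comcast-Outside
 ip address 96.85.6.217 255.255.255.248
route outside 0.0.0.0 0.0.0.0 192.168.120.1 1
"""

def parse_interfaces(config):
    """Map each nameif to an IPv4Interface built from its 'ip address' line."""
    interfaces, nameif = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif = None                      # new block, nameif not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := re.match(r"ip address (\d\S+) (\d\S+)", line)) and nameif:
            interfaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
    return interfaces

def check_routes(config):
    """Return (route line, problem) pairs for static routes with a bad next hop."""
    interfaces = parse_interfaces(config)
    own_ips = {iface.ip: name for name, iface in interfaces.items()}
    findings = []
    for line in config.splitlines():
        # route <nameif> <dest> <mask> <next-hop> [metric]
        m = re.match(r"\s*route (\S+) (\S+) (\S+) (\S+)", line)
        if not m:
            continue
        name, hop = m[1], ipaddress.ip_address(m[4])
        if name not in interfaces:
            problem = f"unknown interface {name}"
        elif hop in own_ips:
            problem = f"next hop is the firewall's own {own_ips[hop]} address"
        elif hop not in interfaces[name].network:
            problem = f"next hop not in {interfaces[name].network} on {name}"
        else:
            continue                           # next hop is a valid neighbour
        findings.append((line.strip(), problem))
    return findings

if __name__ == "__main__":
    for route, problem in check_routes(SAMPLE_CONFIG):
        print(f"{route}\n  -> {problem}")
```

Run against the posted route, this flags 192.168.120.1 as the firewall's own inside address; a next hop inside 96.85.6.216/29 on Comcast-Outside passes.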

The 192.168.120.1 is the firewall IP. I have the new ISP gateway in bypass mode and it has the static IP of 96.86.6.117. I will try to replace that with the default gateway and let you know. Thank you!

Hi,

Are you sure that the static IP is 96.86.6.117?

As per the Comcast interface your gateway should be in this range 96.85.6.217 255.255.255.248.

Let me know if I am missing something.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

I'm sorry, I mistyped from my cell phone. The correct static IP that was given from the ISP is 96.85.6.217 with netmask 255.255.255.248. I will update that route you gave me.

That worked! Thank you so much for your help!

Hi,

Glad to assist you.

Please mark the post as resolved.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
