
Cisco ASA 5520 no internet. Please help.

antrikos_kal
Level 1

ciscoasa# show run
: Saved
:
ASA Version 8.0(5)
!
hostname ciscoasa
domain-name wonderland
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 duplex full
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif manage
 security-level 0
 no ip address
!
boot config disk0:/startup.cfg
ftp mode passive
dns server-group DefaultDNS
 domain-name wonderland
object-group network inside
object-group network inside-subnet
pager lines 24
mtu outside 1500
mtu inside 1500
mtu manage 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 10.1.1.32-10.1.1.63 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username whiterabbit password HNOnJ3mP3F2wbi2O encrypted
!
!
prompt hostname context
Cryptochecksum:19c704489de6a0d92207d9d87c33f164
: end
ciscoasa#

11 Replies

@antrikos_kal 

You need a route and you probably need NAT.

route outside 0.0.0.0 0.0.0.0 gateway_ip

nat (inside,outside) source dynamic any outside 

ciscoasa(config-if)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

 

Yes, I could see on the running-config that you have no route and that's what I am suggesting. You need to identify which is your gateway and add the default route.

You can try to identify the gateway by running the command "show arp" and "show ip arp".

route outside 0.0.0.0 0.0.0.0 gateway_ip

The NAT may or may not be required; it will depend on how the ISP is handling this. They can be doing NAT for you already.

But you need to have a route.

You should get the default route from the ISP via DHCP, however, please check if that is the case with the command "sh route" or by pinging a public IP on the internet such as 8.8.8.8 or similar. If the default route is not getting injected by the ISP then as @Flavio Miranda suggested please add the default route manually.

Regarding NAT, you would need to create a dynamic PAT similar to this:

object network LAN
   subnet 10.1.1.0 255.255.255.0
   nat (inside,outside) dynamic interface

ciscoasa(config-if)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

It doesn't accept nat(inside,outside) dynamic interface, wrong command.

The NAT command I shared must be issued under the object network, not in global config.

Configuring PAT on an ASA (youtube.com)

But as @Flavio Miranda mentioned, you might not need it if the ISP is doing NAT for you although I don't think they do because they wouldn't have any visibility of your internal network. Also, if the ISP is doing NAT for your inside network when you add extra networks behind the firewall you either need to ask the ISP to NAT those ones as well or apply NAT on the firewall which I recommend.

antrikos_kal
Level 1

If someone can connect via TeamViewer, I'd appreciate it.

@antrikos_kal you appear to be running ASA Version 8.0(5) which has completely different NAT syntax to the modern ASA. Refer to the Dynamic PAT example https://community.cisco.com/t5/security-knowledge-base/asa-pre-8-3-to-8-3-nat-configuration-examples/ta-p/3116375

Your outside interface is configured to receive an IP address and the default route via DHCP, I assume you get a DHCP address on the outside interface? You haven't received the default route (via setroute command), so you'd still need the static default route as already mentioned.
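
The default route and dynamic PAT discussed in this thread, written in the pre-8.3 syntax that ASA 8.0(5) accepts. This is an added example, not part of any reply: `<gateway_ip>` is a placeholder for the ISP next hop, and NAT ID 1 is an arbitrary choice.

```cisco
! Added example for ASA 8.0(5) (pre-8.3 NAT syntax); not from the thread.
! <gateway_ip> is a placeholder: use the ISP next hop on the outside segment.
! NAT ID 1 is an arbitrary choice; it only has to match in nat and global.
!
! 1. Static default route, needed while "ip address dhcp setroute" has not
!    installed one ("Gateway of last resort is not set" in show route).
route outside 0.0.0.0 0.0.0.0 <gateway_ip> 1
!
! 2. Dynamic PAT of the inside subnet to the outside interface address.
!    8.3 and later form, which 8.0(5) rejects:
!      object network LAN
!       subnet 10.1.1.0 255.255.255.0
!       nat (inside,outside) dynamic interface
!    8.0(5) form of the same rule:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! 3. Checks after applying the lines above.
! Outside interface holds a DHCP-assigned address:
show interface ip brief
! A static default route (S*) via <gateway_ip> is present:
show route
! The nat and global lines are in the running configuration:
show run nat
show run global
! PAT entries appear once an inside host opens a connection:
show xlate
```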

Very good spot @Rob Ingram.

Hi, thank you all, you guys, my greetings from Greece. I recently lost my dad, who was an electronic engineer and was working in the national TV and the antennas. Unfortunately he got cancer, but thank God he didn't have it on bones or brain; he died peacefully in his sleep by cardiac arrest. When I get better psychologically I will try all the notes you gave me. God bless you all and away the sicknesses from you and your families.

Hi @antrikos_kal, sorry to hear this, and my deepest condolences for you and your family's loss.
