Thanks for your comment, Marvin.

I did use the wizard, and also followed this video tutorial on youtube, although it is about 5505: http://www.youtube.com/watch?v=vFnXd3ttRk8

But no success. There seems to be something preventing traffic from the inside LAN reach the public network.

I'm attaching the output of "show run" in case it helps.

Thanks again

100% right.

I'm embarrassed. I did reach the internet! I didn't even try to browse, only ping and ping and ping …

After running that commands I can do both.

Thank you so much.

You're welcome. Glad it's working.

I often remind my colleagues that inability to get responses when pinging only indicates that icmp echo requests are not getting icmp echo replies.

While it's a common "test", it is not a definitive indicator of end to end connectivity.

Hey Marvin,

Can you help me with this basic configuration. I cannot reach the internet with my current setup of access-list, NAT, and static command.

The configuration are as follows:

SFRA(config)# sh run | i access                               

access-list inside extended permit icmp any any 

access-list inside extended permit tcp any any 

access-list xyz extended permit ip 192.168.1.0 255.255.255.0 any 

dynamic-access-policy-record DfltAccessPolicy

threat-detection statistics access-list

SFRA(config)# sh run nat  

nat (inside,outside) after-auto source dynamic any interface

SFRA(config)# sh run | i route                                                

route outside 0.0.0.0 0.0.0.0 172.17.5.254 1

SFRA(config)# sh run interface 

!

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 172.17.5.93 255.255.255.0 

!

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

SFRA(config)# packet-tracer input inside icmp 192.168.1.1 0 0 8.8.8.8 detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

Phase: 2

Type: ACCESS-LIST

Subtype: 

Result: DROP

Config:

Implicit Rule

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7fff2960c520, priority=500, domain=permit, deny=true

        hits=4, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0

        input_ifc=inside, output_ifc=any

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks,

-Vinita

Vinita,

Try adding the icmp inspection as I noted earlier in the thread response to the original poster.

Also, you don't need access-lists on the inside since by default the higher security interface is allowed any-any to lower security interfaces.

I'm having a similar issue. I have set this up more than once and still can't get online. I've googled and tried all kinds of things - and nothing.

ASA Version 9.1(2)
!
hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.16.250 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service internet
 service tcp source eq www destination eq www
object network obj-any
 subnet 0.0.0.0 0.0.0.0
access-list global_access extended permit ip any any
access-list from_outside extended permit icmp any any echo
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any unidirectional no-proxy-arp
!
object network obj-any
 nat (inside,outside) dynamic interface
<--- More --->
              
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route inside 0.0.0.0 0.0.0.0 192.168.16.1 1
route inside 10.9.0.0 255.255.248.0 192.168.16.1 1
route inside 10.9.10.0 255.255.255.0 192.168.16.1 1
route inside 172.16.30.0 255.255.255.0 192.168.16.1 1
route inside 192.168.10.0 255.255.255.0 192.168.16.1 1
route inside 192.168.71.0 255.255.255.0 192.168.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
<--- More --->
              
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
<--- More --->
              
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a46b6f52772908dc97f10d276d2d250c
: end

Joel,

Your routing is a bit askew:

route inside 0.0.0.0 0.0.0.0 192.168.16.1 1
route inside 10.9.0.0 255.255.248.0 192.168.16.1 1
route inside 10.9.10.0 255.255.255.0 192.168.16.1 1
route inside 172.16.30.0 255.255.255.0 192.168.16.1 1
route inside 192.168.10.0 255.255.255.0 192.168.16.1 1
route inside 192.168.71.0 255.255.255.0 192.168.16.1 1

I don't know about all the ones you have in there, but your default route should be on the outside interface.

I assume you have some upstream device doing NAT also since your outside interface is a private address. Also, I'm not quite sure what your intention is with:

nat (inside,outside) source static any any unidirectional no-proxy-arp

Also, you don't need access-lists on the inside since by default the higher security interface is allowed any-any to lower security interfaces.

Marvin, how about this?

Still can't get to the internet from a laptop connected to ASA but I now CAN ping google from firewall cli

And I'm trying to give this a base config to send somewhere else and they'll put the ACL's they need there (and change the OUTSIDE interface information). Right now it's just at my workstation between a laptop and a switch on my network. I am using Tutty from my work PC via console cable, then I have ASDM 7.1 connected via my personal laptop, and a third laptop connected to int 0/1 (IP 10.9.250.99.)

hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.16.250 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
              
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
<--- More --->
              
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
<--- More --->
              
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c1a9113b4c0fb58b0ed39f7eb2d6d72a
: end

I can now ping google from the ASA but still can't get internet from laptop. I ran packet tracer command (modified) that you provided earlier and got this:

ciscoasa# packet-tracer input inside icmp 10.9.250.20  0.0.0.      0 8.8.83 .8 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff217fc8d0, priority=500, domain=permit, deny=true
    hits=2, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=10.9.250.2, mask=255.255.255.255, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
<--- More --->
              
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I fixed the static routes - deleted all but one and made it for the Outside interface and disabled NAT. All that's left are ACL's and they're implicit - I didn't draw them up.

Joel,

I think you went one step too far by taking out your NAT statement. Please re-add:

object network obj-any
 nat (inside,outside) dynamic interface

Ok, now what did I do wrong? And Marvin - thanks so much for your help in this, my Cisco is pretty rusty and I haven't been on an ASA in quite some time.

ciscoasa# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.16.250 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-any
 nat (INSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
<--- More --->
              
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
<--- More --->
              
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
<--- More --->
              
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:44985f4b7c40271888ff6dee5072dd95
: end

ciscoasa#

Is this problem resolved? If so, please rate and mark it answered.

If not, please re-run the same packet-tracer you did earlier and share the results.