12-05-2011 09:22 AM - edited 03-11-2019 02:59 PM
Hi All,
I have an ASA 5510 which i've configured for internet access.I can connect to the internet from the ASA box,
I can ping public networks from the console of the ASA box,but cannot access public hosts from internal hosts connecting via the ASA box.
Find my config below to know what i ahave omitted or committed.
ASA Version 8.3(1)
!
hostname Firewall
domain-name host.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.25 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.168.1 255.255.255.0
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 11.11.11.14 255.255.255.248
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 11.11.10.19
domain-name host.com
same-security-traffic permit intra-interface
object network LAN_NETWORK
range 192.168.1.1 192.168.1.254
description Local Network
object network OUT_NETWORK
host 11.11.11.14
object-group icmp-type ping
description Ping Group
icmp-object echo
icmp-object echo-reply
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 11.11.11.8 255.255.255.248
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN_NETWORK interface
access-group INSIDE in interface inside
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 11.11.11.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3000
!
dhcpd address 192.168.168.10-192.168.168.100 DMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc3f8e6d1659a2f108b5e44d625c623a
: end
Thanks All
Solved! Go to Solution.
12-06-2011 02:45 AM
Hi,
For the internet access you need only 1.default route to next hop, 2. PAT rule.
by default all traffic from inside to outside is permitted. so there is no need for the ACL to permit traffic.
What i am suggesting is
remove the followings.
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 11.11.11.8 255.255.255.248
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-group INSIDE in interface inside
access-group INBOUND in interface outside
nat (inside,outside) source dynamic LAN_NETWORK interface
and add the foloowing
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
and default route which you already created
thanks
vipin
please update the status
12-05-2011 10:04 AM
Hello Adewale,
The problem you are facing is that you have applied an ACL on the inside interface so only those two lines (traffic) are going to be accepted by the ASA.
So if you want the inside users to be able to acces the internet please do the following:
access-list INSIDE permit tcp any any eq 80
access-list INSIDE permit tcp any any eq 443
access-list INSIDE permit udp any any eq 53
Please rate helpful posts.
Have a good one.
Julio!!!
12-06-2011 02:32 AM
Hi Julio,
I have applied the configs you posted, but unfortunately clients on the inside cant still get to the outside.
Inside hosts can ping the outside gateway but cant go beyond that.
I'll appreciate more input or idea as regards this.
Thanks for your input.
12-06-2011 02:45 AM
Hi,
For the internet access you need only 1.default route to next hop, 2. PAT rule.
by default all traffic from inside to outside is permitted. so there is no need for the ACL to permit traffic.
What i am suggesting is
remove the followings.
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 11.11.11.8 255.255.255.248
access-list INSIDE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list INBOUND extended permit icmp any any echo
access-list INBOUND extended permit icmp any any echo-reply
access-list INBOUND extended permit icmp any any time-exceeded
access-group INSIDE in interface inside
access-group INBOUND in interface outside
nat (inside,outside) source dynamic LAN_NETWORK interface
and add the foloowing
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
and default route which you already created
thanks
vipin
please update the status
12-06-2011 05:55 AM
Hi,
Thanks for the input.
ASA version 8.3(1) does not support global commands anymore. So i had to stay with my nat command.
Your advice on the removal of the access-lists worked.
I had to remove the INSIDE acces-lists but left the acls for icmp so that i can be able to perform some ping to the outside network.
Its working fine now.
Thanks for the input.I appreciate you all.
12-06-2011 04:22 AM
So you mean to say that the inside users can ping your default gateway?
if that is true traffic through the firewall is working fine?
are your inside users are not able to ping 4.2.2.2?
Are you able to ping 4.2.2.2 from your ASA and the default gateway?
Can you powerdown and power on youor default gateway?
It could be an arp issue if this is a new implementation.
Thanks,
Sachin
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide