453 Views · 0 Helpful · 4 Replies

Installed ASA 5520 - Unable to get out to internet

xbsolutions
Level 1

I'm pretty new to working with the Cisco products, however I have the privilege to test the ASA 5520. I'm unable to ping the outside interface from the inside network. I'm unable to go out to the Internet. Any help is appreciated. Here is my config:

ASA Version 7.0(4)
!
hostname ciscoasa
domain-name XXXXXXXX.com
enable password xxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 123.x.x.x.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.199.1 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 99
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list acl_dmz extended permit ip 192.168.199.0 255.255.255.0 any
access-list acl_int extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list acl_int extended permit tcp 192.168.0.0 255.255.255.0 any eq https
access-list acl_int extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list acl_int extended permit tcp 192.168.0.0 255.255.255.0 any eq domain
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface DMZ
monitor-interface management
icmp permit any echo Outside
icmp permit any echo-reply Outside
icmp permit any Inside
icmp permit host 123.123.123.123 echo DMZ
icmp permit host 123.123.123.123 echo-reply DMZ
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 123.x.x.x.123.123.126 netmask 255.255.255.248
global (Outside) 1 123.x.x.127 netmask 255.255.255.248
global (Outside) 1 interface
nat (Inside) 0 192.168.0.0 255.255.0.0
nat (DMZ) 0 192.0.0.0 255.0.0.0
access-group acl_int in interface Outside
access-group acl_int out interface Outside
access-group acl_int in interface Inside
access-group acl_int out interface Inside
access-group acl_dmz in interface DMZ
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 192.168.199.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 Inside
telnet 192.168.199.0 255.255.255.0 DMZ
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh 192.168.0.0 255.255.255.0 Inside
ssh 192.168.199.0 255.255.255.0 DMZ
ssh timeout 30
console timeout 0
dhcpd address 192.168.0.50-192.168.0.100 Inside
dhcpd address 192.168.199.50-192.168.199.100 DMZ
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 192.168.0.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain xxxxxxxx.com
dhcpd auto_config DMZ
dhcpd enable Inside
dhcpd enable DMZ
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxx
: end

4 Replies

Patrick Laidlaw
Level 4

Hello XBSolutions

A PIX does not allow you to traverse one interface and terminate connections on another. But to solve your problems with getting out, here are the commands you can use to PAT your inside and DMZ networks out to the Internet using the outside interface IP address.

global (Outside) 1 interface
nat (Inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 1 192.255.0.0 255.255.0.0
access-list inbound_in permit icmp any any
access-group inbound_in in interface outside

The access-list will allow your pings going out to respond back; everything else should now work fine. To watch your pings traverse the firewall, execute the command "debug icmp trace".

Patrick

If you noticed, I changed the number for global from 0 to 1 so it would match your nat statements.

Patrick

Thanks Patrick, I changed my config to match your suggestions. However, I'm still not able to get out or ping the Outside interface. Take a look below.

ASA Version 7.0(4)
!
hostname ciscoasa
domain-name xxxxxxxxx.com
enable password xxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 123.123.123.123 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 192.168.199.1 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 99
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list acl_dmz extended permit ip 192.168.199.0 255.255.255.0 any
access-list inbound_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu DMZ 1500
mtu management 1500
no failover
icmp permit any echo Outside
icmp permit any echo-reply Outside
icmp permit any Inside
icmp permit host 123.123.123.123 echo DMZ
icmp permit host 123.123.123.123 echo-reply DMZ
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 1 192.168.0.0 255.255.0.0
access-group inbound_in in interface Outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 192.168.199.0 255.255.255.0 DMZ
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 Inside
telnet 192.168.199.0 255.255.255.0 DMZ
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 30
ssh 192.168.0.0 255.255.255.0 Inside
ssh 192.168.199.0 255.255.255.0 DMZ
ssh timeout 30
console timeout 0
dhcpd address 192.168.0.50-192.168.0.100 Inside
dhcpd address 192.168.199.50-192.168.199.100 DMZ
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 192.168.0.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain xxxxxxxxx.com
dhcpd auto_config DMZ
dhcpd enable Inside
dhcpd enable DMZ
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
ciscoasa#

Hello,

try and add a default route to your configuration:

route outside 0 0 123.123.123.xxx 1

where the IP address 123.123.123.xxx is the address of the device directly connected to the outside interface of your ASA.

HTH,

GNT
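The two replies above point at three separate defects in the first posted config: NAT id 0 (identity NAT, so private inside addresses leave untranslated), an outbound ACL bound in both directions on both Outside and Inside, and no default route. The checker below is an added example, not code from the thread or from Cisco: it parses a pre-8.3 ASA running-config as plain text and reports those conditions, plus two related ones that the posted `acl_int` would also trip (DNS permitted over TCP only, and a `nat` id that has no matching `global`). The two embedded configs are constructed excerpts in the shape of the thread's before and after configs, and the gateway 203.0.113.1 in the fixed one is a placeholder from the documentation range.

```python
import ipaddress
import re

# Constructed sample in the shape of the originally posted config (not a verbatim copy).
ORIGINAL = """
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
access-list acl_int extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list acl_int extended permit tcp 192.168.0.0 255.255.255.0 any eq domain
nat-control
global (Outside) 1 interface
nat (Inside) 0 192.168.0.0 255.255.0.0
nat (DMZ) 0 192.0.0.0 255.0.0.0
access-group acl_int in interface Outside
access-group acl_int out interface Outside
access-group acl_int in interface Inside
access-group acl_int out interface Inside
"""

# Constructed sample with the replies' changes applied; 203.0.113.1 is a placeholder gateway.
FIXED = """
global (Outside) 1 interface
nat (Inside) 1 192.168.0.0 255.255.0.0
nat (DMZ) 1 192.168.199.0 255.255.255.0
access-list inbound_in extended permit icmp any any
access-group inbound_in in interface Outside
route Outside 0 0 203.0.113.1 1
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pre-8.3 ASA syntax: nat (ifc) id net mask / global (ifc) id ... / route ifc dst mask gw
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
DNS_ACL_RE = re.compile(r"^access-list (\S+) extended permit (tcp|udp) .*\beq domain$")


def audit_asa_config(config: str, outside: str = "Outside") -> list:
    """Return 'CODE: detail' findings for the NAT/ACL/route pattern discussed in the thread."""
    nats, global_ids, groups, dns_protos = [], set(), [], {}
    has_default_route = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            nats.append((m[1], int(m[2]), m[3], m[4]))
        elif m := GLOBAL_RE.match(line):
            if m[1].lower() == outside.lower():
                global_ids.add(int(m[2]))
        elif m := ROUTE_RE.match(line):
            ifc, dst, mask = m[1], m[2], m[3]
            # ASA accepts 'route Outside 0 0 <gw>' as shorthand for 0.0.0.0 0.0.0.0
            if ifc.lower() == outside.lower() and dst in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
                has_default_route = True
        elif m := AG_RE.match(line):
            groups.append((m[1], m[2], m[3]))
        elif m := DNS_ACL_RE.match(line):
            dns_protos.setdefault(m[1], set()).add(m[2])

    findings = []
    for ifc, nat_id, net, mask in nats:
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        except ValueError:
            findings.append(f"NAT-PARSE: nat ({ifc}) {nat_id} {net} {mask} is not a valid network")
            continue
        if nat_id == 0:
            # id 0 without an access-list is identity NAT: sources are sent out untranslated,
            # so RFC1918 sources never get a reply from the Internet
            if any(network.overlaps(p) for p in RFC1918):
                findings.append(f"NAT0: nat ({ifc}) 0 {network} leaves private sources untranslated")
        elif nat_id not in global_ids:
            findings.append(f"NAT-NO-GLOBAL: nat ({ifc}) {nat_id} has no 'global ({outside}) {nat_id}'")
    if not has_default_route:
        findings.append(f"NO-DEFAULT-ROUTE: no 'route {outside} 0 0 <gateway>' for Internet-bound traffic")

    bound = {}
    for acl, direction, ifc in groups:
        bound.setdefault(acl, set()).add(ifc)
        if direction == "out":
            findings.append(f"ACL-OUT: {acl} applied 'out' on {ifc}; usually unintended, filters replies too")
    for acl, ifcs in bound.items():
        if len(ifcs) > 1:
            findings.append(f"ACL-MULTI: {acl} bound to {sorted(ifcs)}; one ACL per interface direction")
        protos = dns_protos.get(acl, set())
        if "tcp" in protos and "udp" not in protos:
            findings.append(f"DNS-TCP-ONLY: {acl} permits DNS over TCP only; ordinary lookups use UDP 53")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"== {label}: {len(audit_asa_config(cfg))} finding(s)")
        for f in audit_asa_config(cfg):
            print("  " + f)
```

Run it against a real `show running-config` saved to a file by passing the file's contents to `audit_asa_config`; the checker only reads text, so it is safe to run on a copy of the config off the box. The NAT0 check deliberately fires on overlap with any RFC1918 range rather than on `is_private`, so a broad statement such as `nat (DMZ) 0 192.0.0.0 255.0.0.0` is still reported.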
