Internet Connectivity Issues Behind my 5505

Dudash202
Level 1

Hello!

 

I am having connectivity issues with clients/devices behind my 5505 connecting to the Internet. I do not have a public static IP but I am using a pass through feature that AT&T has that will assign a dhcp Public IP and pass through the modem to a specified device. This part is working properly. I attached a simple drawing I made of my network to visualize what I am talking about. I also posted the show runs of R2 and the 5505. To give a brief summary:

 

From the 5505:

I can get out to the Internet

I can ping any interface inside my network

I can ping any client inside my network

 

From R2 and PC A:

I can ping to 10.10.0.1 (the 5505)

I can not ping anything on the Internet (like 8.8.8.8 for example)

If I do a tracert on PC A to 8.8.8.8, it will reach 10.10.0.9 (R2) and then time out

If I do a traceroute on R2 to 8.8.8.8, it will time out immediately

 

I have been troubleshooting and googling but I am still having this issue. I will be honest and say I don't have much experience or knowledge of firewalls and I am trying to learn as I go. If I need to post any other configs just let me know. Please forgive me for any dumb mistakes I made! :)

 

 

R2 show run:

R2#sh run
Building configuration...


Current configuration : 2237 bytes
!
! Last configuration change at 19:06:59 UTC Sat Sep 5 2015
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FHK1403F3FU
archive
 log config
  hidekeys
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 209.165.200.1 255.255.255.0
 shutdown
!
interface Loopback1
 ip address 10.10.10.101 255.255.255.252
!
interface Loopback2
 no ip address
 shutdown
!
interface Loopback3
 no ip address
 shutdown
!
interface FastEthernet0/0
 ip address 10.10.0.2 255.255.255.252
 ip helper-address 10.10.0.1
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.0.9 255.255.255.252
 ip helper-address 10.10.0.1
 duplex auto
 speed auto
!
router ospf 1
 redistribute static subnets
 network 10.10.0.0 0.0.0.3 area 0
 network 10.10.0.8 0.0.0.3 area 0
 network 10.10.10.100 0.0.0.3 area 0
 default-information originate
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
logging esm config
nls resp-timeout 1
cpd cr-id 1
!
!
!
!
!
tftp-server flash:P00308000500.bin
tftp-server flash:P00308000500.loads
tftp-server flash:P00308000500.sb2
tftp-server flash:P00308000500.sbn
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
 shutdown
!
!
telephony-service
 max-ephones 40
 max-dn 140
 ip source-address 10.10.10.101 port 2000
 load 7960-7940 P00308000500
 keepalive 15
 max-conferences 8 gain -6
 transfer-system full-consult
 create cnf-files version-stamp Jan 01 2002 00:00:00
!
!
ephone-dn  1  dual-line
 number 1111
 name Test1
!
!
ephone-dn  3  dual-line
 number 3333
 name Test2
!
!
ephone  1
 device-security-mode none
 mac-address 000F.245D.9576
 button  1:1
!
!
!
ephone  3
 device-security-mode none
 mac-address 000A.F408.37EF
 button  1:3
!
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

 

 

 

5505 show run:

DASHASA01# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname DASHASA01
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 shutdown
 no nameif
 security-level 100
 no ip address
!
interface Vlan2
 description OUTSIDE
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 description INSIDE
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.252
!
interface Vlan4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
access-list INSIDE_LAN extended permit ip 10.0.0.0 255.0.0.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
route inside 10.0.0.0 255.0.0.0 10.10.0.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
!
prompt hostname context
: end

 

 

Thanks!!!!

5 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I am not sure if you missed it, but I don't see any NAT statement configured:

nat (inside) 1 0 0

For this Global Statement:-

"global (outside) 1 interface"

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor for the response!

I just want to say sorry for all of my duplicate posts. I'm not sure why but when I originally posted my topic, I would go to the main board and I did not see my name or topic. I even searched for it but I found nothing. 

 

I did add the nat statement to my config and even did it a few different ways to test:

nat (inside) 1 0 0

nat (inside) 1 10.0.0.0 255.0.0.0 

nat (inside) 1 access-list INSIDE_LAN

 

I still can't get out to the Internet. When I do ping/tracert tests (from PC A), I still get stuck between R2 and the 5505 (times out).

Any other suggestions? I just can't figure this out. 
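The nat/global pairing discussed in the two posts above can be checked mechanically: in pre-8.3 ASA syntax a `global` pool is only used by `nat` statements that carry the same NAT ID. The following is an added example, not part of the original thread or of any Cisco tool; it runs over a constructed excerpt of the 5505 config posted above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT-relevant lines of the 5505 config posted above.
POSTED_CONFIG = """\
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif inside
 security-level 100
access-list INSIDE_LAN extended permit ip 10.0.0.0 255.0.0.0 any
global (outside) 1 interface
route inside 10.0.0.0 255.0.0.0 10.10.0.2 1
"""

# Pre-8.3 syntax: "nat (ifc) <id> <source...>" and "global (ifc) <id> <pool|interface>"
RULE = re.compile(r"^(nat|global)\s+\((\S+?)\)\s+(\d+)\s+(.+)$")

def parse_nat_rules(config):
    """Return {nat_id: {"nat": [(ifc, args)], "global": [(ifc, args)]}}."""
    rules = defaultdict(lambda: {"nat": [], "global": []})
    for line in config.splitlines():
        m = RULE.match(line.strip())
        if m:
            kind, ifc, nat_id, args = m.groups()
            rules[int(nat_id)][kind].append((ifc, args.strip()))
    return rules

def unpaired_nat_ids(config):
    """Report NAT IDs that have only one half of the nat/global pair."""
    findings = []
    for nat_id, rule in sorted(parse_nat_rules(config).items()):
        if nat_id == 0:
            continue  # nat 0 (identity NAT / exemption) takes no global
        if rule["global"] and not rule["nat"]:
            findings.append((nat_id, "global without nat"))
        elif rule["nat"] and not rule["global"]:
            findings.append((nat_id, "nat without global"))
    return findings

if __name__ == "__main__":
    print("as posted:", unpaired_nat_ids(POSTED_CONFIG))
    # The three variants tried in the reply above; each one completes the pair.
    for fix in ("nat (inside) 1 0 0",
                "nat (inside) 1 10.0.0.0 255.0.0.0",
                "nat (inside) 1 access-list INSIDE_LAN"):
        print(fix, "->", unpaired_nat_ids(POSTED_CONFIG + fix + "\n"))
```

A clean result only shows that the NAT IDs pair up; it says nothing about routing or return traffic, which is why the thread moves on to packet-tracer and captures.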

Hi,

Can you run a packet tracer on the ASA device?

Use this as reference:-

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Something like this:-

packet input inside tcp <IP address of the client not able to go out to the internet> 2345 4.2.2.2 80 det

If this says allowed, you might have to check the traffic on the ASA device using the captures.

https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm

Thanks and Regards,

Vibhor Amrodia

I did run the packet tracer as you mentioned and it does say allowed all the way through. I did notice something strange that may be causing my issue about an IP address that didn't match my scheme (it was 192.168.1.254) which technically is the IP of the AT&T gateway. I will post the results when I get home later tonight.

I still attempted to capture traffic on the ASA following the link you provided but I was very confused with the code shown as an example. It was hard to follow and I couldn't seem to get it to work. I will try it again later today.

Thanks for your help so far Vibhor, I really appreciate it!
