Network systems cannot access internet

naushad_khan
Level 1

What should I do on my Cisco ASA 5505 firewall to allow my network systems to access the internet via the gateway? I use ASDM to configure the firewall.

Accepted Solution

Hi,

I'm not a big fan of GUIs, but you can paste CLI configs into the ASDM if my memory is good.

So pasting show run would give us the config and we could look at it to see if it's ok.

Second step would be to perform a packet-tracer and post the result here.

Here's a video that demonstrates the feature: http://www.youtube.com/watch?v=T9G5FKItoyw

Regards.

Alain

Don't forget to rate helpful posts.


5 Replies

cadet alain
VIP Alumni

Hi,

1) Configure a default route on the Outside interface. The CLI command is route outside 0.0.0.0 0.0.0.0 x.x.x.x, where x.x.x.x is the next-hop IP.

2) Configure NAT, but the syntax differs since the 8.3 OS.

3) Configure ICMP inspection if you want ping replies from outside to get to inside hosts.

I think it's better you post your config (show run) and we will tell you what's missing.

Regards.

Alain.

Don't forget to rate helpful posts.

I am not very comfortable with CLI commands. I use ASDM to configure my firewall. Everything is working fine on my firewall. All my rules are working fine. The only thing missing is that none of my PCs or laptops, which are on the same network, are able to browse the internet with my firewall as the default gateway.

Default route on outside interface is 0.0.0.0 0.0.0.0 124.153.85.235

Result of the command: "show run"

: Saved
:
ASA Version 8.2(1)
!
hostname OCTOPUS-FIREWALL
names
!
interface Vlan1
 description "***Connection on Inside port ETH 0/1***"
 nameif Inside
 security-level 100
 ip address 10.100.1.1 255.255.255.0
!
interface Vlan2
 description "***Uplink connection on Outside Port ETH0/0***"
 nameif Outside
 security-level 0
 ip address 124.153.82.50 255.255.255.248
!
interface Vlan3
 description "connected_on_192.168.1.x"
 no nameif
 no security-level
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup Inside
dns domain-lookup Outside
dns server-group DefaultDNS
 name-server 124.153.69.80
 name-server 124.153.69.15
object-group network Netmagic_Monitor_Group
 network-object host 124.153.69.124
 network-object host 124.153.69.121
 network-object host 124.153.69.123
 network-object host 123.108.39.124
 network-object host 124.153.99.124
 network-object host 180.179.39.124
 network-object host 124.153.69.203
 network-object host 124.153.69.204
object-group network Netmagic_Network_Group
 network-object host 124.153.99.242
 network-object host 123.108.39.242
 network-object host 124.153.69.242
 network-object host 180.179.39.242
 network-object host 202.87.39.242
object-group service 7070 tcp
 port-object eq 7070
access-list 101 extended permit tcp any host 124.153.85.175 eq 8085
access-list 101 extended deny ip host 204.152.184.139 any
access-list 101 extended deny ip host 58.63.237.42 any
access-list 101 extended deny ip host 58.252.208.131 any
access-list 101 extended permit ip object-group Netmagic_Network_Group any
access-list 101 extended deny ip host 60.250.122.226 any
access-list 101 extended permit ip object-group Netmagic_Monitor_Group any
access-list 101 extended deny ip host 121.254.71.105 any
access-list 101 extended permit tcp any host 124.153.85.232 eq ftp
access-list 101 extended permit tcp any host 124.153.85.232 eq 8085
access-list 101 extended permit tcp any host 124.153.85.235 eq 8081
access-list 101 extended permit tcp any host 124.153.85.233 eq www
access-list 101 extended permit tcp any host 124.153.85.233 eq 1433
access-list 101 extended permit tcp any host 124.153.85.233 eq https
access-list 101 extended permit tcp any host 124.153.85.233 eq ftp
access-list 101 extended permit tcp any host 124.153.85.233 eq ssh
access-list 101 extended permit tcp any host 124.153.85.233 eq ftp-data
access-list 101 extended permit tcp any host 124.153.85.233 eq 59001
access-list 101 extended permit tcp any host 124.153.85.172 eq 8085
access-list 101 extended permit tcp any host 124.153.85.172 eq ftp
access-list 101 extended permit tcp any host 124.153.85.173 eq 8085
access-list 101 extended permit tcp any host 124.153.85.173 range ftp-data ftp
access-list 101 extended permit tcp any host 124.153.85.174 eq www
access-list 101 extended permit tcp any host 124.153.82.53 eq 8085
access-list 101 extended permit tcp any host 124.153.85.235 eq 8094
access-list 101 extended permit tcp any host 124.153.85.234 eq 8080
access-list 101 extended permit tcp any host 124.153.85.172 eq 7272
access-list 101 extended permit icmp any host 124.153.85.173
access-list 101 extended permit tcp any host 124.153.82.52 eq 8081
access-list 101 extended permit icmp any host 124.153.85.235
access-list 108 extended deny tcp any host 58.63.237.42
access-list 108 extended deny udp any host 58.63.237.42
access-list 108 extended deny udp any host 121.254.71.105
access-list 108 extended deny udp any host 60.250.122.226
access-list 108 extended deny tcp any host 121.254.71.105
access-list 108 extended deny ip any host 61.157.96.8
access-list 108 extended deny ip any host 58.252.208.131
access-list 108 extended deny tcp any host 60.250.122.226
access-list 108 extended permit ip any any
access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.9 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.220 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.59 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.26 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.15 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.14 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.12 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.7 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.172 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.9 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.7 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.12 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.14 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.10 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.15 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.218 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.97 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.25 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.60 host 72.14.213.109 eq 465
access-list octopusepat_82_54 extended permit tcp host 10.100.1.59 host 72.14.213.109 eq 465
pager lines 24
logging enable
logging timestamp
logging trap critical
logging asdm informational
logging facility 18
logging host Outside 202.87.39.89
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 124.153.82.54
nat (Inside) 1 access-list octopusepat_82_54
static (Inside,Outside) 124.153.85.232 10.100.1.5 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.234 10.100.1.38 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.233 10.100.1.120 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.173 10.100.1.2 netmask 255.255.255.255
static (Inside,Outside) 124.153.82.53 10.100.1.98 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.174 10.100.1.11 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.172 10.100.1.100 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.175 10.100.1.52 netmask 255.255.255.255
static (Inside,Outside) 124.153.85.235 10.100.1.55 netmask 255.255.255.255
static (Inside,Outside) 124.153.82.52 10.100.1.10 netmask 255.255.255.255
static (Outside,Inside) 124.153.82.50 10.100.1.1 netmask 255.255.255.255
access-group 108 in interface Inside
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 124.153.82.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command LOCAL
http server enable
http 10.100.1.0 255.255.255.0 Inside
http 122.170.115.164 255.255.255.255 Outside
snmp-server host Outside 123.108.39.124 community chn2000
snmp-server host Outside 123.108.39.39 community chn2000
snmp-server host Outside 124.153.69.121 community chn2000
snmp-server host Outside 124.153.69.123 community chn2000
snmp-server host Outside 124.153.69.124 community chn2000
snmp-server host Outside 124.153.69.203 community chn2000
snmp-server host Outside 124.153.69.204 community chn2000
snmp-server host Outside 124.153.99.124 community chn2000
snmp-server host Outside 124.153.99.39 community chn2000
snmp-server host Outside 180.179.39.124 community chn2000
snmp-server host Outside 202.87.39.39 community chn2000
snmp-server host Outside 202.87.44.69 community chn2000
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 124.153.69.242 255.255.255.255 Outside
ssh 122.170.115.164 255.255.255.255 Outside
ssh timeout 5
console timeout 5
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp trusted-key 1
webvpn
username cisco password miNpFGsdff.9QSZNEuyO encrypted
username netmagic password VWIMcRsCCdfr7Oc5YO encrypted
username netmagic attributes
 service-type nas-prompt
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a08cd5d128fc909a8122b6d52a9cb19a
: end

Hi,

1) Why use policy NAT? nat (Inside) 1 access-list octopusepat_82_54

You're not permitting web traffic and DNS traffic in this ACL, so you won't be able to browse. You don't even permit ICMP, so you can't ping outside hosts.

2) If you do just simple NAT (nat (Inside) 1 10.100.1.0 255.255.255.0) in addition to policy NAT, then you'll have to:

  - enable ICMP inspection, or

  - apply an ACL inbound on Outside to permit ICMP replies.

Cisco recommends doing the first one, like this:

policy-map global_policy
 class inspection_default
  inspect icmp

Regards.

Alain

Don't forget to rate helpful posts.
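The diagnosis in the reply above (the policy-NAT ACL only covers SMTP and TCP/465, so HTTP and DNS from inside hosts never get a public source address) can be checked mechanically rather than by eye. The following Python script is an added example, not code from the thread or from Cisco: it parses a subset of the access-list octopusepat_82_54 lines copied from the posted show run, models the two dynamic NAT forms that matter here (policy NAT driven by an ACL, and plain network NAT), and reports which sample flows would be translated to the global address 124.153.82.54 before and after adding the nat (Inside) 1 10.100.1.0 255.255.255.0 rule the reply recommends. It assumes the ASA 8.2 rule order for dynamic NAT (policy NAT is evaluated before regular NAT), does not model the static (Inside,Outside) one-to-one entries (the sample client 10.100.1.20 has none), and uses a constructed destination 203.0.113.10 for the web flow; the DNS server 124.153.69.80 is the one in the posted config.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of three lines from the thread's policy-NAT ACL; the full list in the
# show run contains only "eq smtp" and "eq 465" entries, so the matching result is the same.
POLICY_NAT_ACL = """\
access-list octopusepat_82_54 extended permit tcp host 10.100.1.6 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.9 host 213.171.216.50 eq smtp
access-list octopusepat_82_54 extended permit tcp host 10.100.1.172 host 72.14.213.109 eq 465
"""

GLOBAL_POOL = "124.153.82.54"   # from: global (Outside) 1 124.153.82.54

PORT_NAMES = {"smtp": 25, "www": 80, "https": 443, "domain": 53, "ftp": 21}


@dataclass
class Ace:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any destination port


@dataclass
class NatRule:
    """One 'nat (Inside) 1 ...' statement: an ACL (policy NAT) or a source network (plain NAT)."""
    acl: Optional[List[Ace]] = None
    src: Optional[ipaddress.IPv4Network] = None


def _net(tok, i):
    """Parse 'host A', 'any' or 'A MASK' at tok[i]; return (network, index after it)."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended permit PROTO SRC DST [eq PORT]' lines into Ace objects."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[3] != "permit":
            continue
        src, i = _net(tok, 5)
        dst, i = _net(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        aces.append(Ace(tok[4], src, dst, dport))
    return aces


def nat_address(rules, proto, src_ip, dst_ip, dport):
    """Return the global address a flow is translated to, or None if no dynamic rule matches.
    Rules are checked in list order, which here mirrors ASA 8.2: policy NAT before plain NAT.
    Static one-to-one entries are evaluated before both on the ASA and are not modelled."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.acl is not None:
            if any(a.proto in ("ip", proto) and s in a.src and d in a.dst
                   and a.dport in (None, dport) for a in rule.acl):
                return GLOBAL_POOL
        elif s in rule.src:
            return GLOBAL_POOL
    return None


def diagnose(rules):
    """Evaluate the flows a browsing client needs, plus the one flow the policy ACL does cover."""
    flows = {
        "dns  10.100.1.20 -> 124.153.69.80:53": ("udp", "10.100.1.20", "124.153.69.80", 53),
        "http 10.100.1.20 -> 203.0.113.10:80": ("tcp", "10.100.1.20", "203.0.113.10", 80),
        "smtp 10.100.1.6  -> 213.171.216.50:25": ("tcp", "10.100.1.6", "213.171.216.50", 25),
    }
    return {name: nat_address(rules, *flow) for name, flow in flows.items()}


# Dynamic rules as posted: only the policy-NAT statement.
AS_POSTED = [NatRule(acl=parse_acl(POLICY_NAT_ACL))]

# After adding the plain network NAT the reply recommends:
#   nat (Inside) 1 10.100.1.0 255.255.255.0
WITH_FIX = AS_POSTED + [NatRule(src=ipaddress.ip_network("10.100.1.0/24"))]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("with fix", WITH_FIX)):
        print(label)
        for name, addr in diagnose(rules).items():
            print(f"  {name:40} -> {addr or 'NOT TRANSLATED'}")
```

A flow that reaches the Outside interface untranslated leaves with its 10.100.1.x source address, which the upstream provider cannot route replies to, so "NOT TRANSLATED" in the output is the symptom the original poster describes. The script also shows why the mail hosts in the ACL keep working: their SMTP flows match the policy ACL and are translated, while the same hosts' web traffic is not.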