No internet access with ASA 5506-x

Maximus908
Level 1

Hello,

 

Can anybody help me please...?

I am trying to get through my new ASA with my PC, but I can't. After some days on the net trying to find a solution, I need your experience... :-)

 

I live in Belgium, so please excuse my poor technical English.

 

My problem is :

I connect the ASA behind a modem from my ISP; this modem is bridged in PPPoE.

Behind the ASA, I have 3 Cisco 2811 routers and 2 Cisco switches, and finally my PC (this is a topology for labs).

 

But I can't pass through the ASA with my PC; it is impossible to get out...

I can ping the IP address 192.168.1.1 (ASA Gi1/1) from my PC (10.2.99.1).

I think that I need an access-list, but I don't know...

 

Here is the config:

 

LasVegasASA1# sh run
: Saved

:
: Serial Number: ********
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1)
!
terminal width 350
hostname LasVegasASA1
enable password ******* encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group ISP1-PROXIMUS
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic any interface
!
object network obj_any
nat (any,outside) dynamic interface
router ospf 1
network 192.168.1.0 255.255.255.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP1-PROXIMUS request dialout pppoe
vpdn group ISP1-PROXIMUS localname ********@PROXIMUS
vpdn group ISP1-PROXIMUS ppp authentication chap
vpdn username ********@PROXIMUS password ************ store-local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:******************
: end

 

 

LasVegasASA1# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1/1 10*.***.***.79 YES manual up up
GigabitEthernet1/2 192.168.1.1 YES CONFIG up up
GigabitEthernet1/3 unassigned YES unset administratively down down
GigabitEthernet1/4 unassigned YES unset administratively down down
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up down
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Management1/1 unassigned YES unset down down


LasVegasASA1# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 109.130.208.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 10*.***.***.1, outside
O E2 10.2.3.0 255.255.255.0 [110/1] via 192.168.1.2, 04:21:03, inside
O E2 10.2.7.0 255.255.255.252 [110/1] via 192.168.1.2, 04:21:03, inside
O E2 10.2.7.4 255.255.255.252 [110/1] via 192.168.1.2, 04:21:03, inside
O E2 10.2.7.8 255.255.255.252 [110/1] via 192.168.1.2, 04:21:03, inside
O E2 10.2.99.0 255.255.255.0 [110/1] via 192.168.1.2, 04:21:03, inside
C 192.168.1.0 255.255.255.252 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
O E2 192.168.2.0 255.255.255.252 [110/1] via 192.168.1.2, 04:21:03, inside
O E2 192.168.3.0 255.255.255.252 [110/1] via 192.168.1.2, 04:21:03, inside

 

Thank you in advance for your answer.

 

Marc

 

 

 

 

24 Replies

Thank you for the log messages (and there are certainly a lot of them). I do see log messages relating to the PC pinging the ASA interface. But I do not see any messages relating to the PC pinging 8.8.8.8.

 

Would you post the output of show nat detail?

 

HTH

Rick

Indeed, no 8.8.8.8 ???

 

Here is sh nat:

LasVegasASA1(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 109.129.13.224/32

Thank you for the output. It is interesting that the hit count is 0. I am wondering if the ping attempt to outside is getting to the ASA. It looks like the PC is several hops away from the ASA. Is it possible that one of those devices has some security policy that does not allow the ping to external addresses? Or is it possible that one of those devices does not have a default route?

 

It might be interesting to compare the results of tracert 192.168.1.1 and tracert 8.8.8.8

 

HTH

Rick

I will review all my configurations one by one, and I will come back to you if I have found one or more errors. Thank you.

Have a nice day...:-)

 

Marc

Hello Venkat,

 

Here is the result of your command:

 

LasVegasASA1# packet-tracer input inside icmp 10.2.99.1 1 1 8.8.8.8 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 109.130.208.1 using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd4d6140, priority=6, domain=nat, deny=false
hits=6, user_data=0x7fffddd24f40, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd400b20, priority=0, domain=nat-per-session, deny=true
hits=1973, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffddb831c0, priority=0, domain=inspect-ip-options, deny=true
hits=28, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

 

Do you have a solution?

 

Marc
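The two outputs in this thread so far (the show nat detail listing with translate_hits = 0, and the packet-tracer run above that ends in nat-xlate-failed) are the kind of text a practitioner ends up eyeballing by hand. The script below is an added example written for this thread, not code from the poster or from Cisco: it parses both formats and turns them into a short triage list, following the same order of questions as the earlier reply (first, do real flows reach the ASA at all, which the hit counters answer). The sample outputs embedded in it are constructed to mirror the posted ones, with RFC 5737 documentation addresses in place of the masked public IP, and the finding codes (nat-never-hit, tracer-drop, nat-xlate-failed) are my own naming.

```python
"""Parse ASA 'show nat detail' and 'packet-tracer ... detailed' output into a
short triage list.  Added example for this thread, not code from the poster or
from Cisco; the two samples are constructed to mirror the posted outputs, with
RFC 5737 documentation addresses in place of the masked public IP."""
import re

# Constructed sample: the 'show nat detail' output that showed zero hits.
SHOW_NAT_ZERO_HITS = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic any interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 203.0.113.224/32
"""

# Constructed sample: the packet-tracer run that ended in nat-xlate-failed.
PACKET_TRACER = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffdd4d6140, priority=6, domain=nat, deny=false

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed
"""

NAT_SECTION = re.compile(r"^(Manual|Auto) NAT Policies \(Section (\d)\)")
NAT_RULE = re.compile(r"^\s*(\d+) \((\S+)\) to \((\S+)\) (.+)$")
NAT_HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
KEY_VALUE = re.compile(r"^([A-Za-z-]+): ?(.*)$")
PHASE_KEYS = {"Type", "Subtype", "Result", "Config"}


def parse_show_nat(text):
    """One dict per NAT rule: section, interfaces, rule text and hit counters."""
    rules, section = [], None
    for line in text.splitlines():
        if m := NAT_SECTION.match(line):
            section = int(m.group(2))
        elif m := NAT_RULE.match(line):
            rules.append({"section": section, "index": int(m.group(1)),
                          "src_ifc": m.group(2), "dst_ifc": m.group(3),
                          "rule": m.group(4).strip(),
                          "translate_hits": None, "untranslate_hits": None})
        elif (m := NAT_HITS.search(line)) and rules:  # counters follow their rule
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
    return rules


def parse_packet_tracer(text):
    """Split packet-tracer output into its phases and the final verdict."""
    phases, current, final, in_result = [], None, {}, False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":")[1]), "info": []}
            phases.append(current)
            continue
        if line == "Result:":  # the closing block has no phase number
            in_result, current = True, None
            continue
        m = KEY_VALUE.match(line)
        if in_result and m:
            final[m.group(1).lower()] = m.group(2)
        elif current is not None and m and m.group(1) in PHASE_KEYS:
            current[m.group(1).lower()] = m.group(2)
        elif current is not None and line and not line.endswith(":"):
            current["info"].append(line)  # config lines, rule ids, next-hop
    reason = re.search(r"\((\S+)\)", final.get("drop-reason", ""))
    return {"phases": phases, "action": final.get("action"),
            "drop_reason": reason.group(1) if reason else None, "final": final}


def triage(nat_rules, trace):
    """Combine both outputs into (code, message) findings; the first question is
    whether real traffic reaches the ASA at all, which the hit counters answer."""
    findings = []
    if nat_rules and all(r["translate_hits"] == 0 for r in nat_rules):
        findings.append(("nat-never-hit", "no NAT rule has ever translated a flow; "
                         "check default routes on the hops before the ASA"))
    if trace["action"] == "drop":
        last = trace["phases"][-1]
        findings.append(("tracer-drop", f"packet-tracer drops after phase {last['phase']} "
                         f"({last.get('type')}): {trace['drop_reason']}"))
    if trace["drop_reason"] == "nat-xlate-failed":
        rule = next((i for p in trace["phases"] if p.get("type") == "NAT"
                     for i in p["info"] if i.startswith("nat ")), None)
        findings.append(("nat-xlate-failed", f"NAT rule '{rule}' matched but no translation "
                         "was built; re-check it against the egress interface the route lookup chose"))
    return findings
```

Feed it the real outputs with `parse_show_nat(open("nat.txt").read())` and `parse_packet_tracer(open("tracer.txt").read())`; a packet-tracer drop combined with counters that never move points at the upstream routers rather than at the ASA, which is how this thread was eventually resolved.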

See: https://www.youtube.com/watch?v=FfPJ_dvM_is

You must set dynamic NAT.

Hello,

I still have a problem getting through the ASA with a PC...

 

Here is a diagram (I should point out that this is only for labs, to play and to learn) :-) : [image: ASA3.PNG]

 

And here is the configuration of the ASA 5506-X:

 

LasVegasASA1# sh run
: Saved

:
: Serial Number: **********
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.4(1)
!
terminal width 350
hostname LasVegasASA1
domain-name cyberesilient.be
enable password *********
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group ISP1-PROXIMUS
ip address pppoe setroute
!
interface GigabitEthernet1/2
description " Connection To LasVegasRTR1 "
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet1/3
description " Connection To LasVegasRTR2 "
nameif inside2
security-level 0
ip address 10.2.7.18 255.255.255.252
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
!
interface GigabitEthernet1/4
description " Connection To PcMarc "
nameif inside3
security-level 0
ip address 10.2.7.22 255.255.255.252
ospf message-digest-key 1 md5 *****
ospf authentication message-digest
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
security-level 0
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
banner exec Welcome on CYBERESILIENT...
banner login Welcome to $(hostname) - $(domain).
banner motd You have logged in to a secure device.
banner motd
banner motd If you are not authorized to access this device, log out immediately or risk possible criminal consequences.
banner motd
banner motd Contact me at admin@cyberesilient.be for any issues.
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name cyberesilient.be
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
mtu inside3 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
router ospf 1
router-id 3.3.3.3
network 10.2.7.16 255.255.255.252 area 0
network 10.2.7.20 255.255.255.252 area 0
log-adj-changes
redistribute connected
redistribute static
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.2.99.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 10.2.65.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.1.2 255.255.255.255 inside
ssh 10.2.65.2 255.255.255.255 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP1-PROXIMUS request dialout pppoe
vpdn group ISP1-PROXIMUS localname *******@PROXIMUS
vpdn group ISP1-PROXIMUS ppp authentication chap
vpdn username ********@PROXIMUS password ***** store-local
dhcpd dns 208.67.220.220 208.67.222.222
dhcpd lease 3000
dhcpd ping_timeout 30
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username Admin password ******* encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bc7374d99d1a8a4af6b9859af512d63a
: end

 

LasVegasASA1# sh int ip brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1/1 9*.***.**.202 YES CONFIG up up
GigabitEthernet1/2 192.168.1.1 YES CONFIG up up
GigabitEthernet1/3 10.2.7.18 YES CONFIG up up
GigabitEthernet1/4 10.2.7.22 YES CONFIG up up
GigabitEthernet1/5 unassigned YES unset administratively down down
GigabitEthernet1/6 unassigned YES unset administratively down down
GigabitEthernet1/7 unassigned YES unset administratively down down
GigabitEthernet1/8 unassigned YES unset administratively down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up down
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Management1/1 unassigned YES unset down down


LasVegasASA1# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 1**.*0.2**.1 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 1**.*0.2**.1, outside
O 10.2.3.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:03, inside3
O 10.2.4.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:13, inside3
O 10.2.7.0 255.255.255.252 [110/74] via 10.2.7.21, 04:04:13, inside3
O 10.2.7.4 255.255.255.252 [110/11] via 10.2.7.21, 04:04:13, inside3
O 10.2.7.8 255.255.255.252 [110/12] via 10.2.7.21, 04:04:13, inside3
O 10.2.7.12 255.255.255.252 [110/11] via 10.2.7.17, 04:04:03, inside2
C 10.2.7.16 255.255.255.252 is directly connected, inside2
L 10.2.7.18 255.255.255.255 is directly connected, inside2
C 10.2.7.20 255.255.255.252 is directly connected, inside3
L 10.2.7.22 255.255.255.255 is directly connected, inside3
O 10.2.10.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:13, inside3
O 10.2.11.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:13, inside3
O 10.2.12.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:13, inside3
O 10.2.20.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:13, inside3
O 10.2.21.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:16, inside3
O 10.2.22.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:16, inside3
O 10.2.65.0 255.255.255.0 [110/12] via 10.2.7.17, 04:04:06, inside2
O 10.2.99.0 255.255.255.0 [110/12] via 10.2.7.21, 04:04:16, inside3
C 192.168.1.0 255.255.255.252 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside

 

LasVegasASA1# sh nat detail

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic obj_any interface
translate_hits = 7597, untranslate_hits = 151
Source - Origin: 0.0.0.0/0, Translated: 91.182.3.202/32


LasVegasASA1# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/18/20 ms


LasVegasASA1# ping 10.2.65.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.65.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

 

Thank you in advance.

 

Marc
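Two things in the revised configuration above decide whether traffic can cross the ASA at all, and how exposed its management plane is: every named interface (outside, inside, inside2, inside3) now sits at security-level 0 and same-security-traffic permit inter-interface is set, and the SSH section pins key exchange to dh-group1-sha1 and disables strict host key checking. The script below is an added example for this thread, not the poster's or Cisco's code; it audits a running-config for exactly those settings and reports the opposite failure mode too (equal levels without the permit, which passes nothing). The config excerpt inside it is constructed from the posted one (trimmed, with the indentation stripped the way the forum did), and the finding codes are my own naming.

```python
"""Audit an ASA running-config for the security-level / same-security-traffic
settings that decide whether named interfaces can talk without an access-list,
plus the SSH and HTTP management settings seen in the posted config.  Added
example for this thread, not the poster's or Cisco's code; the excerpt below is
constructed from the second configuration posted in the thread."""
import re

# Constructed excerpt (the forum stripped the indentation, so none is assumed).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.252
!
interface GigabitEthernet1/4
nameif inside3
security-level 0
ip address 10.2.7.22 255.255.255.252
!
interface GigabitEthernet1/5
shutdown
no nameif
security-level 0
no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
http server enable
http 10.2.99.0 255.255.255.0 inside
ssh 192.168.1.2 255.255.255.255 inside
no ssh stricthostkeycheck
ssh key-exchange group dh-group1-sha1
"""

MGMT_ACCESS = re.compile(r"^(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def parse_interfaces(config):
    """Map each named interface (nameif) to its security-level and shutdown state."""
    named, block = {}, None

    def flush():
        if block and block["nameif"]:
            named[block["nameif"]] = block

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            block = {"ifc": line.split(None, 1)[1], "nameif": None,
                     "security_level": None, "shutdown": False}
        elif line == "!":
            flush()
            block = None
        elif block is not None:
            if line.startswith("nameif "):
                block["nameif"] = line.split()[1]
            elif line.startswith("security-level "):
                block["security_level"] = int(line.split()[1])
            elif line == "shutdown":
                block["shutdown"] = True
    flush()
    return named


def prefix_len(mask):
    """Dotted-quad netmask to prefix length, e.g. 255.255.255.0 -> 24."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def audit(config):
    """Return (code, message) findings for the config text."""
    lines = [raw.strip() for raw in config.splitlines()]
    named = parse_interfaces(config)
    findings = []
    # Interfaces sharing a security level either talk freely (with the permit)
    # or not at all (without it); neither case involves an access-list, which
    # is easy to miss when troubleshooting "no traffic passes".
    permit_inter = "same-security-traffic permit inter-interface" in lines
    by_level = {}
    for name, ifc in named.items():
        if not ifc["shutdown"]:
            by_level.setdefault(ifc["security_level"], []).append(name)
    for level, names in sorted(by_level.items()):
        if len(names) < 2:
            continue
        if permit_inter:
            findings.append(("same-level-open", f"{sorted(names)} all sit at security-level "
                             f"{level} with inter-interface traffic permitted: flows between "
                             "them pass in both directions with no access-list"))
        else:
            findings.append(("same-level-blocked", f"{sorted(names)} all sit at security-level "
                             f"{level} without the inter-interface permit: nothing passes "
                             "between them at all"))
    if "ssh key-exchange group dh-group1-sha1" in lines:
        findings.append(("weak-ssh-kex", "SSH key exchange pinned to 1024-bit dh-group1-sha1; "
                         "use dh-group14-sha1 or newer"))
    if "no ssh stricthostkeycheck" in lines:
        findings.append(("ssh-no-hostkey-check",
                         "the ASA's own SSH/SCP client will accept any server host key"))
    for line in lines:
        m = MGMT_ACCESS.match(line)
        if m and prefix_len(m.group(3)) < 32:
            findings.append(("wide-mgmt-access", f"{m.group(1)} management reachable from "
                             f"{m.group(2)}/{prefix_len(m.group(3))} on {m.group(4)}"))
    return findings
```

Run it as `audit(open("running-config.txt").read())`. For a lab this is a choice, not a bug; on a unit with a PPPoE public address it is worth knowing that the only thing separating "outside" from the inside interfaces is the absence of routes to the private networks, not any ASA policy.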

Marc

 

You have given us a revised description of the topology and a revised config of the ASA and the output of some show commands. But you have not told us what does work and what does not work. Can you tell us that?

 

HTH

Rick

Hello Richard,

The problem was that I had no connection to the internet through my ASA, but now it's OK...

In fact, I had made a mistake, my fault, with a bad default route on a router.

Now, all is perfect...👍

Thank you

Thanks for the update. Glad to know that the issue turned out to be a bad default route on a router. Glad that now all is perfect.

 

HTH

Rick