There is internet connection in ASA CLI but cannot connect in browser with static IP Cisco ASA-5506-X

Hi,

 

I have a Cisco ASA-5506-X. I am pretty new to this. I switched from a dynamic IP address to a static IP address.

 

My static IP subnet is xxx.xxx.xxx.184/29, hence my subnet mask is 255.255.255.248 and my static IP address range is xxx.xxx.xxx.186-190.

 

My purpose is to create PAT rules which will assign my static IPs to the ports. At this moment I cannot even create one PAT.

 

When I plug my internet connection with the static IP address into a WiFi router, it works. Here is the configuration.

 

Connection Type: Static IP
IP address: xxx.xxx.xxx.186
Subnet Mask: 255.255.255.248
Gateway: xxx.xxx.xxx.185
Primary DNS Server: xxx.xxx.xxx.242
Secondary DNS Server: xxx.xxx.xxx.34

 

Currently I am connected to the ASA-5506-X through an Ethernet cable plugged into port 7 (inside_6).

 

I use the Cisco ASA CLI. When I ping an IP address or website from the ASA CLI, connected through the console port, everything works.

 

ASA2(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.200.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

 

However, the internet does not work in the browser; Chrome shows ERR_NAME_NOT_RESOLVED. Any ping from the terminal on my computer (not from the ASA CLI) does not work either.

 

User ~ % ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
User ~ % ping www.google.com
ping: cannot resolve www.google.com: Unknown host

 

I went through packet tracing as advised in this thread: "I can ping, but not browse the internet. ASA 5505".

 

ASA2(config)# packet-tracer input inside_6 tcp 192.168.1.10 12345 8.8.8.8 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop xxx.xxx.xxx.185 using egress ifc  outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any6
 nat (inside_6,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.10/12345 to xxx.xxx.xxx.186/12345
 Forward Flow based lookup yields rule:
 in  id=0x7f8b6f719790, priority=6, domain=nat, deny=false
        hits=73, user_data=0x7f8b6f70bcc0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside_6, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
        hits=825362, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8b6eacb990, priority=0, domain=inspect-ip-options, deny=true
        hits=887, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
        hits=825363, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8b6eb88c70, priority=0, domain=inspect-ip-options, deny=true
        hits=431263, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
        hits=825365, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f8b6e88b720, priority=0, domain=inspect-ip-options, deny=true
        hits=786699, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
        hits=825366, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f8b6e88b720, priority=0, domain=inspect-ip-options, deny=true
        hits=786700, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 408188, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside_6
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

Here is my configuration:

 

 

ASA2(config)# show run
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ASA2
names
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.186 255.255.255.248
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server xxx.xxx.xxx.242 outside
 name-server xxx.xxx.xxx.34 outside
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network PublicIP1
 host xxx.xxx.xxx.185
object network LocalLAN
 host 192.168.1.1
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any echo outside
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
object network LocalLAN
 nat (inside_6,outside) dynamic PublicIP1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.185 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
telnet timeout 5
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
service-policy global_policy global
prompt hostname context

 

ASA2(config)# show int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Virtual0                   127.1.0.1       YES unset  up                    up
GigabitEthernet1/1         xxx.xxx.xxx.186 YES manual up                    up
GigabitEthernet1/2         192.168.1.1     YES unset  down                  down
GigabitEthernet1/3         192.168.1.1     YES unset  down                  down
GigabitEthernet1/4         192.168.1.1     YES unset  down                  down
GigabitEthernet1/5         192.168.1.1     YES unset  down                  down
GigabitEthernet1/6         192.168.1.1     YES unset  up                    up
GigabitEthernet1/7         192.168.1.1     YES unset  up                    up
GigabitEthernet1/8         192.168.1.1     YES unset  down                  down
Internal-Control1/1        127.0.1.1       YES unset  up                    up
Internal-Data1/1           unassigned      YES unset  up                    down
Internal-Data1/2           unassigned      YES unset  up                    up
Internal-Data1/3           unassigned      YES unset  up                    up
Internal-Data1/4           169.254.1.1     YES unset  up                    up
Management1/1              unassigned      YES unset  down                  down
BVI1                       192.168.1.1     YES CONFIG up                    up

 

ASA2(config)# show nameif
Interface                Name                     Security
GigabitEthernet1/1       outside                    0
GigabitEthernet1/2       inside_1                 100
GigabitEthernet1/3       inside_2                 100
GigabitEthernet1/4       inside_3                 100
GigabitEthernet1/5       inside_4                 100
GigabitEthernet1/6       inside_5                 100
GigabitEthernet1/7       inside_6                 100
GigabitEthernet1/8       inside_7                 100
BVI1                     inside                   100

 

ASA2(config)# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is xxx.xxx.xxx.185 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.185, outside
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.1 255.255.255.255 is directly connected, inside
C        xxx.xxx.xxx.184 255.255.255.248 is directly connected, outside
L        xxx.xxx.xxx.186 255.255.255.255 is directly connected, outside

ASA2(config)# show run route
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.185 1

 

ASA2(config-network-object)# show nat

Auto NAT Policies (Section 2)
1 (inside_6) to (outside) source dynamic LocalLAN PublicIP1
    translate_hits = 0, untranslate_hits = 0
2 (inside_1) to (outside) source dynamic obj_any1 interface
    translate_hits = 0, untranslate_hits = 0
3 (inside_2) to (outside) source dynamic obj_any2 interface
    translate_hits = 0, untranslate_hits = 0
4 (inside_3) to (outside) source dynamic obj_any3 interface
    translate_hits = 0, untranslate_hits = 0
5 (inside_4) to (outside) source dynamic obj_any4 interface
    translate_hits = 0, untranslate_hits = 0
6 (inside_5) to (outside) source dynamic obj_any5 interface
    translate_hits = 0, untranslate_hits = 0
7 (inside_6) to (outside) source dynamic obj_any6 interface
    translate_hits = 55, untranslate_hits = 18
8 (inside_7) to (outside) source dynamic obj_any7 interface
    translate_hits = 0, untranslate_hits = 0

 

Do you have any idea what the problem is and what could help to make it work?
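As an added example from the editor, not code from the original post or from Cisco, the following Python lint reads a constructed excerpt of the running config posted above and flags three patterns a reviewer would check before touching NAT further: a NAT mapped object whose host address is also the default-route next hop (PublicIP1 and the route both use .185), a NAT rule whose real address is one of the ASA's own interface addresses (LocalLAN is the BVI1 address 192.168.1.1), and a dhcpd pool with no dhcpd dns line, so DHCP clients receive no resolver. It assumes the documentation prefix 203.0.113.0/24 in place of the masked xxx.xxx.xxx block; the function name lint_asa_config is the editor's.

```python
import re
from ipaddress import ip_address
# Constructed excerpt modelled on the posted config; 203.0.113.0/24 (a
# documentation prefix) stands in for the masked xxx.xxx.xxx block.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 ip address 203.0.113.186 255.255.255.248
interface BVI1
 ip address 192.168.1.1 255.255.255.0
object network PublicIP1
 host 203.0.113.185
object network LocalLAN
 host 192.168.1.1
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network LocalLAN
 nat (inside_6,outside) dynamic PublicIP1
route outside 0.0.0.0 0.0.0.0 203.0.113.185 1
dhcpd address 192.168.1.2-192.168.1.254 inside
"""

def lint_asa_config(text):
    hosts, iface_ips, nats, findings = {}, set(), [], []
    gateway, dhcp_pool, dhcp_dns, obj = None, False, False, None
    for line in text.splitlines():
        if m := re.match(r"object network (\S+)", line):
            obj = m.group(1)                      # object whose body follows
        elif m := re.match(r"\s+host (\S+)", line):
            hosts[obj] = ip_address(m.group(1))
        elif m := re.match(r"\s+nat \((\S+),(\S+)\) dynamic (\S+)", line):
            nats.append((obj, m.group(3)))        # (real object, mapped target)
        elif m := re.match(r"\s+ip address (\S+) ", line):
            iface_ips.add(ip_address(m.group(1)))
        elif m := re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            gateway = ip_address(m.group(1))
        elif line.startswith("dhcpd address"):
            dhcp_pool = True
        elif line.startswith("dhcpd dns"):
            dhcp_dns = True
    for real, mapped in nats:
        # A mapped address equal to the ISP next hop makes the ASA proxy-ARP
        # for the gateway's own address on the outside segment.
        if gateway and hosts.get(mapped) == gateway:
            findings.append(f"{real}: mapped {mapped} is the default gateway")
        # Translating the firewall's own interface address is rarely intended.
        if hosts.get(real) in iface_ips:
            findings.append(f"{real}: real address is an ASA interface IP")
    if dhcp_pool and not dhcp_dns:
        findings.append("dhcpd pool without 'dhcpd dns': clients get no resolver")
    return findings
```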

4 Replies

balaji.bandi (Hall of Fame)

I do not see any ACL to allow the traffic (or I may have missed it due to the long post).

 

Are you looking to set up a BVI interface? If not, follow the setup below:

https://www.petenetlive.com/KB/Article/0001422

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

johnlloyd_13 (Level 9)

hi,

Is your LAN PC using static DNS or DNS from DHCP?

Try adding this:

dhcpd dns 8.8.8.8 4.2.2.2 interface inside

 

@balaji.bandi @johnlloyd_13 Thank you for your answers.

 

I have tried your advice and it still did not work (dhcpd and removing the BVI, which was very useful in the end).

 

Since I had been trying so many things and there was a lot of mess in the settings, I just decided to reset my Cisco ASA to factory default (configure factory-default). Then I went through a very basic configuration for setting up the firewall, adding your advice (removing the BVI and dhcpd dns), then added dns lookup and a server-group (I have static DNS). I did not add any access lists (I didn't have any before either). And guess what? It works now.

 

It is difficult for me to tell what the reason was that it did not work before.

No worries, in the end it is working, so it may be good to know the lessons learned. Nice to know; we mark this as the solution now, since it is working.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
