07-12-2021 02:15 PM
Hi,
I have a Cisco ASA-5506-X. I am pretty new to this. I switched from a dynamic IP address to a static IP address.
My static IP subnet is xxx.xxx.xxx.184/29, hence my subnet mask is 255.255.255.248 and my static IP address range is xxx.xxx.xxx.186-190.
My purpose is to create a PAT that will assign my static IPs to the ports. At this moment I cannot even create one PAT.
When I plug my internet connection with the static IP address into a WiFi router, it works. Here is the configuration:
Connection Type: Static IP
IP address: xxx.xxx.xxx.186
Subnet Mask: 255.255.255.248
Gateway: xxx.xxx.xxx.185
Primary DNS Server: xxx.xxx.xxx.242
Secondary DNS Server: xxx.xxx.xxx.34
Currently I am connected to the ASA-5506-X through an Ethernet cable plugged into port 7 (inside_6).
I use the Cisco ASA CLI. When I ping an IP address or website from the ASA CLI while connected to the console port, everything works.
ASA2(config)# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2(config)# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 142.250.200.36, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
However, the internet does not work in the browser. Chrome shows ERR_NAME_NOT_RESOLVED. Any ping from the console on my computer, not in the ASA CLI, does not work.
User ~ % ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
User ~ % ping www.google.com
ping: cannot resolve www.google.com: Unknown host
I went through packet tracing as advised here: "I can ping, but not browse the internet.. ASA 5505"
ASA2(config)# packet-tracer input inside_6 tcp 192.168.1.10 12345 8.8.8.8 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop xxx.xxx.xxx.185 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any6
nat (inside_6,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.10/12345 to xxx.xxx.xxx.186/12345
Forward Flow based lookup yields rule:
in id=0x7f8b6f719790, priority=6, domain=nat, deny=false
hits=73, user_data=0x7f8b6f70bcc0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside_6, output_ifc=outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
hits=825362, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8b6eacb990, priority=0, domain=inspect-ip-options, deny=true
hits=887, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
hits=825363, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8b6eb88c70, priority=0, domain=inspect-ip-options, deny=true
hits=431263, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
hits=825365, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8b6e88b720, priority=0, domain=inspect-ip-options, deny=true
hits=786699, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8b6dc5d580, priority=0, domain=nat-per-session, deny=false
hits=825366, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f8b6e88b720, priority=0, domain=inspect-ip-options, deny=true
hits=786700, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 408188, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside_6
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Here are my configurations:
ASA2(config)# show run
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname ASA2
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address xxx.xxx.xxx.186 255.255.255.248
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxx.xxx.xxx.242 outside
name-server xxx.xxx.xxx.34 outside
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network PublicIP1
host xxx.xxx.xxx.185
object network LocalLAN
host 192.168.1.1
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
icmp deny any echo outside
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network LocalLAN
nat (inside_6,outside) dynamic PublicIP1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.185 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
service sw-reset-button
telnet timeout 5
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
service-policy global_policy global
prompt hostname context
ASA2(config)# show int ip brief
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 xxx.xxx.xxx.186 YES manual up up
GigabitEthernet1/2 192.168.1.1 YES unset down down
GigabitEthernet1/3 192.168.1.1 YES unset down down
GigabitEthernet1/4 192.168.1.1 YES unset down down
GigabitEthernet1/5 192.168.1.1 YES unset down down
GigabitEthernet1/6 192.168.1.1 YES unset up up
GigabitEthernet1/7 192.168.1.1 YES unset up up
GigabitEthernet1/8 192.168.1.1 YES unset down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up down
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Internal-Data1/4 169.254.1.1 YES unset up up
Management1/1 unassigned YES unset down down
BVI1 192.168.1.1 YES CONFIG up up
ASA2(config)# show nameif
Interface Name Security
GigabitEthernet1/1 outside 0
GigabitEthernet1/2 inside_1 100
GigabitEthernet1/3 inside_2 100
GigabitEthernet1/4 inside_3 100
GigabitEthernet1/5 inside_4 100
GigabitEthernet1/6 inside_5 100
GigabitEthernet1/7 inside_6 100
GigabitEthernet1/8 inside_7 100
BVI1 inside 100
ASA2(config)# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is xxx.xxx.xxx.185 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via xxx.xxx.xxx.185, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C xxx.xxx.xxx.184 255.255.255.248 is directly connected, outside
L xxx.xxx.xxx.186 255.255.255.255 is directly connected, outside
ASA2(config)# show run route
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.185 1
ASA2(config-network-object)# show nat
Auto NAT Policies (Section 2)
1 (inside_6) to (outside) source dynamic LocalLAN PublicIP1
translate_hits = 0, untranslate_hits = 0
2 (inside_1) to (outside) source dynamic obj_any1 interface
translate_hits = 0, untranslate_hits = 0
3 (inside_2) to (outside) source dynamic obj_any2 interface
translate_hits = 0, untranslate_hits = 0
4 (inside_3) to (outside) source dynamic obj_any3 interface
translate_hits = 0, untranslate_hits = 0
5 (inside_4) to (outside) source dynamic obj_any4 interface
translate_hits = 0, untranslate_hits = 0
6 (inside_5) to (outside) source dynamic obj_any5 interface
translate_hits = 0, untranslate_hits = 0
7 (inside_6) to (outside) source dynamic obj_any6 interface
translate_hits = 55, untranslate_hits = 18
8 (inside_7) to (outside) source dynamic obj_any7 interface
translate_hits = 0, untranslate_hits = 0
Do you have any idea what the problem is and what could help to make it work?
07-12-2021 06:32 PM
I do not see any ACL to allow the traffic (or I may have missed it due to the long post).
Are you looking to set up a BVI interface? If not, follow the setup below:
https://www.petenetlive.com/KB/Article/0001422
07-12-2021 08:00 PM
Hi,
Is your LAN PC using static DNS or DNS from DHCP?
Try adding this:
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
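As an added example (not code from this thread or from Cisco), here is a small Python audit that reads a pasted `show run` and flags the two things this thread turns on: a DHCP scope with no `dhcpd dns` option, which leaves clients able to reach IP addresses but not names while the ASA's own CLI still resolves through `dns domain-lookup`, and an object-NAT rule whose mapped host is the static route's next hop (in the original post, `PublicIP1` is the gateway xxx.xxx.xxx.185, an address the firewall does not own). The sample config is constructed from the original post's configuration with the public block replaced by the documentation range 203.0.113.0/24; the class, function and regex names are the example's own.

```python
"""Audit a Cisco ASA `show run` for two client-connectivity pitfalls.

Added example for this thread (not Cisco code, not the poster's tooling).
  1. `dhcpd enable <ifc>` with no `dhcpd dns`: clients get an address but no resolver.
  2. Object-NAT mapped address equal to a static-route next hop: PAT onto the ISP gateway.
SAMPLE_CONFIG is constructed from the thread's config, public block -> 203.0.113.0/24.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
dns domain-lookup outside
object network PublicIP1
 host 203.0.113.185
object network LocalLAN
 host 192.168.1.1
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network LocalLAN
 nat (inside_6,outside) dynamic PublicIP1
route outside 0.0.0.0 0.0.0.0 203.0.113.185 1
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
"""

OBJECT_RE = re.compile(r"object network (\S+)$")
HOST_RE = re.compile(r"host (\S+)$")
NAT_RE = re.compile(r"nat \((\S+?),(\S+?)\) (?:dynamic|static) (\S+)")
ROUTE_RE = re.compile(r"route (\S+) (\S+) (\S+) (\S+)")
DHCP_ENABLE_RE = re.compile(r"dhcpd enable (\S+)$")
DHCP_DNS_RE = re.compile(r"dhcpd dns (.+?)(?: interface (\S+))?$")
OBJECT_SUBCMDS = ("host ", "subnet ", "range ", "fqdn ", "description ", "nat (")


@dataclass
class AsaConfig:
    object_hosts: dict = field(default_factory=dict)  # object name -> host address
    nat_rules: list = field(default_factory=list)     # (object, real_ifc, mapped_ifc, mapped)
    next_hops: set = field(default_factory=set)       # static-route next-hop addresses
    dhcp_enabled: set = field(default_factory=set)    # interfaces running the DHCP server
    dhcp_dns_ifcs: set = field(default_factory=set)   # interfaces with a per-scope dns option
    dhcp_dns_global: list = field(default_factory=list)  # `dhcpd dns` without `interface`


def parse_asa_config(text: str) -> AsaConfig:
    cfg = AsaConfig()
    current = None  # `object network` whose sub-commands we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        if m := OBJECT_RE.match(line):
            current = m.group(1)
            continue
        # ASA indents object sub-commands by one space, but configs pasted into a
        # forum post usually lose the indent, so key on the keyword instead.
        if line.startswith(OBJECT_SUBCMDS) and current:
            if m := HOST_RE.match(line):
                cfg.object_hosts[current] = m.group(1)
            elif m := NAT_RE.match(line):
                cfg.nat_rules.append((current, m.group(1), m.group(2), m.group(3)))
            continue
        current = None
        if m := ROUTE_RE.match(line):
            cfg.next_hops.add(m.group(4))
        elif m := DHCP_ENABLE_RE.match(line):
            cfg.dhcp_enabled.add(m.group(1))
        elif m := DHCP_DNS_RE.match(line):
            if m.group(2):
                cfg.dhcp_dns_ifcs.add(m.group(2))
            else:
                cfg.dhcp_dns_global.extend(m.group(1).split())
    return cfg


def audit(cfg: AsaConfig) -> list:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    for ifc in sorted(cfg.dhcp_enabled):
        if ifc not in cfg.dhcp_dns_ifcs and not cfg.dhcp_dns_global:
            findings.append(f"DHCP scope on '{ifc}' hands out no DNS server, so clients reach "
                            f"IPs but not names. Add: dhcpd dns <primary> [<secondary>] interface {ifc}")
    for obj, real_ifc, mapped_ifc, mapped in cfg.nat_rules:
        addr = cfg.object_hosts.get(mapped)  # the `interface` keyword has no object entry
        if addr and addr in cfg.next_hops:
            findings.append(f"nat ({real_ifc},{mapped_ifc}) on '{obj}' maps to {mapped} = {addr}, "
                            f"the next hop of a static route; the ASA proxy-ARPs for mapped NAT "
                            f"addresses unless no-proxy-arp is set, so it would contend with the "
                            f"upstream gateway for that address. Use an address from your own block.")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_asa_config(SAMPLE_CONFIG)) or ["no findings"]:
        print("-", finding)
```

Run as-is it reports both findings against the constructed sample; appending the `dhcpd dns 8.8.8.8 4.2.2.2 interface inside` line from the reply above clears the first one, and the second stays until the mapped object points at an address inside the assigned /29.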
07-15-2021 03:23 AM - edited 07-15-2021 03:23 AM
@balaji.bandi @johnlloyd_13 Thank you for your answers.
I have tried your advice and it still did not work (dhcpd and removing the BVI, which was very useful in the end).
Since I had been trying so many things and there was a lot of mess in the settings, I just decided to reset my Cisco ASA to factory default (configure factory-default). Then I went through a super basic configuration for setting up the firewall, adding your advice (removing the BVI and dhcpd dns), then added dns lookup and server-group (I have static DNS). I did not add any access lists (I didn't have any before either). And guess what? It works now.
It is difficult for me to tell what the reason was that it did not work before.
07-15-2021 06:45 AM
No worries, in the end it is working, so it may be good to know the lessons learned. Nice to know; we mark it as the solution now, since it is working.