Unable to access internet ASA5505

Bobby Mazzotti
Level 1

So I've been struggling with gaining access to the internet through our Comcast business gateway. We have had Comcast configure the device for true static IP subnetting, turned off local DHCP on the device, etc. Here is my config.

ASA Version 9.1(1)
!
hostname TOCN-EX-01A-C5505-GW
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description [ROUTED] !4! Outside CMCST
 switchport access vlan 1000
!
interface Ethernet0/1
 description [TO-IDF] CMST
 switchport access vlan 9
!
interface Ethernet0/2
 switchport access vlan 9
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 description [TO-IDF]
 switchport access vlan 20
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan9
 nameif INSIDE
 security-level 50
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan20
 no forward interface Vlan9
 nameif MGMT
 security-level 100
 ip address 172.25.0.x 255.255.255.0
!
interface Vlan1000
 nameif OUTSIDE
 security-level 0
 ip address 50.x.x.153 255.255.255.252
!
ftp mode passive
object network outside_any
 host 50.x.x.153
object network inside-net
 subnet 192.168.9.0 255.255.255.0
pager lines 24
mtu INSIDE 1500
mtu MGMT 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,any) source static any any destination static outside_any outside_any
!
object network inside-net
 nat (INSIDE,OUTSIDE) dynamic interface
route MGMT 10.0.0.0 255.0.0.0 172.25.0.1 1
route MGMT 172.0.0.0 255.0.0.0 172.25.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.0.0.0 255.0.0.0 MGMT
http 10.0.0.0 255.0.0.0 MGMT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 MGMT
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 MGMT
ssh timeout 10
console timeout 0
management-access MGMT
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd domain guest.com
!
dhcpd address 192.168.9.10-192.168.9.41 INSIDE
dhcpd enable INSIDE
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:91842498fca18c691b7d731b1e0579f9
: end


9 Replies

Julio Carvajal
VIP Alumni

Hello Bobby,

Try this and let me know

nat (inside,outside) 1 source dynamic any interface

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

Thank you for the quick reply. After adding this NAT config, this is what I receive when attempting to ping from the outside interface to 4.2.2.2:

asa# config t
asa(config)# nat (inside,outside) 1 source dynamic any interf$
asa(config)# ping out
asa(config)# ping outSIDE 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Fixup protocol ICMP

Give it a try

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

No such luck:

asa# config t
asaconfig)# Fixup protocol ICMP
INFO: converting 'fixup protocol icmp ' to MPF commands
asa(config)# ping out
asa(config)# ping outSIDE 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Hello.

You are missing the outside route

route outside 0 0 x.x.x.x ( The ISP ) default gateway

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Jcarvaja,

asa(config)# route outSIDE 0 0 50.x.x.153
%Invalid next hop address, it belongs to one of our interfaces

Hello Bobby,

The IP address you must set there is the ISP default gateway (the one on their device {modem, router, ADSL, etc.}, not on your ASA).

Regards,

Remember to rate all of the helpful posts, let me know if you do not know how

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Awesome! That was the ticket

Thank you very much!

Hello Bobby,

Actually it was:

The route

The nat

and the Fixup

Regards,

Remember to rate all of the helpful posts, let me know if you do not know how

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
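As an added example (not from the thread, and not Cisco's or anyone else's tooling), the following Python script reads an ASA-style running config and flags the three things Julio's summary names (a missing default route, NAT from the inside interface to OUTSIDE, and ICMP inspection), the exact mistake Bobby hit on the way (a next hop that is one of the ASA's own interface addresses, which the ASA rejects with "%Invalid next hop address"), and one defender-side note on the `telnet 0.0.0.0 0.0.0.0 MGMT` line from the posted config. The sample configs are constructed from the thread with the masked octets replaced by 0; the MGMT host octet and the ISP gateway address (assumed here to be the other usable host of the /30) are assumptions, since the thread never states them.

```python
import ipaddress
import re

# Constructed sample, condensed from the config posted in the thread.  The masked
# octets ("x") are replaced with 0; the MGMT host octet is assumed to be .2.
ASA_CONFIG_BEFORE = """\
interface Vlan9
 nameif INSIDE
 security-level 50
 ip address 192.168.9.1 255.255.255.0
interface Vlan20
 nameif MGMT
 security-level 100
 ip address 172.25.0.2 255.255.255.0
interface Vlan1000
 nameif OUTSIDE
 security-level 0
 ip address 50.0.0.153 255.255.255.252
object network inside-net
 subnet 192.168.9.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic interface
route MGMT 10.0.0.0 255.0.0.0 172.25.0.1 1
route MGMT 172.0.0.0 255.0.0.0 172.25.0.1 1
telnet 0.0.0.0 0.0.0.0 MGMT
ssh 0.0.0.0 0.0.0.0 MGMT
"""

# Bobby's first attempt: the ASA's own OUTSIDE address used as the next hop.
ASA_CONFIG_WRONG_NEXTHOP = ASA_CONFIG_BEFORE + "route OUTSIDE 0 0 50.0.0.153\n"

# Assumed fix: the ISP gateway is the other usable host of the /30 (not stated in
# the thread), ICMP inspection is enabled, and the telnet line is dropped.
ASA_CONFIG_FIXED = ASA_CONFIG_BEFORE.replace("telnet 0.0.0.0 0.0.0.0 MGMT\n", "") + (
    "route OUTSIDE 0 0 50.0.0.154 1\n"
    "policy-map global_policy\n"
    " class inspection_default\n"
    "  inspect icmp\n"
)


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every interface block that has an address."""
    interfaces, name, addr = {}, None, None
    for line in config.splitlines() + [""]:   # sentinel closes the last block
        if not line.startswith(" "):          # a new top-level command closes the block
            if name and addr:
                interfaces[name] = addr
            name = addr = None
            continue
        parts = line.split()
        if parts[0] == "nameif":
            name = parts[1]
        elif parts[:2] == ["ip", "address"] and len(parts) >= 4:
            addr = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    return interfaces


def _zero(token):
    return "0.0.0.0" if token == "0" else token  # ASA accepts "0 0" for 0.0.0.0 0.0.0.0


def parse_routes(config):
    """Return [(nameif, IPv4Network, next_hop)] for every static route line."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            net = ipaddress.IPv4Network(f"{_zero(parts[2])}/{_zero(parts[3])}", strict=False)
            routes.append((parts[1].upper(), net, ipaddress.IPv4Address(parts[4])))
    return routes


def check_config(config):
    """Lint the config for the problems discussed in the thread; returns finding codes."""
    findings = []
    ifaces = {n.upper(): a for n, a in parse_interfaces(config).items()}
    routes = parse_routes(config)
    own_addrs = {a.ip for a in ifaces.values()}

    if not any(net.prefixlen == 0 for _, net, _ in routes):
        findings.append("NO_DEFAULT_ROUTE")
    for ifname, net, nexthop in routes:
        if nexthop in own_addrs:                       # the "%Invalid next hop" case
            findings.append(f"NEXTHOP_IS_LOCAL:{nexthop}")
        elif ifname in ifaces and nexthop not in ifaces[ifname].network:
            findings.append(f"NEXTHOP_NOT_ON_LINK:{ifname}:{nexthop}")
    # some NAT from a non-OUTSIDE interface to OUTSIDE (object NAT or manual NAT)
    if not re.search(r"^\s*nat \((?!outside)[^,]+,outside\)", config, re.I | re.M):
        findings.append("NO_INSIDE_TO_OUTSIDE_NAT")
    if not re.search(r"^\s*(inspect icmp|fixup protocol icmp)\b", config, re.I | re.M):
        findings.append("NO_ICMP_INSPECTION")
    # defender note: clear-text management permitted from any source address
    if re.search(r"^telnet 0\.0\.0\.0 0\.0\.0\.0 ", config, re.M):
        findings.append("TELNET_ANY_SOURCE")
    return findings


if __name__ == "__main__":
    for label, cfg in [("before", ASA_CONFIG_BEFORE),
                       ("wrong next hop", ASA_CONFIG_WRONG_NEXTHOP),
                       ("fixed", ASA_CONFIG_FIXED)]:
        print(f"{label}: {check_config(cfg) or 'no findings'}")
```

Running it reports the missing default route, the missing ICMP inspection and the open telnet line for the posted config, reports only the local-address next hop for Bobby's first `route` attempt, and reports nothing once the route points at the ISP gateway on the same /30. The on-link check is the useful generalisation: a next hop that is not the ASA's own address but also not inside the egress interface's subnet would be accepted by the parser here yet still never get an ARP reply, so it is flagged separately.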