Users behind ASA5505 Firewall are unable to access the internet

michoco911
Level 1

I have a normal setup of ASA5505 (without security license) connected behind an internet router.

From the ASA5505 console I can ping the Internet.

However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem.

In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.

When I replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.

The ASA5505 configuration is shown below. Please advise regarding the potential problem:

hostname Firewall
interface Ethernet0/0
 description Connected To Internet Router
 switchport access vlan 10
!
interface Ethernet0/1
 description Connected To Internal Core Switch 192.168.1.20
 switchport access vlan 20
!
interface Vlan10
 description Connected To Internet Router
 nameif outside
 security-level 0
 ip address 195.228.185.82 255.255.255.248
!
interface Vlan20
 description Connected To Internal Core Switch 192.168.1.20
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list Internet-ACL extended permit ip 192.168.1.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.2.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.3.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.4.0 255.255.255.0 any
access-list Internet-ACL extended permit ip 192.168.5.0 255.255.255.0 any
route outside 0.0.0.0 0.0.0.0 195.228.185.85 1
route inside 192.168.2.0 255.255.255.0 192.168.1.20 1
route inside 192.168.3.0 255.255.255.0 192.168.1.20 1
route inside 192.168.4.0 255.255.255.0 192.168.1.20 1
route inside 192.168.5.0 255.255.255.0 192.168.1.20 1
global (outside) 1 interface
nat (inside) 1 access-list Internet-ACL
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2

2 Replies

Hi,

It is normal that you cannot PING the internet since this will not work by default from behind the firewall.

You need to add inspect icmp to the global_default_policy

Now, the internal users should be able to get to the Internet. Check that the translations and connections are being built with sh xlate and sh conn.

Hope it helps.

Federico.

cadet alain
VIP Alumni

Hi,

By default there is no ICMP inspection on the ASA, which means that return packets to ICMP issued from a high security level towards a low security level are not allowed.

So you must enable ICMP inspection or put an ACL on the outside interface inbound permitting ICMP echo-replies.

http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/trouble.html#wp1059758

To verify where the ASA is stuck when forwarding traffic you can use packet-tracer:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1878788

Regards.

Alain.

Don't forget to rate helpful posts.
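As an added illustration of the two fixes suggested in the replies above and of the packet-tracer check (this is example configuration written for this thread, not the poster's config and not Cisco documentation): it assumes the ASA still has its out-of-the-box class-map inspection_default / policy-map global_policy / service-policy global_policy global, which is what Federico refers to as the global default policy. The ACL name OUTSIDE-IN, the inside host 192.168.1.50 and the destination 198.51.100.10 (documentation range) are assumed values for the example.

```cisco
! Added example (not from the thread). Assumes the ASA default
! class-map inspection_default / policy-map global_policy /
! service-policy global_policy global are still present, as they
! are out of the box on an 8.x ASA.
!
! Option 1 (Federico, Alain): stateful ICMP inspection. Echo-replies
! for pings that left inside->outside are matched to their request
! and allowed back in; nothing unsolicited is opened.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! Option 2 (Alain's alternative): an inbound ACL on outside that permits
! only the ICMP reply/error types. Every other inbound packet still hits
! the implicit deny at the end of the ACL, so the outside interface is
! not opened up. OUTSIDE-IN is an assumed name.
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-group OUTSIDE-IN in interface outside
!
! Verification. 192.168.1.50 is an assumed inside host and 198.51.100.10
! an assumed Internet destination. packet-tracer walks a simulated packet
! through route lookup, ACL, NAT and inspection and names the first phase
! that drops it, which is how to find where the ASA is "stuck" and why
! the NAT ACL shows no hit counts.
packet-tracer input inside icmp 192.168.1.50 8 0 198.51.100.10 detailed
packet-tracer input inside tcp 192.168.1.50 40000 198.51.100.10 80 detailed
!
! After a real ping or browse from the inside host:
show service-policy inspect icmp
show xlate
show conn
show access-list Internet-ACL
```

Only one of the two options is needed; ICMP inspection is the usual choice because it tracks each echo-reply against its request, whereas the ACL permits those ICMP types from any source. In the packet-tracer output, a drop in the ACCESS-LIST or NAT phase points at the access-list or nat/global statements, while a successful trace for TCP combined with a failing one for ICMP points at the missing ICMP inspection described in the replies.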