Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
432
Views
0
Helpful
2
Replies

Can't access internet - Easy question for experts! (ASA 5510)

Go to solution
MARIO PAIVA
Level 1
Level 1

‎11-23-2008 09:11 AM - edited ‎02-21-2020 03:07 AM

Dear All

I can't access internet from my inside network!!

I don't know why!?

Router :

Interface Ethernet f0/0: IP 195.xxx.xxx.17/29 (connect to router)

ASA NETWORK

Interface External e0/0 :IP 195.xxx.xxx.18/29 (connect to router)

Interface internal: e0/1: IP 10.10.100.1 mask 255.255.252.0

ASA Configuration

ASA Version 8.0(2)

!

hostname ciscoasa

domain-name domain.com

enable password xxxxxxxxxxxx encrypted

names

dns-guard

!

interface Ethernet0/0

nameif Interface_to_cisco_router

security-level 0

ip address 195.xxx.xxx.18 255.255.255.248

!

interface Ethernet0/1

nameif Int_Internal_domain

security-level 100

ip address 10.10.100.1 255.255.255.0

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxxxxxxxxxxxx encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone WEST 0

clock summer-time WEDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup Interface_to_cisco_router

dns domain-lookup Int_Internal_domain.com

dns server-group DefaultDNS

name-server 195.22.0.136

name-server 195.22.0.33

domain-name domain.com

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list Interface_to_router_Cisco_access_in extended permit object-group TCPUDP any any eq domain

access-list Interface_to_router_Cisco_access_in extended permit tcp any any eq www

pager lines 24

logging list Registo_eventos_william level emergencies

logging list Registo_eventos_william level emergencies class vpn

logging asdm informational

logging recipient-address william@domain.com level critical

mtu management 1500

mtu Interface_to_router_Cisco 1500

mtu Int_Internal_domain 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (Interface_to_router_Cisco) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

access-group Interface_to_router_Cisco_access_in in interface Interface_to_router_Cisco

route Interface_to_router_Cisco 0.0.0.0 0.0.0.0 195.xxx.xxx.17 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 10.10.100.0 255.255.255.0 Int_Internal_domain

http 10.10.10.0 255.255.255.0 management

http 195.xxx.xxx.16 255.255.255.248 Interface_to_router_Cisco

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet 10.10.100.0 255.255.255.0 Int_Internal_domain

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 10.10.100.20-10.10.100.250 Int_Internal_domain

dhcpd dns 10.10.100.2 195.22.0.136 interface Int_Internal_domain

dhcpd lease 345600 interface Int_Internal_domain

dhcpd domain domain.com interface Int_Internal_domain

dhcpd enable Int_Interna_domain

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

Thanks in advance

MP

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎11-23-2008 10:19 AM

Hi MP,

Based on the below configuration, only traffic from the management interface can to go the internet.

global (Interface_to_router_Cisco) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

You need to include your inside interface in the nat statement if you want to have traffic from inside to go the internet.

Example:

nat (Int_Internal_domain) 101 0.0.0.0 0.0.0.0

Regards,

Arul

*Pls rate if it helps*

View solution in original post

0 Helpful
2 Replies 2

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎11-23-2008 10:19 AM

Hi MP,

Based on the below configuration, only traffic from the management interface can to go the internet.

global (Interface_to_router_Cisco) 101 interface

nat (management) 101 0.0.0.0 0.0.0.0

You need to include your inside interface in the nat statement if you want to have traffic from inside to go the internet.

Example:

nat (Int_Internal_domain) 101 0.0.0.0 0.0.0.0

Regards,

Arul

*Pls rate if it helps*

0 Helpful

Go to solution
MARIO PAIVA
Level 1
Level 1
In response to ajagadee

‎11-24-2008 05:09 AM

Hi Ajagadee

Thanks very much for you post! It did help a lot. I modified the configuration to the following:

global (Interface_to_router_Cisco) 101 interface

nat (Int_Internal) 101 10.10.100.0 255.255.255.0

nat (Int_Internal) 101 0.0.0.0 0.0.0.0

nat (management) 101 0.0.0.0 0.0.0.0

and add access-list

access-list Int_Internal_access_in extended permit tcp any any

access-list Int_Internal_access_in extended permit udp any any

It is know working fine!

Kind regards

MP

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card