ASA 5512 internet connection

Hi,

I'm new to networking and I have a problem setting up an ASA 5512 firewall. The problem is that I can't set up an internet connection inside my network.

I've created two interfaces: WAN with the public IP address (security level 0), and LAN with the IP of 192.168.35.4, security level 100. Actually, we are replacing the old router, and this one should take its address. I've added a static route 0\0 to my default gateway, and I'm able to ping Google's DNS server from the router, but can't from a network computer. The network switch is also present on 192.168.35.254.

For testing purposes I've changed the WAN IP address to 192.168.99.1 and attached a computer to it with IP 192.168.99.2, and when I try to ping it from the LAN interface, it does not return a ping.

I would appreciate any help.

Roberto Kippins
Beginner

Hi, with the ASA you will need to add some NAT configuration to translate your inside network out to the internet. To better help you, can you post some configs?

Hi Roberto, thank you for your help. I've uploaded an Interfaces screenshot, a NAT screenshot and an Access Rules screenshot. Just note that I'll be using only two interfaces (LAN and WAN), and WAN will be configured with the public IP address, subnet mask and route to the default gateway.

You won't be able to ping the WAN interface from the LAN as ASAs don't allow this.

Unless you mean trying to ping the computer connected to the WAN interface ?

If possible can you post the running configuration and not ASDM screens.

If you can't no problem but I can never make any sense out of the ASDM screens :-)

Also, if possible, try and do your testing from end devices on either side and not using any of the ASA interfaces, as this doesn't always work and can lead to misleading results.

Jon

Hi Jon,

I'm not trying to ping the WAN interface, but the computer connected to it. And I'm doing so from the computer connected to the LAN interface through the switch. But that's only for testing purposes; the main problem is that I don't have Internet access on the network connected to the LAN interface, so I suppose that the problem is the same.

Yes I suspect it is.

Can you try and download the running configuration and then post it here.

Before that though if you are using ping to test from the inside to outside then because ICMP is not stateful you need to do one of two things to allow the return packets back in -

1) enable ICMP inspection

or

2) allow the ping replies back from the outside in the acl you have applied inbound on the outside interface assuming you have one.

With TCP and UDP you don't need to do this but like I say ICMP behaves differently.

Jon

Result of the command: "show config"

: Saved
: Written by enable_15 at 17:05:11.008 CEST Fri Feb 20 2015
!
ASA Version 9.1(2) 
!
hostname ciscoasa
enable password 0EnLStscpb84AAdM encrypted
names
!
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 192.168.99.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.35.6 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif LanTest
 security-level 0
 ip address 192.168.9.1 255.255.255.0 
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup WAN
dns domain-lookup LAN
dns server-group DefaultDNS
 name-server 208.67.222.222
 name-server 208.67.220.220
 name-server 8.8.8.8
 name-server 8.8.4.4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Bruce
 host 192.168.35.203
object network Buzz
 host 192.168.35.202
object network Exchange
 host 192.168.35.205
object network Fiona
 host 192.168.35.25
object network Mirror2
 host 192.168.35.24
object network Remy
 host 192.168.35.147
object network VOIP-Phone
 host 192.168.35.152
object service 81
 service tcp source eq 81 destination eq 81 
object service Fax-TCP
 service tcp source eq 5061 destination eq 5061 
object service Fax-UDP
 service udp source eq 5061 destination eq 5061 
object service Phone1
 service tcp source range sip 5090 destination range sip 5090 
object service Phone2
 service udp source range sip 5090 destination range sip 5090 
object service Phone3
 service udp source range 7000 7499 destination range 7000 7499 
object service Phone4
 service udp source range 9000 9049 destination range 9000 9049 
object service Phone5
 service udp source eq 10000 destination eq 10000 
object service SVN
 service tcp source eq 3690 destination eq 3690 
object service Sipgate
 service udp source eq sip destination eq sip 
object service Telavox
 service udp source eq sip destination eq sip 
object service Voiptalk
 service udp source eq sip destination eq sip 
object network Dug
 host 192.168.35.39
object network obj-0.0.0.0
 subnet 0.0.0.0 0.0.0.0
access-list WAN_cryptomap extended permit ip 192.168.35.0 255.255.255.0 192.168.11.0 255.255.255.0 
access-list WAN_cryptomap_1 extended permit ip 192.168.35.0 255.255.255.0 192.168.135.0 255.255.255.0 
access-list WAN_cryptomap_4 extended permit ip 192.168.35.0 255.255.255.0 10.176.0.0 255.240.0.0 
access-list WAN_cryptomap_2 extended permit ip 192.168.35.0 255.255.255.0 192.168.13.0 255.255.255.0 
access-list WAN_access_in extended permit tcp any interface WAN eq pptp 
access-list WAN_access_in extended permit object Telavox any interface WAN 
access-list global_access extended permit object Phone1 object Dug any 
access-list global_access extended permit object Phone2 object Dug any 
access-list global_access extended permit object Phone3 any any 
access-list global_access extended permit object Phone4 any any 
access-list global_access extended permit object Phone5 any any 
access-list global_access extended permit object Phone1 object VOIP-Phone any 
access-list global_access extended permit object Phone2 object VOIP-Phone any 
access-list global_access extended deny object Phone1 any any 
access-list global_access extended deny object Phone2 any any 
access-list global_access extended permit tcp object Exchange any eq smtp 
access-list global_access extended permit tcp object Exchange any eq pop3 
pager lines 24
logging asdm informational
mtu Management 1500
mtu WAN 1500
mtu LAN 1500
mtu LanTest 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Management
icmp permit any LAN
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Dug
 nat (LAN,WAN) static interface service tcp pptp pptp 
object network obj-0.0.0.0
 nat (LAN,WAN) dynamic interface
!
nat (WAN,LAN) after-auto source static any any destination static interface Dug service Telavox Telavox no-proxy-arp
nat (LAN,WAN) after-auto source dynamic any interface
access-group WAN_access_in in interface WAN
access-group global_access global
route WAN 0.0.0.0 0.0.0.0 192.168.99.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
aaa authorization command LOCAL 
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 Management
http 192.168.0.0 255.255.0.0 Management
http 192.168.0.0 255.255.0.0 LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map WAN_map0 1 match address WAN_cryptomap
crypto map WAN_map0 1 set peer 87.250.55.3 
crypto map WAN_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map0 2 match address WAN_cryptomap_1
crypto map WAN_map0 2 set peer 89.150.226.81 
crypto map WAN_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map0 3 match address WAN_cryptomap_2
crypto map WAN_map0 3 set peer 93.87.60.250 
crypto map WAN_map0 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map0 5 match address WAN_cryptomap_4
crypto map WAN_map0 5 set peer 78.136.7.248 
crypto map WAN_map0 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map0 interface WAN
crypto ca trustpool policy
crypto ikev1 enable WAN
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 LAN
telnet 192.168.35.0 255.255.255.0 LAN
telnet timeout 5
ssh 192.168.35.0 255.255.255.0 LAN
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access LAN
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1 
password-policy minimum-length 10
password-policy minimum-uppercase 1
password-policy minimum-numeric 1
username telnet password UBDVVNhXLXYuxKdR encrypted privilege 15
username Manager password DRq0OEQUQvtvAaAs encrypted privilege 15
tunnel-group Colocation type ipsec-l2l
tunnel-group Colocation general-attributes
 annotation CryptoMapEntry=WAN_map0[2]
 default-group-policy GroupPolicy1
tunnel-group Colocation ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Belgrade type ipsec-l2l
tunnel-group Belgrade general-attributes
 annotation CryptoMapEntry=WAN_map0[1]
 default-group-policy GroupPolicy1
tunnel-group Belgrade ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group Pancevo type ipsec-l2l
tunnel-group Pancevo general-attributes
 annotation CryptoMapEntry=WAN_map0[3]
 default-group-policy GroupPolicy1
tunnel-group Pancevo ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group RackSpace type ipsec-l2l
tunnel-group RackSpace general-attributes
 annotation CryptoMapEntry=WAN_map0[5]
 default-group-policy GroupPolicy1
tunnel-group RackSpace ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map icmp-class
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 5 mode exec command dir
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command service-policy
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:0ed54b5a914e596dd4ecdfa8ed65c609

I've enabled ICMP inspection but it's still the same. Can anyone help?

What IP address are you testing from and to ie. what are the IPs in the ping ?

Jon

I'm pinging 192.168.99.2 from 192.168.35.110, and also from the LAN interface.

Can you run this command on the ASA and post the output -

"packet-tracer input inside icmp 192.168.35.11 192.168.99.2"

Jon

packet-tracer input lan icmp 192.168.35.11 192.168.99.2
                                                                           ^
ERROR: % Invalid input detected at '^' marker.

can you try -

packet-tracer input inside icmp 192.168.35.11 8 0 192.168.99.2

that should show if the ASA is allowing it through.

If you want to try it from outside you need to add this line to acl on the outside interface -

access-list WAN_access_in permit icmp host 192.168.99.2 host 192.168.35.11

and then -

packet-tracer input outside icmp 192.168.99.2 0 0 192.168.35.11

Jon

It's only important for me to access the outside from the inside. Here are the results.

Result of the command: "packet-tracer input lan icmp 192.168.35.11 8 0 192.168.99.2"

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.99.0    255.255.255.0   WAN

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I think it's your global_access acl.

You haven't applied it to an interface with the access-group command.

So it applies to all interfaces which includes the LAN interface as well as the WAN interface.

So either add ICMP in there or remove the acl if you don't want it applied to all interfaces.

Jon
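The two points the replies above rest on (that a global ACL carries an implicit deny that applies to every interface, LAN included, and that an ICMP echo reply only gets back in when "inspect icmp" is on or the WAN ACL permits it) can be checked without a lab. The following Python model is an added illustration written for this page; it is not Cisco code and not the poster's configuration. It assumes the order of operations Jon describes (ingress-interface ACL, then the global ACL, then the implicit deny; the security-level default only when no ACL is bound at all) and reproduces a constructed subset of the posted running config: the interface names and security levels, WAN_access_in on WAN, global_access bound globally, no ACL on LAN, and "inspect icmp" enabled as the poster says.

```python
from copy import deepcopy
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port

    @staticmethod
    def _in(addr: str, net: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net, strict=False)

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return (self.proto in ("ip", proto)
                and self._in(src, self.src) and self._in(dst, self.dst)
                and (self.dport is None or self.dport == dport))


@dataclass
class Interface:
    name: str
    security_level: int
    acl_in: Optional[str] = None  # bound with "access-group <acl> in interface <name>"


class Asa:
    def __init__(self, interfaces, acls, global_acl=None, inspect_icmp=False):
        self.interfaces = {i.name: i for i in interfaces}
        self.acls = acls                  # acl name -> list of Ace, in order
        self.global_acl = global_acl      # bound with "access-group <acl> global"
        self.inspect_icmp = inspect_icmp  # "inspect icmp" in the global policy

    def check_flow(self, in_if, out_if, proto, src, dst, dport=None):
        """Decision for the first packet of a new flow entering in_if."""
        consulted = False
        for name in (self.interfaces[in_if].acl_in, self.global_acl):
            if name is None:
                continue
            consulted = True
            for ace in self.acls[name]:
                if ace.matches(proto, src, dst, dport):
                    return ace.action, f"{name}: explicit {ace.action}"
        if consulted:  # every bound ACL (global included) ends in an implicit deny
            return "drop", "implicit deny at end of ACL"
        if self.interfaces[in_if].security_level > self.interfaces[out_if].security_level:
            return "permit", "security-level default: high to low"
        return "drop", "security-level default: low to high"

    def check_icmp_reply(self, in_if, out_if, src, dst):
        """Echo reply returning from out_if to the host on in_if that sent the request."""
        if self.inspect_icmp:
            return "permit", "inspect icmp: reply matched to tracked request"
        return self.check_flow(out_if, in_if, "icmp", dst, src)  # treated as a new flow


def posted_config(inspect_icmp: bool = True) -> Asa:
    """Constructed subset of the posted config; only entries relevant to the test."""
    return Asa(
        interfaces=[Interface("WAN", 0, acl_in="WAN_access_in"), Interface("LAN", 100)],
        acls={
            "WAN_access_in": [Ace("permit", "tcp", "any", "192.168.99.1/32", 1723)],  # pptp
            "global_access": [
                Ace("permit", "udp", "192.168.35.39/32", "any", 5060),   # Phone2 from Dug
                Ace("deny", "udp", "any", "any", 5060),                  # deny Phone2 any any
                Ace("permit", "tcp", "192.168.35.205/32", "any", 25),    # Exchange smtp
                Ace("permit", "tcp", "192.168.35.205/32", "any", 110),   # Exchange pop3
            ],
        },
        global_acl="global_access",
        inspect_icmp=inspect_icmp,
    )


def fix_permit_icmp(asa: Asa) -> Asa:
    """Option 1: access-list global_access extended permit icmp any any"""
    fixed = deepcopy(asa)
    fixed.acls["global_access"].append(Ace("permit", "icmp", "any", "any"))
    return fixed


def fix_unbind_global(asa: Asa) -> Asa:
    """Option 2: no access-group global_access global"""
    fixed = deepcopy(asa)
    fixed.global_acl = None
    return fixed


if __name__ == "__main__":
    ping = ("LAN", "WAN", "icmp", "192.168.35.11", "192.168.99.2")  # the packet-tracer test
    asa = posted_config()
    print("as posted          :", asa.check_flow(*ping))
    print("icmp permitted     :", fix_permit_icmp(asa).check_flow(*ping))
    print("global ACL unbound :", fix_unbind_global(asa).check_flow(*ping))
    print("reply, no inspect  :", posted_config(False).check_icmp_reply(*ping[:2], *ping[3:]))
```

Run as a script it prints the same "implicit deny" drop that the packet-tracer output shows for the posted config, a permit for either of the two fixes Jon offers, and, with inspection switched off, the drop of the echo reply that his earlier reply warns about. Note that the `icmp permit any LAN` line in the config governs only pings addressed to the ASA's own interface, which is why it has no effect on this through-traffic.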
