ASA5520 not connecting to internet

ashnil.kumar
Level 1

hello experts

I have a Cisco 3750 switch connected to the ASA5520, which is connected to the internet.

LAN ----> Catalyst -----> ASA5520 ------> INTERNET

10.1.4.0 ---10.0.0.1 ----10.0.0.2 ------- 203.98.227.3

On my switch I have VLANs configured. From the 10.1.4.0 network, I'm able to ping the switch gateway. I can ping the inside of the ASA. See my ASA config below. I have allowed http and dns traffic outside but cannot browse the internet from the 10.1.4.0 network. Please help.

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.98.227.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
object-group icmp-type ICMP_GRP
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object information-reply
 icmp-object information-request
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list in_out extended permit tcp 10.1.4.0 255.255.255.224 any eq www
access-list in_out extended permit object-group TCPUDP 10.1.4.0 255.255.255.224 any eq domain
access-list in_out extended permit icmp any any object-group ICMP_GRP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (any,any) source static any any
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 203.98.227.3 1
route inside 10.1.4.0 255.255.255.224 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dc2ba7a91c9d2244fd109ef7c46e2547
: end

9 Replies

mvsheik123
Level 7

Hi,

What is the ASA version? If it is pre-8.3, can you try...

1. remove

nat (any,any) source static any any

2. Add:

nat (inside) 1 0 0

global (outside) 1 interface

access-list in_out extended permit tcp 10.1.4.0 255.255.255.224 any eq https

hth

MS

hi

ASA version 8.4(2), so I cannot enter the commands except for the last one. Still no internet access.

8.3 & up...

object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Try and post the results.

Thx

MS

hi

Tried the config but no luck yet. See the ASA config below. Attached are a few screenshots of the packet tracer.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password xxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.98.227.220 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group icmp-type ICMP_GRP
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object information-reply
 icmp-object information-request
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list in_out extended permit tcp 10.1.4.0 255.255.255.224 any eq www
access-list in_out extended permit object-group TCPUDP 10.1.4.0 255.255.255.224 any eq domain
access-list in_out extended permit tcp 10.1.4.0 255.255.255.224 any eq https
access-list in_out extended permit ip any any
access-list in_out extended permit icmp any any object-group ICMP_GRP
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 203.98.227.3 1
route inside 10.1.4.0 255.255.255.224 10.0.0.1 1
route inside 10.10.10.0 255.255.255.128 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.1.4.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:bc571cc40077cde13fa27e347e0e39e9
: end

ebarticel
Level 4

Do you have a default route on the switch for 10.1.40.0?

Indeed, it was a route problem on my switch. I had a default-gateway configured. I removed it and put in ip route 0.0.0.0 0.0.0.0 and it works like a charm.

Thank you all who contributed.

One more question.

I have two email servers with public ips on my internal network.

Email server1 - 203.98.227.2   ---- internal ip 10.1.4.5

Email server 2 - 203.98.227.4   ---- internal ip 10.1.4.6

I want my email server (10.1.4.5) to use static NAT of 203.98.227.2 when sending and receiving email, and email server 2 (10.1.4.6) to use static NAT of 203.98.227.16 when sending and receiving email.

I have a web server (global ip 203.98.227.6, internal ip 10.1.4.8). How do I forward all traffic coming to the ASA public interface with the web server ip address to 10.1.4.8?

Thanks everyone.
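For readers hitting the same "can ping the ASA inside but no internet" symptom, here is a worked Catalyst 3750 configuration that reproduces the fix the poster describes: on a switch with ip routing enabled, ip default-gateway is ignored and a real default route toward the ASA inside address is needed. This is an added example, not the poster's switch config; the SVI number (Vlan4), the SVI address 10.1.4.1, and the uplink port GigabitEthernet1/0/1 are assumptions, while the subnets and the 10.0.0.1/10.0.0.2 link come from the thread.

```cisco
! Catalyst 3750 (IOS), added example; VLAN id, SVI address and port name are assumed
ip routing
!
! Access subnet from the thread: 10.1.4.0/27, switch is the hosts' gateway
interface Vlan4
 ip address 10.1.4.1 255.255.255.224
!
! Routed point-to-point link to the ASA inside interface (10.0.0.2/30)
interface GigabitEthernet1/0/1
 description Uplink to ASA5520 Gi0/1
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
! ip default-gateway only applies when the switch is NOT routing; remove it
no ip default-gateway
! With ip routing on, the switch needs a default route pointing at the ASA
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
! Verification on the switch: the gateway of last resort must show 10.0.0.2
! show ip route 0.0.0.0
!
! The ASA side already has the return route from the thread:
!   route inside 10.1.4.0 255.255.255.224 10.0.0.1 1
! and can confirm the forward path with packet-tracer (203.98.227.3 is the
! upstream gateway from the thread, 10.1.4.10 is a constructed host address):
!   packet-tracer input inside tcp 10.1.4.10 12345 203.98.227.3 80
```

Without the default route the switch can still reach 10.0.0.2 (directly connected), which is why pinging the ASA inside works while anything beyond it is dropped on the switch with "no route to host" long before the ASA sees a packet.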

Try these commands

static (inside, outside) tcp 203.98.227.6 http 10.1.4.8 http netmask 255.255.255.255

static (inside, outside) tcp 203.98.227.2 smtp 10.1.4.5 smtp netmask 255.255.255.255

static (inside, outside) tcp 203.98.227.4 smtp 10.1.4.6 smtp netmask 255.255.255.255

Hope this helps

Eugen

Hi Eugen,

My ASA has version 8.4(2), so I cannot put in the commands.

Do you also need to put an access list with the NAT commands?

If you cannot use those commands, then better use an extended ACL with the NAT commands.

Eugen
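Since the poster is on 8.4(2), the pre-8.3 static commands above do not apply. Here is the 8.3+ equivalent of the mail and web server NAT, written as an added example (not Eugen's or the poster's config): one-to-one static object NAT per server plus an inbound ACL on the outside interface, which on 8.3+ must reference the real (inside) addresses, not the public ones. The inside and public addresses come from the thread; the object and ACL names are assumptions, and 203.98.227.4 is used for server 2 because the poster gives both .4 and .16 for it.

```cisco
! ASA 8.4(2), added example; object and ACL names are assumed
! The existing obj_any dynamic PAT stays in place for everything else.
! Static object NAT rules are evaluated before dynamic ones, so these
! hosts are translated 1:1 instead of being PATed to the interface address.
!
! Mail server 1: 10.1.4.5 <-> 203.98.227.2
object network MAIL1_INSIDE
 host 10.1.4.5
 nat (inside,outside) static 203.98.227.2
!
! Mail server 2: 10.1.4.6 <-> 203.98.227.4
object network MAIL2_INSIDE
 host 10.1.4.6
 nat (inside,outside) static 203.98.227.4
!
! Web server: 10.1.4.8 <-> 203.98.227.6
object network WEB_INSIDE
 host 10.1.4.8
 nat (inside,outside) static 203.98.227.6
!
! Inbound policy: outside (0) -> inside (100) is denied unless permitted.
! On 8.3+ the ACL matches the REAL address, because NAT is untranslated
! before the ACL is checked. Only the ports each server needs are opened.
access-list outside_in extended permit tcp any host 10.1.4.5 eq smtp
access-list outside_in extended permit tcp any host 10.1.4.6 eq smtp
access-list outside_in extended permit tcp any host 10.1.4.8 eq www
access-list outside_in extended permit tcp any host 10.1.4.8 eq https
access-group outside_in in interface outside
!
! Verification (198.51.100.10 is a constructed external client):
!   show nat detail
!   show xlate
!   packet-tracer input outside tcp 198.51.100.10 40000 203.98.227.6 80
```

A full 1:1 static (no "service" keyword) is used on purpose: it also makes outbound mail from 10.1.4.5 leave sourced from 203.98.227.2 rather than the interface address 203.98.227.220, which is what "sending and receiving" implies. If the translation were limited with "service tcp smtp smtp", only port-25 flows would use the public mail address and other outbound traffic from that host would fall through to obj_any. Restricting exposure is then the job of the outside_in ACL, not of the NAT rule.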
