Solved: No internet on Cisco Core Switch directly connected to Cisco ASA firewall

Navindar Singh · ‎10-05-2015

I am configuring a Cisco core switch and Cisco ASA firewall from scratch. The firewall WAN and LAN interfaces are both up and i can get internet on the firewall and ping both outside and inside. The Firewall LAN interface is directly connected to the Core switch. I cannot seem to get internet on the core switch. I have added static routes on both ends but its still not working. Can someone please assist me urgently. I have attached the configs of both the switch and the firewall.

Just to add on to that. Before the Firewall, i had installed a cisco router directly connected to the core switch and internet worked fine on the Core switch and all the VLANS. I am not sure what i am missing on the FW configs.

mvsheik123 · ‎10-05-2015

Hi Navindar,

Couple of things...

1. ACL on ASA:

access-list inside_access_in extended permit ip host 10.0.0.0 any

host 10.0.0.0 says single host. Change it to...

access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 any

2. NAT statement for Internal networks...

object network Inside_Net
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface

hth

MS

View solution in original post

mvsheik123 · ‎10-05-2015

Hi Navindar,

Couple of things...

1. ACL on ASA:

access-list inside_access_in extended permit ip host 10.0.0.0 any

host 10.0.0.0 says single host. Change it to...

access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 any

2. NAT statement for Internal networks...

object network Inside_Net
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface

hth

MS

Navindar Singh · ‎10-05-2015

Hello MS, thanks a lot for the quick response, i have made the changes that you had suggested and still there is no internet on the core switch. Is there anything else that i am missing?

object network Inside_Net
subnet 10.0.0.0 255.0.0.0
access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 any

object network Inside_Net
nat (inside,outside) dynamic interface

Navindar Singh · ‎10-05-2015

Guys, can anyone assist me as this is quite urgent, i have to do some testing on the client site tomorrow and i need this to be up.

mvsheik123 · ‎10-06-2015

Hi Navindar,

You still have trouble? You are testing internet by ping or browsing?

Pls post updated ASA configs .

Thx

MS

Navindar Singh · ‎10-06-2015

Hello Sheik, thanks for your response. I was trying pinging from the switch all along and didn't even check the browser. It works fine from the browser and thats what i need. Any reason why i cant ping outside from the core switch?? Thanks a lot for your time.

mvsheik123 · ‎10-06-2015

ACL is not applied to interface, so not blocking anything.

1. Loks like you are using public dns, so point dns server lookup to outside.

2. In the default inspection options add 'inspect icmp'.

3. If your ASA connected to cable provider router, reboot the same.

4. Make sure your test pc settings are correct.

5. If you trying to test ping from switch, make sure dourse packets originating from 10.x.x.x vlan (use extended ping).

Thx

MS

Navindar Singh · ‎10-07-2015

Thanks a lot for your assistance Sheik, much appreciated.