
users cannot access internet

edwincharles
Level 1

Dears,

I am trying to set up a LAN network as attached; please find the current config.

Users are not able to access the internet. From the switch I cannot ping 8.8.8.8; from the ASA I can ping 8.8.8.8.

2 Accepted Solutions

Thank you Edwin, perfect, from the firewall you can ping the ip 8.8.8.8?

Also please remove this line:

no access-list ouside_in extended permit icmp host 172.16.32.253 any 

you should have

access-list ouside_in extended permit icmp any any echo
access-list ouside_in extended permit icmp any any echo-reply




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<


Thank you

Could  you please execute the command ip routing on the switch? and try again. 





19 Replies

Julio E. Moisa
VIP Alumni

Hi Edwin

Your config looks fine, but the access-group configuration is missing. It is essential to enable the ACLs.

access-group <acl name> in interface <nameif associated to the acl>

example

access-group <INSIDE-ACL> in interface <inside>

I used to create the NAT using object-groups along with the NAT statement.

Hope it is useful

:-)




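The binding check described in the reply above (each ACL needs an access-group line of the form "access-group <acl name> in interface <nameif>"), as an added example that is not part of the original thread. It is a Python audit of ASA running-config text; the sample config is constructed from names used in this thread, and the function name and result keys are hypothetical.

```python
import re

# Constructed sample config using names from this thread; its access-group
# line omits the in/out keyword that the command syntax requires.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 172.16.32.1 255.255.255.0
interface GigabitEthernet1/2
 nameif inside
 security-level 100
access-list inside_access_in extended permit ip 10.10.0.0 255.255.0.0 any
access-list ouside_in extended permit icmp any any echo-reply
access-group inside_access_in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.32.253
"""

# Only extended/standard ACLs are tracked; "line N" is the optional position.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?(?:extended|standard)\b")
# Either a per-interface binding with a direction, or a global binding.
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(?:(in|out)\s+interface\s+(\S+)|global)\b")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")


def audit_access_groups(config: str) -> dict:
    """Hypothetical helper: list ACLs with no access-group binding,
    access-group lines that do not parse, and bindings that point at an
    ACL or nameif the config never defines."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    acls = {m.group(1) for ln in lines if (m := ACL_RE.match(ln))}
    nameifs = {m.group(1) for ln in lines if (m := NAMEIF_RE.match(ln))}
    bound, malformed, unknown = set(), [], []
    for ln in lines:
        if not ln.startswith("access-group "):
            continue
        m = GROUP_RE.match(ln)
        if m is None:
            malformed.append(ln)                    # e.g. missing in/out
        elif m.group(1) not in acls:
            unknown.append(ln)                      # ACL name never defined
        elif m.group(3) and m.group(3) not in nameifs:
            unknown.append(ln)                      # nameif never defined
        else:
            bound.add(m.group(1))
    return {"unbound_acls": sorted(acls - bound),
            "malformed": malformed,
            "unknown_reference": unknown}
```

ACLs referenced only by nat, class-map or crypto map statements are also listed as unbound, since the check looks at access-group lines alone.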

Hi Julio,

can you help me on it

Sure,

Please let me provide you an example; before that, could you confirm communication from the firewall to the gateways of the networks configured on the switch?





Hi

Try executing these command lines:

Your NAT statement is OK, so you don't need the following line:

no nat (inside,outside) after-auto source dynamic any interface

To enable the ACL and apply it to the interface:

access-group inside_access_in in interface inside

Please try and keep me posted. Also verify if the computers have the gateway configured and DNS addresses like 8.8.8.8 / 4.2.2.2

:-)





I can ping from switch 8.8.8.8

from user cannot ping 8.8.8.8 and no internet

attached new config of asa

Hi

They already should have Internet access, in order to enable ping try these commands:

access-list inside_access_in line 1 extended permit icmp 10.10.0.0 255.255.0.0 any echo
access-list inside_access_in line 2 extended permit icmp 10.10.0.0 255.255.0.0 any echo-reply

access-list ouside_in line 1 extended permit icmp host 172.16.32.253 any echo
access-list ouside_in line 2 extended permit icmp host 172.16.32.253 any echo-reply

Usually icmp is not part of IP, you need to enable icmp on both ways.

:-)





Dear Julio,

no success, no internet

cannot ping 8.8.8.8

not able to ping the modem also

Thanks for the update,

Just a question about the IP configured under the outside interface: is it the IP of the network received through the modem, or is it the gateway? The default route should be pointing to the gateway; do you know what the gateway is for the subnet 172.16.32.0/24?

If you connect a PC to the modem, can you see what IP you obtained from the modem?

interface GigabitEthernet1/1
 description to WAN
 nameif outside
 security-level 0
 ip address 172.16.32.1 255.255.255.0 

route outside 0.0.0.0 0.0.0.0 172.16.32.253




172.16.32.253 is IP of the DSL MODEM

Thank you, 

If you connect a PC to the modem, can you see what IP you obtained and its gateway from the modem?





attached ip getting when directly connected to pc

Thank you Edwin, perfect, from the firewall you can ping the ip 8.8.8.8?

Also please remove this line:

no access-list ouside_in extended permit icmp host 172.16.32.253 any 

you should have

access-list ouside_in extended permit icmp any any echo
access-list ouside_in extended permit icmp any any echo-reply





yes, I can

Hi

Your firewall config looks fine. Can you set up a PC manually and use DNS 8.8.8.8 and 4.2.2.2?

Also, I'm assuming the ip routing command is configured on the layer 3 switch, is that correct?



