08-03-2019 12:12 PM - edited 02-21-2020 09:22 AM
I am having an issue accessing the Internet from workstations/servers behind my Cisco ASA5540 firewall. I have worked on this for many hours, with no luck. I have been using Cisco PIX firewalls for years, and am trying very hard to get over on this ASA5540 firewall. I honestly do not understand what the issue is. I can ping out to the Internet from the firewall, no problem, both at IPs and at DNS names. I just cannot get out to the Internet from any server or workstation. The following is my configuration, and after that, a "show version" output. Please let me know what you think might be wrong here. Thank you very much!
ciscoasa5540(config)# show config
: Saved
: Written by enable_15 at 18:29:44.131 UTC Fri Aug 2 2019
!
ASA Version 7.2(2)
!
hostname ciscoasa5540
domain-name edenhosting.net
enable password Vkz0vtCccFeMll8t encrypted
names
name 10.1.252.245 NS1 description Primary DNS Server (91)
name 10.1.252.219 Sendmail description OLD Mail Server (92)
name 10.1.252.247 ExchangeServer description Exchange Server 2016 (94)
name 10.1.252.249 WebServerIIS80 description Windows Server 2012 (93)
name 10.1.252.190 DRAC-DNS description DRAC for DNS Server (87)
name 10.1.252.191 DRAC-WebServer description DRAC for Web Server (92)
name 10.1.252.246 NAS description Synology NAS (86)
name 10.1.252.250 WebServerIIS10 description Windows Server 2019 (88)
name 10.1.252.192 DRAC-VirtualServer description DRAC for Virtual Server (89)
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 12.43.6.90 255.255.0.0
!
interface GigabitEthernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.1.252.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd ZPTx1zDL8pJ7Ffwu encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server NS1
name-server 8.8.8.8
domain-name edenhosting.net
access-list inside_access_in extended permit tcp host 12.43.6.91 host NS1 eq domain
access-list inside_access_in extended permit udp host 12.43.6.91 host NS1 eq domain
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq pop3
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq smtp
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq domain
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq 587
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq 465
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq www
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq https
access-list inside_access_in extended permit tcp host 12.43.6.92 host Sendmail eq 8088
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp host 12.43.6.93 host WebServerIIS80 eq www
access-list inside_access_in extended permit ip 10.1.252.0 255.255.255.0 any
pager lines 24
logging enable
logging timestamp
logging buffer-size 999999
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging facility 23
mtu outside 1500
mtu inside 1500
mtu management 1500
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
nat (inside) 1 10.1.252.0 255.255.255.0
static (inside,outside) 12.43.6.91 NS1 netmask 255.255.255.255
static (inside,outside) 12.43.6.92 Sendmail netmask 255.255.255.255 tcp 0 120
static (inside,outside) 12.43.6.93 WebServerIIS80 netmask 255.255.255.255 tcp 0 120
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
!
prompt hostname context
Cryptochecksum:c01c5eda61d05eb6144365d3feb1d611
ciscoasa5540(config)# show version
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Compiled on Wed 22-Nov-06 14:16 by builders
System image file is "disk0:/asa722-k8.bin"
Config file at boot was "startup-config"
ciscoasa5540 up 2 hours 41 mins
Hardware: ASA5540-K8, 2560 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 001a.2f94.4f56, irq 9
1: Ext: GigabitEthernet0/1 : address is 001a.2f94.4f57, irq 9
2: Ext: GigabitEthernet0/2 : address is 001a.2f94.4f58, irq 9
3: Ext: GigabitEthernet0/3 : address is 001a.2f94.4f59, irq 9
4: Ext: Management0/0 : address is 001a.2f94.4f55, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
WebVPN Peers : 10
This platform has an ASA 5540 VPN Premium license.
Serial Number: JMX1112L1JH
Running Activation Key: 0x133c6c4f 0x3cca370e 0x9882a598 0x897810c8 0x0a2c0289
Configuration register is 0x1
Configuration last modified by enable_15 at 18:29:39.206 UTC Fri Aug 2 2019
08-03-2019 01:58 PM
ASA 7.2 (Hoooo), it's quite old code; Cisco retired it ages ago. Let me re-think what I am providing; the suggestion may not be correct, since it has been a long time since I worked on that. Before 8.3 there was a global command for NAT, which is no longer available from 8.3 onwards.
At a high level I think you have a NAT issue (also, is your Internet subnet correct? 255.255.0.0 - no provider will allocate this kind of address space for a user, please check that also).
hostname(config)# global (outside) 1 X.x.x.x << public IP or range you can specify
here is the reference guide :
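The pairing the reply is pointing at can be checked mechanically: on pre-8.3 ASA code a `nat (inside) N ...` statement only translates traffic if there is a `global (outside) N ...` with the same id. The script below is an added example, not from the thread or from Cisco; it parses the NAT-relevant lines of the posted configuration (copied inline as a constructed sample, trimmed to the interface, nat, static and route statements) and reports any nat id with no matching global, plus any security-level 0 interface whose mask is shorter than a /24. The remediation string it prints (`global (outside) 1 interface`, i.e. PAT to the outside interface address) is one valid pre-8.3 form; substituting a dedicated public address or range, as the reply shows, works the same way.

```python
import re
from collections import defaultdict

# Constructed sample: the NAT-relevant lines from the configuration posted in
# the question (pre-8.3 syntax), trimmed to what the audit needs.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 12.43.6.90 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.252.254 255.255.255.0
!
nat-control
nat (inside) 1 10.1.252.0 255.255.255.0
static (inside,outside) 12.43.6.91 NS1 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 12.43.6.81 1
"""

IFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
SECLEVEL_RE = re.compile(r"^\s*security-level (\d+)")
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")


def mask_prefix_len(mask):
    """Dotted-quad mask -> prefix length, e.g. 255.255.0.0 -> 16."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_config(text):
    """Collect nat statements, global pools by id, and interface addresses."""
    nats, globals_, interfaces = [], defaultdict(set), {}
    cur = {}  # fields of the interface stanza being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if IFACE_RE.match(line) or line == "!":
            # A new stanza or a separator closes the current interface block.
            if cur.get("nameif") and cur.get("addr"):
                interfaces[cur["nameif"]] = (cur["addr"], cur.get("seclevel"))
            cur = {}
            continue
        if m := NAMEIF_RE.match(line):
            cur["nameif"] = m.group(1)
        elif m := SECLEVEL_RE.match(line):
            cur["seclevel"] = int(m.group(1))
        elif m := IPADDR_RE.match(line):
            cur["addr"] = (m.group(1), m.group(2))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
        elif m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))].add(m.group(1))
    if cur.get("nameif") and cur.get("addr"):
        interfaces[cur["nameif"]] = (cur["addr"], cur.get("seclevel"))
    return nats, dict(globals_), interfaces


def audit(text):
    """Return a list of human-readable findings for the pre-8.3 NAT setup."""
    findings = []
    nats, globals_, interfaces = parse_config(text)
    for ifname, nat_id, net, mask in nats:
        if nat_id == 0:
            continue  # nat 0 is identity/exempt NAT and needs no global pool
        if nat_id not in globals_:
            findings.append(
                f"nat ({ifname}) {nat_id} {net} {mask} has no matching global "
                f"(outside) {nat_id}; hosts get no translation. Suggested fix: "
                f"global (outside) {nat_id} interface")
    for name, ((ip, mask), seclevel) in interfaces.items():
        plen = mask_prefix_len(mask)
        if seclevel == 0 and plen < 24:
            findings.append(
                f"{name} interface {ip} {mask} is a /{plen}; verify the "
                f"provider-assigned mask")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

After adding the `global (outside) 1 ...` line, `show xlate` on the ASA should start showing translations for inside hosts; if it still shows none, the nat/global ids are the first thing to compare.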
08-03-2019 02:14 PM
08-03-2019 03:43 PM
Since you moved from PIX, many things have changed on ASA.
To make it easy, start with a simple config and build static NAT and the more complex things you would like to do on top of it.
So let's focus on getting internal networks NATed to a public IP for Internet access done.
Once you have made the changes, post the configuration for review (since I don't have any old-code device to simulate your problem on).
We have moved way ahead, to the 9.x trends.
08-03-2019 04:48 PM
08-03-2019 05:24 PM
08-04-2019 03:33 AM
asa917-32-k8.bin - this is the latest version.
Read the release notes:
https://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html
Upgrading from 7.2 to 9.1 is a big change, so make sure you are aware of the many config changes and the upgrade path.
08-08-2019 04:12 PM
08-08-2019 05:59 PM
It's been a long time since I have worked on SSM, since we moved to FTD.
As per Cisco, here is the latest: IPS-SSM_20-K9-sys-1.1-a-7.0-2-E3.img