New 5505: Need help getting inside network to the internet

Unanswered Question
Sep 13th, 2007
User Badges:



I'm a proud owner of a new ASA 5505. I've gone through the getting started guide and some other documentation and can't seem to get the routes/rules right to get my inside interface ( to my outside interface (my.public.i.p) to get to the internet. Although I didn't understand where to specifically define my.public.i.p gateway, is that something the ASA figures out on its own?

I've tried adding a static route for the inside like so: ip: gw: (inside interface IP) and it claims the route exists already.

So, I tried to create an access rule:

Outgoing rule allowing inside network to go to "any" and for some reason the wizard defines it, but then adds its own "deny" rule directly underneath. I trace the packets and they're getting dropped by some built-in implicit rules defined by the ASA.

What is this newbie overlooking?

I'm simply trying to set up my device and at least get the 1 PC that has access to the ASDM out to the internet and I can't even do that... This is one SERIOUS device coming from my limited networking background.

I thought walking through the wizards would at least get me on the internet, but it's not working...




I was looking at some debugging logging and when I try to go to for instance I get a "No route to My.External.dns.ip from (The internal IP of the PC I'm connected to the ASA directly)

Recommended action is to add a route... Ok, I try to define a route, but ASA tells me the route already exists... Must be a route/rule thing I'm not understanding. Thanks again!

(This is also posted in getting started LANs but I think it belongs here... Sorry, I'll remove the other one)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
royalblues Thu, 09/13/2007 - 07:39
User Badges:
  • Green, 3000 points or more

How are you connected to the ISP internet from the ASA?

All you need to do is configure PAT and proper access-lists and a default route to the ISP

Here is a sample config

interface Ethernet0/0

nameif inside

security-level 100

ip address

interface Ethernet0/1

nameif outside

security-level 0

ip address

Firewall(config)# nat (inside) 1 0 0

Firewall(config)# global (outside) 1 interface

access-list acl_out permit tcp any eq www

access-group acl_out in interface inside

route outside



kcaporaso Thu, 09/13/2007 - 07:46
User Badges:

Great Narayan - Now, how do I get that configuration, I'm using the GUI... I'm still learning my way around... Thanks!!

Oh - I have a static IP from my ISP.

Internet --> Cable Modem (basically a bridge) --> ASA 5505 --> PC (eventually a switch)

royalblues Thu, 09/13/2007 - 08:10
User Badges:
  • Green, 3000 points or more

Even my firewall skills are a bit rusty.

I do not know how to use the ADSM or the GUI..

is there any problem using the CLI anyway :-)


kcaporaso Thu, 09/13/2007 - 08:12
User Badges:

No, no issues at all using the CLI, I'm a vi CLI type guy!

If you're will to spit out the commands I'll do it.

Oh, I did add the outside route and it gave me internet access.

The other things you mentioned PAT and access lists, are those things I should definitely add on?


royalblues Thu, 09/13/2007 - 08:10
User Badges:
  • Green, 3000 points or more

Even my firewall skills are a bit rusty.

I do not know how to use the ADSM or the GUI..

is there any problem using the CLI anyway :-)


anitakuang Tue, 10/09/2007 - 02:50
User Badges:

Hi Kcaporaso,

Have you tried to configure ASA using dhcp on the outside interface?


Internet--> ADSL router (half bridge)-->ASA 5505--> PC

I have been working around it for a couple of days, but still no effect. I also realised a static route should be added.My question is whether it is possible to obtain the external IP directly from ADSL router and have it present on outside interface?

Here is the result of "sh route":

ciscoasa(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is to network

C is directly connected, _internal_loopback

C is directly connected, inside

S* [1/0] via, outside

Any comments or advice would be greatly appreciated~~~~~

kcaporaso Tue, 10/09/2007 - 10:08
User Badges:

consider posting this as a New topic. I have 5 statics so I have not tried using DHCP on the external interface. I can tell ya that your Gateway of last resort looks a little odd. Mine is the default gateway of my ISP connection. I imagine it should look something like 203.109.128.x

Good luck!

anitakuang Tue, 10/09/2007 - 18:15
User Badges:

Hi Kcaporaso,

Thanks for your help.

Actually, I am wondering how to post a thread as well.

As I am new to this forum, i didn't get used to the submit-a-topic section yet.

Consider it as a silly question:)






This Discussion