ASA5505 No Internet Connectivity

Answered Question
Feb 1st, 2008
User Badges:

I am setting up a new ASA 5505. The old firewallhas a IP x1.x2.x3.x4, subnet, gateway g1.g2.g3.g4, DNS d1.d2.d3.d4. I am connected to a cable modem

I cannot connect to the internet. Can someone please help, I am new to Cisco.

Result of the command: "show config": Saved

: Written by enable_15 at 17:50:24.909 CST Fri Feb 1 2008


ASA Version 7.2(3)


hostname xxxxx

domain-name default.domain.invalid

enable password R8oXOL9vUpDFQFqu encrypted



interface Vlan1

nameif inside

security-level 100

ip address


interface Vlan2

nameif outside

security-level 0

ip address x1.x2.x3.x4


interface Ethernet0/0

switchport access vlan 2


interface Ethernet0/1


interface Ethernet0/2


interface Ethernet0/3


interface Ethernet0/4


interface Ethernet0/5


interface Ethernet0/6


interface Ethernet0/7


passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup outside

dns server-group DefaultDNS

name-server d1.d2.d3.d4

domain-name default.domain.invalid

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1

route outside g1.g2.g3.g4 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd dns


dhcpd address inside

dhcpd dns interface inside

dhcpd enable inside



class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp


service-policy global_policy global

prompt hostname context


Correct Answer by oszkari about 9 years 3 months ago


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
oszkari Fri, 02/01/2008 - 16:48
User Badges:


the configuration seems ok, you should have access to the internet.(if the ip, gw addresses are correct)

Do not check the internet access with ping, by default icmp packets are not permitted trough ASA.

greentw1972 Fri, 02/01/2008 - 17:12
User Badges:

I have double checked everything. Attempting to connect with IE and no luck. Tried 2 different computers. Is there anything else I need to setup? This is a new install. Could it have something to do with the cable modem? As I mentioned the current firewall, Syamantec is working with these parameters.

I will try again in the morning and post a log.

Thanks for you help.

oszkari Fri, 02/01/2008 - 17:16
User Badges:

no dhcpd dns interface inside

set a real dns server

dhcpd dns your_provider_dns_server_address interface inside

srue Fri, 02/01/2008 - 17:59
User Badges:
  • Blue, 1500 points or more

try using as your DNS server and see if that works

greentw1972 Fri, 02/01/2008 - 19:03
User Badges:

I have not entered the DNS provided by my IPS. However this entry is in my configuration.

dhcpd dns


dhcpd address inside

dhcpd dns interface inside

dhcpd enable inside

Should I change the to the

excession Sat, 02/02/2008 - 08:20
User Badges:

Should one of your ports have "switchport access vlan 1"?

Can you ping the firewalls inside interface?

greentw1972 Sat, 02/02/2008 - 09:05
User Badges:

Setting the DNS worked. Thank you for your help.

Is there any other setting I need to make for security?


oszkari Sat, 02/02/2008 - 13:47
User Badges:

It depends on the needs...

Now you have a fully functional SPI firewall,

which drops all the traffic which was not initiated from the inside lan.

You could filter the outgoing traffic too and

do some application layer inspection on http...lot of exploits circulate these days..


This Discussion