Solved: ASA 5510 cannot connect to the internet

andrewla1212 · ‎05-22-2008

What's wrong or missing from the configuration below? No internet access. On the ASA, I can ping my T1 router:

T1 router - 69.X.X.193

Outside interface 69.X.X.196

Inside interface 10.10.1.254

asa5510(config)# show run

: Saved

:

ASA Version 8.0(2)

!

hostname asa5510

domain-name http://www.test.com

enable password XXXXXXXXXXXXXXXX encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 69.X.X.196 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.10.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd XXXXXXXXXXXXXXXX encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name http://www.test.com

access-list incoming_traffic extended permit ip any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group incoming_traffic in interface outside

route outside 0.0.0.0 0.0.0.0 63.X.X.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

username testuser password XXXXXXXXXXXXXXXX encrypted

prompt hostname context

Cryptochecksum:xxx

: end

asa5510(config)#

husycisco · ‎05-22-2008

Hi Andrew,

Nothing is wrong with your ACL or NAT statements.

Your default static route is not within the range of your outside interfacce

route outside 0.0.0.0 0.0.0.0 63.X.X.193 1

Check it again.

Regards

View solution in original post

arturo.guzman · ‎05-22-2008

nat (inside) 1 0.0.0.0 0.0.0.0 // int this case you have to put your segmente lan maybe like this.

nat (inside) 1 10.10.1.0 255.255.255.0

or may be like this

nat (inside) 1 10.0.0.0 255.0.0.0

In other hand you have to make an acl for the inside interface maybe like this.

access-list inside_in extended permit ip 10.10.1.0 255.255.255.0 any

and apply it to the interface.

access-group inside_in in interface inside

don't forget qualify me

husycisco · ‎05-22-2008

Hi Andrew,

Nothing is wrong with your ACL or NAT statements.

Your default static route is not within the range of your outside interfacce

route outside 0.0.0.0 0.0.0.0 63.X.X.193 1

Check it again.

Regards

andrewla1212 · ‎05-23-2008

Hi Huseyin,

Thanks for the sharp eyes on the ip.

vitripat · ‎05-22-2008

This is not a issue with either nat/global configuration or subnet mask. Outside interface and gateway IP are in the same subnet.

I think this is an issue with the upstream device. To verify, try this-

policy-map global_policy

class inspection_default

inspect icmp

Now check if from hosts on the inside interface, are you able to ping 63.X.X.193 and 4.2.2.2?

If you can ping 63.X.X.193 but not 4.2.2.2, traffic is passing through ASA, however not through the upstream device (router). Thats where you need to look in.

Regards,

Vibhor.

husycisco · ‎05-22-2008

Hi Vibhor,

"Outside interface and gateway IP are in the same subnet"

Following is the ip address statement for outside interface

!!!

ip address 69.X.X.196 255.255.255.248

and following is the default route

!!

route outside 0.0.0.0 0.0.0.0 63.X.X.193

How can 63.x.x.193 be within same subnet of 69.x.x.192/29 ?

According to the config of T1 router, the default route for ASA must either be the T1 router itself (69.x.x.193), or the default gateway assigned to T1 router by ISP within 69.x.x.192/29

vitripat · ‎05-23-2008

ahh .. i missed that .. :-) Thanks for pointing it out. :-)