No connection through ASA to internet

Unanswered Question
Jan 22nd, 2009

Hello - after having to replace our ASA 5520, I configured it and now no one behind it can access the Internet. I can ping internet IP's from the ASA but not from behind it. I can't see where the problem is, can anyone help? I am attaching the config.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Tshi M Thu, 01/22/2009 - 06:53

could you please post sh access-list Inside_access_in and also your sh xlate?


p.s. you can try removing that inside ACL as a troubleshooting step.


adcorbett_2 Thu, 01/22/2009 - 06:58

Here is the output

sho access-list Inside_access_in

access-list Inside_access_in; 2 elements

access-list Inside_access_in line 1 extended permit icmp any any (hitcnt=146) 0xb34531ad

access-list Inside_access_in line 2 extended permit ip any any (hitcnt=2639) 0xe42c5ef9

sh xlate

0 in use, 2 most used

Tshi M Thu, 01/22/2009 - 07:33


I would first try without the inside ACL and also try to use nat (inside)1 since it looks like that is your inside network. Though the existing command that you have should work.

There is no NAT taking place which makes wonder if we might have a routing problem somewhere in the network.

Do you have anything from your syslog server?

adcorbett_2 Thu, 01/22/2009 - 07:54

Thanks - ok I tried that but still no luck. The subnet is one of two behind that ASA, the other is which is named "inside-network" on the ASA.

The strange part is the clients are not getting a "page cannot be displayed" normal error, but they are getting a "503 Service Unavailable" error, regardless of what website they are going to.

Mo'ath Al Rawashdeh Thu, 01/22/2009 - 08:43


Check whether a static route exists on your core switch (, it should look like this:

ip route


Tshi M Thu, 01/22/2009 - 08:46

i also thought it could have been a routing problem earlier in one of my posting. I think a traceroute should confirm that.

adcorbett_2 Thu, 01/22/2009 - 08:48

Yes, that entry exists in I have saved the config and restarted the ASA. Client computers no longer get the 503 error, just the regular page cannot be displayed error. Telnet on port 80 errors out as well.

Mo'ath Al Rawashdeh Thu, 01/22/2009 - 08:51

Hi again,

How can you be sure that the issue is something wrong on the ASA not your core switch?

Can you plz shed more light on this?


Tshi M Thu, 01/22/2009 - 08:51

how about a traceroute? try it using IP address rather FQDN as I suspect a DNS issue.


telnet 80

adcorbett_2 Thu, 01/22/2009 - 08:56

tracert gets to the default gateway (, then dies

telnet 80: Connect failed

Tshi M Thu, 01/22/2009 - 09:04

it also sounds to me like you are dealing with a routing problem.

Please remove the inside access-list and try. Post your syslog output, post your switch config.

by the way did you remove the inside access-list on the firewall?


This Discussion