01-22-2009 06:16 AM - edited 03-11-2019 07:40 AM
Hello - after having to replace our ASA 5520, I configured it and now no one behind it can access the Internet. I can ping internet IP's from the ASA but not from behind it. I can't see where the problem is, can anyone help? I am attaching the config.
01-22-2009 06:53 AM
could you please post sh access-list Inside_access_in and also your sh xlate?
regards,
p.s. you can try removing that inside ACL as a troubleshooting step.
regards,
01-22-2009 06:58 AM
Here is the output
sho access-list Inside_access_in
access-list Inside_access_in; 2 elements
access-list Inside_access_in line 1 extended permit icmp any any (hitcnt=146) 0xb34531ad
access-list Inside_access_in line 2 extended permit ip any any (hitcnt=2639) 0xe42c5ef9
sh xlate
0 in use, 2 most used
01-22-2009 07:33 AM
hi,
I would first try without the inside ACL and also try to use nat (inside)1 192.168.101.0 255.255.255.0 since it looks like that is your inside network. Though the existing command that you have should work.
There is no NAT taking place which makes wonder if we might have a routing problem somewhere in the network.
Do you have anything from your syslog server?
01-22-2009 07:54 AM
Thanks - ok I tried that but still no luck. The 192.168.101.0 subnet is one of two behind that ASA, the other is 192.168.100.0 which is named "inside-network" on the ASA.
The strange part is the clients are not getting a "page cannot be displayed" normal error, but they are getting a "503 Service Unavailable" error, regardless of what website they are going to.
01-22-2009 08:00 AM
what do you get when you do a traceroute? did you try telnet www.google.com 80? Could you post your ASA log?
I am sure you already google that error but here is a link
01-22-2009 08:43 AM
Hi,
Check whether a static route exists on your core switch (192.168.100.1), it should look like this:
ip route 0.0.0.0 0.0.0.0 192.168.100.2
regards.
01-22-2009 08:46 AM
i also thought it could have been a routing problem earlier in one of my posting. I think a traceroute should confirm that.
01-22-2009 08:48 AM
Yes, that entry exists in 192.168.100.1. I have saved the config and restarted the ASA. Client computers no longer get the 503 error, just the regular page cannot be displayed error. Telnet on port 80 errors out as well.
01-22-2009 08:51 AM
Hi again,
How can you be sure that the issue is something wrong on the ASA not your core switch?
Can you plz shed more light on this?
Thx
01-22-2009 08:51 AM
how about a traceroute? try it using IP address rather FQDN as I suspect a DNS issue.
tracert 72.14.205.100
telnet 72.14.205.100 80
01-22-2009 08:56 AM
tracert 72.14.205.100: gets to the default gateway (192.168.100.1), then dies
telnet 72.14.205.100 80: Connect failed
01-22-2009 09:04 AM
it also sounds to me like you are dealing with a routing problem.
Please remove the inside access-list and try. Post your syslog output, post your switch config.
by the way did you remove the inside access-list on the firewall?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide