No connection through ASA to internet

adcorbett_2 · ‎01-22-2009

Hello - after having to replace our ASA 5520, I configured it and now no one behind it can access the Internet. I can ping internet IP's from the ASA but not from behind it. I can't see where the problem is, can anyone help? I am attaching the config.

Tshi M · ‎01-22-2009

could you please post sh access-list Inside_access_in and also your sh xlate?

regards,

p.s. you can try removing that inside ACL as a troubleshooting step.

regards,

adcorbett_2 · ‎01-22-2009

Here is the output

sho access-list Inside_access_in

access-list Inside_access_in; 2 elements

access-list Inside_access_in line 1 extended permit icmp any any (hitcnt=146) 0xb34531ad

access-list Inside_access_in line 2 extended permit ip any any (hitcnt=2639) 0xe42c5ef9

sh xlate

0 in use, 2 most used

Tshi M · ‎01-22-2009

hi,

I would first try without the inside ACL and also try to use nat (inside)1 192.168.101.0 255.255.255.0 since it looks like that is your inside network. Though the existing command that you have should work.

There is no NAT taking place which makes wonder if we might have a routing problem somewhere in the network.

Do you have anything from your syslog server?

adcorbett_2 · ‎01-22-2009

Thanks - ok I tried that but still no luck. The 192.168.101.0 subnet is one of two behind that ASA, the other is 192.168.100.0 which is named "inside-network" on the ASA.

The strange part is the clients are not getting a "page cannot be displayed" normal error, but they are getting a "503 Service Unavailable" error, regardless of what website they are going to.

Tshi M · ‎01-22-2009

what do you get when you do a traceroute? did you try telnet www.google.com 80? Could you post your ASA log?

I am sure you already google that error but here is a link

http://www.checkupdown.com/status/E503.html

Mo'ath Al Rawashdeh · ‎01-22-2009

Hi,

Check whether a static route exists on your core switch (192.168.100.1), it should look like this:

ip route 0.0.0.0 0.0.0.0 192.168.100.2

regards.

Tshi M · ‎01-22-2009

i also thought it could have been a routing problem earlier in one of my posting. I think a traceroute should confirm that.

adcorbett_2 · ‎01-22-2009

Yes, that entry exists in 192.168.100.1. I have saved the config and restarted the ASA. Client computers no longer get the 503 error, just the regular page cannot be displayed error. Telnet on port 80 errors out as well.

Mo'ath Al Rawashdeh · ‎01-22-2009

Hi again,

How can you be sure that the issue is something wrong on the ASA not your core switch?

Can you plz shed more light on this?

Thx

Tshi M · ‎01-22-2009

how about a traceroute? try it using IP address rather FQDN as I suspect a DNS issue.

tracert 72.14.205.100

telnet 72.14.205.100 80

adcorbett_2 · ‎01-22-2009

tracert 72.14.205.100: gets to the default gateway (192.168.100.1), then dies

telnet 72.14.205.100 80: Connect failed

Tshi M · ‎01-22-2009

it also sounds to me like you are dealing with a routing problem.

Please remove the inside access-list and try. Post your syslog output, post your switch config.

by the way did you remove the inside access-list on the firewall?