Can't ping out to the internet from the internal LAN through ASA5505

Jun 24th, 2010

Hello,


Hope someone can help with a slight problem. I have a set up like so


LAN (192.168.16.0/24) >>> ASA5505 (192.168.16.250 gateway/inside) (x.x.x.194 outside) >>> ISP Router (x.x.x.193) >>> Internet.


The problem I'm having is I'm unable to ping out from the internal LAN to the internet through the ASA5505. I assigned a static IP, gateway and appropriate DNS servers manually to a laptop and rebooted it. I connected the laptop to a free Ethernet port assigned to the correct VLAN, VLAN 1 in this instance. I can ping the gateway of my 5505 fine (192.168.16.250), but nothing else. I can't ping by domain name or IP address. I'm able to ping to the internet from the 5505 itself fine. I have rebooted the 5505 and it made no difference. Is it something very simple I'm missing? I have provided the configuration for reference.


This is my first attempt configuring an ASA5505 and any help will be most appreciated.


Thank you.


Rob



ASA Version 7.2(4)
!
hostname wms-asa-5505
enable password 9wrgr/C1doQHK27R encrypted
passwd ccI2bVURfbXCZPL4 encrypted
names
!
interface Vlan1
description inside to LAN 192.168.16.0/24
nameif inside
security-level 100
ip address 192.168.16.250 255.255.255.0
!
interface Vlan2
description outside via ISP router x.x.x.193
nameif outside
security-level 0
ip address x.x.x.194 255.255.255.240
!
interface Ethernet0/0
description to ISP via int vlan 2
switchport access vlan 2
!
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd This is a private network. Unauthorised access is strictly prohibited.
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 217.13.128.17
name-server 83.218.143.36
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
access-list ACL_IN extended permit icmp any any echo-reply
access-list ACL_IN extended permit icmp any any time-exceeded
access-list ACL_IN extended permit icmp any any unreachable
access-list ACL_OUT extended permit tcp any any object-group Internet_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_OUT in interface inside
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0


!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

Jennifer Halim Thu, 06/24/2010 - 03:17
User Badges:
  • Cisco Employee,

To ping out you would need to permit ICMP on the inside ACL (ACL_OUT):

access-list ACL_OUT permit icmp any any


Then please also add the inspection for icmp:

policy-map global_policy
  class inspection_default
    inspect icmp


Hope that helps.

sifurobbie Thu, 06/24/2010 - 04:10

Hi Halijen,


Thank you for a prompt response. I will try your suggestions and see how I get on.


Best Regards,


Rob

sifurobbie Fri, 06/25/2010 - 03:55

Hi Halijenn,


Good news and not so good news I'm afraid. I can now ping via IP to the internet from the internal LAN through the 5505 after your suggestions so thank you for that. But I can't ping from the internal LAN by hostname to any external addresses. The test laptop is set up with the correct DNS servers and I have specified the ASA to look outside for the external DNS servers.


Your help once again is most appreciated.


Best,


Rob

edadios Fri, 06/25/2010 - 04:36
User Badges:
  • Silver, 250 points or more

Try to add this.


"access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 any eq 53"


You can even be tighter by replacing the word any with "host ip_address_of_dns_server", e.g.


"access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 host 4.2.2.2 eq 53"


This will allow dns queries out.


Regards,

sifurobbie Fri, 06/25/2010 - 05:55

Hi Edadios,


Many thanks! That worked great once that line was in place. Correct me if I'm wrong, basically the access list said let udp/dns requests from the outside into the internal network (192.168.16.0) to the inside interface?


Regards,


Rob

Jennifer Halim Fri, 06/25/2010 - 06:00
User Badges:
  • Cisco Employee,

No, the access list is allowing DNS requests from the internal network of 192.168.16.0/24 towards the DNS server on the outside (assuming that you are using your ISP DNS server or an external DNS server).
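As an added example (not posted by anyone in this thread), here is the inside ACL and inspection change from the two answers pulled together and tightened to the LAN subnet and to the two resolvers listed under DefaultDNS in the posted config, followed by the packet-tracer checks that verify the policy before touching a client. It assumes the laptop uses those same two DNS servers; the source address 192.168.16.10 is a constructed test value.

```cisco
! --- Inside-to-outside policy (ACL_OUT is applied "in" on the inside interface) ---
! DNS queries (UDP/53) from the LAN, limited to the two known resolvers instead of "any".
! Note: "dns domain-lookup outside" only lets the ASA resolve names for its own
! commands; it does nothing for LAN clients, which is why their lookups still need an ACE.
access-list ACL_OUT extended permit udp 192.168.16.0 255.255.255.0 host 217.13.128.17 eq domain
access-list ACL_OUT extended permit udp 192.168.16.0 255.255.255.0 host 83.218.143.36 eq domain
! Outbound ping: permit echo only, not every ICMP type
access-list ACL_OUT extended permit icmp 192.168.16.0 255.255.255.0 any echo
! Anything else sourced from the LAN still hits the ACL's implicit deny
!
! Stateful ICMP: with inspection on, the echo-reply is matched to the outbound
! echo and returned without needing explicit echo-reply entries in ACL_IN.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! --- Verification (packet-tracer exists from ASA 7.2 onward) ---
! Simulate a LAN DNS query; the final line should read "Action: allow"
packet-tracer input inside udp 192.168.16.10 1025 217.13.128.17 53
! Simulate a LAN ping (ICMP type 8, code 0) to the ISP router
packet-tracer input inside icmp 192.168.16.10 8 0 x.x.x.193
! Hit counts on each ACE confirm which rule real traffic is matching
show access-list ACL_OUT
```

If packet-tracer shows a drop at the ACCESS-LIST phase, the ACE is missing or mis-ordered; a drop at NAT means the nat/global pair does not cover the source.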
