Can't ping out to the internet from the internal LAN through ASA5505

sifurobbie
Level 1

Hello,

Hope someone can help with a slight problem. I have a setup like so:

LAN (192.168.16.0/24) >>> ASA5505 (192.168.16.250 gateway/inside) (x.x.x.194 outside) >>> ISP Router (x.x.x.193) >>> Internet.

The problem I'm having is I'm unable to ping out from the internal LAN to the internet through the ASA5505. I assigned a static IP, gateway and appropriate DNS servers manually to a laptop and rebooted it. I connected the laptop to a free ethernet port assigned to the correct VLAN, VLAN 1 in this instance. I can ping the gateway of my 5505 fine (192.168.16.250), but nothing else. I can't ping by domain name or IP address. I'm able to ping the internet from the 5505 itself fine. I have rebooted the 5505 and it made no difference. Is it something very simple I'm missing? I have provided the configuration for reference.

This is my first attempt configuring an ASA5505 and any help will be most appreciated.

Thank you.

Rob


ASA Version 7.2(4)
!
hostname wms-asa-5505
enable password 9wrgr/C1doQHK27R encrypted
passwd ccI2bVURfbXCZPL4 encrypted
names
!
interface Vlan1
description inside to LAN 192.168.16.0/24
nameif inside
security-level 100
ip address 192.168.16.250 255.255.255.0
!
interface Vlan2
description outside via ISP router x.x.x.193
nameif outside
security-level 0
ip address x.x.x.194 255.255.255.240
!
interface Ethernet0/0
description to ISP via int vlan 2
switchport access vlan 2
!
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd This is a private network. Unauthorised access is strictly prohibited.
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 217.13.128.17
name-server 83.218.143.36
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
access-list ACL_IN extended permit icmp any any echo-reply
access-list ACL_IN extended permit icmp any any time-exceeded
access-list ACL_IN extended permit icmp any any unreachable
access-list ACL_OUT extended permit tcp any any object-group Internet_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_OUT in interface inside
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global

7 Replies

Jennifer Halim
Cisco Employee

To ping out you would need to permit ICMP on the inside ACL (ACL_OUT):

access-list ACL_OUT permit icmp any any

Then please also add the inspection for icmp:

policy-map global_policy
  class inspection_default
    inspect icmp

Hope that helps.

Hi Halijen,

Thank you for a prompt response. I will try your suggestions and see how I get on.

Best Regards,

Rob

Great, thanks.

Hi Halijenn,

Good news and not so good news, I'm afraid. I can now ping via IP to the internet from the internal LAN through the 5505 after your suggestions, so thank you for that. But I can't ping from the internal LAN by hostname to any external addresses. The test laptop is set up with the correct DNS servers and I have specified the ASA to look outside for the external DNS servers.

Your help once again is most appreciated.

Best,

Rob

Try to add this.

"access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 any eq 53"

You can even be tighter by replacing the word "any" with "host ip_address_of_dns_server", e.g.

"access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 host 4.2.2.2 eq 53"

This will allow dns queries out.

Regards,

Hi Edadios,

Many thanks! That worked great once that line was in place. Correct me if I'm wrong, but basically the access list says to let UDP/DNS requests from the outside into the internal network (192.168.16.0) to the inside interface?

Regards,

Rob

No, the access list is allowing DNS requests from the internal network 192.168.16.0/24 towards a DNS server on the outside (assuming that you are using your ISP's DNS server or an external DNS server).
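To make the two fixes in this thread concrete, here is an added example (not from the thread or from Cisco) that evaluates the posted inside ACL with a small first-match model of ASA extended ACL lines. It shows why an ICMP echo and a UDP/53 query from the LAN were dropped by ACL_OUT as originally posted, and why both pass once the ICMP line from Jennifer Halim's reply and the DNS line from Edadios's reply are added. The LAN host 192.168.16.10 is a constructed address; the resolver address and 4.2.2.2 are taken from the posts.

```python
import ipaddress

# Port names and the service object-group exactly as in the posted config.
PORT_NAMES = {"www": 80, "domain": 53, "https": 443, "ftp": 21}
OBJECT_GROUPS = {"Internet_Services": {80, 53, 443, 21, 8080}}

def _addr(t):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1]), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [svc]'."""
    t = line.strip().strip('"').split()[2:]      # drop 'access-list NAME'
    if t[0] == "extended":
        t = t[1:]
    action, proto, t = t[0], t[1], t[2:]
    src, t = _addr(t)
    dst, t = _addr(t)
    svc = None                                   # None: any port / ICMP type
    if proto == "icmp" and t:
        svc = {t[0]}                             # e.g. echo-reply
    elif t and t[0] == "eq":
        svc = {PORT_NAMES.get(t[1]) or int(t[1])}
    elif t and t[0] == "object-group":
        svc = OBJECT_GROUPS[t[1]]
    return dict(action=action, proto=proto, src=src, dst=dst, svc=svc)

def evaluate(aces, proto, src_ip, dst_ip, svc):
    """First-match evaluation; an ASA ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if (a["proto"] in (proto, "ip") and src in a["src"] and dst in a["dst"]
                and (a["svc"] is None or svc in a["svc"])):
            return a["action"]
    return "deny"

# The inside ACL as posted, then with the two lines suggested in the replies.
ORIGINAL = [parse_ace("access-list ACL_OUT extended permit tcp any any object-group Internet_Services")]
FIXED = ORIGINAL + [
    parse_ace("access-list ACL_OUT permit icmp any any"),
    parse_ace("access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 any eq 53"),
]

def lan_results(aces):
    """(ping, dns) verdicts for constructed LAN host 192.168.16.10 sending an
    ICMP echo to 4.2.2.2 and a UDP/53 query to the posted resolver 217.13.128.17."""
    return (evaluate(aces, "icmp", "192.168.16.10", "4.2.2.2", "echo"),
            evaluate(aces, "udp", "192.168.16.10", "217.13.128.17", 53))
```

Web traffic matched the original TCP-only line all along, which is why only ping and name resolution failed while the laptop's other settings were correct.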
