06-24-2010 03:03 AM - edited 03-11-2019 11:03 AM
Hello,
Hope someone can help with a slight problem. I have a setup like so:
LAN (192.168.16.0/24) >>> ASA5505 (192.168.16.250 gateway/inside) (x.x.x.194 outside) >>> ISP Router (x.x.x.193) >>> Internet.
The problem I'm having is that I'm unable to ping out from the internal LAN to the internet through the ASA5505. I assigned a static IP, gateway and the appropriate DNS servers manually to a laptop and rebooted it. I connected the laptop to a free Ethernet port assigned to the correct VLAN, VLAN 1 in this instance. I can ping the gateway of my 5505 fine (192.168.16.250), but nothing else. I can't ping by domain name or IP address. I'm able to ping the internet from the 5505 itself fine. I have rebooted the 5505 and it made no difference. Is it something very simple I'm missing? I have provided the configuration for reference.
This is my first attempt configuring an ASA5505 and any help will be most appreciated.
Thank you.
Rob
ASA Version 7.2(4)
!
hostname wms-asa-5505
enable password 9wrgr/C1doQHK27R encrypted
passwd ccI2bVURfbXCZPL4 encrypted
names
!
interface Vlan1
description inside to LAN 192.168.16.0/24
nameif inside
security-level 100
ip address 192.168.16.250 255.255.255.0
!
interface Vlan2
description outside via ISP router x.x.x.193
nameif outside
security-level 0
ip address x.x.x.194 255.255.255.240
!
interface Ethernet0/0
description to ISP via int vlan 2
switchport access vlan 2
!
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd This is a private network. Unauthorised access is strictly prohibited.
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 217.13.128.17
name-server 83.218.143.36
object-group service Internet_Services tcp
port-object eq www
port-object eq domain
port-object eq https
port-object eq ftp
port-object eq 8080
access-list ACL_IN extended permit icmp any any echo-reply
access-list ACL_IN extended permit icmp any any time-exceeded
access-list ACL_IN extended permit icmp any any unreachable
access-list ACL_OUT extended permit tcp any any object-group Internet_Services
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_OUT in interface inside
access-group ACL_IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.16.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
06-24-2010 03:17 AM
To ping out you would need to permit ICMP on the inside ACL (ACL_OUT):
access-list ACL_OUT permit icmp any any
Then please also add the inspection for icmp:
policy-map global_policy
class inspection_default
inspect icmp
Hope that helps.
06-24-2010 04:10 AM
Hi Halijen,
Thank you for a prompt response. I will try your suggestions and see how I get on.
Best Regards,
Rob
06-24-2010 04:13 AM
Great, thanks.
06-25-2010 03:55 AM
Hi Halijenn,
Good news and not so good news I'm afraid. I can now ping via IP to the internet from the internal LAN through the 5505 after your suggestions so thank you for that. But I can't ping from the internal LAN by hostname to any external addresses. The test laptop is set up with the correct DNS servers and I have specified the ASA to look outside for the external DNS servers.
Your help once again is most appreciated.
Best,
Rob
06-25-2010 04:36 AM
Try to add this.
"access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 any eq 53"
You can even be tighter by changing the word "any" to "host ip_address_of_dns_server", e.g.
"access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 host 4.2.2.2 eq 53"
This will allow dns queries out.
Regards,
06-25-2010 05:55 AM
Hi Edadios,
Many thanks! That worked great once that line was in place. Correct me if I'm wrong, basically the access list said let udp/dns requests from the outside into the internal network (192.168.16.0) to the inside interface?
Regards,
Rob
06-25-2010 06:00 AM
No, the access list is allowing DNS requests from the internal network 192.168.16.0/24 towards a DNS server on the outside (assuming that you are using your ISP's DNS server or an external DNS server).
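The three fixes suggested in the replies (permit ICMP on the inside ACL, permit UDP/53 to the DNS server, and add inspect icmp to global_policy) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python checker run over a constructed excerpt of the posted config with those fixes applied. It assumes the ACL applied "in" on the inside interface is the one that governs LAN-to-internet traffic, as the last reply explains, and that 4.2.2.2 is just the sample DNS host from the reply.

```python
import re
# Constructed excerpt of the ASA 7.2 config posted in the thread, with the three
# fixes from the replies applied: ICMP permit, UDP/53 permit and inspect icmp.
SAMPLE_CONFIG = """\
access-list ACL_IN extended permit icmp any any echo-reply
access-list ACL_OUT extended permit tcp any any object-group Internet_Services
access-list ACL_OUT permit icmp any any
access-list ACL_OUT permit udp 192.168.16.0 255.255.255.0 host 4.2.2.2 eq 53
access-group ACL_OUT in interface inside
access-group ACL_IN in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect icmp
service-policy global_policy global
"""

def acl_bound_to(config, nameif):
    # "access-group X in interface inside" filters traffic entering the ASA
    # from LAN hosts, i.e. the outbound direction the thread is about.
    m = re.search(r"^access-group (\S+) in interface %s$" % re.escape(nameif), config, re.M)
    return m.group(1) if m else None

def permits(config, acl, proto, dport=None):
    # True if any ACE in the named ACL permits proto (and dport, if given).
    if acl is None:
        return False
    for ace in re.findall(r"^access-list %s (?:extended )?(.+)$" % re.escape(acl), config, re.M):
        toks = ace.split()
        if toks[0] != "permit" or toks[1] != proto:
            continue
        if dport is None or toks[-2:] == ["eq", str(dport)]:
            return True
    return False

def inspects(config, proto):
    # True if the globally applied policy-map carries "inspect <proto>".
    m = re.search(r"^service-policy (\S+) global$", config, re.M)
    if not m or "policy-map %s\n" % m.group(1) not in config:
        return False
    body = config.split("policy-map %s\n" % m.group(1), 1)[1]
    return re.search(r"^\s*inspect %s\b" % re.escape(proto), body, re.M) is not None

def check_outbound(config):
    # Report which of the thread's three fixes are present for the inside ACL.
    acl = acl_bound_to(config, "inside")
    return {"icmp_permitted": permits(config, acl, "icmp"),
            "dns_permitted": permits(config, acl, "udp", 53),
            "icmp_inspected": inspects(config, "icmp")}
```

Running check_outbound on the original posted config (without the three added lines) reports all three as missing, which matches the symptoms described at the top of the thread.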