ASA 5510 LAN not communicating with WAN

Answered Question
Sep 7th, 2010

Hello.

I'm having a problem here with this 5510. I've got the ADSL connection up and running and I can ping internet IPs from the 5510. The problem is that I have a PC connected on the LAN side of the 5510 and that is unable to ping any internet IPs. I can ping the 5510's LAN IP from the PC but the packets aren't being forwarded over to the WAN interface for some reason. I can't ping the WAN IP of the 5510 either.

Can anyone share some insight? I've attached the configuration of the 5510 before setting up PAT as per this document --->> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b1ee95.shtml

Thanks in advance.

Correct Answer
Federico Coto F... Tue, 09/07/2010 - 13:12

Hi Felix,

To provide Internet through the ASA, normally you do the following:

nat (inside) 1 0 0

global (outside) 1 interface

To be able to PING you also add:

policy-map global_policy
class inspection_default

   inspect icmp

If the ASA has a private IP on its public interface, I assume the DSL is doing NAT for that IP (since you can PING internet from the ASA).

You can try the above and check the results.

Federico.

Felix Bowman Tue, 09/07/2010 - 13:15

Hey Federico. Thanks for the response.

I'm using version 8.3 so the global command doesn't exist in this version of the OS anymore and nat is implemented differently.

I'll add the inspect icmp and let you know what happens.

mirober2 Tue, 09/07/2010 - 13:50

Hi Felix,

Can you check the output of this command:

packet-tracer in lan icmp 192.168.5.x 8 0 4.2.2.2

That should help narrow down the problem.

-Mike

mirober2 Tue, 09/07/2010 - 13:51

Also, double check the output of 'show route' to make sure your default gateway is being set by PPPoE correctly.

-Mike

Correct Answer
Federico Coto F... Tue, 09/07/2010 - 13:50

Do the following test.

Can you PING the default gateway of the ASA from the inside computer?

Check the ''sh xlate'' and see if it's building the translation.

Also can do:

packet-tracer input inside tcp x.x.x.x 1024 198.133.219.25 80  (x.x.x.x is the inside IP of the computer)

This will show the results of attempting a connection on TCP port 80 to IP 198

Federico.

Felix Bowman Tue, 09/07/2010 - 14:10

This is the result of the packet trace:

Result of the command: "packet-tracer input lan icmp 192.168.5.1 8 0 4.2.2.2"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         wan

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network Inside
nat (lan,wan) dynamic interface
Additional Information:
Dynamic translate 192.168.5.1/0 to 69.73.200.137/34850

Phase: 5
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 48, packet dispatched to next module

Result:
input-interface: lan
input-status: up
input-line-status: up
output-interface: wan
output-status: up
output-line-status: up
Action: allow

Felix Bowman Tue, 09/07/2010 - 14:12

This is the result of the show route command:

Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 216.110.96.1 to network 0.0.0.0

C    192.168.15.0 255.255.255.0 is directly connected, Management
C    192.168.5.0 255.255.255.0 is directly connected, lan
S*   0.0.0.0 0.0.0.0 [1/0] via 216.110.96.1, wan

Thanks for all the responses so far! I really appreciate it.

Correct Answer
golly_wog Tue, 09/07/2010 - 15:32

Hey Bro

Can you

"logging enable"

"logging buffered 7"

run the ping from the LAN host and then do a "sh logg", we are looking for the icmp connection being built along with the xlate as the others pointed out.

It sounds like the default gateway of your hosts might be screwed...

cheers ears

Correct Answer
mirober2 Wed, 09/08/2010 - 05:14

Hi Felix,

I agree with Golly and the others--it looks like the problem may be with your default gateway/routing. Are you sure the 'show route' output looks correct? It looks like the ASA is allowing the ICMP traffic and taking the correct translation.

To confirm this, you can setup packet captures for ICMP traffic on the outside interface of the ASA:

https://supportforums.cisco.com/docs/DOC-1222

My guess is that you'll see the echo request headed out toward the Internet, but nothing coming back in.

Hope that helps.

-Mike
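The triage the replies describe (does the ASA allow and translate the flow, does the default route exist and point out the right interface, or is the problem beyond the ASA) can be automated from the two outputs Felix posted. The following script is an added example, not part of the thread; the sample texts inside it are constructed in the shape of the posted outputs, with documentation addresses, and the function names are my own.

```python
import re

# Constructed sample shaped like the packet-tracer output posted above, trimmed to two
# phases and changed to a DROP case; addresses are documentation ranges, not real ones.
TRACE = """Phase: 1
Type: NAT
Result: ALLOW
Dynamic translate 192.168.5.1/0 to 203.0.113.7/34850

Phase: 2
Type: ACCESS-LIST
Result: DROP

Result:
input-interface: lan
output-interface: wan
Action: drop
"""
ROUTE = """Gateway of last resort is 198.51.100.1 to network 0.0.0.0
S*   0.0.0.0 0.0.0.0 [1/0] via 198.51.100.1, wan
"""

def parse_trace(text):
    """Pull the final action, first DROP phase, NAT mapping and egress interface."""
    info = {"action": None, "drop_phase": None, "nat": None, "out_if": None}
    for block in re.split(r"\n\s*\n", text.strip()):
        kv = dict(re.findall(r"^([\w-]+):[ \t]*(\S.*)$", block, re.M))
        if kv.get("Result") == "DROP" and info["drop_phase"] is None:
            info["drop_phase"] = kv.get("Type")          # phase that rejected the packet
        nat = re.search(r"translate (\S+) to (\S+)", block)
        if nat:
            info["nat"] = nat.groups()                    # (original, translated) address
        info["action"] = kv.get("Action", info["action"])
        info["out_if"] = kv.get("output-interface", info["out_if"])
    return info

def default_route(text):
    """Return (next hop, egress interface) of the S* default route, or None if absent."""
    m = re.search(r"^S\*\s+0\.0\.0\.0 0\.0\.0\.0 \[\d+/\d+\] via (\S+), (\S+)", text, re.M)
    return m.groups() if m else None

def triage(trace_text, route_text):
    t, r = parse_trace(trace_text), default_route(route_text)
    if r is None:
        return "no default route on the ASA: check the PPPoE or static default route"
    if t["action"] != "allow":
        return f"ASA drops the packet in phase {t['drop_phase']}"
    if t["out_if"] != r[1]:
        return f"egress {t['out_if']} does not match the default-route interface {r[1]}"
    return "ASA allows and translates the flow; check the host default gateway and the return path"
```

Run against the outputs in this thread (allow, NAT to the interface address, S* route out of wan) it lands on the last branch, which is the conclusion the replies reached.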

Nagaraja Thanthry Tue, 09/07/2010 - 18:42

Hello,

Your firewall seems to be sending data outside fine. What is the DNS server you are using for your hosts? Please try using 4.2.2.2 as your DNS server and see if that helps.

If you want to check ping connectivity, please try the following command:

icmp permit any echo-reply outside

Hope this helps.

Regards,

NT

Felix Bowman Wed, 09/08/2010 - 05:05

Setting the DNS on the host to 4.2.2.2 didn't help. The host still can't ping anything outside.

Felix Bowman Wed, 09/08/2010 - 11:40

Hey guys, I got the problem sorted out. The gateway being botched was indeed the problem.

Thanks a lot for your input and insights. I really appreciate it.

golly_wog Wed, 09/08/2010 - 14:39

Hey Brother - give me some points, I told you what the issue was and my magical seeing crystal ball didn't come cheap!

;-)

Federico Coto F... Wed, 09/08/2010 - 15:01

Hey Golly,

Reading through the post you indeed provided the answer.

So... I gave you +5 because of that and because the points seem to be getting a lot harder to get lately ;-)

Federico.

Felix Bowman Thu, 09/09/2010 - 05:49

My apologies. I didn't realize that I could give more than one set of points.

Once again, I really appreciate the time and help that you all have given to me in getting this problem resolved.
