New ASA 5505 - inside cannot access outside addresses

veleveque1
Level 1

I was using an old Pix 501, and am having trouble getting the ASA 5505 to send internal traffic to the outside. I originally thought it was the lack of a default gateway, but that seems to be configured (When I try to manually set one up, I get a message it is already there).

My ISP provides me with a static IP address range on the outside, 67.115.92.192/29.  The external GW is 67.115.92.193, and I set the outside interface of my FW to 67.115.92.198

Can't quite figure out how to get internal addresses to properly translate and send to the outside interface.  I've searched these forums, but the only answer I can find is "open a TAC case with Cisco"

I'm using ASDM to configure, but logging into the console gives the following config:

ciscoasa# sho config
: Saved
: Written by enable_15 at 20:04:02.428 UTC Thu Aug 28 2008
!
ASA Version 8.2(5)
!
hostname ciscoasa
enable password blahblahblah encrypted
passwd blahblahblah encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.115.92.198 255.255.255.248
!
ftp mode passive
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.190-192.168.1.200 inside
dhcpd dns 68.94.156.1 68.94.157.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:76ab7ed1cac11d6b62fc57f9ab330c0f

7 Replies

Julio Carvajal
VIP Alumni

Hello Vincent,

The .198 is the broadcast address! It cannot be used.

I still do not see the route statement

can you share show route?

Please check your inbox

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I changed the interface address and explicitly included a default route.  I can ping the ISP default GW from the ASA, but internal devices on 192.168.1.0/24 still don't seem to get out.  Is the default GW statement correct?  I did not add a trunk stmt to the E0/0 interface yet - would this help?

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.115.92.193 1

AND

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 67.115.92.197 255.255.255.248

Hello Vincent,

Regarding the trunk: No, that will not help.

Do the following:

1) Add the following commands

Fixup Protocol ICMP
capture capin interface inside match icmp any host 4.2.2.2
cap capout interface outside match icmp any host 4.2.2.2

2) From an internal machine ping 4.2.2.2

3) Provide me the output of

Show run access-Group
show cap capin
show cap capout

Let me know if you read the message I sent you to our inbox (Reply over there)

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry about the delay - this is my home machine so I only work on it after-hours.

Everything looks good based on your advice...

fixup protocol icmp

gave me the message

  INFO Converting fixup protocol icmp to MPF commands

ping to 4.2.2.2 gives a reply (very good)

Here are the results of the 3 commands you requested:

ciscoasa(config)# show run access-group
ciscoasa(config)# show cap capin
8 packets captured
   1: 22:51:41.303649 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   2: 22:51:41.341321 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
   3: 22:51:42.310912 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   4: 22:51:42.326032 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
   5: 22:51:43.312316 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   6: 22:51:43.327558 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
   7: 22:51:44.313765 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   8: 22:51:44.329038 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
8 packets shown
ciscoasa(config)# show cap capout
8 packets captured
   1: 22:51:41.304122 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   2: 22:51:41.341260 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
   3: 22:51:42.311171 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   4: 22:51:42.326002 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
   5: 22:51:43.312560 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   6: 22:51:43.327512 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
   7: 22:51:44.314009 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   8: 22:51:44.329008 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
8 packets shown
ciscoasa(config)#

I will try a Web site next - previously the DNS UDP traffic wasn't getting through.

Hello Vincent,

As you saw, traffic is going back and forth now.

Make sure you have a DNS on your computer and try some googling around

Let me know how it goes,

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

vishaw jasrotia
Level 1

Hey Vincent,

Make a default route towards the ISP.

And make

interface Ethernet0/0 a trunk interface.

Hope this helps you

Thanks & regards

Vishaw

can you ping 4.2.2.2 from the ASA?

Have you confirmed that the PCs receive the correct IP addresses and default gateway? If they are getting a correct IP and default gateway, can you ping the ASA inside interface from the PCs? (You might have to add permit statements to allow pinging the ASA itself.)

Also, the address 67.115.92.198 is fine; 67.115.92.199 is the broadcast address.

--
Please remember to select a correct answer and rate helpful posts
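Two points in this thread are worth checking mechanically rather than by eye: which address of the ISP block 67.115.92.192/29 is really the broadcast (the replies above disagree), and whether the capin/capout output shows the ping being translated on the way out and untranslated on the way back. The Python below is an added example, not from the thread or from Cisco: it lists the usable hosts of the block and walks the captured ping across both interfaces, naming the first point where it stops. The capture lines are copied from the post above; the helper names, the verdict strings and the constructed "leak" case in the usage note are this example's own.

```python
"""Check the ISP block addressing and walk a ping through the two captures.
Added example, not from the thread or from Cisco. The capture lines are
copied from the post above; the helper names and verdicts are this example's own."""
import ipaddress
import re

ISP_BLOCK = "67.115.92.192/29"    # static range given by the ISP
OUTSIDE_IF = "67.115.92.197"      # outside interface after the readdress
INSIDE_HOST = "192.168.1.2"       # PC that ran the ping
TARGET = "4.2.2.2"                # ping target used in the test

# "show cap capin" / "show cap capout" output, copied from the thread.
CAPIN = """\
   1: 22:51:41.303649 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   2: 22:51:41.341321 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
   3: 22:51:42.310912 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   4: 22:51:42.326032 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
   5: 22:51:43.312316 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   6: 22:51:43.327558 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
   7: 22:51:44.313765 802.1Q vlan#1 P0 192.168.1.2 > 4.2.2.2: icmp: echo request
   8: 22:51:44.329038 802.1Q vlan#1 P0 4.2.2.2 > 192.168.1.2: icmp: echo reply
"""
CAPOUT = """\
   1: 22:51:41.304122 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   2: 22:51:41.341260 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
   3: 22:51:42.311171 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   4: 22:51:42.326002 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
   5: 22:51:43.312560 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   6: 22:51:43.327512 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
   7: 22:51:44.314009 802.1Q vlan#2 P0 67.115.92.197 > 4.2.2.2: icmp: echo request
   8: 22:51:44.329008 802.1Q vlan#2 P0 4.2.2.2 > 67.115.92.197: icmp: echo reply
"""

def subnet_facts(block):
    """Network, broadcast and usable host addresses of an IPv4 block."""
    net = ipaddress.ip_network(block, strict=True)
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "usable": [str(h) for h in net.hosts()]}

def is_usable_host(block, addr):
    """True if addr may be given to an interface in the block (neither the
    network nor the broadcast address)."""
    net = ipaddress.ip_network(block, strict=True)
    return ipaddress.ip_address(addr) in set(net.hosts())

CAP_LINE = re.compile(
    r"^\s*(?P<num>\d+): (?P<ts>\d\d:\d\d:\d\d\.\d+) (?:802\.1Q vlan#\d+ P\d+ )?"
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)\s*$")

def parse_capture(text):
    """Turn ICMP lines of 'show cap' output into dicts; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            p = m.groupdict()
            p["num"] = int(p["num"])
            pkts.append(p)
    return pkts

def count(pkts, kind, src, dst):
    return sum(1 for p in pkts if (p["kind"], p["src"], p["dst"]) == (kind, src, dst))

def diagnose(capin_text, capout_text, inside_host=INSIDE_HOST,
             outside_if=OUTSIDE_IF, target=TARGET):
    """Follow the ping across both interfaces and name the first point where
    it stops. Returns (verdict, counts)."""
    capin, capout = parse_capture(capin_text), parse_capture(capout_text)
    c = {"in_req": count(capin, "request", inside_host, target),   # PC -> inside
         "out_req": count(capout, "request", outside_if, target),  # PAT'd, left outside
         "out_rep": count(capout, "reply", target, outside_if),    # came back from ISP
         "in_rep": count(capin, "reply", target, inside_host),     # untranslated, to PC
         "leak": count(capout, "request", inside_host, target)}    # private src outside
    if c["in_req"] == 0:
        verdict = "no requests on inside: check PC address, gateway and VLAN"
    elif c["leak"]:
        verdict = "private source seen on outside: NAT rule not matching"
    elif c["out_req"] == 0:
        verdict = "requests never left: check NAT and default route"
    elif c["out_rep"] == 0:
        verdict = "no replies from upstream: ISP path or return route"
    elif c["in_rep"] < c["out_rep"]:
        verdict = "replies dropped on the way back: ICMP inspection or ACL"
    else:
        verdict = "ok"
    return verdict, c

if __name__ == "__main__":
    facts = subnet_facts(ISP_BLOCK)
    print("usable:", facts["usable"][0], "-", facts["usable"][-1],
          "broadcast:", facts["broadcast"])
    print(*diagnose(CAPIN, CAPOUT))
```

On the thread's own output this reports the /29 as usable .193 through .198 with .199 as broadcast, and the verdict "ok" with four requests and four replies on each side, which is what the captures above show. Feeding it an empty capout (nothing left the box) yields "requests never left", and a constructed capout line whose source is still 192.168.1.2 yields "private source seen on outside", the signature of a NAT rule that does not match the inside traffic.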