06-10-2012 11:31 AM - edited 03-11-2019 04:17 PM
Hi everyone, hopefully someone will help me out here as it's been two days and still no biscuit with trying to get my internal network talking to the world
Background stuff:
======================================================================================
SPN-ASA-01# show ver
Cisco Adaptive Security Appliance Software Version 8.4(3)
Device Manager Version 6.4(7)
Compiled on Fri 06-Jan-12 10:24 by builders
System image file is "disk0:/asa843-k8.bin"
Config file at boot was "startup-config"
SPN-ASA-01 up 46 mins 59 secs
Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 2048MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is c84c.7527.a2fc, irq 11
1: Ext: Ethernet0/0 : address is c84c.7527.a2f4, irq 255
2: Ext: Ethernet0/1 : address is c84c.7527.a2f5, irq 255
3: Ext: Ethernet0/2 : address is c84c.7527.a2f6, irq 255
4: Ext: Ethernet0/3 : address is c84c.7527.a2f7, irq 255
5: Ext: Ethernet0/4 : address is c84c.7527.a2f8, irq 255
6: Ext: Ethernet0/5 : address is c84c.7527.a2f9, irq 255
7: Ext: Ethernet0/6 : address is c84c.7527.a2fa, irq 255
8: Ext: Ethernet0/7 : address is c84c.7527.a2fb, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
======================================================================================
SPN-ASA-01# show config
: Saved
: Written by enable_15 at 18:27:36.729 UTC Sun Jun 10 2012
!
ASA Version 8.4(3)
!
hostname SPN-ASA-01
domain-name Alex.com
enable password qWIYV3TAiNmF9uuz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 100
!
interface Ethernet0/1
switchport access vlan 101
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 102
!
interface Vlan100
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
interface Vlan101
nameif INSIDE
security-level 100
ip address 10.10.0.99 255.255.255.0
!
interface Vlan102
nameif DMZ
security-level 50
ip address 10.10.2.1 255.255.255.0
!
boot system disk0:/asa843-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 194.168.4.100
name-server 192.168.8.100
domain-name Alex.com
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http server idle-timeout 5
http 10.10.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 10.10.0.0 255.255.255.0 INSIDE
telnet timeout 5
ssh 10.10.0.0 255.255.255.0 INSIDE
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3d3bdc95cf3bf31cf7dfa800e3cdf7c4
======================================================================================
ISP is Virgin Media, their modem (192.168.100.1) is connected to eth 0/0. Internet connectivity works like a charm on the ASA itself although I have only tested by pinging google and 8.8.8.8 - in both cases replies are received back.
Now, what doesn't work for me is the connectivity from my LAN through the ASA on eth 0/1 - I could swear that the config has all the relevant bits to actually be able to talk out?
Can anyone see any holes and/or have suggestions why it's not working?
I would really appreciate any input!
cheers,
Adrian
06-10-2012 01:51 PM
Hi,
Try adding:
object network obj_any
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
Remove:
nat (INSIDE,OUTSIDE) source dynamic any interface
Also enable 'inspect icmp'. Make sure your PC can ping the ASA inside interface and has correct DNS settings for internet browsing.
hth
MS
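For readers following the thread, here is an added ASA 8.4 configuration example (not the original poster's or the replier's config) that puts the suggested object NAT, the ICMP inspection, and the commands used to verify the result in one place. It keeps the page's interface names INSIDE and OUTSIDE; the host 10.10.0.50 is a constructed inside address used only for the verification commands.

```text
! Added example, not from the original post: object NAT + ICMP inspection
! on ASA 8.4(3), using the page's nameifs INSIDE and OUTSIDE.
! 10.10.0.50 is a constructed inside host used for verification only.

! 1. Remove the manual (twice) NAT rule from the posted config
no nat (INSIDE,OUTSIDE) source dynamic any interface

! 2. Object NAT: PAT every INSIDE host to the OUTSIDE interface address
!    ("interface" tracks the DHCP-assigned address, so it survives renewals)
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (INSIDE,OUTSIDE) dynamic interface

! 3. Stateful ICMP inspection so echo replies from the internet are allowed
!    back to the inside host without an inbound ACL on OUTSIDE
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global

! 4. Verification from the ASA CLI (exec mode)
! Rule is present; translate_hits increases once inside hosts send traffic
show nat detail
! Simulate an inside host opening TCP/80 and pinging 8.8.8.8; each phase
! (ROUTE-LOOKUP, NAT, INSPECT) should report ALLOW and end in "Action: allow"
packet-tracer input INSIDE tcp 10.10.0.50 40000 8.8.8.8 80
packet-tracer input INSIDE icmp 10.10.0.50 8 0 8.8.8.8
! Live translations: expect PAT entries mapping 10.10.0.50 to the OUTSIDE address
show xlate
```

If packet-tracer shows a drop in the NAT phase, the INSIDE host's default gateway is usually not 10.10.0.99 or the traffic is arriving on a different nameif than expected.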