Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA-5505 no access from LAN to outside

Hi All: I'm a newbie Cisco user and seem to have FUBAR'd my router config. I have a single LAN (192.168.21/24) with a single public server and two VPNs. After configuration of the VPNs I can no longer reach anything outside from the LAN. Servers inside the LAN can't ping or resolve external IPs.

I keep staring at the config but I don't see what's blocking the internal network from connecting to the outside world?

: Saved

:

ASA Version 8.2(1)

!

hostname ciscoasa

enable password RQPm7xkzY.37Q.Ne encrypted

passwd RQPm7xkzY.37Q.Ne encrypted

names

name 192.168.22.0 vpn1

name 192.168.21.10 server2

name zzz.216.245.245 server2-public

name 192.168.21.51 server1

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.21.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address zzz.216.245.242 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

object-group service remotedesktop tcp

port-object eq 3389

object-group service DM_INLINE_TCP_0 tcp

group-object remotedesktop

port-object eq www

port-object eq https

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

protocol-object tcp

access-list outside_access_in extended permit tcp any host server2-public object-group DM_INLINE_TCP_0

access-list outside_access_in extended permit ip any host server2

access-list outside_cryptomap extended permit ip 192.168.21.0 255.255.255.0 vpn2.20.8.192 255.255.255.224

access-list outside_cryptomap extended permit tcp 192.168.21.0 255.255.255.0 vpn2.20.8.192 255.255.255.224

access-list outside_cryptomap extended permit icmp 192.168.21.0 255.255.255.0 vpn2.20.8.192 255.255.255.224

access-list outside_cryptomap extended permit udp 192.168.21.0 255.255.255.0 vpn2.20.8.192 255.255.255.224

access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_2 192.168.21.0 255.255.255.0 vpn1 255.255.255.0

access-list NONAT extended permit ip 192.168.21.0 255.255.255.0 vpn2 255.255.255.224

access-list NONAT extended permit ip 192.168.21.0 255.255.255.0 vpn1 255.255.255.0

access-list outside_cryptomap_2 extended permit ip 192.168.21.0 255.255.255.0 vpn1 255.255.255.0

access-list inside_access_in extended permit tcp host server2 192.168.21.0 255.255.255.0 inactive

access-list inside_access_in extended permit tcp host server2 any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool clientVPN 192.168.19.10-192.168.19.20 mask 255.255.255.248

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-621.bin

no asdm history enable

arp timeout 14400

global (outside) 1 server2-public

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) server2-public server2 netmask 255.255.255.255

static (outside,inside) server2 server2-public netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 zzz.216.245.241 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.21.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map1 1 match address outside_cryptomap

crypto map outside_map1 1 set pfs group5

crypto map outside_map1 1 set peer zzz.198.199.249

crypto map outside_map1 1 set transform-set ESP-AES-256-SHA

crypto map outside_map1 1 set nat-t-disable

crypto map outside_map1 2 match address outside_cryptomap_1

crypto map outside_map1 2 set pfs group5

crypto map outside_map1 2 set peer xxx.74.200.198

crypto map outside_map1 2 set transform-set ESP-AES-256-SHA

crypto map outside_map1 2 set nat-t-disable

crypto map outside_map1 3 match address outside_cryptomap_2

crypto map outside_map1 3 set pfs group5

crypto map outside_map1 3 set peer yyy.86.176.218

crypto map outside_map1 3 set transform-set ESP-AES-128-SHA

crypto map outside_map1 3 set nat-t-disable

crypto map outside_map1 interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha

group 5

lifetime 28800

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

crypto isakmp policy 20

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 40

authentication pre-share

encryption aes

hash sha

group 2

lifetime 28800

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 192.168.21.200-192.168.21.220 inside

dhcpd dns 192.168.21.21 interface inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy admins internal

group-policy admins attributes

vpn-tunnel-protocol svc webvpn

webvpn

  url-list none

  svc ask enable

username user1 password BnP4oFE0lYFNYi3z encrypted privilege 0

username user1 attributes

vpn-group-policy admins

username admin1 password u6X0S5AMkqoOgmEg encrypted privilege 15

username admin1 attributes

service-type admin

username user2 password aZ5Twsd5dVRxpzaI encrypted privilege 0

username user2 attributes

vpn-group-policy admins

username user3 password 8DT3.DeM1K6vSVsL encrypted privilege 0

username user3 attributes

vpn-group-policy admins

tunnel-group admin type remote-access

tunnel-group admin general-attributes

address-pool clientVPN

default-group-policy admins

tunnel-group zzz.198.199.249 type ipsec-l2l

tunnel-group zzz.198.199.249 ipsec-attributes

pre-shared-key *

tunnel-group xxx.74.200.198 type ipsec-l2l

tunnel-group xxx.74.200.198 ipsec-attributes

pre-shared-key *

tunnel-group yyy.86.176.218 type ipsec-l2l

tunnel-group yyy.86.176.218 ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:96ef72aff7d98c9b62813cc932654157

: end

asdm image disk0:/asdm-621.bin

asdm location vpn2.16.102.32 255.255.255.224 inside

asdm location vpn1 255.255.255.0 inside

asdm location vpn2 255.255.255.224 inside

asdm location 192.168.19.0 255.255.255.0 inside

asdm location 192.168.21.224 255.255.255.248 inside

asdm location server2 255.255.255.255 inside

asdm location server2-public 255.255.255.255 inside

asdm location server1 255.255.255.255 inside

no asdm history enable

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

ASA-5505 no access from LAN to outside

Normally an ASA permits traffic by default from a higher security interface to a lower one (i.e., inside to outside).

However once you put an access-list on the inside interface, there is an implicit deny added for that interface once traffic has been compared to the access-list entries. So,

     access-list inside_access_in extended permit tcp host server2 any

     access-group inside_access_in in interface inside

...tells the ASA to allow only server2 (192.168.21.10) traffic. All other traffic into the inside interface will be denied.

3 REPLIES
Hall of Fame Super Silver

ASA-5505 no access from LAN to outside

Normally an ASA permits traffic by default from a higher security interface to a lower one (i.e., inside to outside).

However once you put an access-list on the inside interface, there is an implicit deny added for that interface once traffic has been compared to the access-list entries. So,

     access-list inside_access_in extended permit tcp host server2 any

     access-group inside_access_in in interface inside

...tells the ASA to allow only server2 (192.168.21.10) traffic. All other traffic into the inside interface will be denied.

New Member

ASA-5505 no access from LAN to outside

Thanks Marvin: So, I'm not sure why I added that ACL for server2...but having disabled it, I still can't seem to get any traffic from inside the network through the default IF. I tried adding a new rule to the inside IF allowing any-any, but that didn't work either.

But then I noticed that there was an implicit rule for IPv6 traffic that said "Any less secure network" as the destination, and it couldn't be edited in the ASDM GUI...but that didn't appear in the IPv4 "inside" Access Rules...so I deleted each disabled access rule one-by-one, and after deleting the last one, the implicit rule popped back up and everything started working...

thanks for putting me on the correct path!

Hall of Fame Super Silver

ASA-5505 no access from LAN to outside

You're welcome. Glad it helped.

213
Views
0
Helpful
3
Replies