Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5505 not connecting to the internet

My ASA 5505 9.1 previously worked but I recently swapped out my modem (different issue).  The new modem is bridged so my ASA gets an IP address from the ISP.

Internet ------ SB6141 modem ---------- ASA ---------- rest of network (direct connection or router)

I have no issues connecting to the ASA and when I remove the ASA my router properly connects to the internet.  

Things I have tried

  1. Setting static address for ASA outside interface
  2. Pinging 8.8.8.8 from ASDM (ping fails in ASDM but works in CLI)
  3. Modifying the NAT
  4. Successful packet trace
  5. Reading multiple other forum entries

I can't figure out what is blocking the traffic to the outside.  Below is my running-config.

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

xlate per-session deny tcp any4 any4

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 10.0.1.0 Wireless

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address dhcp setroute 

!

boot system disk0:/asa914-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns domain-lookup inside

object network obj-192.168.2.0

 subnet 192.168.2.0 255.255.255.248

object network obj_any

 subnet 0.0.0.0 0.0.0.0

object network Wireless

 subnet 10.0.1.0 255.255.255.0

 description Created during name migration

object network NETWORK_OBJ_192.168.2.0_29

 subnet 192.168.2.0 255.255.255.248

object network obj_any_1

 subnet 0.0.0.0 0.0.0.0

 description Outside

object-group protocol TCPUDP

 protocol-object udp

 protocol-object tcp

object-group service DM_INLINE_TCP_1 tcp

 port-object eq www

 port-object eq https

object-group service DM_INLINE_TCP_2 tcp

 port-object eq 4444

 port-object eq 4445

 port-object eq 4446

object-group service Wemo tcp-udp

 port-object eq 3478

object-group service DM_INLINE_SERVICE_1

 service-object udp destination eq 1701 

 service-object tcp destination eq pptp 

 service-object udp destination eq 4500 

 service-object udp destination eq isakmp 

 service-object tcp destination eq 50 

 service-object tcp destination eq 51 

 service-object tcp destination eq 44000 

object-group service DM_INLINE_TCP_3 tcp

 port-object eq 4444

 port-object eq 4445

 port-object eq 4446

 port-object eq 5900

 port-object eq 5901

object-group network DM_INLINE_NETWORK_1

 network-object host 217.79.189.135

 network-object host 24.197.239.70

object-group service DM_INLINE_TCP_4 tcp

 port-object eq 5900

 port-object eq 5901

object-group service DM_INLINE_TCP_5 tcp

 port-object eq www

 port-object eq https

access-list inside_access_in extended permit object-group TCPUDP object Wireless any 

access-list inside_access_in extended permit icmp object Wireless any 

access-list inside_access_in extended permit ip object Wireless any 

access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 any 

access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any 

access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group DM_INLINE_TCP_5 

access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any 

access-list inside_access_in extended permit icmp 192.168.2.0 255.255.255.0 any 

access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any 

access-list inside_access_in extended permit object-group TCPUDP 192.168.2.0 255.255.255.0 any 

access-list inside_nat0_outbound extended permit ip any4 192.168.2.0 255.255.255.248 

access-list inside_nat0_outbound extended permit tcp any4 192.168.2.0 255.255.255.248 

access-list inside_nat0_outbound_1 extended permit ip any4 192.168.2.0 255.255.255.248 

access-list outside_access_in extended permit tcp any object AppleRouter object-group DM_INLINE_TCP_2 

access-list outside_access_in remark VNC

access-list outside_access_in extended permit tcp any object AppleRouter object-group DM_INLINE_TCP_4 

access-list outside_access_in extended deny tcp object-group DM_INLINE_NETWORK_1 any object-group DM_INLINE_TCP_3 

access-list outside_access_in remark Migration, ACE (line 2) expanded: permit tcp any4 interface outside object-group DM_INLINE_TCP_1

access-list outside_access_in extended permit tcp any4 0.0.0.0 0.0.0.0 eq www 

access-list outside_access_in extended permit tcp any4 0.0.0.0 0.0.0.0 eq https 

access-list outside_access_in remark ICMP config

access-list outside_access_in extended permit icmp any4 0.0.0.0 0.0.0.0 

access-list outside_access_in extended permit tcp any4 object AppleRouter object-group Wemo 

access-list outside_access_in extended permit udp any4 object AppleRouter object-group Wemo 

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any4 interface outside 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715-100.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,any) source static any any destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup inactive

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_29 NETWORK_OBJ_192.168.2.0_29 no-proxy-arp route-lookup inactive

!

object network AppleRouter-4500

 nat (inside,outside) static interface service tcp 4500 4500 

object network AppleRouter-4444

 nat (inside,outside) static interface service tcp 4444 4444 

object network AppleRouter-5901

 nat (inside,outside) static interface service tcp 5901 5901 

object network AppleRouter-5900

 nat (inside,outside) static interface service tcp 5900 5900 

object network AppleRouter-4445

 nat (inside,outside) static interface service tcp 4445 4445 

object network AppleRouter-4446

 nat (inside,outside) static interface service tcp 4446 4446 

object network Wemo-tcp

 nat (inside,outside) static interface service tcp 3478 3478 

object network Wemo-udp

 nat (inside,outside) static interface service udp 3478 3478 

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

 

telnet 192.168.1.0 255.255.255.0 inside

telnet Wireless 255.255.255.0 inside

telnet timeout 10

ssh 192.168.1.0 255.255.255.0 inside

ssh Wireless 255.255.255.0 inside

ssh timeout 10

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.254 inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!

  • Firewalling
Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Green

First lets eliminate the ASA

First lets eliminate the ASA as the problem, Connect a PC directly to one of the "inside" ports on the ASA and make sure it recieves an IP in the 192.168.1.0/24 range.

add this command to the ASA

object network obj_any
  nat (inside,outside) dynamic interface

now try to ping 8.8.8.8 or 4.2.2.2

If ping works, now add the router back into the loop and see if you are able to reach the internet again.

--

Please remember to select a correct answer and rate helpful posts

 

-- Please remember to rate and select a correct answer
4 REPLIES
VIP Green

First lets eliminate the ASA

First lets eliminate the ASA as the problem, Connect a PC directly to one of the "inside" ports on the ASA and make sure it recieves an IP in the 192.168.1.0/24 range.

add this command to the ASA

object network obj_any
  nat (inside,outside) dynamic interface

now try to ping 8.8.8.8 or 4.2.2.2

If ping works, now add the router back into the loop and see if you are able to reach the internet again.

--

Please remember to select a correct answer and rate helpful posts

 

-- Please remember to rate and select a correct answer
New Member

 Marius,Your answer was

 

Marius,

Your answer was perfect. I was connected directly to the ASA but needed the NAT statement to get through the outside interface. Somehow I must have deleted that NAT rule. I was able to ping and as soon as I connected the router everything was working. 

Is there any risk to leaving the any statement or should I change to something else?  I want to grant all outbound traffic from the inside interface.

VIP Green

In my opinion there is no big

In my opinion there is no big risk in leaving the command as is.  Had you used the command:

nat (any,outside) dynamic interface

then you would be looking at a risk. But as always it is best to be as specific as possible so removing that command from the any object and placing it under an object with a more specific subnet would be better.

--

Please remember to select a correct answer and rate helpful posts
 

-- Please remember to rate and select a correct answer
New Member

 Marius,Your answer was

*

208
Views
0
Helpful
4
Replies
This widget could not be displayed.