ASA 5505 Unable to Get To Internet

marcbilyou
Level 1

First time attempting to set up a 5505. Trying to replace a SnapGear firewall and replicate the settings to the 5505. The config is below... thanks in advance!

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.x.x.x 255.255.255.0
!
interface Vlan12
 description Test
 nameif Test
 security-level 100
 ip address 192.8.10.1 255.255.255.0
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 8.8.4.4
access-list outside_in extended permit tcp any interface outside eq lpd
access-list outside_in extended permit tcp any interface outside eq 9100
access-list outside_in extended permit tcp any interface outside eq pcanywhere-data
access-list outside_in extended permit tcp any interface outside eq 5632
access-list outside_in extended permit tcp any interface outside eq 563
access-list outside_in extended permit tcp any interface outside eq 1658
access-list outside_in extended permit tcp any interface outside eq 2462
access-list outside_in extended permit tcp any interface outside eq 2463
access-list outside_in extended permit tcp any interface outside eq 2464
access-list outside_in extended permit tcp any interface outside eq 2466
access-list outside_in extended permit tcp any interface outside eq 2470
access-list outside_in extended permit tcp any interface outside eq 2474
access-list outside_in extended permit tcp any interface outside eq 2459
access-list outside_in extended permit tcp any interface outside eq 2460
access-list outside_in extended permit tcp any interface outside eq 2475
access-list outside_in extended permit tcp any interface outside eq 2471
access-list outside_in extended permit tcp any interface outside eq 2484
access-list outside_in extended permit tcp any interface outside eq 2485
access-list outside_in extended permit tcp any interface outside eq 2458
access-list outside_in extended permit tcp any interface outside eq 2465
access-list outside_in extended permit tcp any interface outside eq 2473
access-list outside_in extended permit tcp any interface outside eq 2476
access-list outside_in extended permit tcp any interface outside eq 2490
access-list outside_in extended permit tcp any interface outside eq 2491
access-list outside_in extended permit tcp any interface outside eq 2472
access-list outside_in extended permit tcp any interface outside eq 2467
access-list outside_in extended permit tcp any interface outside eq 2468
access-list outside_in extended permit tcp any interface outside eq 5555
access-list outside_in extended permit tcp any interface outside eq 2493
access-list outside_in extended permit tcp any interface outside eq 2461
access-list outside_in extended permit tcp any interface outside eq www
access-list outside_in extended permit tcp any interface outside eq 2494
access-list outside_in extended permit tcp any interface outside eq ftp
access-list outside_in extended permit tcp any interface outside eq 2469
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Test 1500
ip local pool Root_Address_Pool 192.168.1.250-192.168.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface lpd 192.168.1.75 lpd netmask 255.255.255.255
static (inside,outside) tcp interface 9100 192.168.1.75 9100 netmask 255.255.255.255
static (inside,outside) tcp interface pcanywhere-data 192.168.1.77 pcanywhere-data netmask 255.255.255.255
static (inside,outside) tcp interface 5632 192.168.1.77 5632 netmask 255.255.255.255
static (inside,outside) tcp interface 563 192.168.1.207 563 netmask 255.255.255.255
static (inside,outside) tcp interface 1658 192.168.1.207 1658 netmask 255.255.255.255
static (inside,outside) tcp interface 2462 192.168.1.67 2462 netmask 255.255.255.255
static (inside,outside) tcp interface 2463 192.168.1.105 2463 netmask 255.255.255.255
static (inside,outside) tcp interface 2464 192.168.1.98 2464 netmask 255.255.255.255
static (inside,outside) tcp interface 2466 192.168.1.96 2466 netmask 255.255.255.255
static (inside,outside) tcp interface 2470 192.168.1.70 2470 netmask 255.255.255.255
static (inside,outside) tcp interface 2474 192.168.1.97 2474 netmask 255.255.255.255
static (inside,outside) tcp interface 2459 192.168.1.102 2459 netmask 255.255.255.255
static (inside,outside) tcp interface 2460 192.168.1.104 2460 netmask 255.255.255.255
static (inside,outside) tcp interface 2475 192.168.1.90 2475 netmask 255.255.255.255
static (inside,outside) tcp interface 2471 192.168.1.76 2471 netmask 255.255.255.255
static (inside,outside) tcp interface 2484 192.168.1.77 2484 netmask 255.255.255.255
static (inside,outside) tcp interface 2485 192.168.1.108 2485 netmask 255.255.255.255
static (inside,outside) tcp interface 2458 192.168.1.153 2458 netmask 255.255.255.255
static (inside,outside) tcp interface 2465 192.168.1.156 2465 netmask 255.255.255.255
static (inside,outside) tcp interface 2473 192.168.1.247 2473 netmask 255.255.255.255
static (inside,outside) tcp interface 2476 192.168.1.71 2476 netmask 255.255.255.255
static (inside,outside) tcp interface 2490 192.168.1.174 2490 netmask 255.255.255.255
static (inside,outside) tcp interface 2491 192.168.1.90 2491 netmask 255.255.255.255
static (inside,outside) tcp interface 2472 192.168.1.171 2472 netmask 255.255.255.255
static (inside,outside) tcp interface 2467 192.168.1.110 2467 netmask 255.255.255.255
static (inside,outside) tcp interface 2468 192.168.1.121 2468 netmask 255.255.255.255
static (inside,outside) tcp interface 5555 192.168.1.109 5555 netmask 255.255.255.255
static (inside,outside) tcp interface 2493 192.168.1.133 2493 netmask 255.255.255.255
static (inside,outside) tcp interface 2461 192.168.1.185 2461 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.133 www netmask 255.255.255.255
static (inside,outside) tcp interface 2494 192.168.1.143 2494 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.133 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 2469 192.168.1.161 2469 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8
dhcpd auto_config outside
!
dhcpd address 192.168.1.160-192.168.1.170 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc enable
group-policy root internal
group-policy root attributes
 vpn-tunnel-protocol svc
username marc password SOoNa5RWkx5P2AUX encrypted privilege 0
username marc attributes
 vpn-group-policy root
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool Root_Address_Pool
 default-group-policy root
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:af8a84dd9c2857610b44de42ce9d056e
: end

12 Replies

Julio Carvajal
VIP Alumni

Hello Marc,

You are unable to go to the internet from which interface?

Interface vlan 1 seems to have all the configuration required to go out; now, regarding vlan 12, you are missing the NAT configuration:

nat (test) 1 0 0

That should do it,

Regards,

Do please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry, I didn't specify: I cannot get out when directly connected to vlan 1 on port 6.

Hello Marc,

OK, let's do some troubleshooting questions on this:

1- Can you ping from the ASA to the default gateway (DSL)?

2- Can you ping from the ASA to 4.2.2.2?

3- Can you ping from the computer connected to port 6 to the ASA inside interface?

4- Provide the following output:

packet-tracer input inside tcp 192.168.1.15 1025 4.2.2.2 80

5- What DNS are you using? (If local, please use 4.2.2.2 and try it one more time.)

I will be more than glad to help, so please provide the answers.

Do rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I took the unit offsite, changed the outside address, and all worked.

The site that doesn't work uses an Actiontec modem from FiOS. Is there any configuration which would need to be done on that end? Or how would I troubleshoot this new scenario?

Thank you so much for all of your help with this.

Have you tried rebooting the Actiontec modem and any other devices in the path after connecting the ASA 5505 in place of the SnapGear firewall? That clears the ARP on the provider modem.

hth

MS

Unfortunately, I did already. No luck.

Hello Marc,

Good thing is that as I told you previously the configuration on the ASA is good.

Now, regarding the new issue: as MS suggested, it looks like an ARP issue.

Can you do the following:

interface vlan 2

ip address 2.2.2.2 255.255.255.224

ip address 71.x.x.x 255.255.255.0

This will generate a gratuitous ARP; the modem will learn that the IP address 71.x.x.x has the MAC address of the ASA.

Do please rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, so I took the Actiontec out of the equation and all is working.

The only problem I have left that I found so far is that when I try to connect to someone's remote VPN from inside our network, I am unable to establish a connection.

The Cisco VPN client is set to use the default port 10000.

How do I open the firewall up so that it will allow this outgoing connection? Thanks again!

Your inside address range and remote access IP pool are in the same range:

ip local pool Root_Address_Pool 192.168.1.250-192.168.1.254 mask 255.255.255.0

This will cause access issues. Try changing the remote access pool to a different range, e.g. 192.168.20.x.

Thx

MS
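A small config lint, added here as an example and not code from the thread or from Cisco, that flags the two problems raised above: the VPN address pool overlapping the inside subnet (MS's point) and the Vlan12 "Test" interface having no nat statement (Julio's first reply). It parses a constructed excerpt of the posted config; 203.0.113.2 is a placeholder for the masked outside address 71.x.x.x.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread; 203.0.113.2 is a
# placeholder for the masked outside address 71.x.x.x.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface Vlan12
 nameif Test
 ip address 192.8.10.1 255.255.255.0
ip local pool Root_Address_Pool 192.168.1.250-192.168.1.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def parse_interfaces(cfg):
    """Map each nameif to the ip_network of the 'ip address' line under it."""
    nets, name = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()[:4]
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets

def pool_overlaps(cfg):
    """(pool, nameif) pairs where a VPN address pool falls inside a directly
    connected interface subnet, the clash MS pointed out."""
    nets, found = parse_interfaces(cfg), []
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        lo, hi = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
        for nameif, net in nets.items():
            if lo in net or hi in net:
                found.append((m.group(1), nameif))
    return found

def interfaces_without_nat(cfg):
    """Named interfaces that appear in no 'nat (x)' or 'global (x)' line, the
    Vlan12 'Test' gap Julio flagged. Names are matched case-insensitively so
    the suggested 'nat (test) 1 0 0' satisfies the check for nameif 'Test'."""
    covered = {m.group(1).lower()
               for m in re.finditer(r"^(?:nat|global) \((\S+)\)", cfg, re.M)}
    return [n for n in parse_interfaces(cfg) if n.lower() not in covered]
```

Run `pool_overlaps(ASA_CONFIG)` and `interfaces_without_nat(ASA_CONFIG)` against the excerpt; the first returns the Root_Address_Pool/inside clash and the second returns ["Test"].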

Hello Marc,

So this is an outbound connection; you do not have any ACL on the inside interface of the ASA, so all the communication being started on this side should be accepted.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Correct, this is an outbound connection, but do any inbound ports need to be opened for the Cisco VPN client to work?

Hello Marc,

This seems to be a problem on the other side. You can create captures on your ASA so you can confirm the packets are being delivered properly, but you do not need to open something for the return traffic.

Hope this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC