Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
590
Views
0
Helpful
7
Replies

ASA 5512-X Still no connection

IOS_support
Level 1
Level 1

‎06-07-2014 12:40 PM - edited ‎03-11-2019 09:18 PM

I've appreciated those who have answered; I am not getting anywhere.  I cannot get out to the internet from the ASA

Thanks for your help; it didn't work or I've missed something w/ modifying the ASDM. Also; can I preface that we have it going this way w/ the Network  (MOdem; T1) ------ Firewall ------ Switch (unmanaged) 
Just so you know; in case I missed something. below is our config after the changes. I did the NAT thru the object was that incorrect? 

 

 

Result of the command: "show running-config"

: Saved
:
ASA Version 9.1(2) 
!
hostname IOSASA
domain-name IOS.LOCAL
enable password LCF3phzihasrhsIb encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif Outside
 security-level 0
 ip address 69.61.160.* 255.255.255.248 
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif Inside
 security-level 100
 ip address 191.10.10.1 255.255.255.0 
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
dns server-group DefaultDNS
 domain-name IOS.LOCAL
same-security-traffic permit inter-interface
object network Inside
 subnet 191.10.10.0 255.255.255.0
 description Inside IOS
pager lines 24
logging asdm informational
mtu management 1500
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network Inside
 nat (Inside,Outside) dynamic interface
route Outside 0.0.0.0 0.0.0.0 69.61.160.* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:0fb5c0e32efb6aaaada09167008f5a47
: end

Labels:
0 Helpful
7 Replies 7

Marius Gunnerud
VIP
VIP

‎06-07-2014 01:25 PM

Could you post the output of the following packet-tracer:

packet-tracer input Inside tcp 191.10.10.10 12345 4.2.2.2 80 detail

Also please issue the command clear xlate to clear all NAT entries just in case there are some old entries making problems for you...this will drop connections for users, but since there is no connection at the moment I don't think it will be an issue using this command during working hours.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

IOS_support
Level 1
Level 1
In response to Marius Gunnerud

‎06-07-2014 01:42 PM

 
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside
 
Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network Inside
 nat (Inside,Outside) dynamic interface
Additional Information:
Dynamic translate 191.10.10.10/12345 to 69.61.160.154/12345
 Forward Flow based lookup yields rule:
 in  id=0x7fff9ffba430, priority=6, domain=nat, deny=false
hits=4, user_data=0x7fff9f7b5a70, cs_id=0x0, flags=0x0, protocol=0
src ip/id=191.10.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=Outside
 
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9eba5150, priority=0, domain=nat-per-session, deny=false
hits=32540, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff9f9b42a0, priority=0, domain=inspect-ip-options, deny=true
hits=83, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
 
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9eba5150, priority=0, domain=nat-per-session, deny=false
hits=32542, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
 
Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7fff9f79c1f0, priority=0, domain=inspect-ip-options, deny=true
hits=21, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any
 
Phase: 7
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 25539, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
 
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
0 Helpful

Marius Gunnerud
VIP
VIP
In response to IOS_support

‎06-08-2014 10:34 AM

from the PC are you able to ping the ASA (191.10.10.1)?

from the PC are you able to ping the next hop for the default route configured on the ASA (69.61.160.*)?

from the ASA can you ping the next hop for the default route (69.61.160.*)?

As per the packet tracer traffic is permitted through the ASA from the inside network to the outside.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

IOS_support
Level 1
Level 1
In response to Marius Gunnerud

‎06-08-2014 01:49 PM

I am able to ping asa but not t1 appliance.. I'm still missing something; I made 'most' the changes you discussed, when I do the packet tracer (see pic) it looks 'as if' it goes all the way out, but nothing is returned. IF I understand the security right; higher should flow to lower w/o problem so shouldn't I 'see' something? Config and screenshot attached. Apparently I am dense w/ this one or too much in the muck. I didn't have issues w/ the older ASA...... could it be the infrastructure? I've got the T1--- Firewall --- Switch --- Lan; physical part of it. ASA Version 9.1(2) ! hostname OhBoyASA domain-name OhBoy.LOCAL interface GigabitEthernet0/0 speed 100 duplex full nameif Outside security-level 0 ip address 69.62.150.* 255.255.255.248 ! interface GigabitEthernet0/1 speed 100 duplex full nameif Inside security-level 100 ip address 191.10.10.1 255.255.255.0 ! interface GigabitEthernet0/2 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/3 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/4 shutdown no nameif no security-level no ip address ! interface GigabitEthernet0/5 shutdown no nameif no security-level no ip address ! interface Management0/0 management-only nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 ! ftp mode passive dns server-group DefaultDNS domain-name IOS.LOCAL same-security-traffic permit inter-interface pager lines 24 logging enable logging asdm informational mtu management 1500 mtu Inside 1500 mtu Outside 1500 icmp unreachable rate-limit 1 burst-size 1 icmp permit any Outside no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (Inside,Outside) source dynamic any interface nat (Outside,Inside) source dynamic any interface route Outside 0.0.0.0 0.0.0.0 69.62.150.* 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL http server enable http 192.168.1.0 255.255.255.0 management http 191.10.10.0 255.255.255.255 Inside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart crypto ipsec security-association pmtu-aging infinite crypto ca trustpool policy telnet timeout 5 ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd address 191.10.10.2-191.10.10.154 Inside dhcpd enable Inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options ! service-policy global_policy global prompt hostname context no call-home reporting anonymous Cryptochecksum:8d13ba7a0113603b440e4b4791855506 : end
Preview file
175 KB
0 Helpful

Marius Gunnerud
VIP
VIP
In response to IOS_support

‎06-08-2014 02:55 PM

But can you ping the T1 appliance from the ASA?  If you have swapped out an old ASA with the current one you are setting up, I am thinking that there is an ARP issue on the T1.  Any chance you could get your service provider to clear the arp cache on the T1 appliance...or perhaps restart it?

For basic connectivity you are not missing anything.  Your traffic is flowing fine from the high security level to the low security level.  I would, as I have mentioned, start taking a look at the T1 as I have a feeling that is where the issue is.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

IOS_support
Level 1
Level 1
In response to Marius Gunnerud

‎06-09-2014 01:03 PM

Thanks!! I apparently had configuration right it was the arp. I asked ISP; they didn't think so, but after that most things get thru. However still no Web page connection. Vpn, email outside all good no Internet pages though
0 Helpful

Marius Gunnerud
VIP
VIP
In response to IOS_support

‎06-09-2014 09:40 PM

is your DNS working correctly? if you issue an nslookup google.com does the URL resolve to an IP?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card