Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA basic configuration help

I'm running into an issue where I cannot even access the internet from the inside network.  I did a capture on the ASA.  The inside interface shows pings from the internal host to the internet but nothing coming back.  The same capture on the outside interface shows the host natted to the outside interface's IP address.  It shows the host sending the pings to the internet and it also shows the ping replies coming back to the outside interface's IP address.  So, I know the pings are going from inside to outside and natted properly.  But for some reason, the ASA is not allow the traffic back in.  Here's my configuration.  Can someone enlighten me?  This is for a client so I hid his IP address.

: Saved

:

ASA Version 8.2(5)

!

hostname ASA

domain-name x.org

names

!

interface Ethernet0/0

switchport access vlan 98

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

switchport access vlan 2

!

interface Ethernet0/4

switchport access vlan 2

!

interface Ethernet0/5

switchport access vlan 2

!

interface Ethernet0/6

switchport access vlan 2

!

interface Ethernet0/7

switchport access vlan 2

!

interface Vlan2

nameif inside

security-level 100

ip address 192.168.148.2 255.255.255.0

!

interface Vlan98

nameif outside

security-level 0

ip address <>

!

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name x

access-list CAP1 extended permit ip any host 8.8.8.8

access-list CAP1 extended permit ip host 8.8.8.8 any

pager lines 24

logging enable

logging timestamp

logging buffer-size 51200

logging asdm-buffer-size 500

logging monitor informational

logging buffered errors

logging history errors

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 <> 1

route inside 192.168.150.0 255.255.255.0 192.168.148.1 1

route inside 192.168.151.0 255.255.255.0 192.168.148.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable 8443

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

!

!

prompt hostname context

no call-home reporting anonymous

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

ASA basic configuration help

Hi,

Like in another thread it would seem that you are missing the inspection configurations. Have you completely removed the "policy-map" configurations.

If you have then you could try adding the following

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect icmp error

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect rtsp

  inspect skinny

  inspect icmp

  inspect esmtp

service-policy global_policy global

- Jouni

4 REPLIES
Super Bronze

ASA basic configuration help

Hi,

Like in another thread it would seem that you are missing the inspection configurations. Have you completely removed the "policy-map" configurations.

If you have then you could try adding the following

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect icmp error

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect rtsp

  inspect skinny

  inspect icmp

  inspect esmtp

service-policy global_policy global

- Jouni

New Member

ASA basic configuration help

Thank you.  that was it.

Super Bronze

ASA basic configuration help

Hi,

Basically what was causing the ICMP not to go through completely was missing the "inspect icmp" configurations.

Without them the ASA will let the ICMP Echo messages from behind the ASA pass to the Internet. Provided ofcourse the "security-level" or the "access-list" allow that.

However, the Echo Reply message would be blocked by default.

The solution to that is the above adding of "inspect icmp" (although the above contains a lot more)

Other alternative would have been to allow "echo-reply" messages in a "outside" interface ACL.

- Jouni

New Member

Re: ASA basic configuration help

Thanks for the explanation. I suspected it was something like this. I looked up as many ASA "basic" configuration for Internet connectivity I could find and all they had were dynamic pat. Thanks!

166
Views
0
Helpful
4
Replies
CreatePlease to create content