Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

How to connect to the internet with ASA 5515 X?

Hi all:

 

I just got my new ASA 5515 X firewall and I got stuck in the first steps.

 

I can ping a public IP (8.8.8.8) from the device but I cannot ping it from my LAN.

 

I know I am missing either NAT rules or Access rules or maybe both, but I need some help, please.

 

Thank you.

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Hmm. It looks pretty

Hmm. It looks pretty straightforward.

Can you browse to public websites (vs ping)?

For ping, add the following at the cli:

conf t
policy-map global_policy
 class inspection_default
inspect icmp
end
wr mem

Then also run:

packet-tracer input inside icmp 192.168.203.1 0 0 8.8.8.8 detailed

..and share the output.

 

30 REPLIES
Hall of Fame Super Silver

Out of the box you can use

Out of the box you can use the Startup Wizard if you're not familiar with ASA configuration. It will step you through most of what's necessary for a basic setup.

Please refer to the Quick Start Guide for details.

New Member

Thanks for your comment,

Thanks for your comment, Marvin.

I did use the wizard, and also followed this video tutorial on youtube, although it is about 5505: http://www.youtube.com/watch?v=vFnXd3ttRk8

But no success. There seems to be something preventing traffic from the inside LAN reach the public network.

I'm attaching the output of "show run" in case it helps.

Thanks again

 

 

 

Hall of Fame Super Silver

Hmm. It looks pretty

Hmm. It looks pretty straightforward.

Can you browse to public websites (vs ping)?

For ping, add the following at the cli:

conf t
policy-map global_policy
 class inspection_default
inspect icmp
end
wr mem

Then also run:

packet-tracer input inside icmp 192.168.203.1 0 0 8.8.8.8 detailed

..and share the output.

 

New Member

100% right. I'm embarrassed.

100% right.

 

I'm embarrassed. I did reach the internet! I didn't even try to browse, only ping and ping and ping …

After running that commands I can do both.

Thank you so much.

Hall of Fame Super Silver

You're welcome. Glad it's

You're welcome. Glad it's working.

I often remind my colleagues that inability to get responses when pinging only indicates that icmp echo requests are not getting icmp echo replies.

While it's a common "test", it is not a definitive indicator of end to end connectivity.

New Member

Hey Marvin,Can you help me

Hey Marvin,

Can you help me with this basic configuration. I cannot reach the internet with my current setup of access-list, NAT, and static command.

The configuration are as follows:

SFRA(config)# sh run | i access                               

access-list inside extended permit icmp any any 

access-list inside extended permit tcp any any 

access-list xyz extended permit ip 192.168.1.0 255.255.255.0 any 

dynamic-access-policy-record DfltAccessPolicy

threat-detection statistics access-list

SFRA(config)# sh run nat  

nat (inside,outside) after-auto source dynamic any interface

SFRA(config)# sh run | i route                                                

route outside 0.0.0.0 0.0.0.0 172.17.5.254 1

 

SFRA(config)# sh run interface 

!

interface GigabitEthernet0/0

 nameif outside

 security-level 0

 ip address 172.17.5.93 255.255.255.0 

!

interface GigabitEthernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0 

 

SFRA(config)# packet-tracer input inside icmp 192.168.1.1 0 0 8.8.8.8 detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         outside

 

Phase: 2

Type: ACCESS-LIST

Subtype: 

Result: DROP

Config:

Implicit Rule

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7fff2960c520, priority=500, domain=permit, deny=true

        hits=4, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=192.168.1.1, mask=255.255.255.255, port=0, tag=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0

        input_ifc=inside, output_ifc=any

 

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

 

Thanks,

-Vinita

Hall of Fame Super Silver

Vinita,Try adding the icmp

Vinita,

Try adding the icmp inspection as I noted earlier in the thread response to the original poster.

Also, you don't need access-lists on the inside since by default the higher security interface is allowed any-any to lower security interfaces.

New Member

I'm having a similar issue. I

I'm having a similar issue. I have set this up more than once and still can't get online. I've googled and tried all kinds of things - and nothing.

ASA Version 9.1(2)
!
hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.16.250 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object service internet
 service tcp source eq www destination eq www
object network obj-any
 subnet 0.0.0.0 0.0.0.0
access-list global_access extended permit ip any any
access-list from_outside extended permit icmp any any echo
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any unidirectional no-proxy-arp
!
object network obj-any
 nat (inside,outside) dynamic interface
<--- More --->
              
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route inside 0.0.0.0 0.0.0.0 192.168.16.1 1
route inside 10.9.0.0 255.255.248.0 192.168.16.1 1
route inside 10.9.10.0 255.255.255.0 192.168.16.1 1
route inside 172.16.30.0 255.255.255.0 192.168.16.1 1
route inside 192.168.10.0 255.255.255.0 192.168.16.1 1
route inside 192.168.71.0 255.255.255.0 192.168.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
<--- More --->
              
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
<--- More --->
              
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a46b6f52772908dc97f10d276d2d250c
: end

Hall of Fame Super Silver

Joel,Your routing is a bit

Joel,

Your routing is a bit askew:

route inside 0.0.0.0 0.0.0.0 192.168.16.1 1
route inside 10.9.0.0 255.255.248.0 192.168.16.1 1
route inside 10.9.10.0 255.255.255.0 192.168.16.1 1
route inside 172.16.30.0 255.255.255.0 192.168.16.1 1
route inside 192.168.10.0 255.255.255.0 192.168.16.1 1
route inside 192.168.71.0 255.255.255.0 192.168.16.1 1

I don't know about all the ones you have in there, but your default route should be on the outside interface.

I assume you have some upstream device doing NAT also since your outside interface is a private address. Also, I'm not quite sure what your intention is with:

nat (inside,outside) source static any any unidirectional no-proxy-arp

Also, you don't need access-lists on the inside since by default the higher security interface is allowed any-any to lower security interfaces.

New Member

Marvin, how about this? Still

Marvin, how about this?

Still can't get to the internet from a laptop connected to ASA but I now CAN ping google from firewall cli

And I'm trying to give this a base config to send somewhere else and they'll put the ACL's they need there (and change the OUTSIDE interface information). Right now it's just at my workstation between a laptop and a switch on my network. I am using Tutty from my work PC via console cable, then I have ASDM 7.1 connected via my personal laptop, and a third laptop connected to int 0/1 (IP 10.9.250.99.)

hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.16.250 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
              
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
<--- More --->
              
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
<--- More --->
              
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c1a9113b4c0fb58b0ed39f7eb2d6d72a
: end

New Member

I can now ping google from

I can now ping google from the ASA but still can't get internet from laptop. I ran packet tracer command (modified) that you provided earlier and got this:

ciscoasa# packet-tracer input inside icmp 10.9.250.20  0.0.0.      0 8.8.83 .8 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff217fc8d0, priority=500, domain=permit, deny=true
    hits=2, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=10.9.250.2, mask=255.255.255.255, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
<--- More --->
              
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

I fixed the static routes - deleted all but one and made it for the Outside interface and disabled NAT. All that's left are ACL's and they're implicit - I didn't draw them up.

Hall of Fame Super Silver

Joel,I think you went one

Joel,

I think you went one step too far by taking out your NAT statement. Please re-add:

object network obj-any
 nat (inside,outside) dynamic interface

New Member

Ok, now what did I do wrong?

Ok, now what did I do wrong? And Marvin - thanks so much for your help in this, my Cisco is pretty rusty and I haven't been on an ASA in quite some time.

 

ciscoasa# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 192.168.16.250 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu INSIDE 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-any
 nat (INSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.16.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
<--- More --->
              
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
<--- More --->
              
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
<--- More --->
              
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:44985f4b7c40271888ff6dee5072dd95
: end

ciscoasa#

Hall of Fame Super Silver

Is this problem resolved? If

Is this problem resolved? If so, please rate and mark it answered.

If not, please re-run the same packet-tracer you did earlier and share the results.

New Member

packet-tracer input inside

packet-tracer input inside icmp 10.9.250.2 0 0 8.8.8.8 detailed

 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff217fc8d0, priority=500, domain=permit, deny=true
    hits=3, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=10.9.250.2, mask=255.255.255.255, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
<--- More --->
              
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hall of Fame Super Silver

Hmm, the configuration looks

Hmm, the configuration looks correct but for some reason the packet-tracer reports an implicit rule is prohibiting the flow. Since you are going from INSIDE to OUTSIDE (and the security levels are set correctly), the implicit rule should be to allow all traffic.

Can you make sure your running-config is saved and reload the ASA and retry it?

New Member

saved config, reloaded

saved config, reloaded:

ciscoasa# packet-tracer input inside icmp 10.9.250.2 0 0 8.8.8.8 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29d57570, priority=500, domain=permit, deny=true
    hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=10.9.250.2, mask=255.255.255.255, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any

Result:
input-interface: INSIDE
<--- More --->
              
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hall of Fame Super Silver

Joel,Don't use your ASA

Joel,

Don't use your ASA inside address (10.9.250.2) as the source IP. Instead try any host address from that subnet (e.g. 10.9.250.3):

packet-tracer input inside icmp 10.9.250.3 0 0 8.8.8.8 detailed

New Member

Phase: 1Type: ROUTE

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj-any
 nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29d55aa0, priority=6, domain=nat, deny=false
    hits=2013, user_data=0x7fff2a6a0980, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
<--- More --->
              
Type: NAT
<--- More --->
              
Subtype: per-session
<--- More --->
              
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b804b0, priority=0, domain=nat-per-session, deny=true
    hits=2125, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a633a90, priority=0, domain=inspect-ip-options, deny=true
    hits=2035, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any

Result:
<--- More --->
              
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed


ciscoasa#

Hall of Fame Super Silver

I'm not sure why it's saying

I'm not sure why it's saying NAT failed in the summary when the details indicate it is allowed.

Let's try a more specific NAT entry as follows:

object network inside_net

   subnet 10.9.250.0 255.255.255.0

   nat (INSIDE,OUTSIDE) dynamic interface

Try that and re-run the same packet-tracer.

New Member

packet-tracer input inside

packet-tracer input inside icmp 10.9.250.3 0 0 8.8.8.8 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_net
 nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff293db020, priority=6, domain=nat, deny=false
    hits=33, user_data=0x7fff2a6a3810, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=10.9.250.0, mask=255.255.255.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
<--- More --->
              
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b804b0, priority=0, domain=nat-per-session, deny=true
    hits=4012, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a633a90, priority=0, domain=inspect-ip-options, deny=true
    hits=3502, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any
<--- More --->
              

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed


ciscoasa#

New Member

Marvin, first of all - thanks

Marvin, first of all - thanks so much for your help! Second, am I doing something wrong with my topology? I was given this to configure and would normally put firewall > router > switches, etc - the network designer on this wants router on outside of firewall. Didn't know if that mattered.

New Member

Just to remind us where we're

Just to remind us where we're at, here's the run config as it currently sits:

ciscoasa# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.9.251.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-any
 subnet 0.0.0.0 0.0.0.0
object network inside_net
 subnet 10.9.250.0 255.255.255.0
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-any
 nat (INSIDE,OUTSIDE) dynamic interface
object network inside_net
 nat (INSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 10.9.251.1 1
timeout xlate 3:00:00
<--- More --->
              
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
<--- More --->
              
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
<--- More --->
              
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:698b9a799eebf45f724474d3dd59a664
: end

ciscoasa#

Hall of Fame Super Silver

To the design question,

To the design question, either way should work. The firewall is often a convenient place to put the private-public NAT but it doesn't have to be. There are advantages to having a router on the outside - it can generally handle "real" routing much more capably than a firewall.

Thanks for the recap - I should have been clearer that the new NAT rule is in place of the old one. They should process in order of longest prefix match, but just to be safe, please undo the earlier one. i.e.,

object network obj-any
 no nat (INSIDE,OUTSIDE) dynamic interface

...and then, for good measure "clear xlate".

Then please re-run the packet-tracer.

New Member

ciscoasa# sho run: Saved:ASA

ciscoasa# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname ciscoasa
enable password djMW8L3Na14L7q2L encrypted
names
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 10.9.251.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.9.250.2 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
<--- More --->
              
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
<--- More --->
              
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network inside_net
 subnet 10.9.250.0 255.255.255.0
pager lines 24
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network inside_net
 nat (INSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 10.9.251.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
<--- More --->
              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
<--- More --->
              
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
<--- More --->
              
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

ciscoasa# sho runpacket-tracer input inside icmp 10.9.250.3 0 0 8.8.8.8 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network inside_net
 nat (INSIDE,OUTSIDE) dynamic interface
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff293db020, priority=6, domain=nat, deny=false
    hits=22235, user_data=0x7fff2a6a3810, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=10.9.250.0, mask=255.255.255.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 3
<--- More --->
              
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b804b0, priority=0, domain=nat-per-session, deny=true
    hits=26730, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a633a90, priority=0, domain=inspect-ip-options, deny=true
    hits=25709, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=INSIDE, output_ifc=any
<--- More --->
              

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed


ciscoasa#

Hall of Fame Super Silver

I'm a bit perplexed. It looks

I'm a bit perplexed. It looks very straightforward to me and should work.

Just for a separate data point, can you try packet-tracer with a TCP flow?

For instance:

packet-tracer input inside tcp 10.9.250.3 1025 8.8.8.8 80 detailed

New Member

Hi Eurosigma,Can you post

Hi Eurosigma,

Can you post your configurations? As in I am specifically looking for object network configs. I have NAT, access-list, and static route in place. Yet not able to reach the internet. 

Did you not have it configured at all? I tried using the configs that you have attached, but still no luck.

Thanks for the help. Any help is appreciated.

 

-Vinita

New Member

Hi Eurosigma,Can you post

Hi Eurosigma,

Can you post your configurations? As in I am specifically looking for object network configs. I have NAT, access-list, and static route in place. Yet not able to reach the internet. 

Did you not have it configured at all? I tried using the configs that you have attached, but still no luck.

Thanks for the help. Any help is appreciated.

 

-Vinita

New Member

Of course. Here you are. I

Of course. Here you are. I hope it helps.

 

If you do not have an ADSL router in front of the Cisco, like I do, you would simply replace 192.168.1.36 address with your public IP. And 192.168.1.1 with your default gateway IP.

1258
Views
5
Helpful
30
Replies
CreatePlease to create content