Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Internet Access from Inside to Outside ASA 5510 ver 9.1

Hi everyone, I need help setting up an ASA 5510 to allow all traffic going from the inside to outside so I can get internet access through it. I have worked on this for days and I have finally got traffic moving between my router and my ASA, but that is it. Everything is blocked because of NAT rules I assume.

I get errors like this when I try Packet Tracer:

(nat-xlate-failed) NAT failed

(acl-drop) Flow is denied by configured rule

Version Information:

Cisco Adaptive Security Appliance Software Version 9.1(4)

Device Manager Version 7.1(5)

Compiled on Thu 05-Dec-13 19:37 by builders

System image file is "disk0:/asa914-k8.bin"

Here is my ASA config, all I want for this exercise is to pass traffic from the inside network to the outside to allow internet access so I can access the internet and then look for specific acl's or nat for specific services:

Thank You!

Config:

ASA5510# sh running-config

: Saved

:

ASA Version 9.1(4)

!

hostname ASA5510

domain-name

inside.int

enable password <redacted> encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd <redacted> encrypted

names

dns-guard

!

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

!

interface Ethernet0/1

description WAN Interface

nameif Outside

security-level 0

ip address 199.199.199.123 255.255.255.240

boot system disk0:/asa914-k8.bin

ftp mode passive

dns domain-lookup Outside

dns server-group DefaultDNS

name-server 199.199.199.4

domain-name

inside.int

object network inside-net

subnet 10.0.0.0 255.255.255.0

description Inside Network Object

access-list USERS standard permit 10.10.1.0 255.255.255.0

access-list OUTSIDE-IN extended permit ip any any

access-list INSIDE-IN extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu Inside 1500

mtu Outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-715.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (Inside,Outside) source dynamic any interface

!

object network inside-net

  nat (Inside,Outside) dynamic interface

access-group INSIDE-IN in interface Inside

access-group OUTSIDE-IN in interface Outside

!

router rip

network 10.0.0.0

network 199.199.199.0

version 2

no auto-summary

!

route Outside 0.0.0.0 0.0.0.0 199.199.199.113 1

route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1

route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1

route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 Inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 Inside

ssh timeout 60

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username <redacted> password <redacted> encrypted privilege 15

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

  parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

   inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http

https://tools.cisco.com/its/service/oddce/services/DDCEService

   destination address email

callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

   subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:

<redacted>
: end

SH NAT:

ASA5510# sh nat

Manual NAT Policies (Section 1)

1 (Inside) to (Outside) source dynamic any interface

    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)

1 (Inside) to (Outside) source dynamic inside-net interface

     translate_hits = 0, untranslate_hits = 0

SH RUN NAT:


ASA5510# sh run nat
nat (Inside,Outside) source dynamic any interface
!
object network inside-net
nat (Inside,Outside) dynamic interface

SH RUN OBJECT:

ASA5510(config)# sh run object

object network inside-net

subnet 10.0.0.0 255.255.255.0

description Inside Network Object

Hi all,Hello everyone, I need some help before my head explodes. Idddddddd
  • Firewalling
4 REPLIES

Internet Access from Inside to Outside ASA 5510 ver 9.1

Hello Mitchell,

First of all how are you testing this:

interface Ethernet0/0

description LAN Interface

nameif Inside

security-level 100

ip address 10.10.1.1 255.255.255.252

Take in consideration that the netmask is /30

The Twice NAT is good, ACLs are good.

do the following and provide us the result

packet-tracer input inside tcp 10.10.1.2 1025 4.2.2.2 80

packet-tracer input inside tcp 192.168.1.100 1025 4.2.2.2 80

And provide us the result!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura

Note: Check my website, there is a video about this that might help you.
http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

here is the result I got.

here is the result I got. Please help!!

 

ciscoasa(config)# packet-tracer input INSIDE tcp 10.0.0.2 1025 4.2.2.2 80

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

Hi, ASA inside ip : 10.10.1.1

Hi,

 

ASA inside ip : 10.10.1.1 255.255.255.252   and  Inside LAN (from NAT statement) is 10.0.0.0/24. Where and how this 10.0.0.0/24 connected to ASA? I see you enabled RIPv2 on ASA but is this learning the 10.0.0.0/24 network? If you think all IPs are correct, post 'Show route' from ASA.

Also, try to ping the host from ASA and viceversa.

Thx

MS

Hi Mitchell,Can you check by

Hi Mitchell,

Can you check by doing ping or trace from the FW towards any public IP say 4.2.2.2 or something else?

Is that going through well???

When you try to access internet from inside LAN were you able to see the connection progress & ACL hits in the FW?

 

Regards

Karthik

3508
Views
0
Helpful
4
Replies
This widget could not be displayed.