
Issue with Internet in ASA 5505 with Static PAT on ASA and Internet Router..

shanilkumar2003
Level 1

Dear All,

I have an ASA 5505 behind my internet router. I have only one public IP, configured on the router's outside interface. The 192.168.20.0/24 subnet is configured between the ASA and the router, and the inside network is 192.168.10.0/24 (please refer to the attached diagram).

I have exposed my mail server and FTP server to the public through static PAT on the router and the ASA, with the same public IP on the router's outside interface. I am facing an issue: on some of the machines inside my network the internet is not working (actually DNS is not resolving), on some of the PCs the internet is working fine, and on some of the PCs it works randomly. I have attached the diagram and the ASA config. After this issue is sorted out I need to configure an L2L VPN to my head office. Kindly help to find the issue.

Thanks in Advance..

Shanil

8 Replies

mvsheik123
Level 7

Hi Shanil,

"some of the machines inside my network internet is not working(actually DNS is not resolving) some of the PC's internet is working fine some of the PC's randomly working"

Assuming all the PC configs (IP/subnet/DNS/physical connectivity etc.) are correct, does the ASA have the required license, or a limited-hosts (50) license?

I have seen postings related to L2L config scenarios similar to yours; please search the forum. Feel free to post any questions to resolve any issue though.

hth

MS

Hi Bro

With regard to your issue, is there any show logging output from the time of the issue that you could paste here? By the way, if I were you, I would keep the Cisco ASA as a pure firewall and run the NAT, VPN etc. on the Cisco router instead.

Please do paste the show version output as well. How many LAN users do you have behind the FW?

Warm regards,
Ramraj Sivagnanam Sivajanam

Dear Ramraj/MS

The internet router is not Cisco; it's a segam from Morocco telecom and won't support L2L VPN (that makes things difficult). If I remove the ASA and directly connect my network to this internet router, everything works fine (this is the current setup).

A partial L2L configuration is there on the ASA for connecting to my HO, but first we need to resolve this issue, then proceed with the site-to-site VPN.

I will post the sh logging shortly. I appreciate your help to resolve the issue.

Thanks

Shanil

Dear All,

Please find the sh logging output below.

I could find some relevant logs for the license limitation and some denies due to asymmetric NAT. Please advise.

Thanks

Shanil

Hi Bro

mvsheik123 is correct. Your Cisco ASA 5505 currently comes with a 10-User Bundle license. I believe you have more than 10 IP addresses from your LAN that pass through the Cisco ASA 5505. For this reason, you're currently facing intermittent network connectivity issues with regard to DNS. I know this because of the error message seen in the show logging output that you provided:

%ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.10.28/51810 dst outside:212.217.0.1/53, licensed host limit of 10 exceeded.

Moving forward, you'll need to upgrade your Cisco ASA 5505 to either ASA5505-50-BUN-K9 license or ASA5505-UL-BUN-K9 license or ASA5505-SEC-BUN-K9 license (this is preferred).

P/S: If you think this comment is useful, please do rate it nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
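
Added example, not part of the original thread: a small Python check that scans ASA syslog text for the `%ASA-4-450001` message quoted above and reports which inside hosts are being denied by the host limit and which of them are losing DNS (UDP/53). The function name is hypothetical, and every sample line other than the first (which is the line quoted in the reply) is constructed for illustration.

```python
import re
from collections import Counter

# Matches the %ASA-4-450001 message format quoted in the thread.
DENY_RE = re.compile(
    r"%ASA-4-450001: Deny traffic for protocol (?P<proto>\d+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+), "
    r"licensed host limit of (?P<limit>\d+) exceeded"
)

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
%ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.10.28/51810 dst outside:212.217.0.1/53, licensed host limit of 10 exceeded.
%ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.10.28/51811 dst outside:212.217.0.1/53, licensed host limit of 10 exceeded.
%ASA-4-450001: Deny traffic for protocol 6 src inside:192.168.10.31/49200 dst outside:203.0.113.10/80, licensed host limit of 10 exceeded.
%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.168.10.5/49152 (192.168.20.2/1024)
%ASA-4-450001: Deny traffic for protocol 17 src inside:192.168.10.40/53001 dst outside:212.217.0.1/53, licensed host limit of 10 exceeded.
"""


def summarize_license_denies(log_text):
    """Return per-host deny counts, the reported limit and DNS-affected hosts."""
    per_host = Counter()
    dns_hosts = set()
    limit = None
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # other syslog IDs are not license-limit denies
        per_host[m["src_ip"]] += 1
        limit = int(m["limit"])
        # protocol 17 is UDP; destination port 53 is DNS
        if m["proto"] == "17" and m["dst_port"] == "53":
            dns_hosts.add(m["src_ip"])
    return {
        "limit": limit,
        "denied_hosts": dict(per_host),
        "dns_blocked_hosts": sorted(dns_hosts),
    }


if __name__ == "__main__":
    result = summarize_license_denies(SAMPLE_LOG)
    print("licensed host limit:", result["limit"])
    for host, count in sorted(result["denied_hosts"].items()):
        print(f"{host}: {count} denied flows")
    print("hosts with DNS blocked:", ", ".join(result["dns_blocked_hosts"]))
```
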

Thank you very much MVsheik and Ramraj..could you please tell me how many users the below mentioned licenses will support?

Regards

Shanil

ASA5505-50-BUN-K9 license = 50 Users

ASA5505-UL-BUN-K9 license = Unlimited Users

ASA5505-SEC-BUN-K9 license  = Unlimited Users

Warm regards,
Ramraj Sivagnanam Sivajanam

Thank you Ramraj. I will get back to you if I require any more help.

Regards

Shanil
