New ASA 5510 cannot access internet

jsublette
Level 1

Hi,

I have a new Cisco ASA 5510 firewall, and I am fairly new to the firewall world.  I have put a basic configuration on the firewall, but I am not able to access the internet (Trying from the 192.168.1.0 network). The network setup is:

192.168.1.x = Inside network

192.168.2.x = Connects to router that has internet connection (interface IP on the router: 192.168.2.1)

192.168.3.x = Management Network

Internet Connection (Ethernet0/0) is not plugged in and is for future use.

I do not see any errors in the firewall or router.  Router has static routes configured towards the firewall.

************ Current Config ************

: Saved
:
ASA Version 8.2(5)
!
hostname [Name]fw
domain-name [Name].local
enable password 8XNTGLJdYV5pjs2C encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif Internet
 security-level 0
 ip address [ISP_Gateway] 255.255.255.240
!
interface Ethernet0/1
 nameif [Name]
 security-level 100
 ip address 192.168.1.11 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif [Name]_Internet
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.3.11 255.255.255.0
 management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name [Name].local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list [Name]_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list [Name]_access_in_1 extended permit ip 192.168.1.0 255.255.255.0 any
access-list [Name]_Internet_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu Internet 1500
mtu [Name] 1500
mtu [Name]_Internet 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any [Name]
icmp permit any [Name]_Internet
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
global ([Name]_Internet) 1 interface
nat ([Name]) 1 0.0.0.0 0.0.0.0
access-group [Name]_access_in_1 in interface [Name] control-plane
access-group [Name]_access_in in interface [Name]
access-group [Name]_Internet_access_in in interface [Name]_Internet
route [Name]_Internet 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 management
http 192.168.1.0 255.255.255.255 [Name]
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access [Name]
dhcpd address 192.168.3.12-192.168.3.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7bb58eec1eea620faab6d7eba493e842
: end

Any obvious faults in the config?

Thanks for any help.

James
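Since the question is whether the config has obvious faults, here is an added example (not from the post and not a Cisco tool) that reads an ASA 8.2-style config and flags the points the replies below turn on: two interfaces at the same security level need `same-security-traffic permit inter-interface`, every `nat (ifc) <id>` needs a `global (exit-ifc) <id>`, and without `inspect icmp` the ASA does not treat an echo reply as return traffic of the echo request. It also flags two things visible in the posted config that the thread does not discuss: `passwd 2KFQnbNIdI.2KYOU encrypted` is the hash the ASA ships with for the login password `cisco`, and `http 192.168.1.0 255.255.255.255 [Name]` permits only the single host 192.168.1.0. The config text inside the script is a trimmed copy of the one above with `[Name]` replaced by `inside`; the checks are my own heuristics.

```python
"""Lint a Cisco ASA 8.2-style config for the pitfalls this thread turns on.

Added example: not from the original post or from Cisco.  The config text is a
trimmed copy of the one in the question with the [Name] placeholder replaced
by 'inside'; the checks are my own heuristics.
"""
import re
from itertools import combinations

# Constructed sample: trimmed from the poster's config, placeholder renamed.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.11 255.255.255.0
interface Ethernet0/3
 nameif inside_Internet
 security-level 100
 ip address 192.168.2.2 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
same-security-traffic permit inter-interface
global (inside_Internet) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
http 192.168.1.0 255.255.255.255 inside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

# Hash the ASA ships with for 'passwd cisco' (the Telnet/SSH login password).
DEFAULT_PASSWD_HASH = "2KFQnbNIdI.2KYOU"


def parse_interfaces(config):
    """Map each nameif to its security-level."""
    levels, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = None                      # new stanza: forget the previous nameif
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name is not None:
            levels[name] = int(line.split()[1])
    return levels


def _ids(lines, keyword):
    """Collect the ids used by 'nat (ifc) <id> ...' or 'global (ifc) <id> ...'."""
    pat = re.compile(r"%s \(\S+\) (\d+)\b" % keyword)
    return {m.group(1) for m in map(pat.match, lines) if m}


def lint(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    levels = parse_interfaces(config)

    # 1. Two interfaces at the same security level exchange traffic only with
    #    'same-security-traffic permit inter-interface' (the poster has it).
    same = [(a, b) for a, b in combinations(sorted(levels), 2) if levels[a] == levels[b]]
    if same and "same-security-traffic permit inter-interface" not in lines:
        findings.append("same-level interfaces %s but inter-interface traffic not permitted" % same)

    # 2. A 'nat (ifc) <id>' rule translates only if a 'global (exit-ifc) <id>' exists.
    for nid in sorted(_ids(lines, "nat") - _ids(lines, "global")):
        findings.append("nat id %s has no matching global statement" % nid)

    # 3. Without ICMP inspection the ASA does not match an echo reply to the
    #    echo request's connection, so pings through the box never come back.
    if "inspect icmp" not in lines:
        findings.append("no 'inspect icmp' in the policy: echo replies from outside are dropped")

    # 4. Factory-default login password still in place.
    if any(l.startswith("passwd ") and DEFAULT_PASSWD_HASH in l for l in lines):
        findings.append("passwd is the factory default ('cisco')")

    # 5. 'http <net>.0 255.255.255.255 <ifc>' allows only the host .0, i.e. nobody.
    for l in lines:
        m = re.match(r"(http|ssh) (\S+) 255\.255\.255\.255 (\S+)$", l)
        if m and m.group(2).endswith(".0"):
            findings.append("%s %s/32 on %s: host mask on a network address" % m.groups())
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the trimmed sample it reports three findings (missing `inspect icmp`, the default `passwd`, and the /32 `http` line); adding `inspect icmp` under `class inspection_default` clears the first, which is exactly the fix the thread ends on.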


5 Replies

mvsheik123
Level 7

Hi,

Can you access internet from the router? What happens when you connect laptop directly to router interface and try to access internet? Can you post router config as well?

Thx

MS

Jouni Forss
VIP Alumni

Hi,

So seems you have some Internet router in front of the ASA doing the actual NAT to the public network.

With what are you testing? Some TCP connection or PING/ICMP?

Have you confirmed that your hosts' network settings (GW, Mask, DNS) are correct?

For ICMP you can add these to the ASA

policy-map global_policy

class inspection_default

  inspect icmp

  inspect icmp error

- Jouni

jsublette
Level 1

Router is a temporary connection for testing before putting the firewall in place.  Testing using Internet Explorer and ping.  Host settings look good.  When I connect directly to the router it works fine (both IE and ping).

Hello James,

Again add the following commands on the ASA:

fixup protocol icmp

fixup protocol icmp error

Then test the following from the ASA side

ping 192.168.2.1 (from the ASA)

ping 4.2.2.2 (From the ASA)

If these 2 pings fail then there is a communication problem between the router and the ASA....

If this works, let's now do the following on the ASA

capture capin interface inside match icmp any host 4.2.2.2

cap capout interface outside match icmp any host 4.2.2.2

Then ping 4.2.2.2 from the local PC and share the following outputs from the ASA (After the ping)

show cap capin

show cap capout

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
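Reading the two captures by hand is fine for one ping, but it helps to be explicit about what each combination means. The script below is an added example (not part of Julio's reply and not a Cisco tool) that turns the inside and outside `show capture` output into a verdict: request never seen inside means the host or the inbound ACL; request inside but not outside means the ASA dropped it on the way out (NAT, route or ACL); request outside with no reply means the problem is beyond the ASA; reply outside but not inside means the ASA dropped the return traffic, which is the missing `inspect icmp` case. The capture text is constructed in the tcpdump-style format the ASA prints, and the decision table is my own. Note also that the capture commands above use the names `inside` and `outside`, while the nameif values on this box are `[Name]` and `[Name]_Internet`.

```python
"""Turn the inside/outside 'show capture' output into a verdict on where a ping dies.

Added example, not from the post or from Cisco.  Capture text is constructed in
the tcpdump-like format the ASA prints; the decision table is my own heuristic.
"""
import re
from collections import Counter

# e.g. "   1: 10:15:32.161522 192.168.1.20 > 4.2.2.2: icmp: echo request"
LINE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+) > (\S+): icmp: echo (request|reply)")

# Constructed: inside capture when echo replies never make it back to the host.
CAPIN_NO_INSPECT = """\
2 packets captured
   1: 10:15:32.161522 192.168.1.20 > 4.2.2.2: icmp: echo request
   2: 10:15:33.163004 192.168.1.20 > 4.2.2.2: icmp: echo request
2 packets shown
"""

# Constructed: outside capture from the same test; the ASA's outside address
# 192.168.2.2 appears because of the 'nat (inside) 1' / 'global ... interface' PAT.
CAPOUT = """\
4 packets captured
   1: 10:15:32.161700 192.168.2.2 > 4.2.2.2: icmp: echo request
   2: 10:15:32.190312 4.2.2.2 > 192.168.2.2: icmp: echo reply
   3: 10:15:33.163210 192.168.2.2 > 4.2.2.2: icmp: echo request
   4: 10:15:33.191877 4.2.2.2 > 192.168.2.2: icmp: echo reply
4 packets shown
"""

# Constructed: inside capture after 'inspect icmp' is added and replies are forwarded.
CAPIN_OK = """\
4 packets captured
   1: 10:15:32.161522 192.168.1.20 > 4.2.2.2: icmp: echo request
   2: 10:15:32.190400 4.2.2.2 > 192.168.1.20: icmp: echo reply
   3: 10:15:33.163004 192.168.1.20 > 4.2.2.2: icmp: echo request
   4: 10:15:33.191950 4.2.2.2 > 192.168.1.20: icmp: echo reply
4 packets shown
"""


def parse_capture(text):
    """Count echo requests/replies per (kind, src, dst) in one capture's output."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            src, dst, kind = m.groups()
            counts[(kind, src, dst)] += 1
    return counts


def diagnose(capin_text, capout_text, target):
    """Classify where a ping to `target` is lost, given the inside and outside captures."""
    cin, cout = parse_capture(capin_text), parse_capture(capout_text)
    req_in = sum(n for (k, s, d), n in cin.items() if k == "request" and d == target)
    req_out = sum(n for (k, s, d), n in cout.items() if k == "request" and d == target)
    rep_out = sum(n for (k, s, d), n in cout.items() if k == "reply" and s == target)
    rep_in = sum(n for (k, s, d), n in cin.items() if k == "reply" and s == target)
    if req_in == 0:
        return "no-request-inside"        # host never sent it, wrong gateway, or inbound ACL
    if req_out == 0:
        return "dropped-by-asa-outbound"  # entered the ASA but never left: NAT, route or ACL
    if rep_out == 0:
        return "no-reply-from-outside"    # upstream router / ISP / target is not answering
    if rep_in == 0:
        return "reply-dropped-by-asa"     # return traffic unmatched: add 'inspect icmp'
    return "ok"


if __name__ == "__main__":
    print("before fix:", diagnose(CAPIN_NO_INSPECT, CAPOUT, "4.2.2.2"))
    print("after fix: ", diagnose(CAPIN_OK, CAPOUT, "4.2.2.2"))
```

Paste the real `show cap capin` and `show cap capout` text into the two capture strings and call `diagnose()` with the address you pinged; the verdict tells you which hop to look at next instead of guessing.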

jsublette
Level 1

Thanks for the replies.  I added the ICMP lines and then pinged through and can get out now.
