Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

No connection through ASA to internet

Hello - after having to replace our ASA 5520, I configured it and now no one behind it can access the Internet. I can ping internet IP's from the ASA but not from behind it. I can't see where the problem is, can anyone help? I am attaching the config.

12 REPLIES
Bronze

Re: No connection through ASA to internet

could you please post sh access-list Inside_access_in and also your sh xlate?

regards,

p.s. you can try removing that inside ACL as a troubleshooting step.

regards,

New Member

Re: No connection through ASA to internet

Here is the output

sho access-list Inside_access_in

access-list Inside_access_in; 2 elements

access-list Inside_access_in line 1 extended permit icmp any any (hitcnt=146) 0xb34531ad

access-list Inside_access_in line 2 extended permit ip any any (hitcnt=2639) 0xe42c5ef9

sh xlate

0 in use, 2 most used

Bronze

Re: No connection through ASA to internet

hi,

I would first try without the inside ACL and also try to use nat (inside)1 192.168.101.0 255.255.255.0 since it looks like that is your inside network. Though the existing command that you have should work.

There is no NAT taking place which makes wonder if we might have a routing problem somewhere in the network.

Do you have anything from your syslog server?

New Member

Re: No connection through ASA to internet

Thanks - ok I tried that but still no luck. The 192.168.101.0 subnet is one of two behind that ASA, the other is 192.168.100.0 which is named "inside-network" on the ASA.

The strange part is the clients are not getting a "page cannot be displayed" normal error, but they are getting a "503 Service Unavailable" error, regardless of what website they are going to.

Bronze

Re: No connection through ASA to internet

what do you get when you do a traceroute? did you try telnet www.google.com 80? Could you post your ASA log?

I am sure you already google that error but here is a link

http://www.checkupdown.com/status/E503.html

Re: No connection through ASA to internet

Hi,

Check whether a static route exists on your core switch (192.168.100.1), it should look like this:

ip route 0.0.0.0 0.0.0.0 192.168.100.2

regards.

Bronze

Re: No connection through ASA to internet

i also thought it could have been a routing problem earlier in one of my posting. I think a traceroute should confirm that.

New Member

Re: No connection through ASA to internet

Yes, that entry exists in 192.168.100.1. I have saved the config and restarted the ASA. Client computers no longer get the 503 error, just the regular page cannot be displayed error. Telnet on port 80 errors out as well.

Re: No connection through ASA to internet

Hi again,

How can you be sure that the issue is something wrong on the ASA not your core switch?

Can you plz shed more light on this?

Thx

Bronze

Re: No connection through ASA to internet

how about a traceroute? try it using IP address rather FQDN as I suspect a DNS issue.

tracert 72.14.205.100

telnet 72.14.205.100 80

New Member

Re: No connection through ASA to internet

tracert 72.14.205.100: gets to the default gateway (192.168.100.1), then dies

telnet 72.14.205.100 80: Connect failed

Bronze

Re: No connection through ASA to internet

it also sounds to me like you are dealing with a routing problem.

Please remove the inside access-list and try. Post your syslog output, post your switch config.

by the way did you remove the inside access-list on the firewall?

230
Views
0
Helpful
12
Replies
CreatePlease to create content