Hello - after having to replace our ASA 5520, I configured it and now no one behind it can access the Internet. I can ping internet IP's from the ASA but not from behind it. I can't see where the problem is, can anyone help? I am attaching the config.
could you please post sh access-list Inside_access_in and also your sh xlate?
p.s. you can try removing that inside ACL as a troubleshooting step.
Here is the output
sho access-list Inside_access_in
access-list Inside_access_in; 2 elements
access-list Inside_access_in line 1 extended permit icmp any any (hitcnt=146) 0xb34531ad
access-list Inside_access_in line 2 extended permit ip any any (hitcnt=2639) 0xe42c5ef9
0 in use, 2 most used
I would first try without the inside ACL and also try to use nat (inside)1 192.168.101.0 255.255.255.0 since it looks like that is your inside network. Though the existing command that you have should work.
There is no NAT taking place which makes wonder if we might have a routing problem somewhere in the network.
Do you have anything from your syslog server?
Thanks - ok I tried that but still no luck. The 192.168.101.0 subnet is one of two behind that ASA, the other is 192.168.100.0 which is named "inside-network" on the ASA.
The strange part is the clients are not getting a "page cannot be displayed" normal error, but they are getting a "503 Service Unavailable" error, regardless of what website they are going to.
Check whether a static route exists on your core switch (192.168.100.1), it should look like this:
ip route 0.0.0.0 0.0.0.0 192.168.100.2
Yes, that entry exists in 192.168.100.1. I have saved the config and restarted the ASA. Client computers no longer get the 503 error, just the regular page cannot be displayed error. Telnet on port 80 errors out as well.
How can you be sure that the issue is something wrong on the ASA not your core switch?
Can you plz shed more light on this?
how about a traceroute? try it using IP address rather FQDN as I suspect a DNS issue.
telnet 18.104.22.168 80
it also sounds to me like you are dealing with a routing problem.
Please remove the inside access-list and try. Post your syslog output, post your switch config.
by the way did you remove the inside access-list on the firewall?