Cisco Support Community
New Member

No connection to the outside from ASA 5510

I have just put an ASA5510 in place and have the following setup:

Interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
Interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
dhcpd address 192.168.15.40-192.168.15.254 inside
dhcpd enable inside

I have connected my stations to an ESW540 inside of the Int Eth0/1 and am able to get IP addresses to the stations as well as DNS addresses. I cannot, however, connect to the outside connection in any way. From a computer connected to the ESW540 with a DHCP-assigned IP address, I can ping the computer's IP, the ESW540's IP, and even 192.168.15.1. But I cannot ping the IP address of the Int Eth0/0, nor anything beyond 192.168.15.1.

From inside of the console of the ASA, I can ping all addresses of all ports as well as devices outside of the building and inside of ESW540.  I guess I am just at a loss of what to do next.  Any help would be appreciated.

Respectfully,

me

Accepted Solution

No connection to the outside from ASA 5510

Hello Ronald,

Here are the reasons why this is not working:

1- You cannot ping a distant interface; this is a security approach from the ASA.

Example: 192.168.10.1----asa------211.1.1.1-------211.1.1.1Router----Internet

From the 211.1.1.1 network you would be able to ping the directly connected interface (211.1.1.1), but you will not be able to ping the inside interface no matter what.

The same thing would happen from the inside. You will be able to ping outside IP addresses except the IP address of the Outside interface of the ASA.

2-ICMP protocol is not statefully inspected by the ASA by default.

Example: 192.168.10.1----asa------211.1.1.1-------211.1.1.1Router----Internet----4.2.2.2

Ping from 192.168.10.2 to 4.2.2.2

When you try to ping, the ICMP request will go to the inside interface, then it will go out of the outside interface towards the destination. The ICMP reply will come back to the outside interface, and unless there is an ACL allowing the communication the packet will be dropped. But do not worry, there is an option to statefully inspect the ICMP protocol, and this is the Inspect ICMP command.

- Fixup protocol ICMP

3-You will need to nat the inside users in order to be able to reach outside (Internet hosts)

nat (inside) 1 0 0
global (outside) 1 interface

Hope this helps,

Please do rate helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
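As an added example, not code from the thread or from Cisco: a small Python check that reads an ASA 8.2 config in the shape posted here and reports the NAT and ICMP gaps the accepted answer names, plus the permit-any ACL applied inbound on outside. The sample config, the finding texts and the regexes are my own assumptions; the fix commands are the ones given in the answer.

```python
import re
# Constructed sample in the shape of the ASA 8.2 config posted above; the
# IP and ACL values are illustrative, not the poster's own configuration.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address dhcp
interface Ethernet0/1
 nameif inside
 ip address 192.168.15.1 255.255.255.0
access-list any extended permit ip any any
access-group any in interface outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""

# The commands the accepted answer adds (ASA 8.2 nat/global syntax).
FIX_LINES = [
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "global (outside) 1 interface",
    "policy-map global_policy",
    " class inspection_default",
    "  inspect icmp",
]

def acl_permits_any_ip(lines, acl_name):
    """True if the named ACL contains an unrestricted 'permit ip any any' entry."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip any any$")
    return any(pat.match(line) for line in lines)

def check_asa_config(config):
    """Return findings: missing NAT pair, missing ICMP inspection, permissive outside ACL."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    # 8.2 needs a matching nat (inside) / global (outside) pair for inside hosts to reach the Internet.
    has_nat = any(re.match(r"^nat \(inside\) \d+ ", line) for line in lines)
    has_global = any(re.match(r"^global \(outside\) \d+ ", line) for line in lines)
    if not (has_nat and has_global):
        findings.append("no nat (inside)/global (outside) pair: inside hosts cannot reach the Internet")
    # ICMP is not stateful by default, so echo replies are dropped unless 'inspect icmp' is on.
    if "inspect icmp" not in lines:
        findings.append("inspect icmp missing: ping replies from outside will be dropped")
    # An ACL applied inbound on outside that permits ip any any exposes every inside host.
    for line in lines:
        m = re.match(r"^access-group (\S+) in interface outside$", line)
        if m and acl_permits_any_ip(lines, m.group(1)):
            findings.append(f"ACL {m.group(1)} on outside permits ip any any inbound")
    return findings
```

Appending FIX_LINES to the sample clears the NAT and ICMP findings; the inbound permit-any ACL is left for the administrator to tighten.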
6 REPLIES
Hall of Fame Super Silver

No connection to the outside from ASA 5510

We'd need more than the 1/10th of your ASA config you posted above to weigh in with any substantive suggestions. Can you post your whole configuration (sanitized)?

First questions that come to my mind are:

Why would you not make your outside interface static? What are your NAT rules? ACLs? etc., etc.

New Member

No connection to the outside from ASA 5510

Sorry for the information underload.

Our ISP is currently providing our external IP address via DHCP.  They will not be able to change that until after Christmas.  Here is the config file as it stands.

ASA Version 8.2(1)
!
hostname ciscoasa
enable password
passwd
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.15.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list 101 extended permit icmp any any
access-list 101 extended permit ip any any
access-list any extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group any in interface outside
access-group any in interface inside
route outside 0.0.0.0 0.0.0.0 98.101.250.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.1.0 255.255.255.0 management
telnet 192.168.15.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 192.168.15.40-192.168.15.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username rlsj password CzwimrfqLMj7M0Ua encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:56f11d20d06789d8caa1e1e56a4bcf95

No connection to the outside from ASA 5510

Hello Ronald,

Can you check my post? There is what you are missing on your config.

Do rate helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

New Member

No connection to the outside from ASA 5510

The level of genius here is AWESOME!  Thanks for your help.  It's the smallest things that kill me.

Thanks again!

No connection to the outside from ASA 5510

Hello Ronald.

Thanks for the comments and the rating.

It is great to hear that now everything is working as expected. If you have any other question, I would be more than glad to help.

Hope you have a great day,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC