Cisco Support Community
New Member

Suddenly Cannot Connect to the Internet - ASA 5505

Hi there

I have a test network after my firewall at home

Firewall -> ASA5505 -> My test network

I have internet from my Main firewall

I can ping 8.8.8.8 and 139.130.4.5 (NSL.telstra.net) from my console interface

but from the rest of my ports (Vlan 2) I do not have access to the internet!!!!?

But I used to have access to the internet from all ports on Vlan 2 (I connected to my test network yesterday from my office).

I already checked my IP address; it has not changed since yesterday.

Any idea?

Thank you in advance for your time.

My configuration is:

======================

CiscoASA5505(config)# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name xyz.net
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xyz.net
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network PC
 host 192.168.20.36
access-list outside_in remark allow RDP
access-list outside_in extended permit tcp any object PC eq 3389
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
 nat (inside,outside) dynamic 192.168.1.6
object network PC
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3fc5d8c2bd3023947da493a69b3f3700
: end

======================

7 REPLIES
New Member

Hi,

Looking at your configuration, I see that you're dynamically NATting the inside LAN to a specific IP address (192.168.1.6) and you're using the outside VLAN (VLAN 2) as a DHCP client. Probably your home firewall changed the outside IP address, so NATting is not working anymore. Try to change the NAT configuration of the inside LAN in this way:

object network obj-192.168.20.0
 nat (inside,outside) dynamic interface

hope this helps.

regards

New Member

Thank you so much

I added it but I still do not have access to the internet.

I do not understand what is wrong, it was working!!!

As you mentioned, it seems something is wrong with the IP address of my firewall; please see the image below.

I think it used to be 192.168.1.6, but somehow it is 192.168.1.5 in my main firewall.

When I want to change

object network obj-192.168.20.0
 nat (inside,outside) dynamic 192.168.1.6 --> nat (inside,outside) dynamic 192.168.1.5

I receive the message below:

CiscoASA5505(config)# object network obj-192.168.20.0
CiscoASA5505(config-network-object)# nat (inside,outside) dynamic 192.168.1.5
ERROR: Address 192.168.1.5 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded


I am not sure if I have to change the IP address to 192.168.20.5 

Please advise

===========================

CiscoASA5505# sho run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name xyz.net
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xyz.net
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network PC
 host 192.168.20.36
access-list outside_in remark allow RDP
access-list outside_in extended permit tcp any object PC eq 3389
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj-192.168.20.0
 nat (inside,outside) dynamic 192.168.1.6

object network PC
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3fc5d8c2bd3023947da493a69b3f3700
: end

New Member

Wait a moment

The IP address of the firewall changed to 192.168.1.6 in my main firewall again, but it is inactive.

I should find a solution to activate it.


New Member

OK, I guess I figured out what is wrong.

My ASA got its IP address from my main firewall (router) by DHCP, which is wrong; I should assign a static IP address to it. How? I do not know. My main firewall (router) is a MI24WR,

and at the same time one of the laptops in my house got 192.168.1.6,

so the router changed the IP address of the ASA to 192.168.1.5 and disabled it.

I should find out how to assign a static IP address to port 0 of the ASA, and if I do it, what will happen to the configuration? Shall I change it?

New Member

I excluded the range 192.168.1.2 ~ 192.168.1.9 from the DHCP server in my main router.

Now I do not know how to assign a static IP address (192.168.1.6) to port 0 on the ASA5505.

New Member

Supposing, as is probably the case, that the main router hands out IP addresses with a /24 mask, you can configure a static IP address with these commands:

conf t

int vlan 2

ip address 192.168.1.6 255.255.255.0

write

When you assign an IP address to the outside interface, you then need to add a static IP route for internet traffic:

route outside 0.0.0.0 0.0.0.0 [main-firewall-ip-address]

where [main-firewall-ip-address] is the main firewall address facing your Cisco ASA.
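An added check, not code from this thread or from Cisco, that reads an ASA running-config and flags the three mistakes the two answers above (and the "overlaps with outside interface address" error) turn on: dynamic NAT to a fixed address while the outside interface is a DHCP client, a NAT mapped address equal to the outside interface address, and a static outside address with no default route. The sample config is constructed to mirror the thread's first 'show run', trimmed to the relevant lines; parse_asa and audit are names chosen here.

```python
import re
# Constructed sample shaped like the thread's first 'show run' (trimmed, not the full dump).
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address dhcp setroute
!
object network obj-192.168.20.0
 nat (inside,outside) dynamic 192.168.1.6
object network PC
 nat (inside,outside) static interface service tcp 3389 3389
"""
NAT_RE = re.compile(r" nat \((\w+),(\w+)\) (?:dynamic|static) (\S+)")
ROUTE_RE = re.compile(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 ")

def parse_asa(config):
    """interfaces: nameif -> 'dhcp' or IPv4; nats: (object, real_if, mapped_if, mapped); routes: nameifs with a default route."""
    interfaces, nats, routes = {}, [], set()
    nameif = obj = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = obj = None                   # entering an interface block
        elif line.startswith("object network "):
            nameif, obj = None, line.split()[2]   # entering a network object block
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            interfaces[nameif] = line.split()[2]  # 'dhcp' or the dotted address
        elif (m := ROUTE_RE.match(line)):
            routes.add(m.group(1))
        elif (m := NAT_RE.match(line)) and obj:
            nats.append((obj,) + m.groups())
    return interfaces, nats, routes

def audit(config):
    # Returns one finding per mistake; an empty list means none of the three was found.
    interfaces, nats, routes = parse_asa(config)
    findings = []
    for obj, _real_if, mapped_if, mapped in nats:
        if mapped == "interface":
            continue  # the 'interface' keyword follows whatever address the interface holds
        outside_ip = interfaces.get(mapped_if)
        if outside_ip == "dhcp":
            findings.append(f"{obj}: NAT to fixed {mapped} but {mapped_if} is a DHCP client; use the 'interface' keyword")
        elif outside_ip == mapped:
            findings.append(f"{obj}: {mapped} overlaps with the {mapped_if} interface address; use the 'interface' keyword")
    for mapped_if in {n[2] for n in nats}:
        if interfaces.get(mapped_if, "dhcp") != "dhcp" and mapped_if not in routes:
            findings.append(f"{mapped_if}: static address but no default route; add 'route {mapped_if} 0.0.0.0 0.0.0.0 <gateway>'")
    return findings
```

Running audit over the poster's final config (static 192.168.1.6 on outside, default route present, NAT line refused) reports only the overlap, which is exactly why the NAT to a literal address fails and the interface keyword is the fix.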

New Member

Hello there,

This test network is making me crazy.

I know 

object network obj-192.168.20.0
 nat (inside,outside) dynamic 192.168.1.6

is missing in the configuration,

but when I try to add it I receive the message below:

ERROR: Address 192.168.1.6 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

What is wrong?

=====================

CiscoASA5505(config)# show run
: Saved
:
ASA Version 9.1(2)
!
hostname CiscoASA5505
domain-name xyz.net
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.6 255.255.255.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xyz.net
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.0
object network PC
 host 192.168.20.36
access-list outside_in remark allow RDP
access-list outside_in extended permit tcp any object PC eq 3389
access-list outside_in extended permit icmp any4 any4 echo-reply
access-list outside_in extended deny ip any4 any4 log
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network PC
 nat (inside,outside) static interface service tcp 3389 3389
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.20.5-192.168.20.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username sarparast password VXBc.HbZN0mmwbmL encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6c99678fa047f3af952031ddd5a9dba1
: end

=====================
