Unable to connect to internet

Posted on 2007-10-15
Last Modified: 2010-04-09
Hi, I'm having some issues with this new ASA 5505. It's connected to an ADSL modem and the ISP provides IP through DHCP. The ASA should then provide the internal LAN with DHCP from the range 192.168.1.x. The ASA receives its IP and the clients as well, but it stops there. The clients cannot connect to the internet and the ASA cannot ping public IPs.
Am I missing something basic here?

ASA Version 7.2(3)
hostname ciscoasa
domain-name customer
enable password zKA/m.Jc5AIGrhWx encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
Question by:jilted
    LVL 5

    Accepted Solution

    It looks like you are missing your nat statements

    no nat-control
    nat (inside) 1
    global (outside) 1 interface

    Author Comment

    Humm, I'll try that right away. What does the (no) nat-control statement mean?
    LVL 79

    Assisted Solution

    You need the nat-control in there. By entering "no nat-control" you have effectively turned off NAT, which is OK only if the upstream device (dsl modem/router) also does NAT.
    You do need the nat (inside) and the global (outside) commands.
    Are you getting a public IP address on the outside interface?
    Show interface outside
    show route
    Make sure you are getting a proper default route.
    LVL 5

    Expert Comment


    nat-control is an additional security feature that tells the ASA that all packets passing from the inside interface to the outside interface on the ASA MUST match a NAT rule. I have never used this additional feature and if he is having trouble my recommendation would be to disable it.

    You do not need a default route as this will be supplied via DHCP per your current config.

    Author Comment

    I entered the nat statements but they made no difference (at first) and there was definitely something wrong with my default route. show route did not give me the usual 0.0.0...., it gave me a 127.0...
    This morning I erased the entire config and started over from the beginning, only setting the interface IPs (vlan 1 -- ip address and vlan 2 -- ip address dhcp setroute). I also entered the "dhcp-client client-id interface outside" for our ISP's DHCP to accept the ASA. That's all and it worked!
    sh run gives me the global and nat (inside) lines and there is no nat-control to be found. Besides that the config is identical. I have no idea why it didn't work when I removed nat-control and entered the global/nat lines but hey, it works and I'm happy...
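
Added example, not part of the thread and not any poster's or Cisco's code: a Python check that scans an ASA 7.x-style running-config for the nat/global pairing and nat-control setting discussed in the answers above. The function name `audit_nat`, the finding strings, and the sample configs (including the `0.0.0.0 0.0.0.0` arguments to `nat`) are constructed for illustration.

```python
import re

# Matches 7.x-style dynamic NAT lines: "nat (ifc) ID ..." / "global (ifc) ID ..."
RULE_RE = re.compile(r"^(nat|global) \((\S+)\) (\d+)\b")

def audit_nat(config):
    """Return a list of findings about dynamic NAT/PAT pairing in a config."""
    rules = {"nat": {}, "global": {}}      # kind -> {nat_id: {interface names}}
    nameifs, nat_control = set(), False
    for raw in config.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if line.startswith("nameif "):
            nameifs.add(line.split()[1])
        elif line == "nat-control":        # "no nat-control" does not match
            nat_control = True
        elif m:
            rules[m.group(1)].setdefault(m.group(3), set()).add(m.group(2))
    nat, glob = rules["nat"], rules["global"]
    findings = []
    if not nat and not glob:
        findings.append("no nat/global rules: " + (
            "nat-control drops outbound traffic" if nat_control
            else "private source addresses leave untranslated"))
    for nat_id in sorted(nat):
        # ID 0 is identity NAT / exemption and needs no global pool.
        if nat_id != "0" and nat_id not in glob:
            findings.append(f"nat id {nat_id} has no matching global")
    for nat_id in sorted(glob):
        if nat_id not in nat:
            findings.append(f"global id {nat_id} has no matching nat")
    used = {i for ifcs in (*nat.values(), *glob.values()) for i in ifcs}
    for ifc in sorted(used - nameifs):
        findings.append(f"rule references undefined interface '{ifc}'")
    return findings

# Constructed samples modelled on the config in the question.
BASE = ("interface Vlan1\n nameif inside\n"
        "interface Vlan2\n nameif outside\n ip address dhcp setroute\n")
FIXED = BASE + "nat (inside) 1 0.0.0.0 0.0.0.0\nglobal (outside) 1 interface\n"
HALF = BASE + "nat (inside) 1 0.0.0.0 0.0.0.0\n"

if __name__ == "__main__":
    for name, cfg in (("BASE", BASE), ("HALF", HALF), ("FIXED", FIXED)):
        print(name, audit_nat(cfg) or "ok")
```

An empty result only means the NAT IDs pair up; the default route learned through `setroute` still has to be confirmed with `show route` on the device.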

