• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 361
  • Last Modified:

Unable to connect to internet

Hi, I´m having some issues with this new ASA 5505. It´s connected to an ADSL-modem and the ISP provides IP through DHCP. The ASA should then provide the internal LAN with DCHP from the range 192.168.1.x. The ASA receives its IP and the clients as well, but it stops there. The clients cannot connect to the internet and the ASA cannot ping public ip's.
Am I missing something basic here?

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name customer
enable password zKA/m.Jc5AIGrhWx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.100 inside
dhcpd dns 195.7.64.3 195.7.64.131 interface inside
dhcpd enable inside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2ead0f1d5ab39139525ab5e5bf96ad73
: end
0
jilted
Asked:
jilted
  • 2
  • 2
2 Solutions
 
Darkstriker69Commented:
It looks like you are missing your nat statements

no nat-control
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
0
 
jiltedAuthor Commented:
Humm, I´ll try that right away. What does the (no) nat-control statement mean?
0
 
lrmooreCommented:
You need the nat-control in there. By entering "no nat-control" you have effectively turned off NAT, which is OK only if the upstream device (dsl modem/router) also does NAT.
You do need the nat (inside) and the global (outside) commands.
Are you getting a public IP address on the outside interface?
Show interface outside
show route
Make sure you are getting a proper default route.
0
 
Darkstriker69Commented:
Um...

nat-control is an additional security feature that tells the that all packets passing from the inside interface to the outside interface on the ASA MUST match a NAT rule. I have never used this additial feature and if he is having trouble my recommendation would be to disable it.

You do not need a default route as this will be suppled via DHCP per your current config.
0
 
jiltedAuthor Commented:
Hi!
I entered the nat statements but they made no difference (at first) and there was definitely something wrong with my default route. show route did not give me the usual 0.0.0...., it gave me a 127.0...
This morning i erased the entire config and started over from the beginning, only setting the interface ip´s (vlan 1 --ip address 192.168.1.254 255.255.255.0 and vlan 2 -- ip address dhcp setroute). I also entered the "dhcp-client client-id interface outside" for our ISP's dhcp to accept the ASA. That´s all and it worked!
sh run gives me the global and nat (inside) lines and there is no nat-control to be found. Besides that the config is identical. I have no idea why it didn´t work when i removed nat-control and entered the global /nat lines but hey, it works and i´m happy...

Thank´s!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now