Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Unable to connect to internet

Posted on 2007-10-15
Medium Priority
Last Modified: 2010-04-09
Hi, I´m having some issues with this new ASA 5505. It´s connected to an ADSL-modem and the ISP provides IP through DHCP. The ASA should then provide the internal LAN with DCHP from the range 192.168.1.x. The ASA receives its IP and the clients as well, but it stops there. The clients cannot connect to the internet and the ASA cannot ping public ip's.
Am I missing something basic here?

ASA Version 7.2(3)
hostname ciscoasa
domain-name customer
enable password zKA/m.Jc5AIGrhWx encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name customer
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
Question by:jilted
  • 2
  • 2

Accepted Solution

Darkstriker69 earned 1200 total points
ID: 20082023
It looks like you are missing your nat statements

no nat-control
nat (inside) 1
global (outside) 1 interface

Author Comment

ID: 20083293
Humm, I´ll try that right away. What does the (no) nat-control statement mean?
LVL 79

Assisted Solution

lrmoore earned 300 total points
ID: 20084579
You need the nat-control in there. By entering "no nat-control" you have effectively turned off NAT, which is OK only if the upstream device (dsl modem/router) also does NAT.
You do need the nat (inside) and the global (outside) commands.
Are you getting a public IP address on the outside interface?
Show interface outside
show route
Make sure you are getting a proper default route.

Expert Comment

ID: 20085391

nat-control is an additional security feature that tells the that all packets passing from the inside interface to the outside interface on the ASA MUST match a NAT rule. I have never used this additial feature and if he is having trouble my recommendation would be to disable it.

You do not need a default route as this will be suppled via DHCP per your current config.

Author Comment

ID: 20085499
I entered the nat statements but they made no difference (at first) and there was definitely something wrong with my default route. show route did not give me the usual 0.0.0...., it gave me a 127.0...
This morning i erased the entire config and started over from the beginning, only setting the interface ip´s (vlan 1 --ip address and vlan 2 -- ip address dhcp setroute). I also entered the "dhcp-client client-id interface outside" for our ISP's dhcp to accept the ASA. That´s all and it worked!
sh run gives me the global and nat (inside) lines and there is no nat-control to be found. Besides that the config is identical. I have no idea why it didn´t work when i removed nat-control and entered the global /nat lines but hey, it works and i´m happy...


Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
With more and more companies allowing their employees to work remotely, it begs the question: What are some of the security risks involved with remote employees and what actions should we take to secure them?
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question