
new ASA 5520 can't connect to internet

Hi all,

I am not sure why I am having so much trouble with this.

I have a new 5520, my ISP gave me 2 sets of IPs. One set, 38.xx4.xxx.x29/30, is my outside interface and gateway. My public range is 38.xx5.xxx.224/27. I am not sure if this is where the issue is.

I can access my outside interface from the internet (I just turned on HTTPS/ASDM for my home PC to manage on the outside interface and it worked fine).

I set my global to use the first IP of the /27 public network (which is different than the interface IP). I also tried using the interface for global, but that didn't seem to work either.

I am just using inside and outside for now. I haven't even gotten into DMZ yet.

Here is my config. Anything obvious missing? I have tried removing and adding access-lists, NATs, etc. along the way. Nothing seems to work yet.

Thanks all.
hostname inn5520
domain-name domain.com
enable password xhnfMm64H2K/L6s6 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 38.xx4.xx.30 255.255.255.252 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.5.0.6 255.255.0.0 
!
interface GigabitEthernet0/2
 shutdown
 nameif dmz
 security-level 50
 ip address 10.55.1.1 255.255.0.0 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd TC1uwpZC5.v.59Uk encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.com
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 38.xx5.xxx.225 netmask 255.255.255.255
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 38.xx4.xx.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy

Asked: toomanyservers
2 Solutions
 
the_b1ackfoxCommented:
How old is this 5520?  You got it with at least a year of smart net right?
 
toomanyserversAuthor Commented:
It's brand new, as in got it today. Smart net not activated/delivered yet!
 
the_b1ackfoxCommented:
Doesn't matter... Cisco will see that it is new and open a case under warranty.
 
toomanyserversAuthor Commented:
Also FYI, I upgraded the software to 8.3.
 
toomanyserversAuthor Commented:
I guess I could call them, was hoping someone can see something obvious with the config.
 
the_b1ackfoxCommented:
lol, I had them work on mine the day it got in, before the smartnet kicked in...   Totally awesome
 
the_b1ackfoxCommented:
you can start with pinging the next hop via tcp/ip... I am a lil put off by the ip config though
 
the_b1ackfoxCommented:
so can you ping the gateway?
 
toomanyserversAuthor Commented:
From the firewall, I just pinged an MCI DNS server:

Sending 5, 100-byte ICMP Echos to 198.6.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms
 
the_b1ackfoxCommented:
and you can ping something on your inside subnet?  
 
toomanyserversAuthor Commented:
yes

Sending 5, 100-byte ICMP Echos to 10.5.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
 
the_b1ackfoxCommented:
k, go to ur security policy, make sure there is a rule allowing any from inside to any destination (permit)
 
toomanyserversAuthor Commented:
There is an access rule on the inside interface (implied): source any, destination any less secure network, permit ip.
 
the_b1ackfoxCommented:
if inside is set to 100, and outside to 0, traffic should flow....   can you ping 4.2.2.2 from a pc with its gateway pointing to the inside interface of the fw?
 
batry_boyCommented:
Issue the following commands:

no nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0

See if that helps...
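The root cause batry_boy is correcting is that a pre-8.3 ASA only builds a dynamic translation when the ID on a `nat (inside) N` line matches the ID on a `global (outside) N` line; the posted config has nat ID 10 against global ID 1, so inside hosts are never translated and their traffic dies at the outside interface. As an added example (not from this thread or from Cisco), here is a small Python audit that parses the old `nat`/`global` syntax and reports NAT IDs with no matching global pool, then emits the same renumbering commands given above. The sample config is constructed from the lines the asker posted.

```python
import re
from collections import defaultdict

# Constructed sample in the pre-8.3 ASA syntax of the config posted above:
# the nat ID (10) and global ID (1) do not match, so no translation is built.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
global (outside) 1 38.xx5.xxx.225 netmask 255.255.255.255
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 38.xx4.xx.29 1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def parse_nat_pairs(config_text):
    """Map nat_id -> [(iface, local, mask)] and global_id -> [(iface, pool)]."""
    nats, globals_ = defaultdict(list), defaultdict(list)
    for line in config_text.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nats[int(m.group(2))].append((m.group(1), m.group(3), m.group(4)))
        elif m := GLOBAL_RE.match(line):
            globals_[int(m.group(2))].append((m.group(1), m.group(3)))
    return nats, globals_

def find_orphan_nat_ids(config_text):
    """nat statements whose ID has no global pool anywhere (ID 0 = identity NAT, skipped)."""
    nats, globals_ = parse_nat_pairs(config_text)
    return sorted(i for i in nats if i != 0 and i not in globals_)

def suggest_fix(config_text):
    """Renumber each orphan nat statement to the lowest existing global ID."""
    nats, globals_ = parse_nat_pairs(config_text)
    if not globals_:
        return ["! no global pool configured; add one before fixing nat IDs"]
    target = min(globals_)
    fixes = []
    for nat_id in find_orphan_nat_ids(config_text):
        for iface, local, mask in nats[nat_id]:
            fixes.append(f"no nat ({iface}) {nat_id} {local} {mask}")
            fixes.append(f"nat ({iface}) {target} {local} {mask}")
    return fixes
```

This only applies to the `nat`/`global` syntax shown in the posted config; the 8.3 release the asker mentions upgrading to replaced it with object NAT, so a running 8.3 box should be audited from `show nat` instead.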
 
toomanyserversAuthor Commented:
Ping fails. I see on the ASDM page that the PIX is seeing the requests. My guess is that it is being blocked on the way back?

I know the line works. I had a D-Link firewall set up while waiting for the ASA to come and the connection worked fine.

Also, like I mentioned, I can connect to the ASA from home now.
 
toomanyserversAuthor Commented:
batry boy, that was it! I used 10 because the quick start guide used that. Unreal!

blackfox, thanks for helping me rule out stuff.
 
the_b1ackfoxCommented:
what error message are you seeing in the logfile?
 
the_b1ackfoxCommented:
Ah cool!