new ASA 5520 can't connect to internet

Hi all,

I am not sure why I am having so much trouble with this.  

I have a new 5520, my ISP gave me 2 sets of IPs.  One set 38.xx4.xxx.x29/30 is my outside interface and gateway.  My public range is 38.xx5.xxx.224/27.  I am not sure if this is where the issue is.

I can access my outside interface from the internet (I just turned on HTTPS/ASDM for my home pc to manage on the outside interface and it worked fine)

I set my global to use the first IP of the /27 public network (which is different than the interface IP).  I also tried using the interface for global, but that didn't seem to work either.

I am just using inside and outside for now.  I haven't even gotten into DMZ yet.

Here is my config.  Anything obvious missing?  I have tried removing and adding access-lists, nats, etc. along the way.  Nothing seems to work yet.

Thanks all.
hostname inn5520
domain-name domain.com
enable password xhnfMm64H2K/L6s6 encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 38.xx4.xx.30 255.255.255.252 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.5.0.6 255.255.0.0 
!
interface GigabitEthernet0/2
 shutdown
 nameif dmz
 security-level 50
 ip address 10.55.1.1 255.255.0.0 
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd TC1uwpZC5.v.59Uk encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name domain.com
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 38.xx5.xxx.225 netmask 255.255.255.255
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 38.xx4.xx.29 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy


Asked by: toomanyservers
the_b1ackfox (CIO) Commented:
How old is this 5520?  You got it with at least a year of smart net right?
0
toomanyservers (Author) Commented:
It's brand new, as in got it today.  Smart net not activated/delivered yet!
0
the_b1ackfox (CIO) Commented:
doesn't matter... Cisco will see that it is new and open a case under warranty
0
toomanyservers (Author) Commented:
Also FYI, I upgraded the software to 8.3
0
toomanyservers (Author) Commented:
I guess I could call them, was hoping someone can see something obvious with the config.
0
the_b1ackfox (CIO) Commented:
lol, I had them work on mine the day it got in, before the smartnet kicked in...   Totally awesome
0
the_b1ackfox (CIO) Commented:
you can start with pinging the next hop via tcp/ip... I am a lil put off by the ip config though
0
the_b1ackfox (CIO) Commented:
so can you ping the gateway?
0
toomanyservers (Author) Commented:
from the firewall, I just pinged an MCI DNS server

Sending 5, 100-byte ICMP Echos to 198.6.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms
0
the_b1ackfox (CIO) Commented:
and you can ping something on your inside subnet?  
0
toomanyservers (Author) Commented:
yes

Sending 5, 100-byte ICMP Echos to 10.5.0.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
0
the_b1ackfox (CIO) Commented:
k, go to ur security policy, make sure there is a rule allowing any from inside to any destination (permit)
0
toomanyservers (Author) Commented:
there is an access rule - on inside interface (implied)  source any, destination any less secure network permit ip
0
the_b1ackfox (CIO) Commented:
if inside is set to 100, and outside to 0, traffic should flow....   can you ping 4.2.2.2 from a pc with its gateway pointing to the inside interface of the fw?
0
batry_boy Commented:
Issue the following commands:

no nat (inside) 10 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0

See if that helps...
0
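
Why the two commands in the answer above matter, as an added example that is not part of the original thread: in the nat/global syntax used in the posted config, a nat statement is paired with a global pool by its NAT ID, so nat (inside) 10 finds no pool while global (outside) 1 goes unused. The Python check below flags such unpaired IDs; the names check_nat_pairs, BROKEN and FIXED are hypothetical, and only the simple nat/global forms shown in the question are parsed.

```python
import re

# The two NAT lines from the question's config (addresses masked as on the page).
BROKEN = """\
global (outside) 1 38.xx5.xxx.225 netmask 255.255.255.255
nat (inside) 10 0.0.0.0 0.0.0.0
"""
# The same lines after the two commands from the answer (constructed).
FIXED = """\
global (outside) 1 38.xx5.xxx.225 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Matches "nat (ifc) ID ..." and "global (ifc) ID ..." at the start of a line.
STMT_RE = re.compile(r"^(nat|global) \((\S+)\) (\d+)\s")


def check_nat_pairs(config):
    """Return findings for nat/global statements whose NAT IDs have no partner."""
    seen = {"nat": {}, "global": {}}  # keyword -> {nat_id: [interfaces]}
    for raw in config.splitlines():
        m = STMT_RE.match(raw.strip())
        if m:
            kind, ifc, nat_id = m.group(1), m.group(2), int(m.group(3))
            seen[kind].setdefault(nat_id, []).append(ifc)

    findings = []
    for nat_id, ifcs in sorted(seen["nat"].items()):
        if nat_id == 0:
            continue  # nat 0 is NAT exemption / identity NAT and needs no global
        if nat_id not in seen["global"]:
            findings += [f"nat ({i}) {nat_id}: no global with NAT ID {nat_id}" for i in ifcs]
    for nat_id, ifcs in sorted(seen["global"].items()):
        if nat_id not in seen["nat"]:
            findings += [f"global ({i}) {nat_id}: no nat uses NAT ID {nat_id}" for i in ifcs]
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BROKEN), ("after", FIXED)):
        print(name, check_nat_pairs(cfg) or "nat/global IDs pair up")
```
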

toomanyservers (Author) Commented:
ping fails.  I see on the ASDM page that the pix is seeing the requests. My guess is that it is being blocked on the way back?

I know the line works.  I had a dlink firewall set up while waiting for the ASA to come and the connection worked fine.

Also like I mentioned, I can connect to the ASA from home now.
0
toomanyservers (Author) Commented:
batry boy that was it!  I used 10 because the quick start guide used that.  unreal!

blackfox, thanks for helping me rule out stuff
0
the_b1ackfox (CIO) Commented:
what error message are you seeing in the logfile?
0
the_b1ackfox (CIO) Commented:
Ah cool!
0