Cisco ASA 5510 config issue 8.0(2) - No internet traffic

Hello,

I'm trying to configure a Cisco ASA 5510 so the inside clients can access the web.

The setup is an ADSL2+ connection --> Cisco 877 in full bridge mode --> Cisco ASA 5510

I can ping the internal PCs, I can ping the Gateway IP but I can't ping the outside world or access the web.

Here is my config:

--------------------------------------------------------------------------------------
!
ASA Version 8.0(2)
!
hostname FIREWALL
domain-name TEST.COM
enable password AAAAAAAAAAAAAAAAA encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address aaa.aaa.aaa.aaa 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
passwd AAAAAAAAAAAAAAA encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name TEST.COM
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 aaa.aaa.aaa.aaa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:57f86d842dcccb502adfbf5961315320
: end
--------------------------------------------------------------------------------------

Thanks for the help.
joe90kaneAsked:

InteraXCommented:
Hello joe90kane,

You don't have any ACL on the outside interface. As ICMP is a connectionless protocol, you need to allow the ICMP echo-reply traffic back through the firewall.

Try the following.
access-list OutsideIn extended permit icmp any any echo-reply
access-group OutsideIn in interface outside

Regards,

InteraX
0
InteraXCommented:
Hold on. You can ping the inside and gateway from the firewall, yes? Can you ping the firewall from the inside? Can you ping the firewall from the gateway?
I don't know if Cisco have changed the default settings, but have you tried creating an ACL from the inside allowing your DNS servers to send DNS requests out, then allowing any inside host to access HTTP and HTTPS?
0
joe90kaneAuthor Commented:
Thanks Guys, got it working - turned out to be the wrong Route and a loose connection on the 877 :-)

I now have a related issue.

I have 2 ASAs

ASA1 + 4mb leased line (7 VPNs all connect back to head office)

subnets of sites are 192.168.1.*** / 2.*** / 3.*** / 4.*** / 5.***/ 6.*** / 7.***

------------

ASA2 + 4mb ADSL2+ (Simple config above)

------------

I use a squid proxy server on debian - If I change the Gateway on the proxy to the ASA2 all my sites can't access the web?

How can I enable traffic from ASA1 to ASA2 for all sites???

Thanks,


0
InteraXCommented:
joe90kane,

You need to setup routing on the gateway to route traffic to the sites via ASA1 and a default route via ASA2. Sounds like a new question though. ;-)

InteraX
0

joe90kaneAuthor Commented:
The 2 ASAs are 192.168.1.253 & 252
0
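A small Python model of the routing table InteraX describes for the Debian squid proxy (an added example, not code from the thread or from the posted ASA config): the remote site subnets go via ASA1, everything else via ASA2, and the local LAN is on-link. It assumes ASA1 is 192.168.1.253 (the author gives .253 and .252, and the posted config makes ASA2's inside address .252) and that the site networks are /24s; the emitted commands are the iproute2 equivalents for the proxy.

```python
import ipaddress

# Constructed from the thread: ASA2 (the ADSL unit whose config is posted above) has
# inside address 192.168.1.252; the author says the two ASAs are .253 and .252, so
# ASA1 (leased line, VPN hub) is ASSUMED to be .253.
ASA1_VPN_HUB = ipaddress.ip_address("192.168.1.253")
ASA2_ADSL = ipaddress.ip_address("192.168.1.252")
HEAD_OFFICE_LAN = ipaddress.ip_network("192.168.1.0/24")   # the proxy's own LAN
# Remote site LANs that are only reachable through ASA1's VPN tunnels.
# The post writes them as 192.168.2.*** ... 192.168.7.***; /24 masks are assumed.
SITE_SUBNETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(2, 8)]


def build_routes():
    """Routing table for the proxy: connected LAN, site subnets via ASA1, default via ASA2.
    A gateway of None means the destination is on-link (delivered directly)."""
    routes = [(HEAD_OFFICE_LAN, None)]
    routes += [(net, ASA1_VPN_HUB) for net in SITE_SUBNETS]
    routes.append((ipaddress.ip_network("0.0.0.0/0"), ASA2_ADSL))
    return routes


def next_hop(dst, routes=None):
    """Resolve a destination the way the kernel does: longest prefix match.
    Returns the gateway as a string, or 'on-link' for the local LAN."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in (routes or build_routes()) if addr in net]
    net, gw = max(matches, key=lambda r: r[0].prefixlen)   # most specific route wins
    return "on-link" if gw is None else str(gw)


def debian_route_commands(routes=None):
    """iproute2 commands that apply the table on the Debian squid box.
    Connected routes are skipped; the kernel installs them from the interface address."""
    cmds = []
    for net, gw in routes or build_routes():
        if gw is None:
            continue
        target = "default" if net.prefixlen == 0 else str(net)
        cmds.append(f"ip route replace {target} via {gw}")
    return cmds


if __name__ == "__main__":
    for dst in ("192.168.3.10", "192.168.1.252", "8.8.8.8"):
        print(f"{dst:>14} -> {next_hop(dst)}")
    print("\n".join(debian_route_commands()))
```

With only a default route pointing at ASA2, the proxy's replies to remote-site clients would leave via the ADSL firewall instead of the VPN hub, which is why the sites lose web access; the specific routes send that traffic back through ASA1.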