Cisco ASA5510 Cannot connect to internet

Posted on 2008-06-09
Last Modified: 2008-06-09
I have a Cisco ASA 5510 that I am installing for a network.

This network currently has a SonicWall firewall. Their ISP has them with 1 static IP.

When I install the firewall I cannot get onto the internet.

While logged into the ASA's ASDM I noticed the following items in the logs. (There are more; I just posted 2 for now.)

Failed to locate egress interface for USP from inside: 192.168.10.x/1189 to xxx.xxx.xxx.xxx/53
Failed to locate egress interface for TCP from iniside: 192.168.10.x/3495 to xxx.xxx.xxx.xxx/110


I tried restarting the firewall, and the ISP router but still had no luck. Here is the running config of the ASA.

ASA Version 8.0(3)
!
hostname EBSC
domain-name xxxx.local
enable password xxxxxxx encrypted
names
name 192.168.10.5 NTMAIN
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.xxx.xxx.182 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd xxxxxxxxxxx encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list out extended permit ip any any
access-list out extended permit tcp any host NTMAIN eq pptp
access-list out extended permit udp any host NTMAIN eq isakmp
access-list out extended permit tcp any host NTMAIN eq smtp
access-list out extended permit tcp any host NTMAIN eq https
access-list out extended permit tcp any host NTMAIN eq pop3
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside extended permit icmp any any
access-list OUT extended permit ip any any
access-list EBSC_splitTunnelAcl standard permit any
access-list EBSC_splitTunnelAcl_1 standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteEBSC 192.168.10.125-192.168.10.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group out in interface outside
route outside 0.0.0.0 255.255.255.255 66.xxx.xxx.181 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NTMAIN protocol radius
aaa-server NTMAIN host NTMAIN
 timeout 5
 key 2899382771839
http server enable
http 192.168.10.6 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http NTMAIN 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set my-set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 68.93.159.245
crypto map mymap 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5 ESP-DES-SHA ESP-3DES-SHA ESP-AES-256-MD5 ESP-AES-256-SHA ESP-AES-192-MD5 ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-128-SHA
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 68.93.159.245
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cryptomap 20 match address outside_cryptomap
crypto map outside_cryptomap 20 set peer 68.93.159.245
crypto map outside_cryptomap 20 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_cryptomap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cryptomap interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 address-pools value RemoteEBSC
group-policy EBSC internal
group-policy EBSC attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EBSC_splitTunnelAcl
 default-domain value ebsc.local
group-policy EBSC_1 internal
group-policy EBSC_1 attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EBSC_splitTunnelAcl_1
 default-domain value ebsc.local
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 68.93.xxx.xxx type ipsec-l2l
tunnel-group 68.93.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group EBSC type remote-access
tunnel-group EBSC general-attributes
 address-pool RemoteEBSC
 authentication-server-group NTMAIN
 default-group-policy EBSC_1
tunnel-group EBSC ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
Question by:FNBCT

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 21745423
Your default route is formatted incorrectly.

Try this:

no route outside 0.0.0.0 255.255.255.255 66.xxx.xxx.181
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.181
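The route statement in the posted config, `route outside 0.0.0.0 255.255.255.255 ...`, is a host route to 0.0.0.0/32 rather than a default route, so no internet-bound packet ever matches it and the ASA logs "Failed to locate egress interface". The following script is an added example (not part of the thread or Cisco's tooling) that parses classic ASA `route` lines, flags that exact mistake, reports whether a real 0.0.0.0/0 route exists, and prints the two CLI lines from the accepted answer that replace the bad route. The sample config is constructed; the gateway 198.51.100.1 is a documentation-range placeholder standing in for the masked 66.xxx.xxx.181.

```python
"""Lint Cisco ASA static routes for a malformed default route.

Added example, not from the original thread. Handles the classic syntax
    route <ifname> <destination> <netmask> <gateway> [<metric>]
which is what ASA 8.0(3) in the question uses.
"""
import ipaddress
import re

ROUTE_RE = re.compile(
    r"^route\s+(?P<ifname>\S+)\s+(?P<dest>[\d.]+)\s+(?P<mask>[\d.]+)\s+"
    r"(?P<gw>[\d.]+)(?:\s+(?P<metric>\d+))?\s*$"
)

# Constructed sample, not the poster's real config: the broken default route
# from the thread (gateway replaced by a documentation-range placeholder) plus
# an ordinary static route for contrast.
SAMPLE_CONFIG = """\
hostname EBSC
route outside 0.0.0.0 255.255.255.255 198.51.100.1 1
route inside 192.168.20.0 255.255.255.0 192.168.10.1 1
"""

ANY = ipaddress.ip_address("0.0.0.0")


def parse_route(line):
    """Return a dict for a 'route' line, or None if the line is something else."""
    m = ROUTE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    # ipaddress accepts a dotted netmask after the slash; strict=False keeps
    # host bits so we can detect them ourselves below.
    r["network"] = ipaddress.ip_network(f"{r['dest']}/{r['mask']}", strict=False)
    return r


def classify_route(route):
    """Label one parsed route.

    'default'        a real default route (0.0.0.0/0)
    'bogus-default'  destination 0.0.0.0 with a non-zero mask: a host route to
                     0.0.0.0/32 that matches no real traffic, so the ASA has no
                     egress interface for internet-bound packets
    'host-bits-set'  destination has bits set outside the mask; worth a review
    'static'         ordinary static route
    """
    dest = ipaddress.ip_address(route["dest"])
    mask = ipaddress.ip_address(route["mask"])
    if dest == ANY:
        return "default" if mask == ANY else "bogus-default"
    if route["network"].network_address != dest:
        return "host-bits-set"
    return "static"


def audit_routes(config_text):
    """Return (findings, has_default): findings is a list of (line, label),
    has_default is True only if a correctly formed 0.0.0.0/0 route exists."""
    findings = []
    for line in config_text.splitlines():
        route = parse_route(line)
        if route is not None:
            findings.append((line.strip(), classify_route(route)))
    has_default = any(label == "default" for _, label in findings)
    return findings, has_default


def fix_commands(line):
    """For a 'bogus-default' line, return the CLI lines that replace it with a
    proper default route (the same fix the accepted answer gives)."""
    route = parse_route(line)
    if route is None or classify_route(route) != "bogus-default":
        return []
    metric = f" {route['metric']}" if route["metric"] else ""
    return [
        f"no route {route['ifname']} {route['dest']} {route['mask']} {route['gw']}",
        f"route {route['ifname']} 0.0.0.0 0.0.0.0 {route['gw']}{metric}",
    ]


if __name__ == "__main__":
    findings, has_default = audit_routes(SAMPLE_CONFIG)
    for text, label in findings:
        print(f"{label:15s} {text}")
        for cmd in fix_commands(text):
            print(f"    -> {cmd}")
    print("usable default route present:", has_default)
```

Run it against the sample and the first route is reported as `bogus-default` with the `no route ...` / `route outside 0.0.0.0 0.0.0.0 ...` replacement printed beneath it; feed it a `show running-config` capture instead and a missing or malformed default route stands out before anyone has to read ASDM logs.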
 

Author Comment

by:FNBCT
ID: 21745526
Well if it helps at all, I do remember changing the subnet from 255.255.255.255 to 0.0.0.0 through the ASDM but still had no luck.

I have a window of opportunity tonight to try this again. Just in case that does not work, is there anything else that might cause it, or are you 100% certain that is the issue?
 

Expert Comment

by:JFrederick29
ID: 21745578
That is all that stands out. Everything else looks okay. The egress error means it had no route...
 

Author Comment

by:FNBCT
ID: 21745583
Right-O

I'll try it tonight and let you know how it goes.
 

Author Comment

by:FNBCT
ID: 21747410
You are the bombdiggity.

Problem solved.