Solved

Cisco ASA5510 Cannot connect to internet

Posted on 2008-06-09
Last Modified: 2008-06-09
I have a Cisco ASA 5510 that I am installing for a network.

This network currently has a SonicWall firewall. Their ISP has them with 1 static IP.

When I install the firewall I cannot get onto the internet.

While logged into the ASA's ASDM, I noticed the following items in the logs. (There are more; I just posted 2 for now.)

Failed to locate egress interface for UDP from inside: 192.168.10.x/1189 to xxx.xxx.xxx.xxx/53
Failed to locate egress interface for TCP from inside: 192.168.10.x/3495 to xxx.xxx.xxx.xxx/110


I tried restarting the firewall, and the ISP router but still had no luck. Here is the running config of the ASA.

ASA Version 8.0(3)
!
hostname EBSC
domain-name xxxx.local
enable password xxxxxxx encrypted
names
name 192.168.10.5 NTMAIN
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 66.xxx.xxx.182 255.255.255.252
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.5.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd xxxxxxxxxxx encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxx.local
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network DM_INLINE_NETWORK_2
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
 network-object 192.168.4.0 255.255.255.0
 network-object 192.168.6.0 255.255.255.0
access-list 101 extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list out extended permit ip any any
access-list out extended permit tcp any host NTMAIN eq pptp
access-list out extended permit udp any host NTMAIN eq isakmp
access-list out extended permit tcp any host NTMAIN eq smtp
access-list out extended permit tcp any host NTMAIN eq https
access-list out extended permit tcp any host NTMAIN eq pop3
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside extended permit icmp any any
access-list OUT extended permit ip any any
access-list EBSC_splitTunnelAcl standard permit any
access-list EBSC_splitTunnelAcl_1 standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteEBSC 192.168.10.125-192.168.10.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
access-group out in interface outside
route outside 0.0.0.0 255.255.255.255 66.xxx.xxx.181 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NTMAIN protocol radius
aaa-server NTMAIN host NTMAIN
 timeout 5
 key 2899382771839
http server enable
http 192.168.10.6 255.255.255.255 inside
http 192.168.10.0 255.255.255.0 inside
http NTMAIN 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set my-set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 68.93.159.245
crypto map mymap 20 set transform-set ESP-3DES-MD5 ESP-DES-MD5 ESP-DES-SHA ESP-3DES-SHA ESP-AES-256-MD5 ESP-AES-256-SHA ESP-AES-192-MD5 ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-128-SHA
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 68.93.159.245
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cryptomap 20 match address outside_cryptomap
crypto map outside_cryptomap 20 set peer 68.93.159.245
crypto map outside_cryptomap 20 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_cryptomap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cryptomap interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 address-pools value RemoteEBSC
group-policy EBSC internal
group-policy EBSC attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EBSC_splitTunnelAcl
 default-domain value ebsc.local
group-policy EBSC_1 internal
group-policy EBSC_1 attributes
 wins-server value 192.168.10.5
 dns-server value 192.168.10.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EBSC_splitTunnelAcl_1
 default-domain value ebsc.local
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group 68.93.xxx.xxx type ipsec-l2l
tunnel-group 68.93.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group EBSC type remote-access
tunnel-group EBSC general-attributes
 address-pool RemoteEBSC
 authentication-server-group NTMAIN
 default-group-policy EBSC_1
tunnel-group EBSC ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
EBSC(config)#
0
Question by:FNBCT
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 21745423
Your default route is formatted incorrectly.

Try this:

no route outside 0.0.0.0 255.255.255.255 66.xxx.xxx.181
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.181
0
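
Added example (not part of the original thread or any poster's code): a simplified longest-prefix route lookup showing why a `0.0.0.0 255.255.255.255` route matches only the single address 0.0.0.0 and leaves every internet destination without an egress interface, while `0.0.0.0 0.0.0.0` matches everything. The 203.0.113.x and 198.51.100.53 addresses are documentation-range stand-ins for the redacted ones, the function names are hypothetical, and the lookup is a model of routing behaviour, not the ASA's implementation.

```python
import ipaddress

# Constructed sample config: the thread redacts the outside addresses, so
# documentation-range addresses (203.0.113.x) stand in for 66.xxx.xxx.18x.
CONFIG_BROKEN = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.182 255.255.255.252
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.2 255.255.255.0
route outside 0.0.0.0 255.255.255.255 203.0.113.181 1
"""
CONFIG_FIXED = CONFIG_BROKEN.replace("0.0.0.0 255.255.255.255", "0.0.0.0 0.0.0.0")

def to_network(addr, mask):
    """Turn an address and dotted mask into a network (host bits cleared)."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def build_routes(config):
    """Collect (network, interface) from connected interfaces and static routes."""
    routes, nameif = [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            nameif = None
        elif w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif:
            routes.append((to_network(w[2], w[3]), nameif))
        elif w[0] == "route":
            routes.append((to_network(w[2], w[3]), w[1]))
    return routes

def egress_interface(routes, dest):
    """Longest-prefix match; None corresponds to 'Failed to locate egress interface'."""
    addr = ipaddress.ip_address(dest)
    hits = [(net.prefixlen, ifc) for net, ifc in routes if addr in net]
    return max(hits)[1] if hits else None

def malformed_defaults(routes):
    """Routes to 0.0.0.0 with a non-zero mask: host routes, not default routes."""
    return [str(net) for net, _ in routes
            if int(net.network_address) == 0 and net.prefixlen != 0]
```

Running `malformed_defaults(build_routes(...))` over a saved running config before a cutover catches this class of typo without needing a maintenance window.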
 

Author Comment

by:FNBCT
ID: 21745526
Well if it helps at all, I do remember changing the subnet from 255.255.255.255 to 0.0.0.0 through the ASDM but still had no luck.

I have a window of opportunity tonight to try this again. Just in case that does not work, is there anything else that might cause it, or are you 100% certain that is the issue?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 21745578
That is all that stands out.  Everything else looks okay.  The egress error means it had no route...
0
 

Author Comment

by:FNBCT
ID: 21745583
Right-O

I'll try it tonight and let you know how it goes.
0
 

Author Comment

by:FNBCT
ID: 21747410
You are the bombdiggity.

Problem solved.
0
