ASA cannot connect out to the internet

I've replaced my Pix with ASA.
I've configured it with the same IPs, NAT, global, and route; however, the clients from the inside cannot connect out to the internet (DNS is configured correctly and internet works when using Pix).

Can you check my running-config and see if there's anything odd?
Below is my running-config.


ASA Version 7.2(3)
!
hostname ciscoasa
domain-name happyhour.com
enable password tvz3E7EeaZN4TVwU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 95.10.10.10 255.255.255.0
!
interface Vlan3
 shutdown
 no nameif
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd tvz3E7EeaZN4TVwU encrypted
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name happyhour.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 95.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
console timeout 0
dhcpd auto_config outside
!


!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4ed215e287416df71968a5f805gd62z8
: end
Lindows Asked:

surbabu140977 Commented:
vlan1=inside
vlan2=outside
Fine

e0/0=vlan2=outside
Fine.

Where is inside interface? which asa interface is inside??
e0/1/2/3/4/5/6/7 all seems to be shut down.

0
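An added example, not part of the original thread: a small Python check that maps each physical port in a posted running-config to its VLAN and nameif, which is the question raised in the comment above. The function names are hypothetical, the sample is a constructed excerpt of the config in the question, and the code assumes that a switch port with no "switchport access vlan" line belongs to VLAN 1.

```python
# Constructed excerpt of the running-config posted in the question.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
!
interface Vlan2
 nameif outside
!
interface Vlan3
 shutdown
 no nameif
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
"""
DEFAULT_VLAN = 1  # assumption: a port with no "switchport access vlan" is in VLAN 1

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return stanzas

def port_map(config):
    """Map each physical port to (vlan, nameif of that VLAN, admin state)."""
    stanzas = parse_interfaces(config)
    nameif = {}
    for name, cmds in stanzas.items():
        if name.startswith("Vlan"):
            named = [c.split()[1] for c in cmds if c.startswith("nameif ")]
            nameif[int(name[4:])] = named[0] if named else None
    ports = {}
    for name, cmds in stanzas.items():
        if name.startswith("Ethernet"):
            vlans = [int(c.split()[-1]) for c in cmds if c.startswith("switchport access vlan ")]
            vlan = vlans[-1] if vlans else DEFAULT_VLAN
            state = "shutdown" if "shutdown" in cmds else "enabled"
            ports[name] = (vlan, nameif.get(vlan), state)
    return ports
```

A port that maps to a VLAN with no nameif, or that reports "shutdown", is the one to look at first.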
MikeKane Commented:
From the ASA, Make sure you can ping inside and outside from the CLI.    

Check the XLATE, generate some traffic and then do a SHOW XLATE on the cli of the asa to see if the ips are getting Natted.

Check and CLEAR ARP on the ASA just to be sure.  


What are the results of these?
0
Lindows (Author) Commented:
Thanks for the comments guys.

The inside interface is 0/1-0/7
The outside interface is 0/0

When I do xlate,
PAT Global  95.10.10.10 (1029) Local 192.168.10.11 (54212)
PAT Global  95.10.10.10 (1028) Local 192.168.10.11 (63215)
PAT Global  95.10.10.10 (1027) Local 192.168.10.11 (66936)

I can ping both the outside/inside interfaces from asa cli.
But I cannot ping the gateway router 95.10.10.1.
I don't know why.  When using pix, it can and internet works fine and it has the same IP,nat, global, and route.

The Ethernet 0/0 as well as all other ports are in a SwitchPort mode.
In ASDM, in NAT, I see one rule and its type is Dynamic.  Source and Destination any, interface outside, address outside...
In ASDM, in Security Policy,

For inside, 2 implicit incoming rules:
1) source any, destination any less secure network networks, service IP, Action Permit
2)  source any, destination any, service IP, Action Deny

For outside, 1 implicit incoming rules:
source any, destination any, service IP, Action Deny.

I didn't create any ACLs.  Do I need to create ACLs to explicitly allow traffic to go out on ASA?
0
MikeKane Commented:
>>But I cannot ping the gateway router 95.10.10.1.

So we have to look at this 1st, nothing else should matter until this works. Double check the IP gateway subnet mask, make sure it matches with the ASA. Do you connect with a switch or hub? If it's a hub, make sure that the port settings match. 10bt with 10bt, 100 with 100. If it's a switch, make sure you get link lights with the ASA appliance.





0
Lindows (Author) Commented:
Also in ASDM's interface status, for both the inside and outside interface,
IP Address/Mask = no ip address
Line = down
Link = up

But in cli when I do show interface:
Interface VLan1 "inside", is up, line protocol is up
Interface Vlan2 "outside", is up, line protocol is up
0
Lindows (Author) Commented:
Double check the IP gateway subnet mask, make sure it matches with the ASA.  
> Yes they match.

Do you connect with a switch or hub?
> ASA's outside interface connects to  > a hub > modem.  Even when I connect ASA's outside interface directly to the modem bypassing the hub, it still can't ping the upstream ISP's router's gateway.  The link light is on for both cases.

 
0
Lindows (Author) Commented:
Another thing I noticed is when I do show interface, the mac address for both the outside and inside are the same.  And ASA mode is in routed mode, I'm not sure if that's got something to do with it.
0
Lindows (Author) Commented:
I resolved it.
It was actually the  modem.  For some reason, it wasn't accepting the connection from ASA.
Restarted the modem and it began working.
0
MikeKane Commented:
Good Morning....  Glad it's working for you now....

If any of the suggestions above helped you out, please assign points as you see fit.   Thanks.
0
Lindows (Author) Commented:
Resolved the issue by bouncing the modem.
0