Cisco ASA 5505 VLANs Can't Access the Internet but the Primary Inside interface Can

I have 2 major goals: the first is to get all VLANs to access the internet, though not necessarily talk to each other, and the second is for ICMP to work on each individual VLAN so I can test connectivity by pinging internet servers. Here is the config:

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif Client
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan5
 nameif Crest
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan6
 nameif GuestAcc
 security-level 100
 ip address 192.168.6.1 255.255.255.0
!
interface Vlan7
 nameif Trunkall
 security-level 100
 ip address 192.168.7.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 switchport access vlan 6
!
interface Ethernet0/5
 switchport access vlan 7
 switchport trunk allowed vlan 1,3,5-7
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
access-list outside_in_acl extended permit icmp any any echo-reply
access-list outside_in_acl extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Client 1500
mtu Crest 1500
mtu GuestAcc 1500
mtu Trunkall 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any Client
icmp permit any Crest
icmp permit any GuestAcc
icmp permit any Trunkall
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in_acl in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd enable inside
!
dhcpd address 192.168.3.2-192.168.3.99 Client
dhcpd enable Client
!
dhcpd address 192.168.5.2-192.168.5.99 Crest
dhcpd dns 4.2.2.1 4.2.2.2 interface Crest
dhcpd enable Crest
!
dhcpd address 192.168.6.2-192.168.6.99 GuestAcc
dhcpd dns 4.2.2.1 4.2.2.2 interface GuestAcc
dhcpd enable GuestAcc
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:5ac6235b57e03ac06fa5cd8757d859aa
: end
sclark4appliedAsked:
MikeKaneCommented:
1st, can you confirm that you have the 5505 Sec Plus, not the 5505 Base? A Base license only gives you 3 VLANs with restrictions.


2nd,  Add the following to your outside_in ACL:
     access-list outside_in_acl extended permit icmp any any source-quench
     access-list outside_in_acl extended permit icmp any any unreachable  

3rd, assuming that all VLAN PCs can already ping the ASA interface on the VLAN, make sure that the ASA can ping its 1st-hop gateway. You'll see the gateway IP after the ASA gets its outside IP via DHCP.

4th, if the ASA can ping outbound, then try it from an internal PC to the same address and you should see a reply.

Check the logging to see if any packets are being dropped if the result is no reply.
sclark4appliedAuthor Commented:
I have added the two lines but it still doesn't work. I can ping the inside interface of every VLAN, and from the INSIDE VLAN or LAN (192.168.1.X) I can ping out onto the internet. The ASA can always ping out from its outside interface; it just doesn't get back to the other VLANs, but neither does internet traffic, so my guess is it must be a NAT issue. I do have a Sec Plus license, please see below:


Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : 50        
Failover                       : Active/Standby
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 25        
Dual ISPs                      : Enabled  
VLAN Trunk Ports               : 8        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled  

This platform has an ASA 5505 Security Plus license.
MikeKaneCommented:
From the ASA, can you ping a PC on one of the VLANs, and can the PC on the VLAN ping the ASA interface? I want to be certain it's not a switch/VLAN/tagging type of issue.

When you try the ping, look at the logging panel on the ASDM, or do a SHOW LOGGING on the CLI, and see if anything is being dropped.
sclark4appliedAuthor Commented:
Yes, the subnets are working perfectly, as is the VLAN tagging. Because of the way it is configured I can actually isolate that by plugging directly into one of the untagged VLAN ports on the back of the ASA itself.

For example, when I connect to the Crestron (VLAN 5) and get an address 192.168.5.X, it pings perfectly back and forth; I just can't browse the internet or ping.

My gut tells me that the last time I ran into this, a year ago, the other subnets weren't allowed out/in because the NAT translation wasn't set up right, so they couldn't use the outside interface/IP address. I don't want us to get too caught up on the ping/ICMP command, because that can fail because of a rule/access list whereas web browsing won't.
MikeKaneCommented:
I'm slow today... sorry...

It's failing because you are only NATting the inside interface:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0


Add the following:
nat (Client) 1 0.0.0.0 0.0.0.0
nat (Crest) 1 0.0.0.0 0.0.0.0
nat (GuestAcc) 1 0.0.0.0 0.0.0.0
nat (TrunkAll) 1 0.0.0.0 0.0.0.0

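As an added example (not from the thread, and not Cisco tooling), here is a small Python audit that parses a pre-8.3 style ASA config and reports every interface that sits behind a global pool but has no matching nat statement, which is exactly the gap pointed out above. The config excerpt inside is trimmed from the question's posted config; the function names are my own.

```python
import re

# Excerpt of the ASA 8.2(2) config posted in the question, trimmed to the
# lines the audit needs (constructed sample for this example).
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 nameif Client
 security-level 100
interface Vlan5
 nameif Crest
 security-level 100
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def parse_asa(config):
    # Collect nameif -> security-level, global pool id -> interfaces,
    # and (interface, pool id) pairs from nat statements.
    levels, pools, nats = {}, {}, set()
    name = None
    for line in config.splitlines():
        if m := re.match(r" nameif (\S+)", line):
            name = m.group(1)
        elif m := re.match(r" security-level (\d+)", line):
            levels[name] = int(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            pools.setdefault(int(m.group(2)), set()).add(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            nats.add((m.group(1).lower(), int(m.group(2))))
    return levels, pools, nats

def interfaces_without_nat(config):
    # An interface with higher security than a pool's interface needs a
    # nat rule for that pool id, or its hosts are never translated.
    levels, pools, nats = parse_asa(config)
    missing = set()
    for pool_id, outs in pools.items():
        out_level = min(levels[o] for o in outs)
        for iface, level in levels.items():
            if level > out_level and (iface.lower(), pool_id) not in nats:
                missing.add(iface)
    return sorted(missing)
```

Running `interfaces_without_nat(ASA_CONFIG)` on the excerpt lists Client and Crest; appending the nat lines from the answer clears the list.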
sclark4appliedAuthor Commented:
AHH!! That seems so simple when you see it! That worked perfectly, thanks!!
sclark4appliedAuthor Commented:
Great job!