Cisco ASA 5505 VLANs Can't Access the Internet but the Primary Inside interface Can

I have 2 major goal first is to get all VLANs to access the internet, though not necessarily talk to each other and second for ICMP to work on each individual VLAN so I can test connectivity by pinging internet servers. Here is the config:

: Saved
ASA Version 8.2(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan3
 nameif Client
 security-level 100
 ip address
interface Vlan5
 nameif Crest
 security-level 100
 ip address
interface Vlan6
 nameif GuestAcc
 security-level 100
 ip address
interface Vlan7
 nameif Trunkall
 security-level 100
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
 switchport access vlan 3
interface Ethernet0/3
 switchport access vlan 5
interface Ethernet0/4
 switchport access vlan 6
interface Ethernet0/5
 switchport access vlan 7
 switchport trunk allowed vlan 1,3,5-7
 switchport trunk native vlan 1
 switchport mode trunk
interface Ethernet0/6
interface Ethernet0/7
boot system disk0:/asa822-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
access-list outside_in_acl extended permit icmp any any echo-reply
access-list outside_in_acl extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Client 1500
mtu Crest 1500
mtu GuestAcc 1500
mtu Trunkall 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any Client
icmp permit any Crest
icmp permit any GuestAcc
icmp permit any Trunkall
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
access-group outside_in_acl in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
dhcpd address Client
dhcpd enable Client
dhcpd address Crest
dhcpd dns interface Crest
dhcpd enable Crest
dhcpd address GuestAcc
dhcpd dns interface GuestAcc
dhcpd enable GuestAcc

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
Who is Participating?
I'm slow today....   sorry...  

Its failing because you are only natting the inside interface....  

global (outside) 1 interface
nat (inside) 1

Add the following:
nat (Client) 1
nat (Crest) 1
nat (GuestAcc) 1
nat (TrunkAll) 1

1st, can you confirm that you have the 5505 sec plus, not the 5505 base.    A Base license only gives you 3 vlans with restrictions.  

2nd,  Add the following to your outside_in ACL:
     access-list outside_in_acl extended permit icmp any any source-quench
     access-list outside_in_acl extended permit icmp any any unreachable  

3rd, Assuming that all VLAN PCs can already ping the ASA interface on the vlan, make sure that the ASA can ping it's 1st hop gateway.   You'll see the gateway IP after the ASA get's its outside ip via DHCP.    

4th, if the ASA can ping outbound, then try it from an internal PC  to the same address and you should see a reply.    

Check the logging to see if any packets are being dropped if the result is no-reply.
sclark4appliedAuthor Commented:
I have added the two lines but it still doesn't work. I can ping the inside interface of every VLAN and from the INSIDE vlan or LAN (192.168.1.X) I can ping out onto the internet. The ASA can Always ping out from its outside interface it just doesn't get back to the other vlans but neither does internet traffic so it must be a NAT issue is my guess.  I do have a Sec Plus license please see below:

Licensed features for this platform:
Maximum Physical Interfaces    : 8        
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : 50        
Failover                       : Active/Standby
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
SSL VPN Peers                  : 2        
Total VPN Peers                : 25        
Dual ISPs                      : Enabled  
VLAN Trunk Ports               : 8        
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled  
AnyConnect for Cisco VPN Phone : Disabled  
AnyConnect Essentials          : Disabled  
Advanced Endpoint Assessment   : Disabled  
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled  

This platform has an ASA 5505 Security Plus license.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

From the ASA, can you ping a PC on one of the vlans and can the PC on the VLAN ping the ASA interface?   I want to be certain it's not a switch/vlan/tagging type of issue.    

When you try the ping, on the ASDM look at the logging panel, or to a SHOW LOGGING on the CLI and see if anything is being dropped.
sclark4appliedAuthor Commented:
Yes the subnets are working perfectly as is the VLAN tagging. Because the way it is configured I can actually isolate that by plugging directly into one of the untagged VLAN ports on the back of the ASA itself.

for example when i connect to the crestron (VLAN 5) and get and address 192.168.5.X it pings perfectly back and forth i just can't browse the internet or ping.

My gut tell me that the last time i ran into this a year ago was that the other subnets weren't allowed out/in because the NAT translation wasn't setup right so they couldn't use the outside interface/IP address. I don't want us to get to caught up on the ping/ICMP command because that can fail because of a rule/access list whereas web browsing won't.
sclark4appliedAuthor Commented:
AHH!! That seams so simple when you see it! That worked perfectly thanks!!
sclark4appliedAuthor Commented:
Great job!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.