ibtaya asked:
ASA can't connect to the internet
I can't see it, maybe another set of eyes will tell me why this 5505 won't let internal traffic hit the internet.
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password AIcksG3fLJsdvdQfdUsrks34334fnx encrypted
passwd NyvjsmOfivAsKofZ7sSSn encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.5 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address 17x.xx.xx.x1 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup Outside
dns server-group DNS
dns server-group DefaultDNS
name-server 68.87.68.162
name-server 192.168.10.202
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list 101 extended permit tcp any host 173.xx.xx.x4 eq www log
pager lines 24
logging enable
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 1xx.xx.xx.x
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp 173.1xx.xx.x4 www 192.168.10.126 www netmask 255.255.255.255
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 173.xx.xx.x6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community smc
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 10
ssh version 2
console timeout 0
username admin password EiPHasldkjflskjfdlsQOoy1.jIg7G encrypted privilege 10
tunnel-group vpn type ipsec-ra
!
!
prompt hostname context
Cryptochecksum:004c0005594b85376a550d4ab259847d
: end
ciscoasa#
Try adding a permit access-list for your outbound internet connection.
Your NAT statements are off a bit; here is a guide that should point you in the right direction on getting it working for what you want.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml
Your NAT inside cannot be 0.0.0.0; you will need it to be:
nat (inside) 1 192.168.10.0 255.255.255.0
You don't need to apply an access-list. By default, high security level to low security level is allowed.
You don't need to switch your NAT inside either. Having a 0.0.0.0 0.0.0.0 allows any IP on the inside. Granted, as a security measure you should ALWAYS specify the exact IPs that are intended to be NAT'ed. However, as a technical limitation, this is not required.
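A consistency check over the nat, global and route statements the answers above argue about, as an added example that is not code from the thread: it parses a constructed 'show run' fragment modelled on the asker's config and flags a catch-all nat, a nat id with no matching global pool, and a global pool or default gateway that is not in the Outside interface's subnet. The addresses are constructed documentation-range values, not the poster's.

```python
import ipaddress
import re
# Constructed 'show run' fragment modelled on the thread's ASA 5505 (7.2) config;
# the public addresses are RFC 5737 documentation ranges, not the poster's real ones.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.10.5 255.255.255.0
interface Vlan2
 nameif Outside
 ip address 203.0.113.11 255.255.255.248
global (Outside) 1 203.0.113.12
nat (inside) 1 0.0.0.0 0.0.0.0
route Outside 0.0.0.0 0.0.0.0 203.0.113.9 1
"""

def parse_config(text):
    # Returns (interfaces by nameif, global pools by id, nat statements, routes).
    ifaces, pools, nats, routes, cur = {}, {}, [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            cur = {}
        elif cur is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif cur is not None and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            cur["net"] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif m := re.match(r"global \((\S+)\) (\d+) ([\d.]+)$", line):
            pools[int(m[2])] = (m[1], ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line):
            nats.append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            routes.append((m[1], ipaddress.ip_address(m[2])))
    return ifaces, pools, nats, routes

def check(ifaces, pools, nats, routes):
    # Empty list means the NAT and default-route plumbing is at least self-consistent.
    findings = []
    for nat_if, nat_id, src in nats:
        if nat_id not in pools:
            findings.append(f"nat ({nat_if}) {nat_id}: no global pool with id {nat_id}")
        if src.prefixlen == 0:
            findings.append(f"nat ({nat_if}) {nat_id}: matches any source, narrow it to the inside subnet")
    for nat_id, (pool_if, pool_ip) in pools.items():
        # Inside hosts are PAT'd to the pool address, but the ASA's own pings leave from the interface address.
        if pool_if in ifaces and pool_ip not in ifaces[pool_if]["net"]:
            findings.append(f"global ({pool_if}) {nat_id}: {pool_ip} is not in {ifaces[pool_if]['net']}")
    for route_if, gw in routes:
        if route_if in ifaces and gw not in ifaces[route_if]["net"]:
            findings.append(f"route {route_if}: gateway {gw} is not in {ifaces[route_if]['net']}")
    return findings
```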
Hello Cyclops, long time bud :-)
Yep, I'd go with what Cyclops mentioned. Try first pinging outside to see if anything gets out; if not, then at least try pinging your gateway. If that also doesn't work, then it is time to call your ISP.
Your config looks good.
Cheers,
rsivanandan
ASKER
I can ping from the ASA to the internet, but not from inside the network to the internet. I can, however, ping the internal interface.
From an internal machine, can you do a traceroute to 4.2.2.2 and post the output here along with ipconfig /all?
Cheers,
rsivanandan
While you do the test that rsivanandan mentioned, I would have debug logging turned on within the ASA as well. This will give us good information too.
ASKER
Can you give me the debug command you want me to collect?
You are going to need to debug the NAT to make sure the translations are being built when a packet hits the ASA, for starters. I know you mentioned the 0.0.0.0 0.0.0.0 for the nat statement should work fine, but I have never seen it, or a piece of Cisco documentation that says it's OK. From my understanding, without specifying the traffic that it is looking for there would be issues inside the ASA, even if it is on a different adapter, because of the 0.0.0.0 route.
logging enable
logging buffered debugging
Then a show logging will show you your TCP buildups and teardowns for NAT.
You should then see something like this:
Built dynamic TCP translation from inside:192.168.1.50/1107 to outside:172.22.1.254/1025
%ASA-6-302013: Built outbound TCP connection 90 for outside:172.22.1.1/80 (172.22.1.1/80) to inside:192.168.1.50/1107 (172.22.1.254/1025)
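To read the show logging output described above at scale, here is an added example that is not from the thread: it summarises constructed 305011/302013/302014 lines per inside host and separates "the ASA built the translation and connection but nothing ever came back" from healthy connections. The sample lines, addresses and connection ids are made up for the example.

```python
import re
from collections import defaultdict

# Constructed 'show logging' excerpt in the 305011/302013/302014 message formats the
# thread quotes; the addresses and connection ids are made up for this example.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.10.50/1107 to Outside:203.0.113.12/1025
%ASA-6-302013: Built outbound TCP connection 90 for Outside:198.51.100.1/80 (198.51.100.1/80) to inside:192.168.10.50/1107 (203.0.113.12/1025)
%ASA-6-302014: Teardown TCP connection 90 for Outside:198.51.100.1/80 to inside:192.168.10.50/1107 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.10.60/2001 to Outside:203.0.113.12/1026
%ASA-6-302013: Built outbound TCP connection 91 for Outside:198.51.100.1/80 (198.51.100.1/80) to inside:192.168.10.60/2001 (203.0.113.12/1026)
%ASA-6-302014: Teardown TCP connection 91 for Outside:198.51.100.1/80 to inside:192.168.10.60/2001 duration 0:00:05 bytes 1422 TCP FINs
"""

XLATE = re.compile(r"Built dynamic \w+ translation from inside:([\d.]+)/\d+ to")
CONN = re.compile(r"Built outbound TCP connection (\d+) for .* to inside:([\d.]+)/\d+")
TEARDOWN = re.compile(r"Teardown TCP connection (\d+) for .* bytes (\d+) (.+?)(?: flags .*)?$")

def summarise(log_text):
    # Per inside host: translations built, connections built, SYN timeouts, bytes seen.
    hosts = defaultdict(lambda: {"xlates": 0, "conns": 0, "syn_timeouts": 0, "bytes": 0})
    owner = {}  # connection id -> inside host, so teardowns can be attributed
    for line in log_text.splitlines():
        if m := XLATE.search(line):
            hosts[m[1]]["xlates"] += 1
        elif m := CONN.search(line):
            owner[m[1]] = m[2]
            hosts[m[2]]["conns"] += 1
        elif (m := TEARDOWN.search(line)) and m[1] in owner:
            hosts[owner[m[1]]]["bytes"] += int(m[2])
            if m[3].strip() == "SYN Timeout":
                hosts[owner[m[1]]]["syn_timeouts"] += 1
    return dict(hosts)

def diagnose(summary):
    # 'no-reply': the ASA built the xlate and connection but nothing ever came back,
    # which points at the upstream side (gateway/ISP/return routing) rather than at NAT itself.
    verdict = {}
    for host, s in summary.items():
        if s["conns"] == 0:
            verdict[host] = "no-traffic"
        elif s["syn_timeouts"] and s["bytes"] == 0:
            verdict[host] = "no-reply"
        else:
            verdict[host] = "ok"
    return verdict
```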
ASKER CERTIFIED SOLUTION
Trust me. It's fine. When you use the nat command you are asked to specify what traffic you want to match. So if you give a 0 IP and a 0 subnet, then it will match any IP it sees. That is why you generally want to specify the addresses, because otherwise someone might be able to abuse your network. Of course, there's still the return routing that has to be considered, but that's a different topic.
BTW, thanks for posting the logging commands. Hopping between airports at the moment and couldn't reply.
nslookup www.google.com 4.2.2.2
If that works, then your ASA is passing traffic just fine and we'll need more info on what type of traffic isn't working.