
ASA can't connect to the internet

ibtaya asked:
I can't see it, maybe another set of eyes will tell me why this 5505 won't let internal traffic hit the internet.
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password AIcksG3fLJsdvdQfdUsrks34334fnx encrypted
passwd NyvjsmOfivAsKofZ7sSSn encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.5 255.255.255.0
!
interface Vlan2
 nameif Outside
 security-level 0
 ip address 17x.xx.xx.x1 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup Outside
dns server-group DNS
dns server-group DefaultDNS
 name-server 68.87.68.162
 name-server 192.168.10.202
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list 101 extended permit tcp any host 173.xx.xx.x4 eq www log
pager lines 24
logging enable
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 1xx.xx.xx.x
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp 173.1xx.xx.x4 www 192.168.10.126 www netmask 255.255.255.255
access-group 101 in interface Outside
route Outside 0.0.0.0 0.0.0.0 173.xx.xx.x6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community smc
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 10
ssh version 2
console timeout 0

username admin password EiPHasldkjflskjfdlsQOoy1.jIg7G encrypted privilege 10
tunnel-group vpn type ipsec-ra
!
!
prompt hostname context
Cryptochecksum:004c0005594b85376a550d4ab259847d
: end
ciscoasa#



Cyclops3590, Sr Software Engineer

Commented:
First, let's make sure the ASA can communicate. Try pinging 4.2.2.2 from the ASA. If that works, then turn on logging on the ASA. Now from an internal client run the following command:

nslookup www.google.com 4.2.2.2

If that works, then your ASA is passing traffic just fine and we'll need more info on what type of traffic isn't working.

Commented:
Try adding a permit access-list for your outbound internet connection.
Justin Ellenbecker, IT Director

Commented:
Your NAT statements are off a bit. Here is a guide that should point you in the right direction on getting it working for what you want:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Your NAT inside cannot be 0.0.0.0; you will need it to be:
nat (inside) 1 192.168.10.0 255.255.255.0
Cyclops3590, Sr Software Engineer

Commented:
You don't need to apply an access-list. By default, high security level to low security level is allowed.

You don't need to switch your nat inside either. Having a 0.0.0.0 0.0.0.0 allows any IP on the inside. Granted, as a security measure, you should ALWAYS specify the exact IPs that are intended to be NAT'ed. However, as a technical limitation, this is not required.

Hello Cyclops, long time bud :-)

Yep, I'd go with what Cyclops mentioned. Trying first pinging outside to see if anything gets out, if not then at least try pinging your gateway. If that also doesn't work then it is time to call your ISP.

Your config looks good.

Cheers,
rsivanandan

Author

Commented:
I can ping from the ASA to the internet, but not from inside the network to the internet. I can however ping the internal interface.

From an internal machine can you do a trace route to 4.2.2.2 and post the output here along with ipconfig /all?

Cheers,
rsivanandan
Cyclops3590, Sr Software Engineer

Commented:
While you run the test that rsivanandan mentioned, I would have debug logging turned on within the ASA as well. This will give us good information too.

Author

Commented:
Can you give me the debug command you want me to collect?
Justin Ellenbecker, IT Director

Commented:
You are going to need to debug the NAT to make sure the translations are being built when a packet hits the ASA for starters. I know you mentioned the 0.0.0.0 0.0.0.0 for the nat statement should work fine, but I have never seen it or a piece of Cisco documentation that says it's ok. From my understanding, without specifying the traffic that it is looking for there would be issues inside the ASA even if it is on a different adapter because of the 0.0.0.0 route.
logging enable
logging buffered debugging
Then a show logging will show you your TCP buildups and teardowns for NAT.
Justin Ellenbecker, IT Director

Commented:
You should then see something like this:
Built dynamic TCP translation from inside:192.168.1.50/1107 to outside:172.22.1.254/1025
%ASA-6-302013: Built outbound TCP connection 90 for outside:172.22.1.1/80 (172.22.1.1/80) to inside:192.168.1.50/1107 (172.22.1.254/1025)
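The two log lines quoted above are what a working nat/global pair produces. The following is an added example (not posted by anyone in the thread) that parses a short, constructed `show logging` buffer for the xlate and connection build/teardown messages and maps the counts back onto the troubleshooting steps discussed here: no translations built means the nat rule is not matching the inside traffic; translations without connections points at outside routing. The message IDs 305011/305012/302014/106023 and the extra sample lines are my additions; the two "Built" lines are the ones from the comment above.

```python
import re
from collections import Counter

# Constructed sample of what `show logging` prints with `logging buffered
# debugging` on. The two "Built ..." shapes are the ones quoted in the thread;
# the teardown and deny lines are added so the parser has something to count
# and something to skip.
SAMPLE_LOG = """\
%ASA-6-305011: Built dynamic TCP translation from inside:192.168.1.50/1107 to outside:172.22.1.254/1025
%ASA-6-302013: Built outbound TCP connection 90 for outside:172.22.1.1/80 (172.22.1.1/80) to inside:192.168.1.50/1107 (172.22.1.254/1025)
%ASA-6-302014: Teardown TCP connection 90 for outside:172.22.1.1/80 to inside:192.168.1.50/1107 duration 0:00:05 bytes 1234 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from inside:192.168.1.50/1107 to outside:172.22.1.254/1025 duration 0:00:30
%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.168.1.50/23 by access-group "101"
"""

# Dynamic PAT/NAT translation built or torn down (305011 / 305012).
XLATE_RE = re.compile(
    r"(?P<action>Built|Teardown) dynamic (?P<proto>\w+) translation from "
    r"(?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+) to "
    r"(?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)"
)
# Connection built or torn down (302013 / 302014); the parenthesised mapped
# addresses are optional because the teardown message omits them.
CONN_RE = re.compile(
    r"(?P<action>Built|Teardown) (?:(?P<dir>inbound|outbound) )?(?P<proto>\w+) connection "
    r"(?P<id>\d+) for (?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+)(?: \([^)]*\))? to "
    r"(?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+)"
)


def parse_asa_log(text):
    """Return per-event counters plus the set of inside hosts that got an xlate."""
    counts = Counter()
    translated_hosts = set()
    for line in text.splitlines():
        m = XLATE_RE.search(line)
        if m:
            counts["xlate_" + m["action"].lower()] += 1
            if m["action"] == "Built":
                translated_hosts.add(m["in_ip"])
            continue
        m = CONN_RE.search(line)
        if m:
            counts["conn_" + m["action"].lower()] += 1
            continue
        counts["other"] += 1  # denies, ACL hits, anything not NAT-related
    return counts, translated_hosts


def diagnose(counts):
    """Map the counters onto the troubleshooting order used in the thread."""
    if counts["xlate_built"] == 0:
        return "no translations built: inside traffic is not matching the nat/global pair"
    if counts["conn_built"] == 0:
        return "translations built but no connections: check the outside route / ISP"
    return "NAT and connection setup look healthy; look at DNS or the client next"


if __name__ == "__main__":
    counts, hosts = parse_asa_log(SAMPLE_LOG)
    print(dict(counts), sorted(hosts))
    print(diagnose(counts))
```

Paste the real buffer in place of SAMPLE_LOG; an empty `translated_hosts` set after generating traffic from a client is the clearest sign that the nat rule, not the route, is the problem.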
Cyclops3590, Sr Software Engineer

Commented:
Trust me. It's fine. When you use the nat command you are asked to specify what traffic you want to match. So if you give a 0 IP and a 0 subnet then it will match any IP it sees. That is why you generally want to specify the addresses, because otherwise someone might be able to abuse your network. Of course there's still the return routing that has to be considered, but that's a different topic.

BTW, thanks for posting the logging commands. Hopping between airports at the moment and couldn't reply.
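To make the two points in this thread concrete (Justin's suggestion to restrict the nat statement to the inside subnet, and Cyclops's point that `nat (inside) 1 0.0.0.0 0.0.0.0` matches any source), here is an added example, not code from any poster, that reads a constructed excerpt of the running config above, reports which nat rule a given inside host would match, and flags the any-source rule along with the tightened line derived from the inside interface's own subnet. It also checks that the default route's next hop lies on the outside interface's subnet, which is the gateway-reachability question rsivanandan raised. The public addresses are masked in the thread, so the documentation range 203.0.113.0/29 stands in for them; that substitution and the helper names are mine.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted above. 203.0.113.x replaces
# the masked public addresses; the private side is as posted.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.5 255.255.255.0
!
interface Vlan2
 nameif Outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248
!
global (Outside) 1 203.0.113.1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp 203.0.113.4 www 192.168.10.126 www netmask 255.255.255.255
route Outside 0.0.0.0 0.0.0.0 203.0.113.6 1
"""

IFACE_RE = re.compile(
    r"^interface \S+\n nameif (?P<name>\w+)\n security-level (?P<level>\d+)\n"
    r" ip address (?P<ip>[\d.]+) (?P<mask>[\d.]+)", re.M)
NAT_RE = re.compile(r"^nat \((?P<ifc>\w+)\) (?P<id>\d+) (?P<net>[\d.]+) (?P<mask>[\d.]+)", re.M)
GLOBAL_RE = re.compile(r"^global \((?P<ifc>\w+)\) (?P<id>\d+) (?P<addr>[\d.]+)", re.M)
ROUTE_RE = re.compile(r"^route (?P<ifc>\w+) 0\.0\.0\.0 0\.0\.0\.0 (?P<gw>[\d.]+)", re.M)


def parse_interfaces(config):
    """Map nameif -> (security level, interface network) from the interface blocks."""
    return {
        m["name"]: (int(m["level"]),
                    ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False))
        for m in IFACE_RE.finditer(config)
    }


def nat_rules(config):
    """Each `nat (ifc) id net mask` line as (ifc, id, network)."""
    return [
        (m["ifc"], m["id"], ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False))
        for m in NAT_RE.finditer(config)
    ]


def matching_nat(config, host):
    """First dynamic nat rule whose network contains host, or None.
    With 0.0.0.0 0.0.0.0 every host matches, which is Cyclops's point."""
    addr = ipaddress.ip_address(host)
    for ifc, nat_id, net in nat_rules(config):
        if addr in net:
            return ifc, nat_id
    return None


def audit_config(config):
    """Findings a reviewer would raise: nat scope, nat/global pairing, and whether
    the default gateway actually sits on the outside interface's subnet."""
    findings = []
    ifaces = parse_interfaces(config)
    globals_by_id = {m["id"]: m["ifc"] for m in GLOBAL_RE.finditer(config)}
    for ifc, nat_id, net in nat_rules(config):
        if net.prefixlen == 0 and ifc in ifaces:
            inside_net = ifaces[ifc][1]
            findings.append(
                f"nat ({ifc}) {nat_id} 0.0.0.0 0.0.0.0 matches every source; tighten to: "
                f"nat ({ifc}) {nat_id} {inside_net.network_address} {inside_net.netmask}")
        if nat_id not in globals_by_id:
            findings.append(f"nat ({ifc}) {nat_id} has no matching global with id {nat_id}")
    for m in ROUTE_RE.finditer(config):
        gw = ipaddress.ip_address(m["gw"])
        if m["ifc"] in ifaces and gw not in ifaces[m["ifc"]][1]:
            findings.append(f"default route next hop {gw} is not on the {m['ifc']} subnet")
    return findings


if __name__ == "__main__":
    print(matching_nat(SAMPLE_CONFIG, "192.168.10.126"))
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

On the posted config the only finding is the any-source nat rule, which agrees with both posters: the rule does match the inside hosts, so it is not what stops traffic, but the tightened form is the one to keep.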