Solved

Internal hosts cannot get to the internet - Cisco ASA 5510

Posted on 2011-02-10
Last Modified: 2012-08-13
I've included the relevant info from a show run.  Can you tell me why internal hosts on 10.10.0.0/16 can't get out to the internet?  The ASA can ping external sites and the internal hosts can ping the ASA.


 
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.02.10 12:30:21 =~=~=~=~=~=~=~=~=~=~=~=
sjho   o ho run
: Saved
:
ASA Version 8.2(1)11 
!
hostname 5510
domain-name 

dns-guard
!
interface Ethernet0/0
 description Internal Port
 speed 100
 duplex full
 nameif Inside0
 security-level 100
 ip address 10.10.1.3 255.255.0.0 

!
interface Ethernet0/1
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 172.16.2.1 255.255.255.0 
!
interface Ethernet0/3
 description External Port
 speed 100
 duplex full
 nameif outside3
 security-level 0
 ip address  

!
interface Management0/0
 description MGMT port
 shutdown
 nameif MGMT0
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa821-11-k8.bin

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside0
dns server-group DefaultDNS
 name-server 
 name-server 
 domain-name 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_4
 network-object 10.10.0.0 255.255.0.0
 network-object 192.168.128.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
 network-object 10.10.0.0 255.255.0.0
 network-object 10.10.101.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0  
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_3 
access-list Inside0_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5 
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any  
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 
pager lines 50
logging enable
logging buffered debugging
logging asdm errors
logging device-id ipaddress Inside0
mtu Inside0 1500
mtu DMZ 1500
mtu outside3 1500
mtu MGMT0 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (Inside0) 10 interface
global (outside3) 10 interface
nat (Inside0) 0 access-list Inside0_nat0_outbound
nat (Inside0) 10 192.168.128.0 255.255.255.0
nat (Inside0) 10 10.10.0.0 255.255.0.0
nat (Inside0) 10 0.0.0.0 0.0.0.0

access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3
route outside3 0.0.0.0 0.0.0.0  10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server  protocol nt
aaa-server  (Inside0) host 
 nt-auth-domain-controller 
aaa-server  (Inside0) host 
 nt-auth-domain-controller 
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set pfs 
crypto dynamic-map dynmap 1 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map dynmap 1 set reverse-route
crypto map outside3_map 1 match address outside3_1_cryptomap
crypto map outside3_map 1 set pfs group1
crypto map outside3_map 1 set peer 
crypto map outside3_map 1 set transform-set ESP-3DES-SHA
crypto map outside3_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside3_map interface outside3
crypto isakmp enable outside3
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 Inside0
telnet timeout 60
ssh timeout 60
console timeout 0
management-access Inside0
vpn load-balancing 
 interface lbpublic Inside0
 interface lbprivate Inside0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source Inside0 prefer
ntp server source outside3
ntp server source outside3
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value 
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec webvpn
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
svc dpd-interval gateway none
  customization value DfltCustomization
group-policy  internal
group-policy  attributes
 banner value 
 dns-server value
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 
 default-domain value 
 split-dns value 
group-policy SitetoSitePolicy internal
group-policy SitetoSitePolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool 
 authentication-server-group 
 default-group-policy 
tunnel-group  ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group type ipsec-l2l
tunnel-group  general-attributes
 default-group-policy SitetoSitePolicy
tunnel-group ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map inspection-default
 class inspection_default
  inspect dns 
  inspect ftp 
  inspect netbios 
  inspect rsh 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect rtsp 
  inspect sip  
  inspect skinny  
policy-map global-policy
 class global-class
  inspect pptp 
!
service-policy inspection-default global
prompt hostname context 
Cryptochecksum:3eb206ea7caeb47c6fd368ff96de0d5c
: end

Question by:dmwynne
8 Comments
 
Expert Comment by csaroli (LVL 1)
Have you omitted your default gateway for security reasons?  If not, you need to change your outside route

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

where x.x.x.x is your default gateway.
 
Author Comment by dmwynne (LVL 14)
I did omit it.  It is configured.
 
LVL 2

Expert Comment

by:mwblsz
Comment Utility
I did not see the public IP configured on the external port eth0/3, also in route  "route outside3 0.0.0.0 0.0.0.0  10"?

sincerely
 
LVL 2

Expert Comment

by:mwblsz
Comment Utility
Sorry, I see your answer.  So have you tried this:

packet-tracer input Inside0 icmp 10.10.1.x 8 0 72.14.204.147

10.10.1.x is any of your internal workstations; 72.14.204.147 is google.com.

Please post the output from that command.

sincerely
 
Expert Comment by lrmoore (LVL 79)
You can remove these commands:

no global (Inside0) 10 interface
(no need to add a global for Inside)

no access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any
(this is your killer line, why you can't get out now)

no access-group Inside0_access_in in interface Inside0
(I don't see an ACL defined, and it is not necessary)
 
Author Comment by dmwynne (LVL 14)
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside3

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Inside0
input-status: up
input-line-status: up
output-interface: outside3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
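The packet-tracer output above is read by eye in this thread, but the same text is easy to consume in a script when checking many flows. The following Python is an added example, not code from the thread or from Cisco: it parses packet-tracer output into its numbered phases and returns the first phase whose Result is DROP together with the Drop-reason from the summary block. The sample output is constructed to mirror the asker's paste, not a live capture.

```python
"""Parse Cisco ASA `packet-tracer` output and locate the phase that drops.

Added example for this thread; SAMPLE_OUTPUT is constructed to mirror the
asker's paste and is not a live capture.
"""
import re

PHASE_RE = re.compile(r"^Phase: (\d+)$")

SAMPLE_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside3

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Inside0
input-status: up
input-line-status: up
output-interface: outside3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary).

    phases  : list of dicts with phase number, type, subtype, result and the
              free-text lines found under Config / Additional Information.
    summary : dict of the "key: value" pairs after the bare "Result:" line.
    """
    phases, summary, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "",
                   "result": "", "info": []}
            phases.append(cur)
            continue
        if line == "Result:":             # a bare "Result:" starts the summary block
            cur = None
            continue
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if cur is not None:
            if sep and key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = value
            elif key in ("Config", "Additional Information"):
                continue                  # section labels carry no data of their own
            else:
                cur["info"].append(line)  # e.g. "Implicit Rule" or a route entry
        elif sep:
            summary[key] = value
    return phases, summary


def first_drop(text):
    """Return (phase number, phase type, drop reason) for the first DROP, or None."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p["result"] == "DROP":
            return p["phase"], p["type"], summary.get("Drop-reason", "")
    return None


if __name__ == "__main__":
    print(first_drop(SAMPLE_OUTPUT))
```

On the sample this returns phase 4 of type ACCESS-LIST with reason "(acl-drop) Flow is denied by configured rule", which is what mwblsz reads off the paste in the accepted answer; the phase list also keeps the "Implicit Rule" line, so a script can tell an implicit deny apart from a named ACE.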
 
Accepted Solution by mwblsz (LVL 2, earned 500 total points)
As you can see, the problem is with the access-list in phase 4.  According to your config, you have the following access-lists set up for the interfaces:

access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3

I did not see the config for Inside0_access_in or outside3_access_in.

I would suggest doing

no access-group Inside0_access_in in interface Inside0

and running the packet-tracer again to see if that resolves the problem.

sincerely
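Both findings in this thread can be caught from the running config before a packet-tracer is needed: lrmoore's point that the nat 0 entry with destination any exempts all traffic from 10.10.0.0/16 from translation, and the accepted answer's point that the access-groups bind interfaces to access-lists that have no entries, leaving only the implicit deny. The following Python is an added example, not code from the thread or from Cisco: it parses the relevant lines of an ASA 8.2-style show run and reports both conditions. The configuration text is constructed from the lines quoted in the thread, and the ACE parser covers the common extended and standard syntaxes only.

```python
"""Lint an ASA 8.2-style `show run` for the two problems raised in this thread.

Added example, not code from the thread or from Cisco.  SAMPLE_CONFIG is
constructed from the lines quoted in the question.  Findings:
  1. an access-group whose access-list has no entries (only the implicit deny
     remains, the "Implicit Rule ... DROP" the packet-tracer showed);
  2. a nat 0 exemption entry whose destination is 'any' (nothing from that
     source is translated on the way out).
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_3
access-list Inside0_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
global (outside3) 10 interface
nat (Inside0) 0 access-list Inside0_nat0_outbound
nat (Inside0) 10 10.10.0.0 255.255.0.0
access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3
"""

ACE_RE = re.compile(r"^access-list (\S+) (?:(extended|standard) )?(permit|deny) (.+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


@dataclass
class AsaConfig:
    acls: dict = field(default_factory=dict)           # name -> [(action, proto, src, dst)]
    access_groups: list = field(default_factory=list)  # [(acl, direction, iface)]
    nat0: dict = field(default_factory=dict)           # iface -> exemption acl


def _endpoint(tokens, i):
    """Consume one ACE endpoint: any | host A | object-group G | object O | NET MASK."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2   # the other forms all take one more token


def _skip_ports(tokens, i):
    """Skip an optional source-port operator (eq/gt/lt/neq X, range A B)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def parse_ace(kind, body):
    """Split the text after permit/deny into (proto, src, dst)."""
    tokens = body.split()
    if kind == "standard":                # standard ACLs list only a destination network
        return "ip", "any", " ".join(tokens[:2])
    proto = tokens[0]
    src, i = _endpoint(tokens, 1)
    i = _skip_ports(tokens, i)
    dst, _ = _endpoint(tokens, i)
    return proto, src, dst


def parse_config(text):
    cfg = AsaConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, kind, action, body = m.groups()
            cfg.acls.setdefault(name, []).append((action, *parse_ace(kind, body)))
        elif m := GROUP_RE.match(line):
            cfg.access_groups.append(m.groups())
        elif m := NAT0_RE.match(line):
            iface, acl = m.groups()
            cfg.nat0[iface] = acl
    return cfg


def find_empty_access_groups(cfg):
    """access-groups whose ACL has no entries: every packet hits the implicit deny."""
    return [(acl, iface) for acl, _d, iface in cfg.access_groups if not cfg.acls.get(acl)]


def find_nat0_any_destination(cfg):
    """nat 0 permit entries with destination 'any': nothing from that source is translated."""
    hits = []
    for iface, acl in cfg.nat0.items():
        for action, proto, src, dst in cfg.acls.get(acl, []):
            if action == "permit" and dst == "any":
                hits.append((iface, acl, f"{proto} {src} -> {dst}"))
    return hits


def lint(text):
    cfg = parse_config(text)
    findings = [f"access-group {acl} on {iface}: ACL has no entries, implicit deny drops all traffic"
                for acl, iface in find_empty_access_groups(cfg)]
    findings += [f"nat ({iface}) 0 access-list {acl}: '{ace}' exempts all outbound traffic from translation"
                 for iface, acl, ace in find_nat0_any_destination(cfg)]
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings: both access-groups, and the nat 0 entry with destination any. Removing the access-group line as the accepted answer suggests clears the first finding for Inside0, which matches the asker's closing comment; the nat 0 finding is what lrmoore's comment refers to and is still worth reviewing separately.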
 
Author Closing Comment by dmwynne (LVL 14)
This fixed the issue.  Thanks a lot.