dmwynne
Internal hosts cannot get to the internet - Cisco ASA 5510
I've included the relevant info from a show run. Can you tell me why internal hosts on 10.10.0.0/16 can't get out to the internet? The ASA can ping external sites and the internal hosts can ping the ASA.
show run
: Saved
:
ASA Version 8.2(1)11
!
hostname 5510
domain-name
dns-guard
!
interface Ethernet0/0
description Internal Port
speed 100
duplex full
nameif Inside0
security-level 100
ip address 10.10.1.3 255.255.0.0
!
interface Ethernet0/1
no nameif
security-level 0
no ip address
!
interface Ethernet0/2
nameif DMZ
security-level 0
ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/3
description External Port
speed 100
duplex full
nameif outside3
security-level 0
ip address
!
interface Management0/0
description MGMT port
shutdown
nameif MGMT0
security-level 100
no ip address
management-only
!
boot system disk0:/asa821-11-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside0
dns server-group DefaultDNS
name-server
name-server
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_4
network-object 10.10.0.0 255.255.0.0
network-object 192.168.128.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object 10.10.0.0 255.255.0.0
network-object 10.10.101.0 255.255.255.0
network-object 192.168.128.0 255.255.255.0
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_3
access-list Inside0_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
pager lines 50
logging enable
logging buffered debugging
logging asdm errors
logging device-id ipaddress Inside0
mtu Inside0 1500
mtu DMZ 1500
mtu outside3 1500
mtu MGMT0 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (Inside0) 10 interface
global (outside3) 10 interface
nat (Inside0) 0 access-list Inside0_nat0_outbound
nat (Inside0) 10 192.168.128.0 255.255.255.0
nat (Inside0) 10 10.10.0.0 255.255.0.0
nat (Inside0) 10 0.0.0.0 0.0.0.0
access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3
route outside3 0.0.0.0 0.0.0.0 10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server protocol nt
aaa-server (Inside0) host
nt-auth-domain-controller
aaa-server (Inside0) host
nt-auth-domain-controller
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication ssh console LOCAL
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set pfs
crypto dynamic-map dynmap 1 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map dynmap 1 set reverse-route
crypto map outside3_map 1 match address outside3_1_cryptomap
crypto map outside3_map 1 set pfs group1
crypto map outside3_map 1 set peer
crypto map outside3_map 1 set transform-set ESP-3DES-SHA
crypto map outside3_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside3_map interface outside3
crypto isakmp enable outside3
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 Inside0
telnet timeout 60
ssh timeout 60
console timeout 0
management-access Inside0
vpn load-balancing
interface lbpublic Inside0
interface lbprivate Inside0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source Inside0 prefer
ntp server source outside3
ntp server source outside3
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec webvpn
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
group-policy internal
group-policy attributes
banner value
dns-server value
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
pfs disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value
default-domain value
split-dns value
group-policy SitetoSitePolicy internal
group-policy SitetoSitePolicy attributes
vpn-idle-timeout none
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group type remote-access
tunnel-group general-attributes
address-pool
authentication-server-group
default-group-policy
tunnel-group ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group type ipsec-l2l
tunnel-group general-attributes
default-group-policy SitetoSitePolicy
tunnel-group ipsec-attributes
pre-shared-key *
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map inspection-default
class inspection_default
inspect dns
inspect ftp
inspect netbios
inspect rsh
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect pptp
inspect ipsec-pass-thru
inspect rtsp
inspect sip
inspect skinny
policy-map global-policy
class global-class
inspect pptp
!
service-policy inspection-default global
prompt hostname context
Cryptochecksum:3eb206ea7caeb47c6fd368ff96de0d5c
: end
ASKER
I did omit it. It is configured.
I did not see the public IP configured on the external port Eth0/3, and also not in the route "route outside3 0.0.0.0 0.0.0.0 10"?
sincerely
Sorry, I see your answer. So, have you tried this:
packet-tracer input Inside0 icmp 10.10.1.x 8 0 72.14.204.147
10.10.1.x is any of your internal workstations, 72.14.204.147 is google.com
please post the output from that command
sincerely
You can remove these commands:
no global (Inside0) 10 interface
(no need to add a global for Inside)
no access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any
(this is your killer line; it is why you can't get out now)
no access-group Inside0_access_in in interface Inside0
(I don't see an ACL defined, and it is not necessary)
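The three removals suggested above (plus a default route with a real next hop) can be checked mechanically before touching the box. The script below is an added example, not code from the thread: it parses an ASA 8.2-style config excerpt and flags a NAT-exemption ACE that matches any destination, an access-group bound to an ACL with no entries, a global pool that no nat statement on another interface refers to, and a default route whose next hop is not an address. The two sample configs are constructed and modelled on the one posted; the public addresses 198.51.100.2 and 198.51.100.1 are invented.

```python
"""Added example (not from the thread): lint an ASA 8.2-style config excerpt
for the outbound-NAT mistakes listed in the reply above.
Sample configs are constructed; public addresses are invented."""
import re
from collections import defaultdict

# Constructed sample with the same shape and the same mistakes as the posted config.
BROKEN_CONFIG = """\
interface Ethernet0/0
 nameif Inside0
 security-level 100
 ip address 10.10.1.3 255.255.0.0
interface Ethernet0/3
 nameif outside3
 security-level 0
 ip address 198.51.100.2 255.255.255.0
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any
access-list outside3_access_in extended permit icmp any any
global (Inside0) 10 interface
global (outside3) 10 interface
nat (Inside0) 0 access-list Inside0_nat0_outbound
nat (Inside0) 10 10.10.0.0 255.255.0.0
access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3
route outside3 0.0.0.0 0.0.0.0 10
"""

# Same config after the reply's three removals, plus a default route with a
# real next hop (198.51.100.1 is an assumed gateway, not from the thread).
FIXED_CONFIG = "\n".join(
    ln for ln in BROKEN_CONFIG.splitlines()
    if ln not in ("global (Inside0) 10 interface",
                  "access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any",
                  "access-group Inside0_access_in in interface Inside0",
                  "route outside3 0.0.0.0 0.0.0.0 10")
) + "\nroute outside3 0.0.0.0 0.0.0.0 198.51.100.1 1\n"

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
AGRP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse(config):
    """Collect the statements the checks need, keyed the way the ASA uses them."""
    acls, nats, globs, agroups, routes = defaultdict(list), [], [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), m.group(2), m.group(3)))
        elif m := GLOBAL_RE.match(line):
            globs.append((m.group(1), m.group(2), m.group(3)))
        elif m := AGRP_RE.match(line):
            agroups.append(m.groups())
        elif m := ROUTE_RE.match(line):
            routes.append(m.groups())
    return acls, nats, globs, agroups, routes

def lint(config):
    """Return one finding string per problem found; empty list means clean."""
    acls, nats, globs, agroups, routes = parse(config)
    findings = []
    # 1. NAT exemption (nat 0 access-list) whose ACE matches any destination:
    #    internet-bound packets are exempted from PAT and leave with their
    #    private source address, so nothing on the internet can reply.
    for iface, nat_id, rest in nats:
        if nat_id == "0" and rest.startswith("access-list "):
            acl = rest.split()[1]
            for action, proto, ace in acls.get(acl, []):
                if action == "permit" and ace.split()[-1] == "any":
                    findings.append(f"nat0: {acl} on {iface} exempts '{proto} {ace}' from NAT")
    # 2. access-group bound to an ACL with no ACEs: only the implicit deny is
    #    left, which packet-tracer shows as an ACCESS-LIST 'Implicit Rule' drop.
    for acl, direction, iface in agroups:
        if acl not in acls:
            findings.append(f"access-group: {acl} ({direction}, {iface}) has no ACEs")
    # 3. global pool that no nat on another interface refers to: dead config.
    for iface, nat_id, _pool in globs:
        if not any(n_if != iface and n_id == nat_id for n_if, n_id, _ in nats):
            findings.append(f"global ({iface}) {nat_id}: no nat on another interface uses it")
    # 4. default route whose next-hop field is not an IPv4 address (e.g. only a metric).
    for iface, dest, mask, nexthop, _metric in routes:
        if dest == mask == "0.0.0.0" and not IPV4_RE.match(nexthop):
            findings.append(f"route {iface}: default route next hop '{nexthop}' is not an address")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Run it against a real `show run` excerpt by reading the file into `lint()`; the checks are deliberately narrow (pre-8.3 `nat`/`global` syntax only) and report, rather than rewrite, so the operator still decides what to remove.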
ASKER
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside3
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Inside0
input-status: up
input-line-status: up
output-interface: outside3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
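The trace above is read by eye here, but the same output can be parsed so that the dropping phase and its reason code are pulled out automatically. This is an added example, not code from the thread: it splits packet-tracer output into phases, finds the first phase whose Result is DROP, and extracts the reason code from the Drop-reason line. The sample trace is a constructed copy of the one posted, and the small hints table is my own reading of two common reason codes, not ASA documentation.

```python
"""Added example (not from the thread): parse packet-tracer output into its
phases and report which phase dropped the packet and why.
SAMPLE_TRACE is constructed; HINTS is the author's own reading of the codes."""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside3
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Inside0
input-status: up
input-line-status: up
output-interface: outside3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Assumed interpretation of two common reason codes (not from the page).
HINTS = {
    "acl-drop": "look at the access-group bound to the input interface; "
                "'Implicit Rule' means no ACE permitted the flow",
    "no-route": "no route to the destination: check 'route' and its next hop",
}

def parse_trace(text):
    """Return (phases, summary): each phase is a dict of its 'key: value'
    fields plus 'config' and 'info' line lists; summary is the final block."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Phase: "):
            cur = {"phase": int(line[7:]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":          # bare 'Result:' opens the final summary
            cur, section = None, None
        elif cur is None:                # summary block: 'key: value' lines
            key, _, val = line.partition(":")
            if key:
                summary[key.strip()] = val.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None:            # Type / Subtype / Result of this phase
            key, _, val = line.partition(":")
            if key:
                cur[key.strip().lower()] = val.strip()
        else:                            # free-form lines under Config / Info
            cur[section].append(line)
    return phases, summary

def diagnose(text):
    """Summarise a trace: which phases passed, which one dropped, and why."""
    phases, summary = parse_trace(text)
    failed = next((p for p in phases if p.get("result") == "DROP"), None)
    m = re.match(r"\((\S+)\)", summary.get("Drop-reason", ""))
    code = m.group(1) if m else None
    return {
        "action": summary.get("Action"),
        "passed": [p["type"] for p in phases if p.get("result") == "ALLOW"],
        "failed_phase": failed["phase"] if failed else None,
        "failed_type": failed["type"] if failed else None,
        "failed_config": " ".join(failed["config"]) if failed else "",
        "reason_code": code,
        "hint": HINTS.get(code, "no hint for this reason code"),
    }

if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

For the sample, `diagnose()` reports phase 4 (ACCESS-LIST, config "Implicit Rule") with reason code acl-drop, which is exactly the access-group on Inside0 that the earlier reply suggests removing; a trace that stops at ROUTE-LOOKUP with no-route would point at the default route instead.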
ASKER CERTIFIED SOLUTION
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
where x.x.x.x is your default gateway
ASKER
This fixed the issue. Thanks a lot.