Solved

Internal hosts cannot get to the internet - Cisco Asa 5510

Posted on 2011-02-10
Last Modified: 2012-08-13
I've included the relevant info from a show run. Can you tell me why internal hosts on 10.10.0.0/16 can't get out to the internet? The ASA can ping external sites and the internal hosts can ping the ASA.

: Saved
:
ASA Version 8.2(1)11 
!
hostname 5510
domain-name 

dns-guard
!
interface Ethernet0/0
 description Internal Port
 speed 100
 duplex full
 nameif Inside0
 security-level 100
 ip address 10.10.1.3 255.255.0.0 

!
interface Ethernet0/1
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/2
 nameif DMZ
 security-level 0
 ip address 172.16.2.1 255.255.255.0 
!
interface Ethernet0/3
 description External Port
 speed 100
 duplex full
 nameif outside3
 security-level 0
 ip address  

!
interface Management0/0
 description MGMT port
 shutdown
 nameif MGMT0
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa821-11-k8.bin

ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside0
dns server-group DefaultDNS
 name-server 
 name-server 
 domain-name 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_4
 network-object 10.10.0.0 255.255.0.0
 network-object 192.168.128.0 255.255.255.0
object-group network DM_INLINE_NETWORK_7
 network-object 10.10.0.0 255.255.0.0
 network-object 10.10.101.0 255.255.255.0
 network-object 192.168.128.0 255.255.255.0  
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_3 
access-list Inside0_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_5 
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any  
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 
pager lines 50
logging enable
logging buffered debugging
logging asdm errors
logging device-id ipaddress Inside0
mtu Inside0 1500
mtu DMZ 1500
mtu outside3 1500
mtu MGMT0 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (Inside0) 10 interface
global (outside3) 10 interface
nat (Inside0) 0 access-list Inside0_nat0_outbound
nat (Inside0) 10 192.168.128.0 255.255.255.0
nat (Inside0) 10 10.10.0.0 255.255.0.0
nat (Inside0) 10 0.0.0.0 0.0.0.0

access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3
route outside3 0.0.0.0 0.0.0.0  10
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server  protocol nt
aaa-server  (Inside0) host 
 nt-auth-domain-controller 
aaa-server  (Inside0) host 
 nt-auth-domain-controller 
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set pfs 
crypto dynamic-map dynmap 1 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map dynmap 1 set reverse-route
crypto map outside3_map 1 match address outside3_1_cryptomap
crypto map outside3_map 1 set pfs group1
crypto map outside3_map 1 set peer 
crypto map outside3_map 1 set transform-set ESP-3DES-SHA
crypto map outside3_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside3_map interface outside3
crypto isakmp enable outside3
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.0.0.0 Inside0
telnet timeout 60
ssh timeout 60
console timeout 0
management-access Inside0
vpn load-balancing 
 interface lbpublic Inside0
 interface lbprivate Inside0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source Inside0 prefer
ntp server source outside3
ntp server source outside3
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value 
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 5
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec webvpn
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy  internal
group-policy  attributes
 banner value 
 dns-server value
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 pfs disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 
 default-domain value 
 split-dns value 
group-policy SitetoSitePolicy internal
group-policy SitetoSitePolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool 
 authentication-server-group 
 default-group-policy 
tunnel-group  ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group type ipsec-l2l
tunnel-group  general-attributes
 default-group-policy SitetoSitePolicy
tunnel-group ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map inspection-default
 class inspection_default
  inspect dns 
  inspect ftp 
  inspect netbios 
  inspect rsh 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect pptp 
  inspect ipsec-pass-thru 
  inspect rtsp 
  inspect sip  
  inspect skinny  
policy-map global-policy
 class global-class
  inspect pptp 
!
service-policy inspection-default global
prompt hostname context 
Cryptochecksum:3eb206ea7caeb47c6fd368ff96de0d5c
: end

Question by:dmwynne
8 Comments
Expert Comment

by:csaroli
ID: 34865070
Have you omitted your default gateway for security reasons? If not, you need to change your outside route:

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

where x.x.x.x is your default gateway
Author Comment

by:dmwynne
ID: 34865185
I did omit it. It is configured.
Expert Comment

by:mwblsz
ID: 34865370
I did not see the public IP configured on the external port eth0/3, and also not in the route "route outside3 0.0.0.0 0.0.0.0  10"?

sincerely
Expert Comment

by:mwblsz
ID: 34865398
Sorry, I see your answer. So, have you tried this:

packet-tracer input Inside0 icmp 10.10.1.x 8 0 72.14.204.147

10.10.1.x is any of your internal workstations; 72.14.204.147 is google.com.

Please post the output from that command.

sincerely
Expert Comment

by:lrmoore
ID: 34865650
You can remove these commands:

no global (Inside0) 10 interface
(no need to add a global for Inside)

no access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any  
(this is your killer line, why you can't get out now)

no access-group Inside0_access_in in interface Inside0
(I don't see an ACL defined, and it is not necessary)
Author Comment

by:dmwynne
ID: 34865652
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside3

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: Inside0
input-status: up
input-line-status: up
output-interface: outside3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Accepted Solution

by:
mwblsz earned 2000 total points
ID: 34865781
As you can see, the problem is with the access-list in phase 4. According to your config, you have the following access-lists set up for the interfaces:

access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3

I did not see the config for Inside0_access_in or outside3_access_in.

I would suggest doing

no access-group Inside0_access_in in interface Inside0

and running the packet-tracer again to see if that resolves the problem.

sincerely
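
A small config lint for the two failure modes raised in this thread (an access-group bound to an ACL that has no entries, which leaves only the implicit deny that packet-tracer reported in phase 4, and a nat 0 exemption whose ACE ends in "any"), added here as an example and not code from the thread or from Cisco. The SAMPLE_CONFIG excerpt is constructed from the names in the posted show run; the 8.2-style `access-list`, `access-group` and `nat (...) 0 access-list` syntax is taken from the question.

```python
import re

# Constructed ASA 8.2 excerpt using the names from the question's show run.
SAMPLE_CONFIG = """\
access-list Inside0_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 any
nat (Inside0) 0 access-list Inside0_nat0_outbound
nat (Inside0) 10 10.10.0.0 255.255.0.0
global (outside3) 10 interface
access-group Inside0_access_in in interface Inside0
access-group outside3_access_in in interface outside3
"""

ACL_RE = re.compile(r"access-list (\S+) ")
GROUP_RE = re.compile(r"access-group (\S+) (in|out) interface (\S+)")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)")

def parse_config(text):
    """Collect defined ACL names, access-group bindings and nat 0 ACL names."""
    acls, bindings, nat0 = set(), [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            bindings.append((m.group(1), m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0.add(m.group(2))
    return acls, bindings, nat0

def find_issues(text):
    """Return human-readable findings for the two failure modes in the thread."""
    acls, bindings, nat0 = parse_config(text)
    issues = []
    # An access-group bound to an ACL with no ACEs leaves only the implicit
    # deny, which is what packet-tracer reported as "acl-drop" in phase 4.
    for name, direction, iface in bindings:
        if name not in acls:
            issues.append(f"{iface}: access-group {name} references an undefined ACL; "
                          f"implicit deny drops all {direction}bound traffic")
    # A nat 0 exemption whose ACE ends in "any" sends inside hosts out unNATed,
    # so replies addressed to private hosts never come back.
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group(1) in nat0 and line.endswith(" any"):
            issues.append(f"nat 0 ACL {m.group(1)}: exemption to 'any' bypasses PAT for all destinations")
    return issues
```

Running `find_issues(SAMPLE_CONFIG)` reports both undefined access-group ACLs and the nat 0 "any" line, which is the same pair of findings the two expert comments above arrived at by hand.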
Author Closing Comment

by:dmwynne
ID: 34865881
This fixed the issue. Thanks a lot.