Can't Browse the Internet with ASA5505

Posted on 2011-03-07
Last Modified: 2012-05-11
I have a new ASA 5505 that I thought was all set up, but when I put it in place, although I can ping the inside int and run ASDM to see its configuration, I cannot browse or connect through it to the Internet. The outside interface was set up to use DHCP, and I could see that it had acquired a legitimate IP address. I'll paste the running config below... preference would be given to IDing the solution via the ASDM GUI.. I want to learn to use that...

ASA Version 8.2(1)
hostname ciscoasa
domain-name GettoWork
enable password fhBiljvtJfXQfzkR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name imagine
access-list name extended permit icmp any interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username alan password 7oy/1PcLK9T5X6MY encrypted
prompt hostname context
: end
Question by: jab56
Expert Comment

ID: 35062819
FYI, ASDM is awful. From a quick look as I am about to leave, it looks good. You might try to ping and see what happens.. if you get a reply you have a DNS issue.
On another quick glance it appears you created the inside VLAN but did not assign it to any ports.

Author Comment

ID: 35063007

Does DNS need to be set up within the firewall?? No, I can't ping anything beyond the inside interface.. not the outside interface, not the Internet. I have seen some kind of DNS error, but cannot tell you now, as the box is at home..

Expert Comment

ID: 35064368
You haven't applied that access-list to the outside interface.
Log on to your ASA CLI:

#conf t
#access-group name in interface outside

You might need to add an access list to the inside before it starts passing traffic.

#access-list inside extended permit ip any any
#access-group inside in interface inside

DNS does not need to be set up on the firewall. Your local computer or a web proxy should be doing that. Do you have a DNS server set in your IPv4 connection?

Author Comment

ID: 35065790

I'll try that, question01.. I put that ACL in because someone asked me to, but I don't know what it does... Can you explain it for me please...

Expert Comment

ID: 35090079
The ACL determines what traffic can pass through the interface it is applied to. It is a way to restrict traffic.

So, for example:

The following ACL, applied to the outside interface inbound,

deny ip host host
deny ip host host
deny ip host host
permit ip any any

would deny the three hosts, and from talking to the inside host, but permit all other traffic.

So if you want to open up all traffic for the interface, you apply the access list:

permit ip any any

So permit any host to talk to any host on the protocol IP.

This would allow all traffic to flow through that interface.

Does that make sense?


Author Comment

ID: 35105924

I think I'm getting this... but not totally.
In my case, the firewall is the boundary to my home.. I want everything outside kept OUT, so what I want to say is deny any outside followed by permit any inside? Is that right?
Now, how do I say that in the CLI?

And just a comment too: when I wrote "access-list name extended permit icmp any interface outside" I took someone literally. In place of name above, wouldn't it be more appropriate, and still syntactically correct, to say "access-list keepout extended permit icmp any interface outside"? And frankly, I really don't care about ICMP. I just want the outside kept out.

I appreciate the feedback.. much thanks.

Accepted Solution

question01 earned 250 total points
ID: 35161408
Hi Jab,

Sorry for the late reply.
Yep, you are correct: 'name' can be any word. It is what the list is named.

On the outside interface you want the following.

firewall(config)# access-list keepout deny ip any any
This creates an access list with one entry which denies all traffic which originates from the outside.

firewall(config)# access-group keepout in interface outside
This applies access list 'keepout' to the outside interface. Now all traffic originating from the outside of the firewall will be blocked. Note: return traffic will be allowed to return into the firewall. So if you visit a web server from a computer on the inside, the return traffic will be allowed despite the outside access list saying deny all traffic. This is because the firewall keeps a connection table and allows return traffic on sessions established from the inside.

Have you got it all working?

One other thing I noticed is that you might need a route in there.
firewall(config)# route outside next hop.
This will say 'route all traffic to the outside via nexthop'. The means any network. You have to enter the next hop IP address of your ISP.
Because your internal network is connected and connected routes override static routes, it will route appropriate traffic to the inside and the rest to the outside.

The other thing is what are you connecting to? The firewall won't connect to a DSL or Cable connection or anything like that. You will need a router to do that.
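
The ACL and return-traffic behaviour explained in the last two expert posts, as an added Python model written for this page (not ASA code and not from the thread): the connection table is consulted before any interface ACL, an ACL ends in an implicit deny, and with no ACL applied only traffic from a higher security level to a lower one is permitted. NAT is left out, the 'keepout' list and the addresses are constructed.

```python
# Simplified model of ASA-style stateful filtering (added illustration only).
from collections import namedtuple

Packet = namedtuple("Packet", "iface proto src sport dst dport")
SECURITY = {"inside": 100, "outside": 0}   # security levels from the posted config
# Constructed ACLs: the accepted solution's 'keepout' on outside, none on inside.
# Entry = (action, protocol, source, destination); "any" matches everything.
ACLS = {"outside": [("deny", "ip", "any", "any")], "inside": None}

class Firewall:
    def __init__(self, acls):
        self.acls = acls
        self.conns = set()   # connection table: 5-tuples of flows already permitted

    def _acl_allows(self, pkt):
        acl = self.acls.get(pkt.iface)
        if acl is None:
            # No ACL on the ingress interface: only higher -> lower security
            # level traffic is permitted (inside -> outside, not the reverse).
            egress = "outside" if pkt.iface == "inside" else "inside"
            return SECURITY[pkt.iface] > SECURITY[egress]
        for action, proto, src, dst in acl:   # first matching entry wins
            if proto in ("ip", pkt.proto) and src in ("any", pkt.src) \
                    and dst in ("any", pkt.dst):
                return action == "permit"
        return False   # implicit deny at the end of every ACL

    def process(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return "allow (existing connection)"   # checked before any ACL
        if not self._acl_allows(pkt):
            return "drop (acl)"
        self.conns.add(fwd)   # new flow permitted: remember it for the return path
        return "allow (new connection)"

def demo(acls=ACLS):
    """Inside host browses a web server, then an outside host tries to connect in."""
    fw = Firewall(acls)
    # Constructed addresses (documentation ranges), not from the thread.
    out = Packet("inside", "tcp", "192.168.1.10", 51000, "203.0.113.5", 80)
    back = Packet("outside", "tcp", "203.0.113.5", 80, "192.168.1.10", 51000)
    unsolicited = Packet("outside", "tcp", "198.51.100.7", 40000, "192.168.1.10", 22)
    return [fw.process(out), fw.process(back), fw.process(unsolicited)]

if __name__ == "__main__":
    print(demo())
```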



Author Comment

ID: 35161458

Great reply... On the other hand, I'm quite surprised. I'm connecting to a DSL modem, so the IP address on the outside comes from my ISP (and has been successful at receiving that)..

I've been so swamped that I haven't had the time to do anything, but I have 3 off days coming up, so I hope to get some time for that this weekend...
Thanks Question

Expert Comment

ID: 35162816
No worries.

With the connection I mean the firewall won't connect straight to a DSL connection as in to the socket in the wall. That connection needs to be terminated by a modem, and your firewall is plugged into the modem, which I think you have obviously figured out ;)

Author Comment

ID: 35184880
I'm gonna just award points and officially finish this post, although I still haven't had the chance to do more work on the configuration.. If I still have problems I'll post here again...
Thanks again.
