

Can't Browse the Internet with ASA5505

Posted on 2011-03-07
Medium Priority
Last Modified: 2012-05-11
I have a new ASA 5505 that I thought was all set up, but when I put it in place, although I can ping the inside interface and run ASDM to see its configuration, I cannot browse or connect through it to the Internet. The outside interface was set up to use DHCP, and I could see that it had acquired a legitimate IP address. I'll paste the running config below... preference would be given to identifying the solution via the ASDM GUI.. I want to learn to use that...

ASA Version 8.2(1)
hostname ciscoasa
domain-name GettoWork
enable password fhBiljvtJfXQfzkR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name imagine
access-list name extended permit icmp any interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username alan password 7oy/1PcLK9T5X6MY encrypted
prompt hostname context
: end
Question by:jab56

Expert Comment

ID: 35062819
FYI, ASDM is awful. From a quick look as I am about to leave, it looks good. You might try to ping and see what happens.. if you get a reply you have a DNS issue.
On another quick glance it appears you created the inside VLAN but did not assign it to any ports.

Author Comment

ID: 35063007

Does DNS need to be set up within the firewall?? No, I can't ping anything beyond the inside interface.. not the outside interface, not the Internet. I have seen some kind of DNS error, but cannot tell you now, as the box is at home..

Expert Comment

ID: 35064368
you haven't applied that access-list to the outside interface.
logon to your asa cli

ciscoasa# conf t
ciscoasa(config)# access-group name in interface outside

You might need to add an access list to the inside before it starts passing traffic.

ciscoasa(config)# access-list inside extended permit ip any any
ciscoasa(config)# access-group inside in interface inside

DNS does not need to be set up within the firewall. Your local computer or a web proxy should be doing that. Do you have a DNS server set in your IPv4 connection?


Author Comment

ID: 35065790

I'll try that, question01.. I put that ACL in because someone asked me to, but I don't know what it does... Can you explain it for me please...

Expert Comment

ID: 35090079
The ACL determines what traffic can pass through the interface it is applied to.  It is a way to restrict traffic.

So for example  

The following ACL, applied to the outside interface inbound,

deny ip host host
deny ip host host
deny ip host host
permit ip any any

Would deny the three hosts, and from talking to the inside host but permit all other traffic.

So if you want to open up all traffic for the interface you apply the access list

permit ip any any

So permit any host to talk to any host on the protocol IP.

This would allow all traffic to flow through that interface.

Does that make sense?


Author Comment

ID: 35105924

I think I'm getting this...but not totally.
In my case, the firewall is the boundary to my home.. I want everything outside kept OUT - so what I want to say is deny any outside followed by permit any inside? Is that right?
Now, how do I say that in CLI.

And just a comment too -  when I wrote "access-list name extended permit icmp any interface outside " I took someone literally. In place of name above wouldn't it be more appropriate, and still syntactically correct to say "access-list keepout extended permit icmp any interface outside ". And frankly, I really don't care about icmp. I just want the outside kept out.

I appreciate the feedback.. much thanks.

Accepted Solution

question01 earned 1000 total points
ID: 35161408
Hi Jab,

Sorry for the late reply.
Yep you are correct 'name' can be any word. It is what the list is named.  

On the outside interface you want the following.

firewall(config)# access-list keepout deny ip any any
This creates an access list with one entry, which denies all traffic that originates from the outside.

firewall(config)# access-group keepout in interface outside
This applies access list 'keepout' to the outside interface. Now all traffic originating from the outside of the firewall will be blocked. Note: Return traffic will be allowed to return into the firewall. So if you visit a web server from a computer on the inside, the return traffic will be allowed despite the outside access list saying deny all traffic. This is because the firewall keeps a connection table and allows return traffic on sessions established from the inside.

Have you got it all working?

One other thing I noticed is that you might need a route in there.
firewall(config)#route outside next hop.
This will say 'route all traffic to the outside via nexthop'. The means any network. You have to enter the next hop IP address of your ISP.
Because your internal network is connected, and connected routes override static routes, it will route appropriate traffic to the inside and the rest to the outside.

The other thing is what are you connecting to? The firewall won't connect to a DSL or Cable connection or anything like that. You will need a router to do that.
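The two configuration gaps this thread turns up (the access-list that is defined but never bound to an interface with access-group, and the missing default route) can be checked mechanically. The following audit is an added example, not code from the original post or from Cisco; it runs over a constructed, trimmed copy of the question's config in which 192.0.2.1/24 stands in for the inside address the post omits, and the `setroute` keyword it looks for is the ASA option that installs the DHCP-learned gateway as the default route.

```python
import re
from typing import List, Set

# Constructed sample: the question's ASA 8.2(1) config trimmed to the lines the
# checks need, with 192.0.2.1/24 standing in for the inside address the post omitted.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
access-list name extended permit icmp any interface outside
global (outside) 1 interface
nat (inside) 1
"""

ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
DEFAULT_ROUTE_RE = re.compile(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+")


def audit_asa_config(text: str) -> List[str]:
    """Report an access-list that is defined but never bound with access-group,
    and the absence of a default route (the two gaps raised in the thread)."""
    defined: Set[str] = set()
    applied: Set[str] = set()
    default_route = False
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            defined.add(m.group(1))
        elif m := GROUP_RE.match(line):
            applied.add(m.group(1))
        elif DEFAULT_ROUTE_RE.match(line):
            default_route = True
        # 'ip address dhcp setroute' installs the ISP gateway as the default
        # route; plain 'ip address dhcp', as in the question, does not.
        elif line.strip().startswith("ip address dhcp") and "setroute" in line:
            default_route = True
    findings = [f"access-list '{n}' is defined but never applied with access-group"
                for n in sorted(defined - applied)]
    findings += [f"access-group references undefined access-list '{n}'"
                 for n in sorted(applied - defined)]
    if not default_route:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 "
                        "<next-hop>' or use 'ip address dhcp setroute'")
    return findings
```

Running `audit_asa_config(SAMPLE_CONFIG)` reports both gaps; appending the access-group and route lines from the accepted answer clears them.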



Author Comment

ID: 35161458

Great reply... On the other hand I'm quite surprised. I'm connecting to a DSL modem, so the IP address on the outside comes from my ISP (And has been successful at receiving that)..

I've been so swamped that I haven't had the time to do anything, but I have 3 off days coming up, so I hope to get some time for that this weekend...
Thanks Question

Expert Comment

ID: 35162816
no worries.

With the connection I mean the firewall won't connect straight to a DSL connection as in the socket in the wall. That connection needs to be terminated by a modem and your firewall is plugged into the modem, which I think you have obviously figured out ;)

Author Comment

ID: 35184880
I'm gonna just award points and officially finish this post, although, I still haven't had the chance to do more work on the configuration.. If I still have problems I'll post here again...
thanks again
