Can't Browse the Internet with ASA5505

Posted on 2011-03-07
Last Modified: 2012-05-11
I have a new ASA 5505 that I thought was all setup, but when I put it in place, although I can ping the inside int and run ASDM to see it's configuration, I cannot browse or connect through it to the Internet. The outside interface was setup to use DHCP, and I could see that it had aquired a legitimate IP address.  I'll paste the running config below... preference would be given to IDing the solution via the ASDM gui.. I want to learn to use that...

ASA Version 8.2(1)
hostname ciscoasa
domain-name GettoWork
enable password fhBiljvtJfXQfzkR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name imagine
access-list name extended permit icmp any interface outside
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username alan password 7oy/1PcLK9T5X6MY encrypted
prompt hostname context
: end
Question by:jab56
  • 5
  • 4

Expert Comment

ID: 35062819
FYI asdm is awful.  from a quick look as I am about to leave it looks good.  You might try to ping and see what happens.. if you get a reply you have a DNS issue.
On another quick glance it appears you created the inside vlan but did not assign it to any ports.

Author Comment

ID: 35063007

Does DNS need to be setup within the firewall?? No I can't ping anything beyond the inside interface.. not the outside interface, not the internet.  I have seen some kind of DNS error, but cannot tell you now, as the box is at home..

Expert Comment

ID: 35064368
you havn't applied that access-list to the outside interface.
logon to your asa cli

#conf t
#int vlan 2
#access-group name in

You might need to add an access list to the inside before is starts passing traffic.

#access-list inside permit ip any any
#int vlan 1
#access-group inside in

DNS does not need to be setup with the firewall. Your local computer or a web proxy should be doing that. Do you have a dns server set in your ipv4 connection?
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.


Author Comment

ID: 35065790

I'll try that question01.. I put that acl in because someone asked me to, but I don't know what it does...  Can you explain it for me please...

Expert Comment

ID: 35090079
The ACL determines what traffic can pass through the interface it is applied to.  It is a way to restrict traffic.

So for example  

The following ACL applied the outside interface inbound

deny ip host host
deny ip host host
deny ip host host
permit ip any any

Would deny the three hosts, and from talking to the inside host but permit all other traffic.

So if you want to open up all traffic for the interface you apply the access list

permit ip any any

So permit any host to talk to any host on the protocol IP.

This would allow all traffic to flow through that interface.

Does that make sense?


Author Comment

ID: 35105924

I think I'm getting this...but not totally.
In my case, the firewall is the boundry to my home.. I want everything outside kept OUT - so what I want to say is deny any outside followed by permit any inside? Is that right?
Now, how do I say that in CLI.

And just a comment too -  when I wrote "access-list name extended permit icmp any interface outside " I took someone literally. In place of name above wouldn't it be more appropriate, and still syntactically correct to say "access-list keepout extended permit icmp any interface outside ". And frankly, I really don't care about icmp. I just want the outside kept out.

I appreciate the feedback.. much thanks.

Accepted Solution

question01 earned 250 total points
ID: 35161408
Hi Jab,

Sorry for the late reply.
Yep you are correct 'name' can be any word. It is what the list is named.  

On the outside interface you want the following.

firewall(config)# access-list keepout deny ip any any*
This creates an access list with one entry which denies all traffic which originates from the outside

firewall(config#access-group keepout in interface outside*
This applies access list 'keepout' to the outside interface. Now all traffic orginating from the outside of the firewall will be blocked.  Note: Return traffic will be allowed to return into the firewall. So if you visit a web server from a computer on the inside, the return traffic will be allowed despite the outside access list saying deny all traffic. This is because the firewall keeps a connection table and allows return traffic on sessions established from the inside.

Have you got it all working?

One other thing I noticed is that you might need a route in there.
firewall(config)#route outside next hop.
This will say ' route all traffic to the outside via nexthop. The means any network. You have to enter the next hop ip address of your ISP.
Because your internal network is connected and connected routes overide static routes it will route appropriate traffic to the inside and the rest to the outside.

The other thing is what are you connecting to? The firewall won't connect to a DSL or Cable connection or anything like that. You will need a router to do that.



Author Comment

ID: 35161458

Great reply... On the other hand I'm quite surprised. I'm connecting to a DSL modem, so the IP address on the outside comes from my ISP (And has been successful at receiving that)..

i've been so swamped that I haven't had the time to do anything, but I have 3 off days coming up, so I hope to get some time for that this weekend...
Thanks Question

Expert Comment

ID: 35162816
no worries.

With the connection I mean the firewall wont connect straight to a a dsl connection as into the socket in the wall. That connection needs to be terminated by a modem and your firewall is plugged into the modem which I think you have obviously figured out ;)

Author Comment

ID: 35184880
I'm gonna just award points and officially finish this post, although, I still haven't had the chance to do more work on the configuration.. If I still have problems I'll post here again...
thanks again

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco Firewall setup within a managed office 8 92
Etherchannel trunking 10 53
CCNA lab 6 34
Guest Wi-Fi Time out 3 20
There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
This is about downgrading PIX Version 8.0(4) & ASDM 6.1(5) to PIX 7.2(4) and ASDM 5.2(4) but with only 64MB RAM and 16MB flash. Background: You have a Cisco Pix 515E which was running on PIX 7.2(4) and its supporting ASDM 5.2(4) without any i…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now