ASA internet

ASA 5505 question.

How do I get this working on the internet. I am having a DNS issue and possible routing issue. I can PING my internal server's IP and the ISP GW IP, but that is it (not by name either). What the heck am I missing or where am I screwing up? This config may look a little messed up because I was messing with the ASDM, but I am fine bringing back to factory default if need be...

Here's my CLI:

interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.66
interface Vlan5
 nameif dmz
 security-level 50
 ip address
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit inter-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500  
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1
route outside XX.XX.XX.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd dns interface inside
dhcpd domain interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both interface inside
dhcpd dns interface outside
dhcpd update dns both interface outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password VPhFqo.2YIUEerIU encrypted privilege 15
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Basic steps first:

From the ASA's CLI:
1) Can you ping an internal Host/PC?
2) Can you ping the IP of the ISP Gateway?
3) Can you ping beyond the ISP Gateway?  i.e. ping
4) Can an internal PC ping the ASA internal interface?  
5) Can an internal PC hit 
lahma35Author Commented:
1) Can you ping an internal Host/PC? YES
2) Can you ping the IP of the ISP Gateway? YES
3) Can you ping beyond the ISP Gateway?  NO
4) Can an internal PC ping the ASA internal interface?   YES
5) Can an internal PC hit NO
lahma35Author Commented:
Added to my last comment. I can't ping anything by name only IP. So, I probably have 2 issues. DNS and routing?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

>>2) Can you ping the IP of the ISP Gateway? YES
>>3) Can you ping beyond the ISP Gateway?  NO

This is troublesome.   If your CLI can hit the GW but can't get past the ISP gateway, I would call them up immediately and report an issue.

Without this step working, DNS would also be failing since all forwarding lookups could not get to the external DNS servers either.
Who is the ISP anyway?   Is this a DSL service? PPPoE?  MPLS?   Is there ISP router equipment at your site?  
lahma35Author Commented:
We have a different router in place and the internet is fine, that's where I am confused too. As soon as we put in an ASA, routing goes south. Like I said, I don't mind doing a factory reset and starting over, but I would like to know where it is breaking...

That's just it.  It doesn't look to me like the ASA code is coming into play here.   Since we try this from the CLI and the external interface and we can ping the GW, this tells me all layer 1 and layer 2 is ok between you and the ISP drop.    So now when you try to route outbound, the ISP refuses your connection.   This is not the ASA's fault here IMHO.     There are many many ISPs that only allow 1 MAC on a connection.  If you switch networking equipment, you have to call the ISP to 'reset' the allowed MAC address.   I have a site in Vancouver that had to do this twice after I had to upgrade a router and replace a dead router.     They had to call the ISP each time for a reset before traffic flowed again.  

Sounds to me like that's what you have here....
I suppose, as a test of that, you could drop a laptop in place of the ASA and router.   Try getting outbound on a laptop and see what you get.
Oh... 1 other thought.    Is the ASA getting the SAME ip as the router you are removing?     Is it all static routes or are there any routing protocols coming into play.   (I can't imagine there are, but just wanted to ask)
lahma35Author Commented:
It is a cable internet connection. I've never heard of this before for Time Warner Cable. I will try that. How do I get DNS working internally? I can only ping the servers by IP.
lahma35Author Commented:
yes, the router is pulling an IP from the ISP (I have DHCP setup for the WAN interface). And I am using the same internal IP.
Which servers are you trying to ping?   Are they internal or external?  Do you have internal dns?  I imagine they nees external forwarders which would be down anyway until traffic is restored
lahma35Author Commented:
Internal. Yes, I have internal DNS setup. Like I said, internet is fine. I can plug in my laptop without the router and it works. It has to be something with the config.
>>I can plug in my laptop without the router

Do you mean ASA here?  Or is there a router in front of the ASA we should be looking at?  

I'll assume its ASA for now.   If you can plug in a laptop into the same cable the ASA's external interface uses and get outbound, then I'm confused.   Above you mention that you plug in the router and have it DHCP an address from the ISP, yet when you plug in the ASA I see no DHCP config on the interface.  I see you've assigned a static IP in the config

If you use the same ISP provided cable drop for both the laptop test and the ASA test and the laptop works but ASA fails, then signs point to ASA....   We could have a look at the ASA's logs after an attempt. from CLI and from inside.   SHOW LOGGING and a SHOW XLATE (for inside test) might give a clue.

I think I'm missing something here.....

lahma35Author Commented:
I'll give that a try tomorrow. Thanks!
Do you have a router between the ASA and the ISP drop?
I notice that you do not have DHCP enabled on your outside interface.

You are defining your IP and default Route statically.  I assume you did this becasue it was what was in the last router.  I have seen with at least one ISP, static IPs associated to hardware MAC addresses.  When you try to swich an edge device, you do often have to call the ISP to have them reassociate the IP to the new MAC.  I woud definitly reach out to the ISP.  To further test, you can confirm internet connectivity with a laptop driectly in your cable modem, and you can also set vlan 2 to ip address dhcp setroute, to see if it will pull an IP address.

I have seen with cable companies that you can get a dhcp address and restore internet connectivity, but staticly assigning the old IP will kill connectivity.  The ISP will need to re assocaite the IP for you if this is the case.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.