Solved

ASA5510 not passing traffic

Posted on 2012-03-18
Last Modified: 2012-03-23
I have an ASA 5510 that I can't seem to get to pass Internet traffic. It's not a complex config, so I'm not sure where to look. I'm not getting any error messages, just timing out when trying to ping any external addresses; can't resolve DNS, can't bring up web pages.

Config attached:

ASA Version 8.0(5)
!
hostname ASA
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 1.1.1.250 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.40.0.10 255.255.0.0
 ospf priority 0
 ospf authentication message-digest
!
interface Ethernet0/2
 nameif Guest
 security-level 50
 ip address 10.41.0.1 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name company.net
object-group network COMPANY2
 network-object 10.40.0.0 255.255.0.0
access-list nonat extended permit ip 10.40.0.0 255.255.0.0 1.2.2.0 255.255.255.0
access-list TUNNEL standard permit 10.40.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq www
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq https
access-list OUT_GUEST extended permit ip any any
logging enable
logging timestamp
logging buffer-size 50000
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging asdm errors
logging host Inside 10.200.1.48
logging debug-trace
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply Outside
icmp permit any unreachable Outside
icmp permit any time-exceeded Outside
icmp permit any Inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
access-group OUTSIDE_IN in interface Outside
!
router ospf 100
 router-id 4.4.4.2
 network 10.40.0.0 255.255.0.0 area 4
 area 4 authentication message-digest
 log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.40.0.0 255.255.0.0 Inside
dhcpd dns 4.2.2.2 8.8.8.8
!
dhcpd address 10.41.0.100-10.41.0.200 Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.40.0.1 source Inside
ssl encryption rc4-sha1
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec
 password-storage enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TUNNEL
 default-domain value company.net
 split-dns value company.net
 user-authentication enable
 ip-phone-bypass enable
 nem enable
!
class-map INSPECTION
 match default-inspection-traffic
!
!
policy-map type inspect dns DNS
 parameters  
  message-length maximum 1500
policy-map POLICY
 class INSPECTION
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
  inspect icmp
  inspect icmp error
  inspect dns DNS
!
service-policy POLICY global
prompt hostname context
Author Comment

by:ascendmax26
ID: 37735389
Update. Traffic is passing successfully from clients on the Inside interface. It's the Guest interface that is not passing traffic. Here's a capture on the Guest interface:

   6: 13:23:39.220539 10.41.0.6 > 4.2.2.2: icmp: echo request
   7: 13:23:41.219349 10.41.0.6 > 4.2.2.2: icmp: echo request
   8: 13:23:43.224063 10.41.0.6 > 4.2.2.2: icmp: echo request
  10: 13:23:45.228946 10.41.0.6 > 4.2.2.2: icmp: echo request
  11: 13:23:47.233767 10.41.0.6 > 4.2.2.2: icmp: echo request

As you can see, the request is sent but no replies are received. The Inside interface looks much better:

 260: 13:25:41.121545 10.40.1.50 > 4.2.2.1: icmp: echo request
 261: 13:25:41.142204 4.2.2.1 > 10.40.1.50: icmp: echo reply
 262: 13:25:42.131646 10.40.1.50 > 4.2.2.1: icmp: echo request
 263: 13:25:42.152396 4.2.2.1 > 10.40.1.50: icmp: echo reply
 264: 13:25:43.135704 10.40.1.50 > 4.2.2.1: icmp: echo request
 265: 13:25:43.156287 4.2.2.1 > 10.40.1.50: icmp: echo reply
 266: 13:25:44.140877 10.40.1.50 > 4.2.2.1: icmp: echo request
 267: 13:25:44.161368 4.2.2.1 > 10.40.1.50: icmp: echo reply

Accepted Solution

by:
ascendmax26 earned 0 total points
ID: 37735513
I had the wrong nat config:
nat (Inside) 1 10.41.0.0 255.255.0.0

Needed to be:
nat (Guest) 1 10.41.0.0 255.255.0.0
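A configuration lint for exactly this class of mistake, written here as an added example rather than anything the poster or Cisco supplies: it parses the interface stanzas and the real-address `nat (ifname) id subnet mask` statements from a constructed excerpt of the config posted above, and flags any nat line whose subnet is directly connected to a different nameif than the one named in the parentheses.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: only the interface
# stanzas and the nat lines matter for this check.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif Inside
 ip address 10.40.0.10 255.255.0.0
interface Ethernet0/2
 nameif Guest
 ip address 10.41.0.1 255.255.0.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
"""


def parse_interfaces(config):
    """Map each nameif to the network directly connected to that interface."""
    nets = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new stanza; wait for its nameif
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            nameif = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and nameif:
            nets[nameif] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return nets


def check_nat_interfaces(config):
    """Return (offending line, suggested line) pairs for nat statements whose
    subnet is connected to an interface other than the one they name."""
    nets = parse_interfaces(config)
    findings = []
    nat_re = r"nat \((\S+)\) \d+ (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$"
    for line in config.splitlines():
        m = re.match(nat_re, line)
        if not m:
            continue  # policy NAT (access-list form) and other lines are skipped
        ifname, addr, mask = m.groups()
        subnet = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        owner = next((n for n, net in nets.items() if net.overlaps(subnet)), None)
        if owner is not None and owner != ifname:
            findings.append((line, line.replace(f"({ifname})", f"({owner})", 1)))
    return findings


if __name__ == "__main__":
    for bad, fix in check_nat_interfaces(SAMPLE_CONFIG):
        print(f"{bad}  ->  {fix}")
```

On the posted config this reports the single line `nat (Inside) 1 10.41.0.0 255.255.0.0` with the same correction the author arrived at; a nat statement for a routed (OSPF-learned) subnet that is not directly connected to any interface is deliberately left alone.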
Expert Comment

by:btassure
ID: 37735623
All sorted now?
Author Closing Comment

by:ascendmax26
ID: 37756290
Self-solved.