I have an ASA 5510 that I can't seem to get to pass Internet traffic. It's not a complex config so I'm not sure where to look. I'm not getting any error messages. Just timing out when trying to ping any external addresses, can't resolve DNS, can't bring up web pages.
Config attached:
ASA Version 8.0(5)
!
hostname ASA
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 1.1.1.250 255.255.255.224
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.40.0.10 255.255.0.0
ospf priority 0
ospf authentication message-digest
!
interface Ethernet0/2
nameif Guest
security-level 50
ip address 10.41.0.1 255.255.0.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name company.net
object-group network COMPANY2
network-object 10.40.0.0 255.255.0.0
access-list nonat extended permit ip 10.40.0.0 255.255.0.0 1.2.2.0 255.255.255.0
access-list TUNNEL standard permit 10.40.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq www
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq https
access-list OUT_GUEST extended permit ip any any
logging enable
logging timestamp
logging buffer-size 50000
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging asdm errors
logging host Inside 10.200.1.48
logging debug-trace
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply Outside
icmp permit any unreachable Outside
icmp permit any time-exceeded Outside
icmp permit any Inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
access-group OUTSIDE_IN in interface Outside
!
router ospf 100
router-id 4.4.4.2
network 10.40.0.0 255.255.0.0 area 4
area 4 authentication message-digest
log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.40.0.0 255.255.0.0 Inside
dhcpd dns 4.2.2.2 8.8.8.8
!
dhcpd address 10.41.0.100-10.41.0.200 Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.40.0.1 source Inside
ssl encryption rc4-sha1
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 50
vpn-idle-timeout 60
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TUNNEL
default-domain value company.net
split-dns value company.net
user-authentication enable
ip-phone-bypass enable
nem enable
!
class-map INSPECTION
match default-inspection-traffic
!
!
policy-map type inspect dns DNS
parameters
message-length maximum 1500
policy-map POLICY
class INSPECTION
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ftp
inspect icmp
inspect icmp error
inspect dns DNS
!
service-policy POLICY global
prompt hostname context
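One check worth running on a config like this before chasing routes or ACLs: on pre-8.3 ASA software (the syntax shown above), a `nat (ifname) id net mask` entry is matched only against packets that arrive on the named interface, so a subnet listed under the wrong interface gets no dynamic translation at all. The script below is an added example, not code from the thread; it parses a constructed excerpt of the interface and nat lines above and flags any nat entry whose subnet is directly connected to a different interface than the one it names.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: only the lines the check needs.
ASA_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 1.1.1.250 255.255.255.224
interface Ethernet0/1
 nameif Inside
 ip address 10.40.0.10 255.255.0.0
interface Ethernet0/2
 nameif Guest
 ip address 10.41.0.1 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
"""

# Matches the pre-8.3 form "nat (ifname) id network mask"; ACL-based nat lines do not match.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


def parse_interfaces(config):
    """Map each nameif to the connected network taken from its 'ip address' line."""
    nets, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            ip, mask = line.split()[2:4]
            nets[current] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets


def find_misplaced_nat(config):
    """Return (nat_line, declared_if, owning_if) for each nat entry whose subnet
    is directly connected to an interface other than the one the entry names.
    Hosts on the owning interface get no translation from such an entry."""
    nets = parse_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        declared = m.group(1)
        net = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        for ifname, ifnet in nets.items():
            if ifname != declared and net.subnet_of(ifnet):
                findings.append((line.strip(), declared, ifname))
    return findings
```

Run against the excerpt it reports the `10.41.0.0/16` entry as declared on Inside but connected to Guest; `show xlate` on the box would then confirm whether Guest hosts are getting a translation.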
ascendmax26 (ASKER), 8/22/2022 - Mon:
Update. Traffic is passing successfully from clients on the Inside interface. It's the Guest interface that is not passing traffic. Here's a capture on the Guest interface:
6: 13:23:39.220539 10.41.0.6 > 4.2.2.2: icmp: echo request
7: 13:23:41.219349 10.41.0.6 > 4.2.2.2: icmp: echo request
8: 13:23:43.224063 10.41.0.6 > 4.2.2.2: icmp: echo request
10: 13:23:45.228946 10.41.0.6 > 4.2.2.2: icmp: echo request
11: 13:23:47.233767 10.41.0.6 > 4.2.2.2: icmp: echo request
As you can see, the request is sent but no replies are received. The Inside interface looks much better:
260: 13:25:41.121545 10.40.1.50 > 4.2.2.1: icmp: echo request
261: 13:25:41.142204 4.2.2.1 > 10.40.1.50: icmp: echo reply
262: 13:25:42.131646 10.40.1.50 > 4.2.2.1: icmp: echo request
263: 13:25:42.152396 4.2.2.1 > 10.40.1.50: icmp: echo reply
264: 13:25:43.135704 10.40.1.50 > 4.2.2.1: icmp: echo request
265: 13:25:43.156287 4.2.2.1 > 10.40.1.50: icmp: echo reply
266: 13:25:44.140877 10.40.1.50 > 4.2.2.1: icmp: echo request
267: 13:25:44.161368 4.2.2.1 > 10.40.1.50: icmp: echo reply
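The two captures can be compared mechanically rather than by eye. The script below is an added example, not part of the thread: it parses constructed samples in the `show capture` line format above, counts echo requests and replies per client/target pair, and reports pairs that send repeatedly but never see a reply, which is the signature of traffic that leaves the box but has no return path (no translation, no route back, or upstream filtering).

```python
import re
from collections import defaultdict

# Constructed samples in the same format as the Guest and Inside captures above.
GUEST_CAPTURE = """\
6: 13:23:39.220539 10.41.0.6 > 4.2.2.2: icmp: echo request
7: 13:23:41.219349 10.41.0.6 > 4.2.2.2: icmp: echo request
8: 13:23:43.224063 10.41.0.6 > 4.2.2.2: icmp: echo request
"""
INSIDE_CAPTURE = """\
260: 13:25:41.121545 10.40.1.50 > 4.2.2.1: icmp: echo request
261: 13:25:41.142204 4.2.2.1 > 10.40.1.50: icmp: echo reply
262: 13:25:42.131646 10.40.1.50 > 4.2.2.1: icmp: echo request
"""

# "<n>: <time> <src> > <dst>: icmp: echo request|reply"; other capture lines are skipped.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>[\d:.]+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):"
    r"\s+icmp:\s+echo (?P<kind>request|reply)\s*$"
)


def icmp_flow_stats(capture):
    """Count echo requests and replies per (client, target) pair.
    A reply from target back to client is credited to the (client, target) pair."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["kind"] == "request":
            stats[(m["src"], m["dst"])]["requests"] += 1
        else:
            stats[(m["dst"], m["src"])]["replies"] += 1
    return dict(stats)


def one_way_flows(capture, min_requests=2):
    """Pairs that sent at least min_requests echo requests and received no reply."""
    return sorted(
        pair for pair, s in icmp_flow_stats(capture).items()
        if s["requests"] >= min_requests and s["replies"] == 0
    )
```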