ASA5510 not passing traffic

Posted on 2012-03-18
Last Modified: 2012-03-23
I have an ASA 5510 that I can't seem to get to pass Internet traffic. It's not a complex config so I'm not sure where to look. I'm not getting any error messages. Just timing out when trying to ping any external addresses, can't resolve DNS, can't bring up web pages.

Config attached:

ASA Version 8.0(5)
!
hostname ASA
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 1.1.1.250 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.40.0.10 255.255.0.0
 ospf priority 0
 ospf authentication message-digest
!
interface Ethernet0/2
 nameif Guest
 security-level 50
 ip address 10.41.0.1 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name company.net
object-group network COMPANY2
 network-object 10.40.0.0 255.255.0.0
access-list nonat extended permit ip 10.40.0.0 255.255.0.0 1.2.2.0 255.255.255.0
access-list TUNNEL standard permit 10.40.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq www
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq https
access-list OUT_GUEST extended permit ip any any
logging enable
logging timestamp
logging buffer-size 50000
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging asdm errors
logging host Inside 10.200.1.48
logging debug-trace
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply Outside
icmp permit any unreachable Outside
icmp permit any time-exceeded Outside
icmp permit any Inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
access-group OUTSIDE_IN in interface Outside
!
router ospf 100
 router-id 4.4.4.2
 network 10.40.0.0 255.255.0.0 area 4
 area 4 authentication message-digest
 log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.40.0.0 255.255.0.0 Inside
dhcpd dns 4.2.2.2 8.8.8.8
!
dhcpd address 10.41.0.100-10.41.0.200 Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.40.0.1 source Inside
ssl encryption rc4-sha1
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec
 password-storage enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TUNNEL
 default-domain value company.net
 split-dns value company.net
 user-authentication enable
 ip-phone-bypass enable
 nem enable
!
class-map INSPECTION
 match default-inspection-traffic
!
!
policy-map type inspect dns DNS
 parameters
  message-length maximum 1500
policy-map POLICY
 class INSPECTION
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
  inspect icmp
  inspect icmp error
  inspect dns DNS
!
service-policy POLICY global
prompt hostname context
Question by:ascendmax26
Author Comment

by:ascendmax26
ID: 37735389
Update. Traffic is passing successfully from clients on the Inside interface. It's the Guest interface that is not passing traffic. Here's a capture on the Guest interface:

   6: 13:23:39.220539 10.41.0.6 > 4.2.2.2: icmp: echo request
   7: 13:23:41.219349 10.41.0.6 > 4.2.2.2: icmp: echo request
   8: 13:23:43.224063 10.41.0.6 > 4.2.2.2: icmp: echo request
  10: 13:23:45.228946 10.41.0.6 > 4.2.2.2: icmp: echo request
  11: 13:23:47.233767 10.41.0.6 > 4.2.2.2: icmp: echo request

As you can see the request is sent but no replies are received. The Inside interface looks much better:

 260: 13:25:41.121545 10.40.1.50 > 4.2.2.1: icmp: echo request
 261: 13:25:41.142204 4.2.2.1 > 10.40.1.50: icmp: echo reply
 262: 13:25:42.131646 10.40.1.50 > 4.2.2.1: icmp: echo request
 263: 13:25:42.152396 4.2.2.1 > 10.40.1.50: icmp: echo reply
 264: 13:25:43.135704 10.40.1.50 > 4.2.2.1: icmp: echo request
 265: 13:25:43.156287 4.2.2.1 > 10.40.1.50: icmp: echo reply
 266: 13:25:44.140877 10.40.1.50 > 4.2.2.1: icmp: echo request
 267: 13:25:44.161368 4.2.2.1 > 10.40.1.50: icmp: echo reply

Accepted Solution

by:ascendmax26 (earned 0 total points)
ID: 37735513
I had the wrong nat config:
nat (Inside) 1 10.41.0.0 255.255.0.0

Needed to be:
nat (Guest) 1 10.41.0.0 255.255.0.0
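The accepted fix above is a one-line change, but the underlying mistake (a `nat (ifname) id net mask` statement bound to an interface that does not own the source subnet) is easy to repeat in a config with several inside-facing interfaces. The script below is an added example, not part of the original thread and not a Cisco tool: it parses the pre-8.3 `interface` / `nameif` / `ip address`, `global` and `nat` syntax used in the posted config, and flags any `nat` statement whose source network is not directly connected to the interface named in the statement, as well as any NAT id that has no `global` pool to translate into. The embedded config is a constructed excerpt of the one posted in the question, trimmed to the lines the check needs; the finding format and the function names are this example's own.

```python
"""Audit old-style (pre-8.3) ASA nat statements against interface subnets.

Added example, not code from the original post or from Cisco. It assumes the
`nat (nameif) id net mask` / `global (nameif) id ...` syntax shown in the thread.
"""
import ipaddress
import re

# Constructed excerpt of the config posted in the question: only the
# interface, global and nat lines this check needs.
CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 1.1.1.250 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.40.0.10 255.255.0.0
!
interface Ethernet0/2
 nameif Guest
 security-level 50
 ip address 10.41.0.1 255.255.0.0
!
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
"""

NAMEIF_RE = re.compile(r"^\s+nameif (\S+)$")
IPADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)")
# Only the "nat (if) id net mask" form; "nat (if) 0 access-list ..." is skipped.
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")


def parse_interfaces(config):
    """Return {nameif: directly connected subnet} for every interface block."""
    subnets = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new block: forget the previous block's nameif
            continue
        m = NAMEIF_RE.match(line)
        if m:
            nameif = m.group(1)
            continue
        m = IPADDR_RE.match(line)
        if m and nameif:
            # ipaddress accepts dotted netmasks; strict=False tolerates host bits
            subnets[nameif] = ipaddress.ip_network(
                f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets


def parse_nat_rules(config):
    """Return [(nameif, nat_id, source_network)] for each matching nat line."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            ifname, nat_id, net, mask = m.groups()
            rules.append((ifname, int(nat_id),
                          ipaddress.ip_network(f"{net}/{mask}", strict=False)))
    return rules


def parse_global_ids(config):
    """Return the set of NAT ids that have a global pool defined."""
    return {int(m.group(2))
            for m in map(GLOBAL_RE.match, config.splitlines()) if m}


def overlaps(a, b):
    """True when one network contains the other (covers 0.0.0.0 0.0.0.0 rules)."""
    return a.subnet_of(b) or b.subnet_of(a)


def audit_nat(config):
    """Return a list of findings; an empty list means every nat line looks sane."""
    subnets = parse_interfaces(config)
    global_ids = parse_global_ids(config)
    findings = []
    for ifname, nat_id, src in parse_nat_rules(config):
        rule = f"nat ({ifname}) {nat_id} {src.network_address} {src.netmask}"
        if nat_id != 0 and nat_id not in global_ids:
            findings.append({"rule": rule, "rule_interface": ifname,
                             "expected_interface": ifname,
                             "problem": f"nat id {nat_id} has no matching global pool"})
        if ifname in subnets and overlaps(src, subnets[ifname]):
            continue  # source network really is behind the named interface
        # Work out which interface the source network actually sits behind.
        owner = next((n for n, net in subnets.items() if overlaps(src, net)), None)
        findings.append({
            "rule": rule, "rule_interface": ifname, "expected_interface": owner,
            "problem": (f"source network is directly connected to {owner}, not {ifname}"
                        if owner else
                        "source network is not directly connected to any interface; check routes"),
        })
    return findings


if __name__ == "__main__":
    for f in audit_nat(CONFIG):
        print(f["rule"], "->", f["problem"])
```

Run against the posted config it reports only `nat (Inside) 1 10.41.0.0 255.255.0.0`, pointing at Guest as the interface that owns 10.41.0.0/16; with the corrected `nat (Guest) 1 ...` line it reports nothing. A source network that is routed behind an interface rather than directly connected will show up as the "check routes" case, so treat that finding as a prompt to look at the static routes rather than as a definite error.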

Expert Comment

by:btassure
ID: 37735623
All sorted now?

Author Closing Comment

by:ascendmax26
ID: 37756290
Self-solved.
