ASA5510 not passing traffic

Asked by ascendmax26
Topics: Hardware Firewalls, Networking Hardware-Other
I have an ASA 5510 that I can't seem to get to pass Internet traffic. It's not a complex config so I'm not sure where to look.  I'm not getting any error messages. Just timing out when trying to ping any external addresses, can't resolve DNS, can't bring up web pages.

Config attached:

ASA Version 8.0(5)
!
hostname ASA
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 1.1.1.250 255.255.255.224
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.40.0.10 255.255.0.0
 ospf priority 0
 ospf authentication message-digest
!
interface Ethernet0/2
 nameif Guest
 security-level 50
 ip address 10.41.0.1 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name company.net
object-group network COMPANY2
 network-object 10.40.0.0 255.255.0.0
access-list nonat extended permit ip 10.40.0.0 255.255.0.0 1.2.2.0 255.255.255.0
access-list TUNNEL standard permit 10.40.0.0 255.255.0.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any source-quench
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq www
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq smtp
access-list OUTSIDE_IN extended permit tcp any host 1.1.1.250 eq https
access-list OUT_GUEST extended permit ip any any
logging enable
logging timestamp
logging buffer-size 50000
logging console errors
logging monitor errors
logging buffered errors
logging trap errors
logging asdm errors
logging host Inside 10.200.1.48
logging debug-trace
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip verify reverse-path interface Outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply Outside
icmp permit any unreachable Outside
icmp permit any time-exceeded Outside
icmp permit any Inside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
access-group OUTSIDE_IN in interface Outside
!
router ospf 100
 router-id 4.4.4.2
 network 10.40.0.0 255.255.0.0 area 4
 area 4 authentication message-digest
 log-adj-changes
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.40.0.0 255.255.0.0 Inside
dhcpd dns 4.2.2.2 8.8.8.8
!
dhcpd address 10.41.0.100-10.41.0.200 Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.40.0.1 source Inside
ssl encryption rc4-sha1
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 50
 vpn-idle-timeout 60
 vpn-tunnel-protocol IPSec
 password-storage enable
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TUNNEL
 default-domain value company.net
 split-dns value company.net
 user-authentication enable
 ip-phone-bypass enable
 nem enable
!
class-map INSPECTION
 match default-inspection-traffic
!
!
policy-map type inspect dns DNS
 parameters  
  message-length maximum 1500
policy-map POLICY
 class INSPECTION
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect pptp
  inspect ftp
  inspect icmp
  inspect icmp error
  inspect dns DNS
!
service-policy POLICY global
prompt hostname context
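
A consistency check over the configuration posted in the question, as an added example that is not part of the original post or of any answer to it. It cross-checks the pre-8.3 `nat`/`global` statements against the interface subnets and lists ACLs that are defined but never bound. The function name `lint` and the finding strings are made up for the example, and the findings are observations about the posted lines, not the thread's solution.

```python
import ipaddress
import re

# Excerpt of the configuration posted above: only the lines these checks read.
CONFIG = """\
interface Ethernet0/0
 nameif Outside
 ip address 1.1.1.250 255.255.255.224
interface Ethernet0/1
 nameif Inside
 ip address 10.40.0.10 255.255.0.0
interface Ethernet0/2
 nameif Guest
 ip address 10.41.0.1 255.255.0.0
access-list nonat extended permit ip 10.40.0.0 255.255.0.0 1.2.2.0 255.255.255.0
access-list TUNNEL standard permit 10.40.0.0 255.255.0.0
access-list OUT_GUEST extended permit ip any any
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 10.40.0.0 255.255.0.0
nat (Inside) 1 10.41.0.0 255.255.0.0
 split-tunnel-network-list value TUNNEL
"""

def lint(config):
    """Cross-check pre-8.3 nat/global statements and ACL bindings."""
    findings, subnets, name = [], {}, None
    for line in config.splitlines():
        if m := re.match(r"\s+nameif (\S+)", line):
            name = m[1]
        elif m := re.match(r"\s+ip address (\S+) (\S+)", line):
            subnets[name] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    nats = re.findall(r"^nat \((\S+)\) (\d+) (\d\S+) (\S+)", config, re.M)
    globals_ = re.findall(r"^global \((\S+)\) (\d+)", config, re.M)
    for ifc, nat_id, addr, mask in nats:
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if nat_id not in {g[1] for g in globals_}:
            findings.append(f"nat ({ifc}) {nat_id}: no global uses id {nat_id}")
        for other, subnet in subnets.items():
            if other != ifc and net.overlaps(subnet):
                findings.append(f"nat ({ifc}) {net}: subnet is connected to {other}")
    for ifc in subnets:  # interface that is neither a NAT source nor an egress
        if ifc not in {n[0] for n in nats} | {g[0] for g in globals_}:
            findings.append(f"{ifc}: no nat or global statement")
    used = set(re.findall(r"(?:access-group|nat \(\S+\) \d+ access-list|network-list value) (\S+)", config))
    for acl in sorted(set(re.findall(r"^access-list (\S+)", config, re.M)) - used):
        findings.append(f"access-list {acl}: defined but never applied")
    return findings

print(*lint(CONFIG), sep="\n")
```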