Unable to Access Internet (Cisco ASA 5515)

I am setting up a new to me Cisco ASA 5515 Firewall and I am experiencing issues getting the internet to work, I can see data going outbound with the proper dynamic IP address but nothing comes back in, I have been fighting this for over a week with no success, I have posted my cleansed running config below, if anybody has any ideas what might be wrong it would be great!  Thanks in advance.

Result of the command: "show running-config"

: Saved
ASA Version 9.0(1)
hostname ciscoasa
domain-name mcdonaldwhsl.com
enable password 8CGtiyM0FKPXXGmn encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 description Internet Access
 nameif outside
 security-level 0
 ip address 173.8.xxx.xxx
interface GigabitEthernet0/1
 description Internal LAN
 nameif inside
 security-level 100
 ip address xxx.xxx.1.253
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address xxx.xxx.100.1
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server xxx.168.1.106
 name-server xxx.168.1.3
 domain-name someone.com
object network mapped_IP_pool
object network internal_lan_xxx.xxx.1.100
 range xxx.xxx.1.0 xxx.xxx.1.250
object network mcd_inside_net
 subnet xxx.xxx.1.0
 description Lan1
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group TCPUDP any any eq www
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit icmp any4 any4
access-list outside_access_in extended permit object-group TCPUDP any any eq domain
access-list outside_access_in extended permit object-group TCPUDP any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network mcd_inside_net
 nat (inside,outside) dynamic pat-pool mapped_IP_pool interface dns
nat (outside,inside) after-auto source static any any unidirectional no-proxy-arp
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 173.x.xxx.206 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http xxx.xxx.100.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address xxx.xxx.100.2-xxx.xxx.100.254 management
dhcpd enable management
dhcpd address xxx.xxx.1.100-xxx.xxx.1.250 inside
dhcpd dns interface inside
dhcpd domain mcdonaldwhsl.com interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server prefer
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
: end
Who is Participating?
object network mcd_inside_net
 nat (inside,outside) dynamic pat-pool mapped_IP_pool interface dns

The above seems redundant. this says that for object group mcd_inside_net, nat this from the inside to the outside using pat-pool mapped_IP_pool AND the outside interface with the dns rewrite option selected.

I would think you could change this to

object network mcd_inside_net
 nat (inside,outside) dynamic pat-pool mapped_IP_pool dns

and be good to go. This assumes that your ISP is indeed statically routing addresses contained within the mapped_IP_pool object to your ASA.
Can you ping your next hop router?

FoodcomanAuthor Commented:
Unable to ping my next hop router 173.x.xxx.206

Made change to read as follows, no help

object network mcd_inside_net
 nat (inside,outside) dynamic pat-pool mapped_IP_pool dns
If you're unable to ping your next-hop router, that would be the first place I'd look in to.
FoodcomanAuthor Commented:
I found the issue, apparently our ISP router is not supporting Dynamic address translation, I will have to call them to find out why, after telling the asa to just use the outside ip address all is working now.

Thanks for your assistance, it got me looking at other reasons why.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.