ASA can ping outside, but internal users cannot access internet

What am I missing here? The ASA 5512 can ping 8.8.8.8, but anyone on the inside interface cannot get out. I am rather new to the 8.3+ syntax, so I was wondering if anyone could help me out?


!
hostname AO
domain-name DOAMIN.COM
names
!
interface GigabitEthernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address OUTSIDEIP 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.47.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.40.25
 name-server 8.8.8.8
 domain-name DOMAINNAME
object network obj-192.168.40.0
 subnet 192.168.40.0 255.255.255.128
object network obj-192.168.40.128
 subnet 192.168.40.128 255.255.255.128
object network obj-192.168.47.0
 subnet 192.168.47.0 255.255.255.0
object network obj-172.26.13.16
 subnet 172.26.13.16 255.255.255.240
object network obj-172.26.13.32
 subnet 172.26.13.32 255.255.255.240
object network obj-172.26.13.64
 subnet 172.26.13.64 255.255.255.240
object network obj-172.26.13.112
 subnet 172.26.13.112 255.255.255.240
object network obj-172.26.13.128
 subnet 172.26.13.128 255.255.255.240
object network obj-172.26.13.192
 subnet 172.26.13.192 255.255.255.240
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network obj-remote
 subnet 172.26.13.16 255.255.255.240
object network obj-inside
 subnet 192.168.47.0 255.255.255.0
access-list inside_NAT_outbound extended permit ip 192.168.47.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list 130 extended permit ip 192.168.47.0 255.255.255.128 192.168.40.128 255.255.255.128
access-list 145 extended permit ip 192.168.47.0 255.255.255.0 192.168.40.0 255.255.255.128
access-list 146 extended permit ip 192.168.47.0 255.255.255.0 192.168.40.128 255.255.255.128
access-list 147 extended permit ip 192.168.40.0 255.255.255.128 192.168.47.0 255.255.255.0
access-list 148 extended permit ip 192.168.40.0 255.255.255.128 172.26.13.16 255.255.255.240
access-list 149 extended permit ip 192.168.40.0 255.255.255.128 172.26.13.32 255.255.255.240
access-list 150 extended permit ip 192.168.40.0 255.255.255.128 172.26.13.64 255.255.255.240
access-list 151 extended permit ip 192.168.40.0 255.255.255.128 172.26.13.112 255.255.255.240
access-list 152 extended permit ip 192.168.40.0 255.255.255.128 172.26.13.128 255.255.255.240
access-list 153 extended permit ip 192.168.40.0 255.255.255.128 172.26.13.192 255.255.255.240
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-inside obj-inside destination static obj-remote obj-remote
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-192.168.40.0 obj-192.168.40.0
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-192.168.40.128 obj-192.168.40.128
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-172.26.13.16 obj-172.26.13.16
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-172.26.13.32 obj-172.26.13.32
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-172.26.13.64 obj-172.26.13.64
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-172.26.13.112 obj-172.26.13.112
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-172.26.13.128 obj-172.26.13.128
nat (inside,outside) source static obj-192.168.47.0 obj-192.168.47.0 destination static obj-172.26.13.192 obj-172.26.13.192
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 OUTSIDEGATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set MYSET esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto dynamic-map dynamic-map-ipsec 1 set ikev1 transform-set MYSET
crypto dynamic-map dynamic-map-ipsec 1 set ikev2 ipsec-proposal ESP-3DES-MD5
crypto dynamic-map dynamic-map-ipsec 1 set reverse-route
crypto map TUNNEL_MAP 43 match address 145
crypto map TUNNEL_MAP 43 set peer IP
crypto map TUNNEL_MAP 43 set ikev1 transform-set MYSET
crypto map TUNNEL_MAP 44 match address 146
crypto map TUNNEL_MAP 44 set peer IP
crypto map TUNNEL_MAP 44 set ikev1 transform-set MYSET
crypto map TUNNEL_MAP 65535 ipsec-isakmp dynamic dynamic-map-ipsec
crypto map TUNNEL_MAP interface outside
crypto isakmp identity address
crypto ikev2 policy 1
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.47.50-192.168.47.90 inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
username admini password jBFrHOlRmYIzGm8t encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group IP type ipsec-l2l
tunnel-group IP ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group IP type ipsec-l2l
tunnel-group IP ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3bd363ad798db6f186e13b731fda513
: end
j_crow1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

cat6509Commented:
in 8.2 and earlier you needed to have something like:

nat (inside) 1 0.0.0.0 0.0.0.0


not sure about 8.3 and newer.

and also

interface GigabitEthernet0/0
 shutdown

that will not help you get out - but I am assuming that you knew that was there.
0
j_crow1Author Commented:
Yeah I fixed the 0/0 port shutdown. The NAT commands are all different now...very frustrating.
0
Henk van AchterbergSr. Technical ConsultantCommented:
nat (inside,outside) after-auto source dynamic obj-192.168.47.0 interface
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

j_crow1Author Commented:
Hevnkva - so it will look like the following?

obj-obj-192.168.47.0
nat (inside,outside) auto source dynamic

Is that correct?
0
Henk van AchterbergSr. Technical ConsultantCommented:
No, just enter the line as one in the config mode.
0
fgasimzadeCommented:
Here is a good guide for new NAT configuration for ASA 8.3 >

https://supportforums.cisco.com/docs/DOC-9129
0
j_crow1Author Commented:
Alright the ping works from the internal interface, but I do not get a reponse. Meaning I can ping google.com and it does a DNS lookup, but the pings fail - why would this be?
0
Henk van AchterbergSr. Technical ConsultantCommented:
you will have to inspect ICMP :)

http://www.fir3net.com/Cisco-PIX/pix-asa-how-to-enable-icmp-inspect.html

http://jklogic.net/cisco-asa-and-icmp-configurations/ Solution 3:

Solution 3: This is a bit more complex, but will allow higher security level interfaces to ping/trace route lower security level interfaces without the use of access-lists. To do this, we will tell the ASA to inspect icmp in a service policy. If you are using a ASA, you should have a default policy in the base config called global_policy.
global_policy:

FW-ASA(config)# policy-map global_policy
FW-ASA(config-pmap)# class inspection_default
FW-ASA(config-pmap-c)# inspect icmp
0
j_crow1Author Commented:
The other issue was due to me trying to route all of my traffic to 8.8.8.8

Thank you!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.