No internet access from LAN on ASA5512-X

Posted on 2014-02-24
Last Modified: 2014-02-27
I installed a Cisco ASA 5512-x from factory default. From what i am told nothing special should be required to make the LAN users browse the internet when using security levels. Or am i wrong?

What is wrong with this config?

If i use ping in ASDM i can ping fro WAN interface to external IP, but not from the LAN interface to a public IP.
Using the packet tracer to establish www connection outbound shows no errors.

Thanks in advance.

- - - - - - -

ASA Version 8.6(1)2
hostname ASA5512
enable password crFWG3V1wby.t0u8HC encrypted
passwd 2KasDFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0/0
 nameif WAN
 security-level 0
 ip address 91.X.X.XX
interface GigabitEthernet0/1
 nameif LAN
 security-level 99
 ip address
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/4
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/5
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup WAN
dns domain-lookup LAN
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ISP_gateway
 host 91.X.X.1
pager lines 24
logging asdm informational
mtu management 1500
mtu WAN 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 91.X.X.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http management
http LAN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp WAN
sysopt noproxyarp LAN
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
: end
no asdm history enable
Question by:Jabony
1 Comment
LVL 20

Accepted Solution

rauenpc earned 500 total points
ID: 39885730
The newer code versions of the ASA (8.3+) do not have NAT configured by default. As it stands, you packets are making it to the internet, but with a source of 10.x.x.x they are being dropped. The quickest and simplest way to get your devices on the internet would be:

object network DEFAULTNAT-1
description Object used for the default nat to primary outside
nat (LAN,WAN) dynamic interface

As a small suggestion, name your LAN "inside" and your WAN "outside". If you ever do any copy/pasting of config in the future, 99% of all config examples use these names and you won't have to trudge through the configs making name changes. This is a purely asthetic recommendation; there is no performance or functionality difference. It is also most common to have the inside/LAN interface set to a security-level of 100.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
small, multi network, problem 3 82
Possible RST Flood on IF X0 Sonicwall 6 139
BGP Code 12 41
By pass website on ASA for Websense 4 50
Hello All, I have been training on Multicast for a while now and whenever I start the topic , I find out that my friends /  Colleagues mention that they do not know how to test Multicast Joins. As most of the multicast would be video traffic and …
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now