Solved

No Internet connection via ASA

Posted on 2014-04-12
944 Views
Last Modified: 2014-05-22
Hello,

I am implementing a Cisco ASA 5515 and having trouble connecting to my outside interface (VSAT Internet). I am rather rusty at this; I am sure I am missing something simple, but I cannot seem to get it to work. I am not good with the command line interface, I am using the ASDM, so I would appreciate advice on how to fix this using the ASDM interface.

I have the following interfaces:

1. Outside, security level 100, IP: 212.96.xx.xxx
2. Inside, security level 100, IP: 10.16.1.1

On my firewall setup, I have created a rule to permit traffic from Inside to outside for services ip, tcp, http and the same for the outside to inside.

Am I missing a specific general rule to allow internet traffic to my inside interface?

Thank you for your help.
Question by:MattNiemeyer
21 Comments
 
LVL 6

Expert Comment

by:Hassan Besher
ID: 39995938
Your outside security level should be 0, NOT 100.

Author Comment

by:MattNiemeyer
ID: 39995942
OK, I did try that but same result.
LVL 6

Expert Comment

by:Hassan Besher
ID: 39995943
Could you please give me the result of the #show run command?
LVL 6

Expert Comment

by:Hassan Besher
ID: 39995944
Make sure also that you have a default route.

Author Comment

by:MattNiemeyer
ID: 39995947
Following are the results of #show run:

Result of the command: "show run"

: Saved
:
ASA Version 9.1(1)
!
hostname ESSGASA01
domain-name ESS-GABON
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 212.96.20.150 255.255.255.248
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.16.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 security-level 15
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 8.8.8.8
 name-server 4.2.2.2
 domain-name ESS-GABON
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network WebrootHost1
 host 174.129.28.79
 description Webroot Host1
object network WebrootHost10
 host 50.16.199.22
 description WebrootHost10
object network WebrootHost11
 host 50.16.199.29
 description WebrootHost11
object network WebrootHost12
 host 50.16.199.30
 description WebrootHost12
object network WebrootHost13
 host 174.129.28.79
 description WebrootHost13
object network WebrootHost14
 host 174.129.209.130
 description WebrootHost14
object network WebrootHost15
 host 174.129.209.149
 description WebrootHost15
object network WebrootHost16
 host 174.129.243.180
 description WebrootHost16
object network WebrootHost17
 host 184.169.161.31
 description WebrootHost17
object network WebrootHost18
 host 54.208.19.179
 description WebrootHost18
object network WebrootHost19
 host 54.208.8.241
 description WebrootHost19
object network WebrootHost2
 host 79.125.8.156
 description Webroot Host 2
object network WebrootHost3
 host 79.125.119.170
 description Webroot Host 3
object network WebrootHost4
 host 174.129.28.79
 description WebrootHost4
object network WebrootHost5
 host 174.129.209.149
 description WebrootHost5
object network WebrootHost6
 host 174.129.209.130
 description WebrootHost6
object network WebrootHost7
 host 174.129.209.149
 description WebrootHost7
object network WebrootHost8
 host 174.129.243.180
 description WebrootHost8
object network WebrootHost9
 host 175.41.133.17
 description WebrootHost9
object network WebrootRange1
 range 208.87.136.0 208.87.136.255
 description Webroot Range 1
object network WebrootRange2
 range 208.87.137.0 208.87.137.255
 description Webroot Range 2
object network WebrootRange3
 range 194.116.198.0 194.116.198.255
 description Webroot Range 3
object network WebrootRange4
 range 194.116.199.0 194.116.199.255
 description Webroot Range 4
object network WebrootRange5
 range 175.107.77.1 175.107.77.30
 description Webroot Range 5
object network WebrootRange6
 range 79.125.21.75 79.125.21.79
 description Webroot Range 6
object network WebrootRange7
 range 184.169.163.152 184.169.163.155
 description WebrootRange7
object network WebrootRange8
 range 54.241.1.209 54.241.1.212
 description WebrootRange8
object network Gateway
 host 10.16.1.1
object-group service Webroot tcp
 description Webroot TCP Port
 port-object eq 3128
 port-object eq 8080
 port-object eq www
 port-object eq https
object-group network WebrootTCPIP
 description WebrootTCPIP
 network-object object WebrootHost1
 network-object object WebrootHost10
 network-object object WebrootHost11
 network-object object WebrootHost12
 network-object object WebrootHost13
 network-object object WebrootHost14
 network-object object WebrootHost15
 network-object object WebrootHost16
 network-object object WebrootHost17
 network-object object WebrootHost18
 network-object object WebrootHost19
 network-object object WebrootHost2
 network-object object WebrootHost3
 network-object object WebrootHost4
 network-object object WebrootHost5
 network-object object WebrootHost6
 network-object object WebrootHost7
 network-object object WebrootHost8
 network-object object WebrootHost9
 network-object object WebrootRange1
 network-object object WebrootRange2
 network-object object WebrootRange3
 network-object object WebrootRange4
 network-object object WebrootRange5
 network-object object WebrootRange6
 network-object object WebrootRange7
 network-object object WebrootRange8
object-group service DM_INLINE_SERVICE_1
 service-object ip
 service-object tcp
 service-object tcp-udp destination eq www
object-group service DM_INLINE_SERVICE_2
 service-object ip
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object udp destination eq www
access-list VSAT_access_in extended permit tcp 212.96.20.144 255.255.255.248 object-group Webroot interface inside object-group Webroot inactive
access-list VSAT_access_in extended permit object-group DM_INLINE_SERVICE_2 212.96.20.144 255.255.255.248 10.16.1.0 255.255.255.0
access-list ESSLan_access_in extended permit object-group DM_INLINE_SERVICE_1 10.16.1.0 255.255.255.0 212.96.20.144 255.255.255.248
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static any any unidirectional
access-group VSAT_access_in in interface outside
access-group ESSLan_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.16.1.3 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd dns 8.8.8.8 4.2.2.2
dhcpd update dns both override
!
dhcpd address 10.16.1.220-10.16.1.254 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ESSAdmin password P46xnOa3rkCvbKE4 encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1cfa579a9a30c1438a12b1a0e4d869cc
: end
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 500 total points
ID: 39995955
route outside 0.0.0.0 0.0.0.0 (YOUR DEFAULT GATEWAY)

OR

In ASDM :

http://supportforums.cisco.com/sites/default/files/legacy/2/5/3/72352-Capture.JPG

but replace it with your gateway IP.

Author Comment

by:MattNiemeyer
ID: 39995975
OK, this is where I get a little confused. I have the router that the VSAT vendor provided to us, and it is acting as the gateway 10.16.1.1. I was hoping to replace this router with the ASA and have the modem connect directly to the ASA for the outside interface. What would the default gateway be in this case, as it seems I cannot use an IP that is on an ASA interface?
LVL 6

Expert Comment

by:Hassan Besher
ID: 39995983
OK, how is the old router connected to your VSAT vendor? Is it PPPoE via a modem? If so, you need to get your PPPoE username/password from your VSAT vendor, and here is an example of how to apply the config on the ASA:

http://www.petenetlive.com/KB/Article/0000831.htm

Author Comment

by:MattNiemeyer
ID: 39996100
Currently the Evolution iDirect Satellite Router is connected to the vendor-supplied Cisco 1941 router. I assume that the PPPoE is handled by the iDirect router/modem?

I have attached a diagram to make it more clear what I am trying to do.
LVL 6

Expert Comment

by:Hassan Besher
ID: 39996105
OK, so can you get me the result of the #show run command on the router?

P.S.: I can't see any attached files?

Author Comment

by:MattNiemeyer
ID: 39996164
Please find the following #show run for the router:



Current configuration : 1439 bytes
!
! No configuration change since last restart
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FGL154722QM
!
!
username cisco privilege 15 password 0 cisco
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 212.96.20.150 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 10.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 212.96.20.149

Router#urrent configuration : 1439 bytes
        ^
% Invalid input detected at '^' marker.

Router#!
Router#! No configuration change since last restart
Router#version 15.1
          ^
% Invalid input detected at '^' marker.

Router#service timestamps debug datetime msec
               ^
% Invalid input detected at '^' marker.

Router#service timestamps log datetime msec
               ^
% Invalid input detected at '^' marker.

Router#no service password-encryption
          ^
% Invalid input detected at '^' marker.

Router#!
Router#hostname Router
        ^
% Invalid input detected at '^' marker.

Router#!
Router#boot-start-marker
Translating "boot-start-marker"...domain server (255.255.255.255)

% Bad IP address or host name
Translating "boot-start-marker"...domain server (255.255.255.255)
 (255.255.255.255)
% Unknown command or computer name, or unable to find computer address
Router#boot-end-marker
Translating "boot-end-marker"...domain server (255.255.255.255)

% Bad IP address or host name
Translating "boot-end-marker"...domain server (255.255.255.255)
 (255.255.255.255)
% Unknown command or computer name, or unable to find computer address
Router#!
Router#!
Router#!
Router#no aaa new-model
          ^
% Invalid input detected at '^' marker.

Router#!
Router#no ipv6 cef
          ^
% Invalid input detected at '^' marker.

Router#ip source-route
        ^
% Invalid input detected at '^' marker.

Router#ip cef
        ^
% Invalid input detected at '^' marker.

Router#!
Router#!
Router#!
Visio-Proposed-Network-diagram.pdf
LVL 6

Assisted Solution

by:Hassan Besher
Hassan Besher earned 500 total points
ID: 39996240
That's OK. I see all you need, besides your previous config in your ASA, is to add a default route to 212.96.20.149, like I showed you before.

Try to add it and test internet connectivity.

Author Comment

by:MattNiemeyer
ID: 39996249
Thanks, I added the static route from the 'outside' interface with gateway IP 212.96.20.149. I can ping 8.8.8.8 from within the packet tracer in ASDM, however, I still can't access the internet from the inside network?
LVL 6

Expert Comment

by:Hassan Besher
ID: 39996262
I think it's your NAT config, let me check!

Author Comment

by:MattNiemeyer
ID: 39996267
For now, just open access to the internet for users inside. I plan on a site to site VPN later, but for now, just want to put the ASA in place of the existing router.
LVL 6

Expert Comment

by:Hassan Besher
ID: 39996273
So everything is working now?!!

You can reach the internet from the ASA and from the internal network?

Author Comment

by:MattNiemeyer
ID: 39996276
From the ASA yes, but not from the internal network. Can't figure out why.
LVL 6

Accepted Solution

by:
Hassan Besher earned 500 total points
ID: 39996283
add the following commands:
no nat (outside,inside) source static any any unidirectional
object network Inernal-10.16.1.0
 subnet 10.16.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
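
The two fixes in this thread, the default route from Hassan Besher's assisted solution above and the NAT rewrite in the accepted solution, can both be checked mechanically from a "show run". The following Python script is an added example, not code from the thread or from Cisco: it parses the interface, route, twice-NAT and object-NAT sections of a running-config and reports the three conditions discussed here, namely an outside security-level other than 0, no default route on the outside interface, and NAT written as (outside,inside) instead of (inside,outside). The two embedded configs are constructed excerpts modelled on the question; the object name Internal-10.16.1.0 is ours, not the one used in the accepted solution. It assumes the one-space indentation ASA uses in "show run" output.

```python
# Audit an ASA 9.x "show run" for the three problems worked through in this thread:
# outside security-level not 0, no default route, and NAT pointing the wrong way.
# Constructed example; not code from the thread or from Cisco.


def parse_running_config(text):
    """Extract interfaces, static routes, twice NAT lines and object NAT from show-run text."""
    cfg = {"interfaces": [], "routes": [], "twice_nat": [], "object_nat": []}
    current_if = current_obj = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("!", ":")):
            continue
        words = raw.split()
        if not raw.startswith(" "):
            # A non-indented line ends whatever interface/object section was open
            # (ASA indents sub-commands with a single space).
            current_if = current_obj = None
            if words[0] == "interface":
                current_if = {"name": words[1], "nameif": None, "security_level": None, "ip": None}
                cfg["interfaces"].append(current_if)
            elif words[:2] == ["object", "network"]:
                current_obj = {"object": words[2], "subnet": None, "rule": None}
            elif words[0] == "route" and len(words) >= 5:
                cfg["routes"].append({"iface": words[1], "dest": words[2], "mask": words[3], "gateway": words[4]})
            elif words[0] == "nat":
                cfg["twice_nat"].append(raw.strip())
            continue
        if current_if is not None:
            if words[0] == "nameif":
                current_if["nameif"] = words[1]
            elif words[0] == "security-level":
                current_if["security_level"] = int(words[1])
            elif words[:2] == ["ip", "address"]:
                current_if["ip"] = words[2]
        elif current_obj is not None:
            if words[0] == "subnet":
                current_obj["subnet"] = f"{words[1]} {words[2]}"
            elif words[0] == "nat":
                current_obj["rule"] = raw.strip()
                cfg["object_nat"].append(current_obj)
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the three checks passed."""
    findings = []
    by_nameif = {i["nameif"]: i for i in cfg["interfaces"] if i["nameif"]}
    if "outside" not in by_nameif or "inside" not in by_nameif:
        return ["need both an 'outside' and an 'inside' nameif to run the checks"]
    outside = by_nameif["outside"]
    if outside["security_level"] != 0:
        findings.append(f"outside security-level is {outside['security_level']}, expected 0")
    has_default = any(r["iface"] == "outside" and r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"
                      for r in cfg["routes"])
    if not has_default:
        findings.append("no default route: add 'route outside 0.0.0.0 0.0.0.0 <ISP gateway>'")
    for rule in cfg["twice_nat"]:
        if rule.startswith("nat (outside,inside)"):
            findings.append("twice NAT is outside->inside, so inside hosts are never translated: " + rule)
    egress = [o["rule"] for o in cfg["object_nat"]] + cfg["twice_nat"]
    if not any(r.startswith("nat (inside,outside)") for r in egress):
        findings.append("no nat (inside,outside) rule: inside hosts leave with private source addresses")
    return findings


# Constructed excerpt modelled on the state described in the question (before the fixes).
BEFORE_CONFIG = """\
interface GigabitEthernet0/1
 nameif outside
 security-level 100
 ip address 212.96.20.150 255.255.255.248
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.16.1.1 255.255.255.0
!
nat (outside,inside) source static any any unidirectional
"""

# The same excerpt with the default route and the accepted NAT fix applied
# (object name is ours, not the thread's).
AFTER_CONFIG = """\
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 212.96.20.150 255.255.255.248
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.16.1.1 255.255.255.0
!
object network Internal-10.16.1.0
 subnet 10.16.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 212.96.20.149
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit(parse_running_config(text)) or ["ok"])
```

Run against the "before" excerpt it reports four findings (security-level, missing route, wrong-direction twice NAT, no egress NAT); against the "after" excerpt it reports none. It only looks at the three conditions from this thread, so a clean result says nothing about the access-lists applied to the interfaces.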

Author Comment

by:MattNiemeyer
ID: 39996292
It Works! Thank you so very much!
LVL 6

Expert Comment

by:Hassan Besher
ID: 39996301
You're welcome, glad I could help :)

Expert Comment

by:ScreenFox
ID: 40083079
Hi:

I have the same problem. I can ping the internet just from the device, but not from my LAN.

I have no access rules or NAT rules configured.

If I'm not wrong, you did not mention that an access rule was needed, right?

How should I setup the NAT rule?