ASA not passing traffic from inside interface to outside

I can't get traffic from devices on the inside interface out of this ASA and on to the Internet.  The outside interface is on the Internet.  From the ASA console I can successfully ping 8.8.8.8.  

From a machine connected to the inside interface I can ping the inside interface but I can't ping 8.8.8.8 or anything else on the Internet.  I've also tried telnet to port 80 of various websites and can't reach those either so both ICMP and IP are failing.

show access-list doesn't show any hits on the Inside_access_in ACLs.

This config started out as an 8.2(5) config and was morphed to 9.1(5) using the ASDM tool.

Thanks one and all for your help.
labdunn Asked:
 
James Hood, Assistant Technical Manager (IT Infrastructure), Commented:
Hi,
It looks like your dynamic NAT to translate inside to outside is mis-configured. Currently you have:

object network obj_any
 subnet 0.0.0.0 0.0.0.0

and
object network obj_any
 nat (inside,outside) dynamic interface


If you need to identify the object "obj_any" as 0.0.0.0 0.0.0.0 (i.e. everything) I would simply leave that "as-is" and put another network object entry in to manage the inside-to-outside dynamic NAT, something like this:

object network inside-network
 subnet 172.16.190.0 255.255.255.0
 nat (inside,outside) dynamic interface


You'll see the difference in that your inside network is identified by its IP subnet, which therefore makes it "interesting" traffic that the firewall has to do something with.

Assuming your default route is correct this should sort the problem based on your current config.

Hope this helps.

James.
 
James Hood, Assistant Technical Manager (IT Infrastructure), Commented:
Hi, please could you post a copy of your current config and I'll fault find it for you.

Cheers.
 
labdunn (Author) Commented:
Sorry, I thought I had uploaded the file with my original question. I'll do so now. Thanks.
5510-04162015.txt
 
labdunn (Author) Commented:
Hi James

Thank you for the help but I think I need more.  So I removed the subnet 0.0.0.0 0.0.0.0 and replaced it with subnet 172.16.160.0 255.255.255.0.  Still can't ping 8.8.8.8 from the inside interface.  I am able to ping 8.8.8.8 directly from the ASA so I think the default route is not the issue.

Here's the rest of the story. I am not onsite with this ASA 5510. The configuration I'm trying to set up is a remote ASA5505 that uses the EZVPN to connect to the ASA5510. All traffic from the 5505 is being tunneled to the 5510. I am testing from the inside interface of the remote 5505. My subnet on the inside interface of the 5505 is 172.20.120.148/29.

I have tried both subnet 172.16.190.0 255.255.255.0 and subnet 172.20.120.48 255.255.255.248 but can't get traffic through the outside interface with either.

I am able to reach other devices on the inside interface of the 5510 across the VPN tunnel.

Bill
 
labdunn (Author) Commented:
James, your solution didn't fix the problem (because I didn't give you the full details) but it did get me headed in the right direction. I added an object network for the subnet assigned to the inside interface of the 5505's and nat (outside,outside) dynamic interface and that got it working as desired.

Thank you for your help.
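
The following Python script is an added illustration, not code from the thread or from Cisco. It models object NAT matching in simplified form (source subnet plus real/mapped interface pair only) to show why tunneled traffic that enters and leaves the 5510 on the outside interface matched no `(inside,outside)` rule until an `(outside,outside)` rule was added. The object name `remote-5505-inside` and the test host addresses are assumptions; the subnets are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample config: the object NAT quoted in the thread ...
BEFORE = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network inside-network
 subnet 172.16.190.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network obj_any
 nat (inside,outside) dynamic interface
"""
# ... plus the fix described above (object name is hypothetical).
AFTER = BEFORE + """\
object network remote-5505-inside
 subnet 172.20.120.48 255.255.255.248
 nat (outside,outside) dynamic interface
"""

NAT_RE = re.compile(r"nat \((\S+?),(\S+?)\) dynamic interface")


def parse_object_nat(config):
    """Return [(name, network, real_ifc, mapped_ifc)] for dynamic object NAT."""
    objects, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["object", "network"]:
            name = words[2]
            objects.setdefault(name, {})  # an object may span two stanzas
        elif name and len(words) == 3 and words[0] == "subnet":
            prefix = bin(int(ipaddress.IPv4Address(words[2]))).count("1")
            objects[name]["net"] = ipaddress.ip_network(f"{words[1]}/{prefix}")
        elif name and (m := NAT_RE.search(line)):
            objects[name]["nat"] = m.groups()
    return [(n, o["net"], *o["nat"]) for n, o in objects.items()
            if "net" in o and "nat" in o]


def matching_rules(config, src_ip, ingress_ifc, egress_ifc):
    """Objects whose NAT rule covers src_ip for this ingress/egress pair.

    Simplified model: ignores twice NAT, rule ordering and ACLs.
    """
    src = ipaddress.ip_address(src_ip)
    return [n for n, net, real, mapped in parse_object_nat(config)
            if real == ingress_ifc and mapped == egress_ifc and src in net]
```

Traffic that enters and leaves on the same interface also requires `same-security-traffic permit intra-interface` on the ASA; the thread does not show whether that command was already present.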
 
James Hood, Assistant Technical Manager (IT Infrastructure), Commented:
Glad you got it working in the end! :)

All the best, James.
Question has a verified solution.