Chris Collins
asked on
Cisco ASA 5505 - No Internet access
Hello -
I presently have a Cisco ASA 5505 (running ASA version 8.2(1) ) sitting behind my Comcast Business gateway. I have a static public IP through Comcast. The Comcast gateway is in pass-through mode (i.e. its LAN DHCP, WiFi, and MoCa are turned off).
I have configured my Cisco with the necessary VLANs and interfaces such that I have an inside network of 10.0.10.xxx and a DMZ of 192.168.10.xxx.
I am fairly certain that I have the correct NAT and ACL settings done.
From the ASA, I can successfully ping my Comcast static IP and the Comcast gateway address - but nothing else. And, of course, any client devices connected to either the ASA's inside interfaces or DMZ cannot access the Internet.
FWIW, I have also checked with Comcast to make sure there are no compatibility issues with their device and Cisco ASAs (because I'm only getting an orange LED on the Comcast gateway's Ethernet port - no green link light). The ASA is set to auto duplex and speed.
If I configure a laptop with the static IP and plug it directly into the Comcast gateway, it works fine.
I have attached a text file with my ASA configuration.
Can anyone suggest a possible fix?
Thanks much.
ASA5505_Config.txt
Can you include the route statements in the configuration?
ASKER
That would be the output of a
sh route
command, yes?
I am away from the office now but can do it in the morning. Thanks.
Either "show route" or "show run | in route" should work, thanks
ASKER
Here is the output of show run | in route
show run | in route
ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 23.24.87.213 1
Hope this helps.
Thx.
Okay, I think that's your problem, you don't have any routes for your inside/dmz networks.
You should have statements like "route inside 10.0.10.xxx x.x.x.x" and "route dmz 192.168.10.xxx x.x.x.x" and so on.
ASKER
Aha! That does make sense.
I will add those routes and update the topic with the results shortly.
Thank you.
ASKER
Okay, I have added the static routes you mentioned. Output of sh run | in route now looks like this:
sh run | in route
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 10.0.10.0 255.255.255.0 xx.xx.xx.xx 1
route dmz 192.168.10.0 255.255.255.0 xx.xx.xx.xx 1
I have redacted my public IP, but this is essentially what my route statements look like.
Still no Internet connection.
Any thoughts?
Thanks much! :-)
Ya, you shouldn't be using your public IP as the gateway for these statements, it should be the next hop. So let's say your inside router had an IP address of 10.0.0.1, the statement would be "route inside 10.0.10.0 255.255.255.0 10.0.0.1 1".
ASKER
Forgive my ignorance. I should probably be better at this than I am.
As my ASA sits behind a Comcast Gateway in pass-through mode, wouldn't the next hop be the outside interface of the ASA ( which is presently configured with the static public IP)?
The Comcast is your gateway to the outside world, but it's not your gateway to your inside or dmz networks. Basically you have to tell your ASA how to get to those networks. So it needs to know the IP Address of the router to send the traffic to.
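The expert's point above (the last field of a `route` statement is the next-hop router on that interface's own subnet, not the ASA's own public IP) can be checked mechanically before a route is committed. The script below is an added example written for this thread, not code from the thread or from Cisco. It parses `show run | in route` output in the format shown earlier and flags routes whose next hop is the ASA's own interface address or lies outside the egress interface's subnet; it also notes routes for networks the ASA already reaches as directly connected. The interface masks, the public IP (203.0.113.x, a documentation range) and the sample route lines are constructed placeholders standing in for the redacted values in the thread.

```python
import ipaddress
import re

# Interface addressing as described in the thread. The outside address and mask
# are constructed placeholders; the real public IP was redacted by the asker.
INTERFACES = {
    "outside": ipaddress.ip_interface("203.0.113.10/29"),  # placeholder public IP
    "inside": ipaddress.ip_interface("10.0.10.1/24"),
    "dmz": ipaddress.ip_interface("192.168.10.1/24"),
}

# Constructed sample of `show run | in route` output, mirroring the second attempt
# in the thread where the ASA's own public IP was used as every next hop.
SAMPLE_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
route inside 10.0.10.0 255.255.255.0 203.0.113.10 1
route dmz 192.168.10.0 255.255.255.0 203.0.113.10 1
"""

# route <interface> <network> <mask> <next-hop> [metric]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_routes(text):
    """Turn ASA `route` lines into dicts with ipaddress objects; skip other lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        ifname, net, mask, next_hop, metric = m.groups()
        routes.append({
            "interface": ifname,
            "network": ipaddress.ip_network(f"{net}/{mask}", strict=False),
            "next_hop": ipaddress.ip_address(next_hop),
            "metric": int(metric) if metric else 1,
        })
    return routes


def check_routes(routes, interfaces):
    """Return (route, reason) pairs for routes that cannot work as written."""
    findings = []
    for r in routes:
        iface = interfaces.get(r["interface"])
        if iface is None:
            findings.append((r, "route names an interface that is not configured"))
            continue
        if r["next_hop"] == iface.ip:
            # The ASA cannot forward to itself; the next hop must be another device.
            findings.append((r, "next hop is the ASA's own interface address"))
        elif r["next_hop"] not in iface.network:
            # The next hop has to be reachable on the egress interface's subnet.
            findings.append((r, "next hop is not on the egress interface's subnet"))
        if r["network"] == iface.network:
            # The interface subnet is already a connected route; a static entry is redundant.
            findings.append((r, "network is directly connected; no static route needed"))
    return findings


if __name__ == "__main__":
    for route, reason in check_routes(parse_routes(SAMPLE_ROUTES), INTERFACES):
        print(f"{route['interface']:8} {route['network']!s:20} via {route['next_hop']}: {reason}")
```

Run against the sample, the default route passes (its next hop sits on the outside subnet) while both the inside and dmz entries are flagged twice: the next hop is off-subnet, and the prefix is one the ASA already has as a connected route. A route such as `route inside 10.0.20.0 255.255.255.0 10.0.10.254 1`, pointing at a router on the inside subnet, produces no findings.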
ASKER
Or, would it be Comcast's gateway address (the one whose last octet is one digit different than my static public IP)?
ASKER
Sorry, I am so confused.
So, my inside interface is 10.0.10.1 - thus the devices on my LAN all have addresses in the 10.0.10.0 network range.
My DMZ interface address is 192.168.10.1 - so any devices connected to the DMZ have addresses in the 192.168.10.0 network range.
Aside from the static public IP, which is being passed through to the outside interface of my ASA, there are no other addresses or address ranges in operation.
So I guess I'm just not sure what address I would list in the final position of the route statement.
Sorry... and thanks again for your patient tutelage.
what device is physically connected to the inside interface on your ASA?
ASKER
A 24 port switch to which all of the computers on my LAN are wired. Although, in the process of troubleshooting this, I have also removed the switch and connected my laptop directly - with its ethernet adapter set to obtain its address via DHCP.
From the laptop (or other connected devices when the switch is in place) I can ping my static public IP and Comcast gateway address... but no other public addresses. And I cannot access any websites.
Hope this helps.
ASKER CERTIFIED SOLUTION
ASKER
Ok, this is solved. Woot woot!!!
Thank you for your patience and insight. I know just enough about hardcore networking and Cisco ASA configuration to be a danger to myself and my LAN! LOL!
The correct route statement ended up being:
route inside 10.0.10.0 255.255.255.0 xx.xx.xx.xx 1
(where the redacted IP is that of Comcast's gateway address - i.e. not my static public IP but the GW address they provide to customers who order static IPs).
Thanks so much for all your insight. It really helped.
ASKER
You rock!! Thanks. :-)
Glad it's working for you