Cisco Firewall :: ASA 5505 - Nat Can't Ping Internet
Jun 17, 2012
I am trying to configure Nat on a clean ASA 5505, but can't get it to work. I ran the commands below. On the ASA I can ping the internet and inside vlan ip. On my laptop I can ping the ASA inside vlan ip, but I can't ping the outside vlan ip. From another network I can ping the ASA outside public ip. Is there an access-list that denies inside from accessing outside?
I am running version 8.4(3) and I erased the existing configuration.
I have setup 5505 ASA for Testing purposes. It has static route to layer 3 switch on outside interface that goes to the internet.
ciscoasa# sh route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
I have a ASA 5505. I want to be able to ping from my workstation to some address, lets say [URL]. My workstation is connected to Ethernet 0/2. I have tried playing around with the ACL but am not able to accomplish this.
Result of the command: "show running-config" : Saved:ASA Version 8.2(1) !hostname ciscoasadomain-name home.7vnmotorsports.com
We want to use an ASA as a pure routing device. Our network has several internal subnets (10.1.x.0/24), and we want to be able to reach them from outside and to allow access between them.
We have a defined a VLAN for each subnet range with the same security-level, added it to an Ethernet port and made the Ethernet that acts as outside as a trunk, and defined it as the global routing.
We cannot ping any of the subnet IPs defined in the ASA from outside nor we can ping it from the internal IP addresses.
I have 2 ASA and would like to build a Side-to-Side VPN between these ASA. So I can learn something about configure a ASA for different thinks. But now I don`t can Ping from a Client to the Internet-Router.My Configuration is:
I have been tasked with replacing our company eSoft router with a Cisco ASA 5505 with the upgraded security license. I have been working on the configuration for a couple of weeks now, after reading hundreds of forum posts, watching youtube videos, and endless google searching, and despite my best efforts I am still having an issue I can’t figure out.
I have a couple of subnets, that when the ASA is connected, I cannot ping, nor can they get to the internet or our Exchange server. At this point I’m not sure if it’s an access rule issue, NAT issue, or DNS issue.
Here is the network layout:
ASA: 192.168.0.2 (Primary Gateway) 192.168.0.0 (Primary facility, ASA is the gateway) 192.168.2.0 (Second facility, connected via Verizon point-to-point) 192.168.3.0 (Third facility, connected via Verizon point-to-point)
I am trying to troubleshoot an ASA5505 connectivity issue. My initial tests are to ping the Internet router from the ASA This is failing and also a sh arp only shows internal addresses.
I have to go to site to check this out to confirm the following.
1: Should I be able to ping the Internet router from the ASA?
2: Do I need to permit any icmp to do this?
3: Should a sh arp show the address of the internet router?
I tried entering the command permit icmp any outside
However I got the error route already exists 0.0.0.0/0.0.0.0
I have a Cisco ASA 5505, the problem is I am not able to ping to outside natted interface (ip: 172.88.188.123 and 124 and 125) from inside network I have looked for ASA documentation through the internet and still got nothing.
I have a new ASA 5505 and all is working fine, I can CLI and ASDM into it, but just can't ping the inside interface, do I need to enable a feature to make this work somehow?
I've configured a 5505 but internal clients can't ping external ip. To test I've connect a pc with the ip of the default router on the Outside int the ASA can ping the PC and the PC can ping the ASA, but internal clients can't ping the PC
PC config 195.12.23.241/28
Here's the ASA config, so far I've wiped the ASA and started with a blank sonfig and built it up but still not working.
I configured a new Asa 5505 with Ios 8.44-1-k8.bin and when I installed the Asa the client's after about 1 hour were unable to ping or map drives to the Asa. I got the following error,%ASA-2-106007: Deny inbound UDP from XXXX to XXXX due to DNS Query. I added the command same-security-traffic permit intra-interface they were then able to ping the server and connect to the Internet, but still unable to map drives i could see the connections from the Pc's to the server in a show conn with was tcp port 445 with Saa? I reverted back to Ios 8.25 and everything works.
I have an ASA 5505 that I'm trying to set up a guest network on. I've configured an interface as a trunk and allowed the 2 vlans but I'm not getting any layer 3 to it. The switch connected to it is a 3560 and port is configured as a trunk with the same vlans.
I can't ping the ASA inside interface but I see its MAC address in the swtich's table.
Before upgrading to 8.4(4)1 I was able to ping our inside interface accross the VPN. Now I cannot. Because ping is not working, my SNMP server thinks that the device is offline however I know the VPN tunnel is still up and the remote branch office is working fine. Here is the config of the branch office ASA 5505 in question. How to get icmp working again?
ASA Version 8.4(4)1 ! hostname BranchASA5505 domain-name houston.deh
I have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209). There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC 10.51.253.210 cannot get out
Internet ISP -> Juniper SRX 210 Ge-0/0/0 Juniper fe0/0/2 -> Cisco ASA 5505 Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30) 2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA. 2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop. 3. Allowed all services in untrust zone in bound traffic in Juniper SRX. 4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
setting up an ASA 5505 to be used as a firewall between a BT internet router(BTNet service) and a Cisco 3560 Lan switch. BT have presented me with a cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 Gigethernet ports on the back of the router port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int ge0/1 is connected into port int e0/1 of the ASA but i am unable to get any connection.
I have recently made some chages to my ASA 5510 (not sure what) I was previously able to ping url... and I am now not able to ping anything on the Internet, but The Internet connectivity work perfectly.
Switching out a 5510 as our primary firewall with a 5520. I've essentially copied the working config from the 5510, and put it on to the 5520, making small changes where necessary. Plug everything. I cannot get out to the internet.
Facts:
-All interfaces have no shut on them -No machine can ping out to the internet gateway -All machines can ping out to the inside interface of the firewall -It's not a problem with the internet because I can take a laptop, enter in our outside interface information, plug it into the internet gateway, and I can get out to the internet just fine.
I am trying to configure DMZ on ASA 5505, basic license. After changes I have made I cannot access Internet from DMZ. I think I am missing an access list for DMZ, but I am not sure.
I have basically started fresh, from a clean image. We bought these with the expectation that we would be able to configure them using the GUI for what we need, which up till this point doesn’t seem to be the case.I will tell you how I have this setup, I have our ADSL going to a modem acting as a bridge with a static IP supplied by the ISP. If i connect a laptop to that modem and set the static ip on the laptop, I get internet access fine.So I then connect the modem to ethernet0/0 and the laptop to ethernet 0/1 I connect to the ASDM and run the startup wizard with the following:
· Outside ip : 87.87.87.87 255.255.252.0 (this works on the lappy straight to the modem) · Inside ip : 192.168.10.1 255.255.255.0 · No dmz
I have a 5505 ver 8.2 connected to a router with a T1 internet connection. There was a problem with the internet service and when it was resolved the ASA did not pass traffic to the internet until it was power-cycled. Unfortunately that's all the info I have, as I was not onsite and couldn't access the ASA.
I have not been having much success configuring my 5505 for Internet access, and I'm sure there are a few small things I'm missing. At times I believe I got it to the point where I could ping, but still not pass through the Internet traffic. At this point, I reset the 5505 and only changed a couple of settings. I have an external range with these characteristics: Network Address 67.139.113.16 (.17 is Gateway), SM: 255.255.255.248, available IP: 67.139.113.218 The external connection is through a T1 modem, and when I put those settings in my laptop, I can access just fine. When I went through the startup wizard in the ADSM, I maded the internal interface 10.209.0.3, subnet mask: 255.255.255.0 I selected PAT in the Wizard, but don't know if I should have, or if the NAT rules I tried to put in are fine. Eventually I want to add a Site to Site VPN to the rest of the 10.0.0.0 network, but I can't even pass the Internet through to the inside. Also, this will eventually be behind another hosted firewall, so I'm not worried about restricting access, even currently. However, I suspect the problem is that traffic is being blocked with the NAT rules or Access rules.I wish I could just disable those inherent deny rules Outside of pings to 10.209.0.3, all pings come back as request timed out.
I have an ASA 5505 behind my internet router. i have got only one public ip configured on the router outside interface.192.168.20.0/24 subnet is configured between ASA and router and inside network is 192.168.10.0/24 (Refer the attached diagram).
I have exposed my mail server and ftp server to public through static PAT in router and ASA with the same public on router outside interface. Iam facing issue some of the machines inside my network internet is not working(actually DNS is not resolving) some of the PC's internet is working fine some of the PC's randomly working. i have attached the diagram and ASA config , after this issue is sorted out i need to configure a L2L VPN to my head office.
I have a Cisco ASA 5505 that has been configured to act as a router as well. I have configured 3 VLANS that have access to the internet. For some reason the "InsideWifi" and the "Guest" VLANS have very slow internet speeds and sometime web pages wont finish loading properly. The "Inside" VLAN gets the speeds that are expected. The DNS server does reside on the "Inside" VLAN. Is there anything wrong with my configuration that would cause the internet speeds on the other VLANS to be slow? My config is attached.
We currently use a linux software based firewall called IPCop that sits between our network and router (This is in bridged mode) IPCop conects over PPPoE and everything works fine.
However the system is not reliable and I fear not that secure so have purchased an ASA5505 now I have added the PPPoE info to the device using the ADSM software however although it picks up my external static IP I'm unable to access the internet. On IPCop I only had to enter the broadband credentials and it worked however I feel like I may have to add more to the Cisco, for example do I have to specify DNS servers and do I have to set a static route?
Here is my config file so far (Note I think I have turned on the ability to ping from internal to external). My config I have done through the ADSM as opposed to the CLI
I'm trying to allow SSH traffic from the Internet to my DMZ. I gave my remote guy my ip and he can see the ASA 5505 but not get into the DMZ. The outside is 70.165.19.137. The DMZ server is 192.168.60.2. I have the inside talking to the DMZ fine. [code]