Cisco Firewall :: Unable To Connect To Internet With ASA5505
Mar 13, 2011
Recently, I have bought an ASA 5505 firewall which I have tried to connect to my ADSL router (Modem).It is now more than a week that I am trying to get internet connection through the firewall but I still can't succeed. I have tried many advices I get from this community but I still don't know what is wrong with my ASA Firewall configuration. From inside I am able to ping the inside and outside interface with a great success. and from my laptop which is connected to the firewall, I am able to ping the both interfaces (inside and outside) but still I can't access the internet.
As I don't have a static IP address from my ISP, I have configured the outside interface to pick up the ip address dynamically. Most of the time, the outside interface get the 192.168.1.2 ip address. [code]
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
hostname Firewall
interface Ethernet0/0 description Connected To Internet Router switchport access vlan 10
Internet ISP -> Juniper SRX 210 Ge-0/0/0 Juniper fe0/0/2 -> Cisco ASA 5505 Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (8.8.8.8).
Issue:
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30) 2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA. 2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop. 3. Allowed all services in untrust zone in bound traffic in Juniper SRX. 4. Viewed the logs when I was trying the ping 8.8.8.8 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
However, whenever I try and run the ASDM client, I get the following error:
"Your ASA image has a version number 8.4(4)1 which is not supported by ASDM 6.2(1)."
How do I get the latest version installed on my Mac desktop? I know that I can connect via the web interface and run the ASDM client, but the same error persists. I have the asdm-649-103.bin file, but cannot connect to the ASA to install (I don't recall ever setting up SSH).
I've been struggling with gaining access to the inter through our Comcast business gateway. We have had Comcast configure the device fro true static IP subnetting. Turned of local DHCP on the device etc. Here is my config.
I have an unusual issue, for which I can find nothing on the net similar.
Setup:
ASA5505 = > CISCO3524 => Windows 2012 server
ASA is internet edge with ACL / NAT implemented.
We are wanting to implement inbound NATs for this server - 3389. We have many other servers on the internal side of this ASA that we are NATing to. Creating NATs using the same outside IP to another server is fine, no issues. This other test server resides on the same VLAN as the windows 2012 server. All IPv6 is turned off on the W2012 server, and it can web-browse out via the ASA as well. No matter what I do, however I cannot get iinbound NAT, on ANY port to this server working. Internally from another server to this server on any port is fine, i.e. we can RDP to this server without issue, so we know this works - the firewall on this server is turned off too. This is our ONLY w2012 server on the internal side. When we run a wireshark on the server whilst testing the NAT there is no traffic, so its getting blocked somewhere.
The config of the ASA is fairly big to to santize it and remove all customer reference would take a while to make display of this secure difficult.
I have an ASA5505 running ver 8.0(2). I have configured the ssh timeout, ssh host commands and did the crypt o key gen. I am unable to access the device from the host I am allowing. Is there like ca save all command required? I am trying to use the default pix and telnet password. Do those still work?
I'm unable to have any internet connection for my new setup.
here's the overview.
Current setup is
Internet -> Router -> PIX 501 -> Switch -> clients
Internet -> static ip given is 210.193.34.1 - 210.193.34.6 Router -> Static ip assigned for NAT/External is 210.193.34.1, Local ip is 192.168.1.246 PIX 501 setting -> IP to Router, According to router screen is 210.193.34.2, but not sure what settings are done in the PIX itself as I'm unable to access it.
local ip is 192.168.1.1 Clients - > 192.168.1.0
Old setup is working fine and connected to internet. for the new setup, as i do not want any downtime for the old setup. As you can see, there are two firewalls connected concurrently to the router. I've configured it this way.
Internet -> Router -> ASA 5505 -> Switch -> clients
ASA 5505 setting -> IP to Router NAT/External/ Outside Interface, 210.193.34.6 (Or do i set as 192.168.1.0?), local ip/ Inside Interface is 192.168.2.1 Clients - > 192.168.2.0
some setup details. security policy, NAT, set to default. routing is route outside 0.0.0.0 0.0.0.0 210193.34.6
I'm unable to access after a week of troubleshooting.
Ths only hapeens at one location. All the other locations are working the difference is this location goes through the firewall. If I bypass the firewall at this location it works.
Recently installed an ASA5505 for a client. They have Verizon DSL (7mb down, 384up package). So my config is Verizon (Westell) DSL modem connected to e0/0 (VLAN2) of ASA. From there I have e0/1 (VLAN1) connected to a 3COM 2250 Plus 50 port switch.
Since installing the ASA client has been complaining of a major slow down in Internet speed. Contacted ISP and they had me remove the firewall from the equation and hook modem directly to laptop. With this setup I get between 6-7mb download speeds. When I put the ASA back into the mix though, the speed drops significantly. The speed will varry but 90% of the time they do not even get 1mb download speeds.
The configuration is pretty straight forward, not doing a whole lot with the box other then using it for VPN (IPSEC).
I have the below configuration for a cisco asa 5505. There is a ADSL router in front of the ASA which has a static IP. I set up a remote-access VPN (using the wizard), but I cannot connect to the ASA firewall as the attached VPN client log shows. My only concern is that there might be something missing, ie a static route that goes to the inside interface. [code]
There is web server at the internet. The firewall ASA5505 is located at the inside edge of the edge router and the internet is at the outside edge router of the edge router. The router has already been configured can route the outside network of firewall to internet. [code]
1. I have a host at the DMZ zone of firewall and if it wants to access this web server by http, the following command lines to be added to ASA5505 good enough and anything wrong with them? [code]
2.I have a doubt here that do I need to add any command line related to the Static Mapped address of 192.168.20.10/24 like below?
access-list Outside_DMZ extend permit tcp any 192.168.20.10 255.255.255.0 eq 80.whereby the 192.168.20.10 is the static mapped address of the Host at the DMZ to Outside Nertwork. Or, any other command related with the Static Mapped address have to be added?
I would hereby like to inform if it is possible to configure the Cisco ASA5505 firewall to route internet via an external VPN, while a laptop and smartphone connect to the firewall via Cisco AnyConnect VPN.
The configuration would result into: Laptop on public internet -> Cisco ASA5505 VPN -> External VPN (Unix server) -> internet.
I am a beginner to ASA. I am trying to connect the ASA 5505 behind the netgear ADSL router which is getting dynamic IP address from the ISP. How to configure the ASA5505 outside interface for SSL VPN connectivity?
I have been working on a configuration for single IP address (on outside ) of ASA5505.I am trying to utilize the outside address 192.168.0.249 to PAT/NAPT to 10 inside machines [code]
What I am not sure of (actually that could be considered all encompassing) is the mapped services/real services.Any constructive comments assistance?
I have a ASA5505 and I'm having trouble to achieve the following setup, block any kind of connection from outside except for IIS on port 80 and 443 but allow from the server to access any outside address, by domain or ip. Right now apps writen in C# on the server are throughing socket errors and Teamviewer remote control is not working, I would like it to replace remote desktop.
How can I get DMZ hosts to be able to access the Internet via the Outside interface of my ASA5505.I am using the DMZ to allow temp guest acces to the Internet.
Here is my configuration and it can be changed as needed.
User Access Verification Password:Type '?' for a list of available commands.ciscoasa> enaPassword: *******ciscoasa# sho run: Saved:ASA Version 8.0(4)! interface Vlan1nameif insidesecurity-level 100ip address 192.168.100.39 255.255.255.0!interface Vlan8no forward interface Vlan1nameif dmzsecurity-level 50ip address 172.31.10.1 255.255.255.0!interface Vlan11nameif outsidesecurity-level 0ip address 24.172.82.xxx 255.255.255.252!interface Ethernet0/0!interface Ethernet0/1switchport access vlan 11!interface Ethernet0/2!interface Ethernet0/3switchport access vlan 8!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!boot system disk0:/asa804-k8.binftp mode passivedns server-group DefaultDNSdomain-name asaobject-group protocol DM_INLINE_PROTOCOL_1protocol-object udpprotocol-object
I am trying to provide internet access to public and private SSID's on Cisco AP541n using VLAN's connected directly to ASA5505. VLAN1 is inside interface (private) and VLAN12 is wlan interface (public SSID). The AP541n is plugged into switch port 0/7 on an ASA 5505.Port 0/7 is configured as trunk mode. I have internet access when connected to private SSID but no internet access when connected to public SSID. why I can't access internet on public SSID?
logging class ip history emergencies mtu inside 1500 mtu outside 1500
I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
Few days ago I started to get the following error message while trying to connect to the internet using Chrome and IE:"Unable to connect to the proxy server..."I don't have a proxy server configured - nothing is checked in the LAN settings page.In Firefox I don't have that problem - it seems it gets the proxy configuration from elsewhere.
In my device I am able to browse through & connect to my HOME wifi network ; But after connecting it says 'No Internet Access'.I tried connecting with my SONY Bluray , iphone , ipad , laptops -- everywhere same story.I am able to plug in the ethernet cable directly from modem & able to connect to network.I am not able to open the http://192.168.0.1 -- ( When I am plugged in the modem directly)
Following are my router details
FCCID - KA2DIR601A1 IC : 4216A-IR601 H/W Ver:A1 F.W Ver:1.00 NA
We have a cisco asa 5505 on which we have setup a group VPN. The VPN connections from all cisco vpn clients works fine except one. The keep getting the below error
"Secure VPN Connection terminated locally by the client. Reason 412: The remote peer is no longer responding. Connection Terminated".
Not sure why only one client won't be able to connect. The version we are using is 5.0.02 for VPN client.
I am testing VPN tunnels in a lab. I have the following (simple) setup:
-one ASA5505 has an "inside" interface with address 192.16.99.40/24 and an "outside" interface with address 205.192.0.2/24 -one computer with address 192.16.99.1/24 ("Client") is connected to the "inside" interface -one ASA5510 has an "inside" interface with address 192.0.99.40/24 and an "outside" interface with address 205.192.0.1/24 -one computer with address 192.0.99.1/24 ("Server") is connected to the "inside" interface -both "outside" interfaces are connected through a layer 2 switch
I had a VPN tunnel between them using "Main mode", and that worked without a problem.But in my target system, the ASA5505 will be connected to a router with a dynamic IP address, and so I need to use "Aggressive mode", where the ASA5510 will have a static address on the "outside" interface. The ASA5505 will therefore initiate the VPN session.
I am using the ASDM, by the way.I have the VPN tunnel established, but I am unable to ping from either side.When I ping the Server from the Client, the ASA5505 gives me the expected "Built/Teardown ICMP connection...", but the ASA5510 says "IKE Initiator unable to find policy: Intf inside, Src: 192.0.99.1, Dst: 192.16.99.1". So the ping makes it to the Server, but the reply can't find its way back out.When I ping the client from the Server, I get the same message on the ASA5510: "IKE Initiator unable to find policy: Intfc inside, Src: 192.0.99.1, Dst: 192.16.99.1".I attach the configuration on the ASA5510.
we are not able to connect to a outside PPTP vpn server;The scenario is this :Connections are started from inside netwok to a VPN server on the outside zone.
I have add these configs and still not working.policy-map global_policy class inspection_defaultinspect pptp ?i also have a acess-list for it.access-list inside_access_in extended permit tcp object inside-network any eq pptp access-list inside_access_in extended permit gre object inside-network any access-group inside_access_in in interface inside? I am missing something or this is all configs i have to get done ?
My company is using catalyst 3650G which we configured to route between vlans.ports 1-12 on the switch are configured to be in vlan 50 which serves as our servers vlan,port 13-20 are configured to be in vlan 100 in which the CE500 switch connected to (end users are connected here). we have two CE500 swithces and they linked each other via the gigabit uplink port.port 24 is configured as a routed port and connects to a 2811 router.We want to change the Internet connection from Leased Line to Broad Band.Currently we are using the(Leased Line) primary network.Whenever we are try to change the (Broad Band)secondary network,It's not happening the internet[CODE]
I come here today with a problem that has been plaguing this laptop forever and a day. You see, about two or so years ago on this very laptop, it was just another day where I booted up my laptop and was going to get a good day of wasting time on the internet underway. I tried to open Firefox, and I got prompted to download an apparent update for the browser. Obviously I went along with it because it seemed pretty routine and identical to how Firefox had updated in the past.
After the update was all done and dusted, I found myself unable to connect to the internet through Firefox. I would just get a constant stream of "Unable to connect" messages. I thought it might have been a problem on my end since back then I had rather wishy washy internet. So I let it settle for a while. Later on that day I talked to a few of my buddies over Xbox Live and asked if they'd had any similar issues with the new Firefox update because at the time, we all used it and hadn't quite jumped ship to Chrome just yet. But no matter who I asked, I always got the same response "I didn't get any update." Which as you can imagine, confused me quite thoroughly.
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
Simply what happens when I attempt to connect to the wireless network (Home network). I'll click 'Connect', it will start attempting to connect, it will keep attempting to connect for a good few minutes and then just stop, no error message, no 'unable to connect', it will just stop and I'll be back to square one, the home wireless connection will still be there but not connected.
The connection displays as full signal all the time, but will not connect. In the house we have also got 3 other laptops running from the same connection from time to time, these all connect fine without any hassle.
