
No Internet Access ASA


  • No Internet Access ASA

    Hi all,
    I am missing something really stupid here, I think. I have an ASA 5505 running 9.1 software and I am trying to use BT Infinity broadband with it, using an Openreach modem connected on port 0. I have tested a direct connection between the Openreach modem and the laptop using a PPPoE connection; it connects and I can browse the internet OK.
    The only changes I have made to the factory config are below. The ASA can ping Google DNS but my laptop cannot get out to the internet.
    I know it is a route issue but I cannot figure out what I need to change. I do not have a static IP from BT so I have left it as "ip address pppoe".
    Do I need to add a route outside? I have tried this, but when I know the IP address the Openreach picks up, the route outside command fails with "Invalid next hop address, it belongs to one of our interfaces".
    The only changes made to the factory config are below.
    !
    hostname ASA-HOME
    enable password *****
    passwd *****
    names
    !
    username Test password ****** privilege 15
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    vpdn group BT request dialout pppoe
    vpdn group BT localname [email protected]
    vpdn group BT ppp authentication chap
    vpdn username [email protected] password ****
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group BT
    ip address pppoe
    !
    dhcpd dns 8.8.8.8 8.8.4.4
    !
    icmp permit any inside
    !
    icmp permit any outside
    !

    I am being stupid here but I can't see why I can't add the static route. I have tried to add "ip address pppoe setroute" but I then get an error of no route to host when trying to ping 8.8.8.8 from the ASA.
    Any help would be appreciated.
    Thanks!
    Last edited by Si_Pe; 7th January 2016, 14:47.
    Kind Regards,
    Simon

  • #2
    You might need something like "route add default vlan2".
    I also don't specifically see any NAT enabling, but I'm not up to date on ASA specifically.



    • #3
      Based on my understanding of your post... you are able to ping 8.8.8.8 from ASA. So that tells me that PPPOE is correctly configuring the default route on the ASA.

      The command "show route" should verify this.

      As tehcamel pointed out, I would check your NAT/PAT configuration. Also, if you are only using ICMP (ping) to validate your ASA configuration, then check the default global service policy and make sure it includes an "inspect" for ICMP traffic. Inspecting ICMP traffic is not configured by default. Without the ICMP inspect, ICMP reply traffic would be DENY'd on the outside interface, even though it was initially permitted outbound from inside to outside and correctly NAT'd. The command "packet-tracer" should verify this.

      Below are a couple of snippets from some of my GNS3 ASA labs.

      ### EXAMPLE of a basic PAT configuration using outside interface IP address (in your case PPPOE) as the PAT address ####
      object network PAT-Inside2Outside
      subnet 192.168.1.0 255.255.255.0

      object network PAT-Inside2Outside
      nat (inside,outside) dynamic interface

      ### Default inspection policy. NOTE: ICMP is not listed as an inspect method ####

      class-map inspection_default
      match default-inspection-traffic
      !
      !
      policy-map type inspect dns preset_dns_map
      parameters
      message-length maximum 512
      policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      !
      service-policy global_policy global

      ### To add ICMP to inspection policy ###

      policy-map global_policy
      class inspection_default
      inspect icmp



      • #4
        Thanks for the replies.

        I will have a look later on this weekend.

        Thanks!
        Kind Regards,
        Simon



        • #5
          All up and working. The changes I made were below.

          object network obj_any
          nat (inside,outside) dynamic interface

          icmp unreachable rate-limit 1 burst-size 1
          icmp permit any inside
          icmp permit any outside


          Many thanks for the help!
          Kind Regards,
          Simon
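
An added example, not part of the thread and not any poster's code: a small Python check that reads an ASA running-config and reports the two gaps discussed in posts #3 and #5, a missing dynamic NAT/PAT rule for (inside,outside) and a missing `inspect icmp` in the active global policy. The sample configs are constructed from the snippets above, and the function and variable names are hypothetical.

```python
import re

# Constructed sample: post #1's interfaces plus an abridged default policy from post #3.
BEFORE = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
 ip address pppoe
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""
NAT_FIX = "object network obj_any\n nat (inside,outside) dynamic interface\n"    # post #5
ICMP_FIX = "policy-map global_policy\n class inspection_default\n  inspect icmp\n"  # post #3

# Matches object NAT and twice NAT dynamic rules for an interface pair.
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) (?:after-auto )?(?:source )?dynamic\b")

def audit(config, src="inside", dst="outside"):
    """Report a missing dynamic NAT rule and missing ICMP inspection."""
    nat_pairs, inspects, active, current = set(), {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        m = NAT_RE.match(line)
        if m:
            nat_pairs.add(m.groups())
        elif line.startswith("policy-map "):
            current = line.split()[-1]   # last token is the map name, also for "type inspect" maps
            inspects.setdefault(current, set())
        elif line.startswith("inspect ") and current:
            inspects[current].add(line.split()[1])
        elif line.startswith("service-policy ") and line.endswith(" global"):
            active, current = line.split()[1], None
        elif line == "!":
            current = None
    findings = []
    if (src, dst) not in nat_pairs:
        findings.append(f"no dynamic NAT/PAT rule for ({src},{dst})")
    if "icmp" not in inspects.get(active, set()):
        findings.append("active global policy has no 'inspect icmp'")
    return findings

if __name__ == "__main__":
    for name, cfg in [("before", BEFORE), ("nat only", BEFORE + NAT_FIX),
                      ("nat + icmp", BEFORE + NAT_FIX + ICMP_FIX)]:
        print(name, audit(cfg))
```

The check needs the full running-config: a snippet without the `policy-map` and `service-policy` lines is reported as lacking ICMP inspection.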
