ASA 5510 Problem Accessing Internet

  • ASA 5510 Problem Accessing Internet

    Hello,

    I configured my ASA 5510 with a T1 and I can ping public domains successfully from my firewall, but from my LAN I cannot access the Internet. Below is my configuration. Please help me:

    matyonkers(config)# sh run
    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname matyonkers
    enable password YjMKbtBBW1l0zqdk encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
    description Linea Externa
    nameif Externa
    security-level 100
    ip address 199.27.204.xxx 255.255.255.248
    !
    interface Ethernet0/1
    nameif Interna
    security-level 0
    ip address 10.1.x.x 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    security-level 0
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    security-level 0
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.100 255.255.255.0
    management-only
    !
    ftp mode passive
    dns domain-lookup Externa
    dns domain-lookup Interna
    dns server-group PublicDns
    name-server 209.220.118.xxx
    name-server 209.220.118.xxx
    dns-group PublicDns
    access-list Externa_access_in extended permit ip any any
    access-list Interna_access_in extended permit ip any any
    access-list Externa_cryptomap extended permit ip any any
    access-list Externa_access_in_1 exten
    access-list Externa_access_in_1 extended permit tcp any any eq https
    access-list Externa_access_in_1 extended permit tcp any any eq www
    access-list Interna_access_in_1 extended permit ip any any
    access-list Externa_access_out extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu Externa 1500
    mtu Interna 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (Externa) 101 199.27.204.xxx-199.27.204.xxx
    netmask 255.255.255.248
    global (Externa) 101 interface
    nat (Externa) 0 0.0.0.0 0.0.0.0
    nat (management) 101 0.0.0.0 0.0.0.0
    access-group Externa_access_in_1 in interface Externa
    access-group Externa_access_out out interface Externa
    access-group Interna_access_in_1 in interface Interna
    route Externa 0.0.0.0 0.0.0.0 199.27.204.xxx 1
    route Interna 0.0.0.0 255.255.255.0 10.1.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 199.27.204.xxx 255.255.255.255 Externa
    no snmp-server location
    no snmp-server contact
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map Externa_map0 1 match address Externa_cryptomap
    crypto map Externa_map0 1 set peer 199.27.204.xxx
    crypto map Externa_map0 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-
    AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DE
    S-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 199.27.204.xxx-199.27.204.xxx Externa
    dhcpd dns 209.220.118.xxx 209.220.118.xxx interface Externa
    dhcpd enable Externa
    !
    dhcpd address 192.168.1.101-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username admin password eY/fQXw7Ure8
    tunnel-group 199.27.204.xxx type ipsec-l2l
    tunnel-group 199.27.204.xxx ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    message-length maximum client auto
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e6ac5f601be71bb02d07a11d07e5e63f
    : end

  • #2
    Re: ASA 5510 Problem Accessing Internet

    Your nat and global commands don't have the same nat id. The id is what binds the internal nat command to the global.


    global (Externa) 101 199.27.204.xxx-199.27.204.xxx
    netmask 255.255.255.248
    global (Externa) 101 interface
    nat (Externa) 0 0.0.0.0 0.0.0.0

    should be nat (inside) 1
    global (outside) 1

    Assuming you use nat id 1 and your interfaces are named inside and outside
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)
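
The nat id binding described in the reply can be checked mechanically. The following is an added example, not code from either poster: the function name `audit_nat_ids` is hypothetical, the sample is constructed from the `nameif`, `nat` and `global` lines of the posted config, and it goes one step beyond the reply by also listing named interfaces that have no nat rule with a non-zero id.

```python
import re
from collections import defaultdict

# Constructed sample: the nameif/nat/global lines from the posted config
# (addresses stay masked as in the post; the wrapped netmask line is joined).
SAMPLE = """\
interface Ethernet0/0
 nameif Externa
interface Ethernet0/1
 nameif Interna
interface Management0/0
 nameif management
global (Externa) 101 199.27.204.xxx-199.27.204.xxx netmask 255.255.255.248
global (Externa) 101 interface
nat (Externa) 0 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
"""

RULE = re.compile(r"^\s*(nat|global) \((\S+)\) (\d+)\b")
NAMEIF = re.compile(r"^\s*nameif (\S+)")

def audit_nat_ids(config):
    """Return findings on how nat ids bind to global pools (pre-8.3 syntax)."""
    names, nat, glob = [], defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        if m := NAMEIF.match(line):
            names.append(m.group(1))
        elif m := RULE.match(line):
            kind, ifc, nat_id = m.group(1), m.group(2), int(m.group(3))
            (nat if kind == "nat" else glob)[nat_id].add(ifc)
    findings = []
    for nat_id, ifcs in sorted(nat.items()):
        if nat_id == 0:
            # id 0 is identity NAT: it never binds to a global pool
            findings += [f"nat ({i}) 0: identity NAT, no translation" for i in sorted(ifcs)]
        elif not glob.get(nat_id):
            findings += [f"nat ({i}) {nat_id}: no global with id {nat_id}" for i in sorted(ifcs)]
    for nat_id, ifcs in sorted(glob.items()):
        if not nat.get(nat_id, set()) - ifcs:
            findings += [f"global ({i}) {nat_id}: no nat with this id on another interface" for i in sorted(ifcs)]
    natted = {i for nat_id, ifcs in nat.items() if nat_id for i in ifcs}
    pool_ifcs = {i for ifcs in glob.values() for i in ifcs}
    for name in names:
        if name not in natted and name not in pool_ifcs:
            findings.append(f"{name}: no nat rule with a non-zero id")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat_ids(SAMPLE)))
```

On the posted lines it reports the `nat (Externa) 0` identity rule and the LAN interface `Interna` with no nat rule; swapping that rule for a `nat (Interna) 101` statement clears both findings.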
